
From:MICROSOFT <secure_(at)_microsoft.com>
Date:13.06.2002
Subject:Security Bulletin MS02-030: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)

----------------------------------------------------------------------
Title:      Unchecked Buffer in SQLXML Could Lead to Code Execution
           (Q321911)
Date:       12 June 2002
Software:   Microsoft SQLXML
Impact:     Two vulnerabilities, the most serious of which could run
           code of the attacker's choice.
Max Risk:   Moderate
Bulletin:   MS02-030

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp.
----------------------------------------------------------------------

Issue:
======
SQLXML enables the transfer of XML data to and from SQL Server 2000.
Database queries can be returned in the form of XML documents which
can then be stored or transferred easily. Using SQLXML, you can
access SQL Server 2000 using XML through your browser over HTTP.

Two vulnerabilities exist in SQLXML:

- An unchecked buffer vulnerability in an ISAPI extension that could,
  in the worst case, allow an attacker to run code of their choice
  on the Microsoft Internet Information Services (IIS) Server.

- A vulnerability in a function specifying an XML tag that could
  allow an attacker to run script on the user's computer with higher
  privilege. For example, a script might be run in the Intranet Zone
  instead of the Internet Zone.

Mitigating Factors:
====================
Unchecked buffer in SQLXML ISAPI extension:

- The administrator must have set up a virtual directory structure
  and naming used by the SQLXML HTTP components on an IIS Server.
  The vulnerability gives no means for an attacker to obtain the
  directory structure.

- The attacker must know the location of the virtual directory on
  the IIS Server that has been specifically set up for SQLXML.

Script injection via XML tag:

- For an attack to succeed, the user must have privileges on the
  SQL Server.

- The attacker must know the address of the SQL Server on which
  the user has privileges.

- The attacker must lure the user to a website under their control.

- Queries submitted via HTTP are not enabled by default.

- Microsoft best practices recommend against allowing ad hoc URL
  queries against the database through a virtual root.

- The script will run in the user's browser according to the IE
  security zone used to connect with the IIS Server hosting the
  SQLXML components. In most cases, this will be the Intranet Zone.


Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: None

Patch Availability:
===================
- A patch is available to fix these vulnerabilities. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Matt Moore of Westpoint Ltd. (http://www.westpoint.ltd.uk/)

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
