{
  "vuid": "VU#627275",
  "idnumber": "627275",
  "name": "Microsoft SQL Server contains buffer overflow vulnerabilities in multiple extended stored procedures",
  "keywords": ["Microsoft SQL Server 7", "buffer overflow", "extended stored procedures", "xp_controlqueueservice", "xp_createprivatequeue", "xp_createqueue", "xp_decodequeuecmd", "xp_deleteprivatequeue", "xp_deletequeue", "xp_displayqueuemesgs", "xp_dsninfo", "xp_mergelineages", "xp_oledbinfo", "xp_proxiedmetadata", "xp_readpkfromqueue", "xp_readpkfromvarbin", "xp_repl_encrypt", "xp_resetqueue", "xp_sqlinventory", "xp_unpackcab", "MS02-020", "srv_paraminfo", "Q319507"],
  "overview": "Microsoft SQL Server 7.0 and SQL Server 2000 contain buffer overflow vulnerabilities in multiple extended stored procedures. A remote attacker could cause a denial of service or execute arbitrary code or commands with the privileges of the SQL Server process, potentially gaining complete control over a vulnerable system. An attacker could also manipulate databases stored on a vulnerable system.",
  "clean_desc": "Microsoft SQL Server supports \"extended stored procedures\": functions exported from DLLs that the server loads into its own process and exposes to Transact-SQL callers as if they were stored procedures. They give database applications access to operating system or network resources, and several of the extended stored procedures shipped with SQL Server contain buffer overflow vulnerabilities. An extended stored procedure receives its parameters through the Open Data Services API, which reports each parameter's declared maximum length and its actual length (srv_paraminfo). Some of the affected procedures copy parameter data into fixed-size stack buffers without checking the reported length, producing stack buffer overflows. Because the procedure runs inside the SQL Server process, a crash takes the service down and a successful exploit runs code with the privileges of the service account. EXECUTE permission on some of the vulnerable procedures is granted to the public role by default, so any login, however low-privileged, can reach them, and an attacker who can inject queries through a database front end can do so without credentials of their own. SQL Server databases are commonly used in web applications, so the vulnerable procedures may be reachable from the Internet. Microsoft Security Bulletin MS02-020 states: <blockquote><i>An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.</i></blockquote>",
  "impact": "An attacker who can issue queries to the server, directly under any login or indirectly through a front end that passes attacker-controlled input into queries, can execute arbitrary code with the privileges of the SQL Server service account. If that account has been granted elevated privileges, as described in VU#796313, the server host itself may be compromised.",
  "resolution": "Apply patch: Microsoft has published Security Bulletin MS02-020 to address this vulnerability. For more information, please see http://www.microsoft.com/technet/security/bulletin/MS02-020.asp",
  "workarounds": "Disable vulnerable procedures: drop the vulnerable extended stored procedures (sp_dropextendedproc) or, less disruptively, revoke EXECUTE on them from the public role. Note that this may affect functionality, and that the CERT/CC has not verified the list of vulnerable procedures referenced in the Application Security, Inc. report.",
  "sysaffected": "",
  "thanks": "The CERT/CC acknowledges Cesar Cerrudo of Application Security, Inc. for reporting these vulnerabilities, and Bronek Kozicki for reporting the privilege elevation issue.",
  "author": "This document was written by Art Manion and Jeffrey P. Lanza.",
  "public": ["http://www.appsecinc.com/resources/alerts/mssql/02-0000.html", "http://www.microsoft.com/technet/security/bulletin/MS02-020.asp", "http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q319507", "http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=8813", "http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.asp"],
  "cveids": ["CVE-2002-0154"],
  "certadvisory": "CA-2002-22",
  "uscerttechnicalalert": null,
  "datecreated": "2002-03-12T17:58:01Z",
  "publicdate": "2002-03-12T00:00:00Z",
  "datefirstpublished": "2002-07-26T07:47:26Z",
  "dateupdated": "2002-07-29T23:18:35Z",
  "revision": 44,
  "vrda_d1_directreport": "",
  "vrda_d1_population": "",
  "vrda_d1_impact": "",
  "cam_widelyknown": "15",
  "cam_exploitation": "10",
  "cam_internetinfrastructure": "10",
  "cam_population": "15",
  "cam_impact": "18",
  "cam_easeofexploitation": "15",
  "cam_attackeraccessrequired": "17",
  "cam_scorecurrent": "45.1828125",
  "cam_scorecurrentwidelyknown": "51.6375",
  "cam_scorecurrentwidelyknownexploited": "64.546875",
  "ipprotocol": "",
  "cvss_accessvector": "",
  "cvss_accesscomplexity": "",
  "cvss_authentication": null,
  "cvss_confidentialityimpact": "",
  "cvss_integrityimpact": "",
  "cvss_availabilityimpact": "",
  "cvss_exploitablity": null,
  "cvss_remediationlevel": "",
  "cvss_reportconfidence": "",
  "cvss_collateraldamagepotential": "",
  "cvss_targetdistribution": "",
  "cvss_securityrequirementscr": "",
  "cvss_securityrequirementsir": "",
  "cvss_securityrequirementsar": "",
  "cvss_basescore": "",
  "cvss_basevector": "",
  "cvss_temporalscore": "",
  "cvss_environmentalscore": "",
  "cvss_environmentalvector": "",
  "metric": 45.1828125,
  "vulnote": null
}
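The unchecked-length pattern the note's description attributes to the affected extended stored procedures, shown as an added example in C. This is not code from the CERT note, from Microsoft or from Application Security, Inc.: the real Open Data Services header is not used, the `xp_param` struct is an assumed stand-in for what `srv_paraminfo` reports (declared maximum length, actual length, data pointer), and `xp_frame` is a simulated stack frame so that the overrun lands in memory the program owns rather than on a real saved return address. The vulnerable routine copies whatever length the descriptor reports into a 32-byte buffer; the hardened routine checks the descriptor first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SQL Server code. xp_param stands in for what
 * srv_paraminfo() reports; xp_frame simulates the XP's stack frame:
 * a 32-byte local buffer followed by an 8-byte saved return address. */

#define XP_BUF_LEN   32
#define FRAME_LEN    (XP_BUF_LEN + 8)
#define ORIGINAL_RET 0x1122334455667788ULL   /* sentinel "saved return address" */

enum { XP_SUCCEED = 0, XP_FAIL = 1 };        /* ODS-style return codes (assumed values) */

typedef struct { unsigned char bytes[FRAME_LEN]; } xp_frame;

typedef struct {
    int maxlen;                 /* declared maximum length of the parameter type */
    int actlen;                 /* actual length of the data the caller passed */
    const unsigned char *data;  /* the caller's data */
} xp_param;

static void frame_init(xp_frame *f)
{
    uint64_t ret = ORIGINAL_RET;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + XP_BUF_LEN, &ret, sizeof ret);
}

static uint64_t frame_saved_ret(const xp_frame *f)
{
    uint64_t ret;
    memcpy(&ret, f->bytes + XP_BUF_LEN, sizeof ret);
    return ret;
}

/* Vulnerable pattern: trusts actlen and copies it into the 32-byte buffer, so
 * bytes 33..40 overwrite the saved return address. The clamp to FRAME_LEN only
 * keeps this demo inside its own memory; the real bug has no bound at all. */
static int xp_vulnerable(xp_frame *f, const xp_param *p)
{
    size_t n = (size_t)p->actlen;
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(f->bytes, p->data, n);
    return XP_SUCCEED;
}

/* Hardened pattern: validate the srv_paraminfo() descriptor before copying.
 * Rejects a NULL pointer, negative or inconsistent lengths, and any value that
 * would not fit in the buffer together with its NUL terminator. */
static int xp_hardened(xp_frame *f, const xp_param *p)
{
    if (p->data == NULL || p->actlen < 0 || p->maxlen < 0)
        return XP_FAIL;
    if (p->actlen > p->maxlen)          /* more data than the declared type allows */
        return XP_FAIL;
    if (p->actlen >= XP_BUF_LEN)        /* no room for the terminator */
        return XP_FAIL;
    memcpy(f->bytes, p->data, (size_t)p->actlen);
    f->bytes[p->actlen] = '\0';
    return XP_SUCCEED;
}

/* Drive one XP with a constructed parameter of actlen bytes of 'A'. */
static int run_xp(int hardened, int actlen, int maxlen, uint64_t *ret_out)
{
    unsigned char payload[FRAME_LEN];   /* constructed input, not a real query */
    xp_frame f;
    xp_param p = { maxlen, actlen, payload };
    int rc;

    memset(payload, 'A', sizeof payload);
    frame_init(&f);
    rc = hardened ? xp_hardened(&f, &p) : xp_vulnerable(&f, &p);
    *ret_out = frame_saved_ret(&f);
    return rc;
}

int rc_after(int hardened, int actlen, int maxlen)
{
    uint64_t unused;
    return run_xp(hardened, actlen, maxlen, &unused);
}

uint64_t saved_ret_after(int hardened, int actlen, int maxlen)
{
    uint64_t ret;
    (void)run_xp(hardened, actlen, maxlen, &ret);
    return ret;
}

int main(void)
{
    printf("vulnerable, 40-byte input: rc=%d saved_ret=0x%016llx\n",
           rc_after(0, 40, 255), (unsigned long long)saved_ret_after(0, 40, 255));
    printf("hardened,   40-byte input: rc=%d saved_ret=0x%016llx\n",
           rc_after(1, 40, 255), (unsigned long long)saved_ret_after(1, 40, 255));
    return 0;
}
```

With a 40-byte parameter the vulnerable routine reports success and the simulated saved return address becomes 0x4141414141414141, which is the condition the note describes as leading to code execution as the service account; the hardened routine refuses the same input and leaves the frame untouched. The check against `maxlen` matters as well as the check against the buffer: a descriptor whose actual length exceeds the declared maximum is already inconsistent and should never be copied.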