{"vuid":"VU#811371","idnumber":"811371","name":"Microsoft SQLXML ISAPI filter vulnerable to buffer overflow via contenttype parameter","keywords":["Microsoft","SQL Server","SQLXML","ISAPI filter","buffer overflow","arbitrary code execution","long string of characters","contenttype parameter","Q321911","MS02-030","IIS","internet information server","header"],"overview":"A buffer overflow vulnerability exists in the Microsoft SQLXML Internet Services Application Programming Interface (ISAPI) extension for Internet Information Server (IIS). This vulnerability could allow a remote attacker to cause a denial of service or execute arbitrary code with LocalSystem privileges.","clean_desc":"Microsoft SQL Server 2000 includes a feature called SQLXML that allows the server to handle SQL queries and responses via XML. IIS enables XML over HTTP using SQLXML HTTP components, one of which is an ISAPI extension. A client SQLXML HTTP request takes the form of a URI that contains a number of arguments including the name of the IIS server, the virtual directory (virtual root), and optional parameters. One of the optional parameters, contenttype, sets the Content-Type header for the HTTP response to the client. The entire URI, including the contenttype parameter, is controlled by the client. The SQLXML ISAPI extension does not adequately validate the length of the contenttype parameter. As a result, an attacker could construct a URI with a specially crafted value for contenttype that triggers a buffer overflow on a vulnerable IIS server. Microsoft Security Bulletin MS02-030 notes that SQLXML is installed but disabled by default. In addition, SQLXML must be configured to run over HTTP in order to install the SQLXML ISAPI extension. An IIS server is only vulnerable if SQLXML is enabled and configured to run over HTTP.","impact":"A remote attacker could execute arbitrary code or cause a denial of service. The SQLXML ISAPI extension runs as LocalSystem.","resolution":"Apply a Patch Apply the appropriate patch as referenced in Microsoft Security Bulletin MS02-030.","workarounds":"Disable Vulnerable Service If the services are not needed, disable or uninstall SQLXML or SQLXML over HTTP. As a general practice, the CERT/CC recommends disabling any services that are not explicitly required.","sysaffected":"","thanks":"The CERT/CC thanks both Matt Moore of Westpoint and Microsoft for information used in this document.","author":"This document was written by Art Manion.","public":["http://www.westpoint.ltd.uk/advisories/wp-02-0007.txt","http://www.microsoft.com/technet/security/bulletin/MS02-030.asp","http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlref/xmlref_7583.asp","http://www.securityfocus.com/bid/5004"],"cveids":["CVE-2002-0186"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-06-13T13:17:52Z","publicdate":"2002-06-12T00:00:00Z","datefirstpublished":"2002-06-25T00:18:16Z","dateupdated":"2002-08-08T19:28:09Z","revision":31,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"16","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"9","cam_impact":"17","cam_easeofexploitation":"9","cam_attackeraccessrequired":"20","cam_scorecurrent":"12.393","cam_scorecurrentwidelyknown":"14.4585","cam_scorecurrentwidelyknownexploited":"24.786","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.393,"vulnote":null}