
Microsoft Unchecked Buffer in SQLXML Vulnerability (CIAC M-091)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Microsoft Unchecked Buffer in SQLXML Vulnerability
                     [Microsoft Security Bulletin MS02-030]

June 13, 2002 19:00 GMT                                           Number M-091
______________________________________________________________________________
PROBLEM:       Two vulnerabilities exist in Microsoft's SQLXML. The first is 
               an unchecked buffer in an ISAPI extension that could allow an 
               attacker to run code of their choice on the IIS server. The 
               second is in a function that specifies an XML tag and could 
               allow an attacker to run script on a user's computer with 
               higher privileges than the script should have. 
PLATFORM:      Microsoft SQL Server 2000 
DAMAGE:        An attacker could run code of their choice on the IIS server, 
               or run script on a user's computer with elevated privileges. 
SOLUTION:      Apply appropriate patches as prescribed by Microsoft. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An administrator must have set up a virtual 
ASSESSMENT:    directory structure and naming used by the SQLXML HTTP 
               components on an IIS Server. An attacker must know the location 
               of the virtual directory on the IIS Server in order to exploit 
               it. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-091.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-030.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-030 *****]

Microsoft Security Bulletin MS02-030  

Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Originally posted: June 12, 2002

Summary
Who should read this bulletin: System administrators using Microsoft® 
SQL Server™ 2000. 

Impact of vulnerability: Two vulnerabilities, the most serious of which could allow 
an attacker to run code of their choice.

Maximum Severity Rating: Moderate

Recommendation: System administrators who have enabled SQLXML and enabled data 
queries over HTTP should install the patch immediately.

Affected Software:

Microsoft SQLXML, which ships as part of SQL Server 2000 and can be downloaded 
separately.

Technical details

Technical description:

SQLXML enables the transfer of XML data to and from SQL Server 2000. Database 
queries can be returned in the form of XML documents which can then be stored or 
transferred easily. Using SQLXML, you can access SQL Server 2000 using XML 
through your browser over HTTP.

Two vulnerabilities exist in SQLXML: 

* An unchecked buffer vulnerability in an ISAPI extension that could, in the worst 
case, allow an attacker to run code of their choice on the Microsoft Internet 
Information Services (IIS) Server.
* A vulnerability in a function specifying an XML tag that could allow an attacker 
to run script on the user’s computer with higher privilege. For example, a script 
might be able to be run in the Intranet Zone instead of the Internet Zone.

Mitigating factors: 

Unchecked buffer in SQLXML ISAPI extension: 

* The administrator must have set up a virtual directory structure and naming used by 
the SQLXML HTTP components on an IIS Server. The vulnerability gives no means for an 
attacker to obtain the directory structure.
* The attacker must know the location of the virtual directory on the IIS Server that 
has been specifically set up for SQLXML.

Script injection via XML tag:

* For an attack to succeed, the user must have privileges on the SQL Server.
* The attacker must know the address of the SQL Server on which the user has privileges.
* The attacker must lure the user to a website under their control.
* Queries submitted via HTTP are not enabled by default.
* Microsoft best practices recommend against allowing ad hoc URL queries against the 
database through a virtual root.
* The script will run in the user’s browser according to the IE security zone used to 
connect with the IIS Server hosting the SQLXML components. In most cases, this will be 
the Intranet Zone.
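
As an added example (not part of the CIAC or Microsoft bulletin) of how a defender can watch the SQLXML virtual root that the mitigating factors describe: a Python triage of IIS W3C log lines that flags ad hoc ?sql= URL queries and oversized requests reaching the ISAPI extension. It assumes the vroot is mounted at /sqlxml, that the log carries c-ip, cs-uri-stem and cs-uri-query, and SQLXML's ?sql= URL query form; the sample log is constructed.

```python
"""Added example (not from the CIAC/Microsoft bulletin): coarse triage of IIS
W3C logs for the SQLXML HTTP virtual root described in MS02-030. Assumed: the
log carries c-ip, cs-uri-stem, cs-uri-query; the vroot is /sqlxml; ?sql= form."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterator

# Constructed sample log: a #Fields directive, then four requests. Line 4 is an
# oversized path aimed at the vroot, the kind of input an unchecked buffer sees.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-06-13 10:01:02 10.0.0.5 GET /sqlxml/template/orders.xml id=42 200",
    "2002-06-13 10:01:09 10.0.0.7 GET /sqlxml sql=SELECT+*+FROM+Customers+FOR+XML+AUTO 200",
    "2002-06-13 10:01:15 10.0.0.9 GET /sqlxml/template/" + "A" * 3000 + " - 500",
    "2002-06-13 10:02:00 10.0.0.5 GET /index.htm - 200",
])

@dataclass
class Finding:
    line_no: int
    client: str
    reason: str

def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field dict) per data line; '#Fields:' names the columns."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            parts = raw.split(" ")
            if len(parts) == len(fields):   # skip malformed lines instead of crashing
                yield n, dict(zip(fields, parts))

def under_vroot(stem: str, vroot: str) -> bool:
    """True only for the vroot itself or paths beneath it (not /sqlxmlfoo)."""
    s, v = stem.lower(), vroot.lower().rstrip("/")
    return s == v or s.startswith(v + "/")

def triage(text: str, vroot: str = "/sqlxml", max_len: int = 1024) -> list[Finding]:
    """Flag ad hoc sql= URL queries (advised against) and oversized ISAPI requests."""
    out: list[Finding] = []
    for n, rec in parse_w3c(text):
        stem, query = rec["cs-uri-stem"], rec.get("cs-uri-query", "-")
        if not under_vroot(stem, vroot):
            continue
        if query != "-" and any(p.lower().startswith("sql=") for p in query.split("&")):
            out.append(Finding(n, rec["c-ip"], "ad hoc URL query (sql=) against the SQLXML vroot"))
        if len(stem) + len(query) > max_len:
            out.append(Finding(n, rec["c-ip"], f"oversized request to SQLXML ISAPI ({len(stem) + len(query)} bytes)"))
    return out
```

The length threshold is a coarse heuristic for triage, not a signature for the specific overrun, which the bulletin does not describe.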

Severity Rating: 

Unchecked buffer in SQLXML ISAPI extension:

  Product                                  Internet Servers  Intranet Servers  Client Systems
  ---------------------------------------  ----------------  ----------------  --------------
  Microsoft SQLXML version shipped with
    SQL Server 2000 Gold                   Moderate          Moderate          None
  Microsoft SQLXML version 2               Moderate          Moderate          None
  Microsoft SQLXML version 3               Moderate          Moderate          None

Script injection via XML tag:

  Product                                  Internet Servers  Intranet Servers  Client Systems
  ---------------------------------------  ----------------  ----------------  --------------
  Microsoft SQLXML version shipped with
    SQL Server 2000 Gold                   Moderate          Moderate          None
  Microsoft SQLXML version 2               Moderate          Moderate          None
  Microsoft SQLXML version 3               Moderate          Moderate          None

The above assessment is based on the types of systems affected by the vulnerability, their 
typical deployment patterns, and the effect that exploiting the vulnerability would have 
on them. The rating reflects the possibility of remotely running code in the security 
context of the operating system and the possibility of running script on a user's system 
with elevated privileges.

Vulnerability identifiers: 

* Unchecked buffer in SQLXML ISAPI extension - CAN-2002-0186
* Script injection via XML tag - CAN-2002-0187

Tested Versions:
Microsoft tested the original SQLXML version shipping with SQL Server 2000 Gold as well as 
SQLXML versions 1, 2 and 3 to assess whether they are affected by this vulnerability. 
SQLXML version 1 is no longer supported, and should be upgraded to a later version as 
discussed in the FAQ below.

Patch availability

Download locations for this patch

* Microsoft SQLXML version shipping with SQL 2000 Gold:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39547
* Microsoft SQLXML version 2:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38480
* Microsoft SQLXML version 3:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38481

Additional information about this patch

Installation platforms: 
This patch can be installed on systems running SQL Server 2000 SP2.

Inclusion in future service packs:
The fix for this issue will be included in SQL Server 2000 SP3.

Reboot needed: Yes 

Superseded patches: None. 

Verifying patch installation: 

SQLXML shipping with SQL Server 2000 Gold: 

* To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q321858

SQLXML Version 2.0:

* To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SQLXML 2.0\Q321460

SQLXML Version 3.0:

* To verify that the patch has been installed on the machine, confirm that the following 
registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SQLXML 3.0\Q320833

Caveats:
None 

Localization:
This patch can be applied on all language versions. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations:

* Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site.
* All patches available via WindowsUpdate also are available in a redistributable form 
from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks Matt Moore of Westpoint Ltd. for reporting this issue to us and working 
with us to protect customers.

Support: 

* Microsoft Knowledge Base article Q321911 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can be 
found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is no charge 
for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:

* V1.0 (June 12, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-030 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-081: SSHD "AllowedAuthentications" Vulnerability
M-082: Microsoft Cumulative Patch for Internet Explorer
M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
M-085: IMAP Partial Mailbox Attribute Buffer Overflow Vulnerability
M-086: Sun SEA SNMP Vulnerability
M-087: SGI IRIX rpc.passwd Vulnerability
M-088: MS Unchecked Buffer in Gopher Protocol Handler
M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability
M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability
