----- Original Message -----
From: "@stake Advisories" <advisories@atstake.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, July 23, 2003 1:11 PM
Subject: Microsoft SQL Server local code execution

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> @stake Inc.
> www.atstake.com
>
> Security Advisory
>
> Advisory Name: Microsoft SQL Server local code execution
> Release Date: 07/23/2003
> Application: Microsoft SQL Server 7, 2000, MSDE
> Platform: Windows NT/2000/XP
> Severity: Local code execution / Denial of Service
> Author: Andreas Junestam (andreas@atstake.com)
> Vendor Status: Microsoft has patch available
> CVE Candidate: CAN-2003-0232
> Reference: www.atstake.com/research/advisories/2003/a072303-3.txt
>
> Overview:
>
> Microsoft SQL Server uses LPC (Local Procedure Calls) to
> implement some of its inter-process communication. The
> port providing this service can be used by anyone. By sending
> a specially crafted message to SQL Server through this port,
> an attacker can overwrite certain parts of memory and thus
> execute code using the SQL Server's credentials.
>
> Detailed Description:
>
> Microsoft SQL Server uses different ways of communicating with
> a client locally; one of them is over an LPC port. This port
> can be used by any local user to send information to the SQL
> Server service. By sending a specially crafted message to this
> port it is possible to overwrite information stored on the
> stack. This would allow an attacker to execute code under
> SQL Server's credentials, thereby escalating privileges. This
> would then give the user read and write access to the
> database files. If the SQL Server is running under the
> Administrator or Local System account this would enable
> system compromise.
>
> As with most SQL Server issues, MSDE is affected. MSDE is
> included in many Microsoft and non-Microsoft products. A list
> of products that include MSDE is here:
>
> http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13
>
> Vendor Response:
>
> Microsoft was contacted on 02/05/2003
>
> Microsoft has a bulletin and patch available:
>
> http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
>
> Recommendation:
>
> Install the vendor patch. If your SQL Server is running under
> the Administrator or Local System account, consider running SQL
> Server under a less privileged account.
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> CAN-2003-0232
>
> @stake Vulnerability Reporting Policy:
> http://www.atstake.com/research/policy/
>
> @stake Advisory Archive:
> http://www.atstake.com/research/advisories/
>
> PGP Key:
> http://www.atstake.com/research/pgp_key.asc
>
> Copyright 2003 @stake, Inc. All rights reserved.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPx75pUe9kNIfAm4yEQKqjwCgjN94EPfRFvtLd/4CHGjbW6QU/XIAoLKp
> teXQzo5cqxIZY2OcMil/n9AC
> =iMTE
> -----END PGP SIGNATURE-----
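The advisory's impact hinges on the account the SQL Server service runs under, and its recommendation is to move off Administrator/Local System. The following PowerShell audit is an added example, not part of the @stake advisory or of Microsoft's guidance; it assumes the CIM cmdlets are available and that the instances use the MSSQLSERVER / MSSQL$<instance> service naming convention or run sqlservr.exe.

```powershell
# Added example (not from the advisory): flag local SQL Server / MSDE services
# whose service account would turn a local code-execution bug into a full
# system compromise, as the advisory describes for Administrator/Local System.
# Assumption: Win32_Service exposes the service account in its StartName field.

function Get-SqlServiceAccountRisk {
    param(
        # Services to inspect; defaults to every SQL Server / MSDE service found
        # on this host, matched by executable or by the MSSQL* naming convention.
        [object[]]$Service = @(
            Get-CimInstance -ClassName Win32_Service |
                Where-Object { $_.PathName -like '*sqlservr.exe*' -or $_.Name -like 'MSSQL*' }
        )
    )

    foreach ($svc in $Service) {
        $acct = [string]$svc.StartName

        # High risk per the advisory: the built-in Local System account or any
        # account literally named Administrator (e.g. ".\Administrator").
        $isHigh = ($acct -eq 'LocalSystem') -or ($acct -match '\\Administrator$')

        [pscustomobject]@{
            Service = $svc.Name
            Account = $acct
            State   = $svc.State
            Risk    = if ($isHigh) { 'HIGH: exploitation yields system compromise' }
                      else         { 'LOWER: limited to the service account' }
        }
    }
}

# Report; a HIGH row means apply MS03-031 and re-point the service at a
# dedicated low-privilege account as the advisory recommends.
Get-SqlServiceAccountRisk | Format-Table -AutoSize
```

Run it from an elevated session on each host carrying SQL Server or an embedded MSDE instance; third-party products that bundle MSDE often install it under Local System without the administrator noticing.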