We have received several inquiries regarding the advisory "Named Pipe Filename Local Privilege Escalation" that was published by @stake on 07/08/2003. These answers should clarify where the vulnerability actually lies so that customers can make informed decisions about what may need to be fixed in their environments.

1. Is SQL Server 7.0 vulnerable?

The actual vulnerability is at the Windows NT/XP/2000 platform level, not at the application level. Any application that calls CreateFile based on user input and does not filter out named pipe names can be used as an attack vector to exploit this vulnerability. Since SQL Server 7.0 contains the xp_fileexist procedure, which calls CreateFile with user input, it is an attack vector. Instead of fixing this one attack vector, Microsoft has fixed the actual design vulnerability with new privileges. If you are running SQL Server 7.0 you should upgrade to Windows 2000 SP4 if local privilege escalation is a risk in your environment.

There are potentially many other applications that can be used as attack vectors. We have made no attempt to find any other vectors at this time. SQL Server MSDE, which is installed by many products, is potentially another vector. A full list is here:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13

2. Are Windows NT 4.0, Windows XP, and Windows 2003 vulnerable?

Windows NT 4.0 and Windows XP are. The MSDN documentation for SeImpersonatePrivilege states this:

"Windows XP, Windows 2000 SP3 and earlier, Windows NT: This privilege is not supported."

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/authorization_constants.asp

Windows 2000 SP4 and Windows 2003 are the only platforms that support the new privilege that fixes this issue.

3. Has @stake conducted any extensive research on the potential impact on production systems when implementing SP4?

We have not done any research on the impact of SP4 on production systems. We are not set up to do application regression testing. This is a major change for applications that must use impersonation. As with all service packs, acceptance testing is advised. The Microsoft KB article (http://support.microsoft.com/default.aspx?scid=kb;[LN];821546) does have troubleshooting tips for applications that require the impersonation privilege and are not started by the service control manager or the COM infrastructure.

4. What are some other workarounds to this issue?

Since this is a local privilege escalation issue, it can be mitigated by only allowing administrators to log on locally to servers running applications that can be used as attack vectors. If you are running Terminal Services, then only administrators should be given permission to connect.

5. Why is there no Microsoft bulletin on this issue?

Microsoft's policy is to not issue bulletins for vulnerabilities that are fixed in service packs.
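An added example, not code from the @stake post, from Microsoft or from SQL Server: the named-pipe-name filtering that question 1 describes, written as a portable C classifier for the pipe spellings Win32 accepts (a deny list) beside a stricter drive-letter allow list, plus, under _WIN32 only, the allow-listed CreateFile call, which also passes SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS so a pipe server cannot impersonate the caller. The function names and sample paths are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
static bool is_sep(char c) { return c == '\\' || c == '/'; }   /* Win32 accepts both */
/* True if the path component starting at p equals word (case-insensitive). */
static bool component_is(const char *p, const char *word)
{
    for (; *word; p++, word++)
        if (tolower((unsigned char)*p) != tolower((unsigned char)*word)) return false;
    return *p == '\0' || is_sep(*p);
}
/* Advance past the current component and the separators that follow it. */
static const char *skip_component(const char *p)
{
    while (*p && !is_sep(*p)) p++;
    while (is_sep(*p)) p++;
    return p;
}
/* Deny list: \\.\pipe\x, \\?\pipe\x, \\host\pipe\x, \\?\UNC\host\pipe\x and the '/'
 * spellings. No deny list is complete (e.g. \\?\GLOBALROOT), so prefer the allow list. */
bool is_named_pipe_path(const char *path)
{
    if (!(is_sep(path[0]) && is_sep(path[1]))) return false;   /* must start with \\ or // */
    const char *p = path + 2;
    if (component_is(p, "?")) {                                /* \\?\ extended-length prefix */
        p = skip_component(p);
        if (component_is(p, "UNC")) p = skip_component(skip_component(p));
        return component_is(p, "pipe");
    }
    p = skip_component(p);                                     /* host: ".", "localhost", ... */
    return component_is(p, "pipe");
}
/* Allow list for ordinary local files: drive-letter absolute path, no ".." components. */
bool is_plain_local_file_path(const char *path)
{
    if (!isalpha((unsigned char)path[0]) || path[1] != ':' || !is_sep(path[2])) return false;
    for (const char *p = path + 3; *p; p = skip_component(p))
        if (component_is(p, "..")) return false;
    return true;
}
#ifdef _WIN32
#include <windows.h>
/* Allow-listed open that also requests SECURITY_ANONYMOUS quality of service, so a pipe
 * server reached by mistake cannot impersonate this process. */
HANDLE open_user_file_readonly(const char *path)
{
    if (!is_plain_local_file_path(path)) return INVALID_HANDLE_VALUE;
    return CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL | SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS, NULL);
}
#endif
```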