|
__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Unchecked Buffer in SQLXML Vulnerability [Microsoft Security Bulletin MS02-030] June 13, 2002 19:00 GMT Number M-091 ______________________________________________________________________________ PROBLEM: Two vulnerabilities exist in Microsoft's SQLXML. The first vulnerability is an unchecked buffer in an ISAPI extension that could allow an attacker to run code of their choice on Microsoft's IIS Server. The second vulnerability is a function specifying an XML tag that could allow an attacker to run script on a user's computer with higher privileges. PLATFORM: Microsoft SQL Server 2000 DAMAGE: Exploiting these vulnerabilities can lead to an attacker running code of choice, or an attacker to run script on a user's computer, therefore escalating his or her privileges. SOLUTION: Apply appropriate patches as prescribed by Microsoft. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. An administrator must have set up a virtual ASSESSMENT: directory structure and naming used by the SQLXML HTTP components on an IIS Server. An attacker must know the location of the virtual directory on the IIS Server in order to exploit it. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-091.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/ default.asp?url=/technet/security/ bulletin/MS02-030.asp ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS02-030 *****] Microsoft Security Bulletin MS02-030 Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911) Originally posted: June 12, 2002 Summary Who should read this bulletin: System administrators using Microsoft® SQL Server™ 2000. Impact of vulnerability: Two vulnerabilities, the most serious of which could run code of attacker’s choice. Maximum Severity Rating: Moderate Recommendation: System administrators who have enabled SQLXML and enabled data queries over HTTP should install the patch immediately. Affected Software: Microsoft SQLXML, which ships as part of SQL Server 2000 and can be downloaded separately. Technical details Technical description: SQLXML enables the transfer of XML data to and from SQL Server 2000. Database queries can be returned in the form of XML documents which can then be stored or transferred easily. Using SQLXML, you can access SQL Server 2000 using XML through your browser over HTTP. Two vulnerabilities exist in SQLXML: * An unchecked buffer vulnerability in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server. * A vulnerability in a function specifying an XML tag that could allow an attacker to run script on the user’s computer with higher privilege. For example, a script might be able to be run in the Intranet Zone instead of the Internet Zone. Mitigating factors: Unchecked buffer in SQLXML ISAPI extension: * The administrator must have set up a virtual directory structure and naming used by the SQLXML HTTP components on an IIS Server. The vulnerability gives no means for an attacker to obtain the directory structure. * The attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML. Script injection via XML tag: * For an attack to succeed, the user must have privileges on the SQL Server. * The attacker must know the address of the SQL Server on which the user has privileges. * The attacker must lure the user to a website under their control. * Queries submitted via HTTP are not enabled by default. * Microsoft best practices recommends against allowing ad hoc URL queries against the database through a virtual root. * The script will run in the user’s browser according to the IE security zone used to connect with the IIS Server hosting the SQLXML components. In most cases, this will be the Intranet Zone. Severity Rating: Unchecked buffer in SQLXML ISAPI extension: Internet Servers Intranet Servers Client Systems +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Microsoft SQLXML version shipped with SQL Server 2000 Gold Moderate Moderate None +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Microsoft SQLXML version 2 Moderate Moderate None +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Microsoft SQLXML versions 3 Moderate Moderate None +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Script injection via XML tag: Internet Servers Intranet Servers Client Systems +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Microsoft SQLXML version shipped with SQL Server 2000 Gold Moderate Moderate None +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Microsoft SQLXML version 2 Moderate Moderate None +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Microsoft SQLXML versions 3 Moderate Moderate None +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The criticality is reckoned due to the possibility of remotely running code in the security context of the operating system and the possibility of running script on a user’s system with elevated privileges. Vulnerability identifiers: * Unchecked buffer in SQLXML ISAPI extension - CAN-2002-0186 * Script injection via XML tag - CAN-2002-0187 Tested Versions: Microsoft tested the original SQLXML version shipping with SQL Server 2000 Gold as well as SQLXML versions 1, 2 and 3 to assess whether they are affected by this vulnerability. SQLXML version 1 is no longer supported, and should be upgraded to a later version as discussed in the FAQ below. Patch availability Download locations for this patch * Microsoft SQLXML version shipping with SQL 2000 Gold: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39547 * Microsoft SQLXML version 2: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38480 * Microsoft SQLXML version 3: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38481 Additional information about this patch Installation platforms: This patch can be installed on systems running SQL Server 2000 SP2 Inclusion in future service packs: The fix for this issue will be included in SQL Server 2000 SP3. Reboot needed: Yes Superseded patches: None. Verifying patch installation: SQLXML shipping with SQL Server 2000 Gold: * To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q321858 SQLXML Version 2.0: * To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SQLXML 2.0\Q321460 SQLXML Version 3.0: * To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SQLXML 3.0\Q320833 Caveats: None Localization: This patch can be applied on all language versions. Obtaining other security patches: Patches for other security issues are available from the following locations: * Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". * Patches for consumer platforms are available from the WindowsUpdate web site * All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site. Other information: Acknowledgments Microsoft thanks Matt Moore of Westpoint Ltd. for reporting this issue to us and working with us to protect customers. Support: * Microsoft Knowledge Base article Q321911 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. * Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: * V1.0 (June 12, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-030 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-081: SSHD "AllowedAuthentications" Vulnerability M-082: Microsoft Cumulative Patch for Internet Explorer M-083: Microsoft Authentication Flaw in Windows Debugger M-084: Red Hat "pam_ldap" Vulnerability M-085: IMAP Partial Mailbox Attritbute Buffer Overflow Vulnerability M-086: Sun SEA SNMP Vulnerability M-087: SGI IRIX rpc.passwd Vulnerability M-088: MS Unchecked Buffer in Gopher Protocol Handler M-089: MS Heap Overrun in HTR Chunked Encoding Vulnerability M-090: Microsoft Unchecked Buffer in RAS Phonebook Vulnerability