Microsoft Security Bulletin (MS00-092)
   
   Patch Available for "Extended Stored Procedure Parameter Parsing"
   Vulnerability
   
   Originally posted: December 01, 2000
   
Summary

   Microsoft has released a patch that eliminates a security
   vulnerability in Microsoft® SQL Server and Microsoft SQL Server
   Desktop Engine (MSDE). The vulnerability could enable a malicious user
   to run code on the server, subject to a number of restrictions.
   
   Frequently asked questions regarding this vulnerability and the patch
   can be found at
   https://www.microsoft.com/technet/security/bulletin/fq00-092.asp
   
Issue

   Extended Stored Procedures (XPs) are DLLs that can be installed by a
   SQL Server administrator to provide enhanced functionality within SQL
   Server. An API provided by SQL Server to parse input parameters for
   XPs, srv_paraminfo(), has a flaw that could result in a buffer overrun
   condition. The API is designed to locate the nth parameter in a
   string, and put it into a buffer provided by the XP. By design, the
   API does not provide a way for the XP to indicate the length of the
   buffer instead, the XP is expected to ensure that the buffer will be
   large enough to hold the parameter. However, not all XPs provided by
   default in SQL Server perform this checking. A malicious user who
   provided a sufficiently-long parameter to an affected XP could cause a
   buffer overrun within srv_paraminfo, in order to either cause the SQL
   Server to fail, or to cause code of her choice to execute.
   
   There are two scenarios whereby a malicious user might seek to exploit
   the vulnerability:
     * First, she might try to attack a SQL Server directly, by logging
       onto it and calling an XP. However, she could only do this if she
       could successfully authenticate to the SQL Server.
     * Alternatively, she could try to attack a database server that
       served as a back-end to a web server, by providing
       carefully-chosen inputs to the web application. However, XPs are
       rarely used by web applications. Even if a web application did use
       an XP, she would need detailed knowledge of the design of the web
       application in order to feed it parameters that would pass to an
       XP, and thence to srv_paraminfo() in such a way as to exploit the
       unchecked buffer.
       
   As a result of these restrictions, it is likely that this
   vulnerability would be most useful to a malicious user who had already
   compromised a web server and become a valid SQL Server user on the
   back-end server. If the malicious user did succeed in running code on
   the server, it would run in the security context of the SQL Server
   service account. If best practices have been followed, this account
   would have only normal user privileges on the machine. In this case,
   the malicious users code could take any desired action against the
   database, but would not gain administrative control of the machine.
   
   The patch works by changing all default XPs to allocate a correctly
   sized buffer before calling srv_paraminfo(). This approach was chosen
   over modifying srv_paraminfo() because the latter course of action
   would have introduced backward compatibility problems. Microsoft
   recommends that any third-party XPs that call srv_paraminfo() also be
   checked to ensure that they do so correctly. (The Knowledge Base
   article referenced below provides information on how to do this.)
   
Affected Software Versions

     * Microsoft SQL Server 7.0
     * Microsoft SQL Server 2000
     * Microsoft Data Engine 1.0 (MSDE 1.0)
     * Microsoft SQL Server Desktop Engine 2000 (MSDE 2000)
       
   Note: MSDE 1.0 was released with SQL Server 7.0. MSDE 2000 was
   released with SQL Server 2000.
   
Patch Availability

     * https://support.microsoft.com/support/sql/xp_security.asp
       
   Note: The SQL Server 7.0 patch can be applied atop Service Pack 2. It
   will be included in SQL Server 7.0 Service Pack 3.
   
   Note: The SQL Server 2000 patch can be applied atop SQL Server 2000.
   It will be included in SQL Server 2000 Service Pack 1.
   
   Note Additional security patches are available at the Microsoft
   Download Center 
   
More Information

   Please see the following references for more information related to
   this issue.
     * Frequently Asked Questions: Microsoft Security Bulletin MS00-092,
       https://www.microsoft.com/technet/security/bulletin/fq00-092.asp
     * Microsoft Knowledge Base (KB) article Q280380,
       https://www.microsoft.com/technet/support/kb.asp?ID=280380
     * Microsoft TechNet Security web site,
       https://www.microsoft.com/technet/security/default.asp
       
Obtaining Support on this Issue

   This is a fully supported patch. Information on contacting Microsoft
   Product Support Services is available at
   https://support.microsoft.com/support/contact/default.asp.
   
Acknowledgments

   Microsoft thanks  David Litchfield and Chris Anley of @stake for
   reporting this issue to us and working with us to protect customers.
   
Revisions

     * December 01, 2000: Bulletin Created.
       
   THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
   "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
   WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
   SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
   WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
   OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
   OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
   CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
   NOT APPLY.
   [spacer.gif] Send this document
   to a colleague [spacer.gif]
   [spacer.gif]
   Printer-friendly
   version
   
   [contact.gif] Contact Microsoft Security
   
     Last updated December 1, 2000
     © 2000 Microsoft Corporation. All rights reserved. Terms of use.