SQL Server Privilege Level Flaw Fixed

A potentially dangerous vulnerability has been detected in several versions
of Microsoft’s SQL Server product and the company is
warning system administrators that an intruder could use the flaw to elevate
privilege levels.

In a security bulletin issued Thursday, Microsoft released patches to plug
holes in SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0
and SQL Server 2000 Desktop Engine (MSDE 2000).

It is the second major fix to the SQL Server software this month, and
Microsoft said the current patch is in addition to, not a replacement for,
the cumulative patch issued in early October for the SQL Server 7.0 and 2000
products.

In describing the latest vulnerability as “critical,” Microsoft said it
would allow low-privilege users on the server to elevate privilege levels
and make unauthorized changes to tasks created by other users.

“An attacker who is able to authenticate to a SQL server could delete,
insert or update all the web tasks created by other users. In addition, the
attacker could run already created web tasks in the context of the creator
of the web task,” the company warned.

The bug, which was reported to Microsoft by Next Generation Security
Software Ltd. (NGSS), stems from an extended stored procedure and weak
permissions on a table; the two combine to allow the unauthorized elevation
of privileges.

SQL Server supplies stored procedures for managing the server and for
displaying information about databases and users. Microsoft said the flaw
made it possible for an attacker to execute an extended stored procedure
that runs Web tasks, which are scheduled jobs that generate HTML pages from
query results.

“Since anyone who could authenticate to the SQL Server could run this stored
procedure, it is possible for an attacker to run previously stored web tasks
in the context of the person who created them, thereby potentially elevating
his or her privileges,” it warned.
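The following T-SQL audit script is an added example for the permission problem described above; it is not from the article or from Microsoft's bulletin. The article does not name the extended stored procedure or the table, so the script assumes the pair commonly associated with this fix, xp_runwebtask in master and the mswebtasks table in msdb; confirm both names against the bulletin for your version before relying on the output. It uses sp_helprotect, present in SQL Server 7.0 and 2000, to list who holds EXECUTE on the procedure and INSERT/UPDATE/DELETE on the table, repeats the table check against the system tables so it can be scripted across many servers, and ends with an interim mitigation. The patch remains the supported fix; the REVOKE statements are only for servers that cannot be patched immediately.

```sql
-- Added example, not from the article or from Microsoft's bulletin.
-- Assumed object names (the article does not give them):
--   master..xp_runwebtask   extended stored procedure that runs web tasks
--   msdb..mswebtasks        table holding each user's web task definitions
-- Run as a member of sysadmin on SQL Server 7.0 / 2000.

-- 1. Who may execute the procedure that runs web tasks?
--    EXECUTE granted to 'public' means any login that can authenticate
--    can run every stored web task in its creator's security context.
USE master;
EXEC sp_helprotect @name = 'xp_runwebtask';

-- 2. Who may change rows in the web task table?
--    INSERT/UPDATE/DELETE granted to 'public' lets any login rewrite the
--    command stored in another user's task before step 1 runs it.
USE msdb;
EXEC sp_helprotect @name = 'mswebtasks';

-- 3. The same table check against the system tables, filtered to 'public',
--    for scripting across many servers. Any row returned is a finding.
--    sysprotects.action: 195 INSERT, 196 DELETE, 197 UPDATE, 224 EXECUTE.
--    sysprotects.protecttype: 204 GRANT WITH GRANT, 205 GRANT, 206 DENY.
SELECT  o.name AS object_name,
        u.name AS grantee,
        CASE p.action
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
        END AS permission,
        CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS kind
FROM    msdb..sysprotects p
JOIN    msdb..sysobjects  o ON o.id  = p.id
JOIN    msdb..sysusers    u ON u.uid = p.uid
WHERE   o.name = 'mswebtasks'
  AND   p.action IN (195, 196, 197)
  AND   p.protecttype <> 206
  AND   u.name = 'public';

-- 4. Interim mitigation when the patch cannot be applied yet. This removes
--    the Web Assistant from logins that legitimately used it; re-grant to
--    those specific users afterwards. Apply the patch as the real fix.
USE msdb;
REVOKE INSERT, UPDATE, DELETE ON mswebtasks FROM public;
USE master;
REVOKE EXECUTE ON xp_runwebtask FROM public;
```

Run steps 1 to 3 before and after patching: a patched server should show no GRANT rows for public on the table, and the procedure should no longer be runnable by arbitrary logins. If step 3 still returns rows after the patch, check for a role or explicit GRANT added locally rather than assuming the patch failed.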

Earlier this month, Microsoft's cumulative patch for SQL Server fixed an
unchecked buffer in a SQL Server 2000 authentication function, an unchecked
buffer in the database console commands (DBCC) and a flaw in output file
handling for scheduled jobs.

Back in August, CERT issued a warning
that several vulnerabilities were detected in Microsoft SQL Server 7.0,
Microsoft SQL Server 2000, and Microsoft SQL Server Desktop Engine 2000
products. Those flaws allowed remote attackers to obtain sensitive
information, alter database content, compromise SQL servers, and, in some
configurations, compromise server hosts. Microsoft also issued patches for
those vulnerabilities.

Microsoft also issued two more security bulletins on Thursday to fix vulnerabilities in its popular Word and Excel applications and for the Windows XP operating system.

The patch for the Word and Excel applications fixes a vulnerability that allows an attacker to use field codes and external updates to steal information from a user.

“Certain events can trigger field codes and external updates to be updated, such as saving a document or the user manually updating the links. Normally the user would be aware of these updates occurring; however, a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user’s local computer,” the company warned.

Affected software includes MS Word 2002, MS Word 2000, MS Word 97, MS Word 98, MS Word X for Macintosh, MS Word 2001 for Macintosh, MS Word 98 for Macintosh and MS Excel 2002. Microsoft gave the bug a “moderate” rating and noted that most of the patches require the latest service pack to be installed first.

Another fix was issued to plug a hole in the Windows XP version of Help and Support Center.

“An attacker could exploit the vulnerability by constructing a web page that, when opened, would call an errant function in the XP Support Center and supply the name of an existing file or folder as the argument,” the company said. It warned that the attempt to upload the file or folder would fail, but the file would nevertheless be deleted. “The page could be hosted on a web site in order to attack users visiting the site, or could be sent as an HTML mail in order to attack the recipient when it was opened,” according to the advisory.

The vulnerability would not enable an attacker to take any action other than deleting files. It would not grant any form of administrative control over the system, nor would it enable the attacker to read or modify files.

Customers who have applied Windows XP Service Pack 1 are at no risk from the vulnerability.