July 31, 2002 at 8:12 pm
New security bulletin about an MDAC vulnerability affecting SQL Server 7.0 and 2000:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-040.asp
This is another buffer overflow discovered by David Litchfield. An attacker must have the ability to execute a query on the server. This isn't as hard as it sounds, especially if an application leaves a server vulnerable to a SQL Injection attack.
A patch is available for MDAC versions 2.5, 2.6, and 2.7.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
@kbriankelley
July 31, 2002 at 8:16 pm
I saw this today too - looks like 3 different patches? They couldn't do an all in one?!
Andy
August 1, 2002 at 3:25 am
What's this "DisallowAdhocAccess option" the FAQ claims is set using "the advanced sp_serveroption" to stop openrowset usage?
I've only got sql7 at work, but can't find it.
August 1, 2002 at 4:55 am
I'm not seeing anything in Books Online about it, though I've been looking, too. I've found how to do it through EM. When you set the provider options, the options you pick get applied to all connections using that provider. So with respect to sources connecting via OLE DB, here's how to set it up:
Start a new linked server connection:
Select the OLE DB Provider (even though we would normally select SQL Server when connecting to another SQL Server, it uses OLE DB):
We want to modify the Provider Options:
The last option disallows adhoc access:
BTW, this workaround is also applicable to Microsoft Security Bulletin 01-032:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-032.asp
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
@kbriankelley
August 1, 2002 at 10:42 am
Thanks, I've fixed that now.
I can't believe that openrowset is available to ALL users by default, and that it isn't restricted to the DSNs set up on the host server...
August 1, 2002 at 11:33 am
It is frightening. Some of the recent vulnerabilities wouldn't be a big deal except permissions default to the public role. Great googlymoogly!
Of course, someone's figured out that if they can get a buffer overflow attack to work, they can deploy a patch which will make SQL Server think everyone is a sysadmin. This was a side point of the weak hashes on the SQL Server login passwords from Litchfield.
I'm thinking neither Microsoft nor Oracle likes this guy very much any more, but he's earnestly going after security holes and giving them a chance to respond.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
@kbriankelley