Security Intelligence Operations - Cisco Systems

Microsoft SQL Server Convert Function Buffer Overflow Vulnerability

Vulnerability Alert (powered by Cisco Security IntelliShield Alert Manager)

Threat Type: Unintended Weakness: Buffer Overflow
IntelliShield ID: 16189
Version: 1
First Published: July 08, 2008 03:38 PM EDT
Last Published: July 08, 2008 03:38 PM EDT
Vector: Network
Authentication: None
Exploit: Unproven
Port: Not Available
CVE: CVE-2008-0086

Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2)
CVSS Temporal: 6.9
 
Version Summary:

Microsoft SQL Server 2000 contains a buffer overflow vulnerability in the convert() function that could allow an attacker to execute arbitrary code with the privileges of the SQL Server process. Direct exploitation requires authenticated access to the database; an unauthenticated, remote attacker could reach the function through an application, such as a web application, that passes user-supplied input to it. An update is available.

 
 
Description

Microsoft SQL Server 2000 and Microsoft SQL Server 2000 Desktop Engine contain a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the affected SQL Server process. Direct exploitation requires database authentication, but the attack can be delivered remotely and without authentication through an application that passes user input to the affected function.

This vulnerability exists due to insufficient bounds checking on the size of the input passed to the convert() function. An attacker could exploit this vulnerability by sending a SQL statement that submits overly large input to the function, which could trigger a buffer overflow. An attacker could leverage the resulting memory corruption to execute arbitrary code.

Microsoft confirmed this vulnerability in a security bulletin and released software updates.

 
Warning Indicators

The following Microsoft SQL Server products are affected:

  • Microsoft SQL Server 2000 SP4 and prior
  • Microsoft SQL Server 2000 Itanium-based Edition SP4 and prior
  • Microsoft SQL Server 2000 Desktop Engine SP4 and prior
 
IntelliShield Analysis

An attacker must authenticate to an affected database application to directly exploit this vulnerability. If an application, such as a web application, is linked to an affected SQL Server, an attacker may be able to leverage SQL injection attacks to supply malformed input to the back-end database. The attacker could exploit the vulnerability to execute arbitrary code with the privileges of the affected SQL Server process. Because SQL Server 2000 installations may be configured to use Local System privileges, a successful exploit may result in a complete system compromise.

If the convert() function is exposed on websites or other network-accessible applications and an attacker can identify a method of directing input to the affected function, the attacker could exploit this vulnerability remotely and without authentication. However, this exploit scenario is highly dependent on site configuration.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities disclosed in this month's Microsoft security bulletin release that can be identified or mitigated using Cisco devices. This Cisco bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2008

The update available from Microsoft corrects this vulnerability by properly allocating memory areas to prevent a buffer overflow.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS08-040

 
Impact

An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the affected SQL Server process; where that process runs as Local System, this results in complete system compromise. Direct exploitation requires database authentication, but the attack can be delivered remotely and without authentication through an application that passes user-supplied data to convert().

 
Technical Information

This vulnerability exists because Microsoft SQL Server 2000 fails to properly limit the size of the input passed to the convert() function. CONVERT is the Transact-SQL function that converts an expression from one data type to another, including the formatting of date and time values. No security restriction limits access to the function, so any authenticated database user can call it. If an application, such as a web application, that is tied to an affected SQL Server allows user-supplied data to reach convert(), an unauthenticated, remote attacker can exploit the vulnerability as well, by sending a request designed to submit overly large input to the function. Processing the request could overflow a buffer and corrupt process memory, which the attacker could leverage to execute arbitrary code with the privileges of the SQL Server process.
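The injection path described in the IntelliShield Analysis and Technical Information sections, as an added example that is not part of the Cisco alert or of Microsoft's bulletin: a Python fragment of a hypothetical web application that builds a Transact-SQL query around CONVERT(). The unsafe builder splices the user's date string into the statement text, so a caller who holds no database credentials can both change the statement and choose what reaches convert(); the hardened builder validates the value as a strict MM/DD/YYYY date and then binds it as a parameter. The `events` table, the `?` placeholder (ODBC/pyodbc style) and the REPLICATE length of 8000 are assumptions; the alert does not state how large the input to convert() must be to overflow, and no database connection is made here.

```python
import re
from datetime import datetime

# Constructed attacker input for a "date" form field. The quotes break out of the
# string literal and T-SQL string concatenation (+) hands convert() an 8000-byte value.
# 8000 is an arbitrary size for the demonstration, not a figure from the alert.
INJECTED_VALUE = "' + REPLICATE('A', 8000) + '"

# MM/DD/YYYY, the format that style 101 in CONVERT(datetime, <value>, 101) expects.
US_DATE_RE = re.compile(r"(0[1-9]|1[0-2])/(0[1-9]|[12][0-9]|3[01])/(19|20)[0-9]{2}")


def build_query_unsafe(user_date: str) -> str:
    """VULNERABLE: user input is spliced into the statement text (hypothetical 'events' table)."""
    return ("SELECT event_id FROM events WHERE start_date = "
            "CONVERT(datetime, '" + user_date + "', 101)")


def validate_us_date(user_date: str) -> str:
    """Accept only a well-formed calendar date of exactly 10 characters, else raise ValueError."""
    if len(user_date) != 10 or not US_DATE_RE.fullmatch(user_date):
        raise ValueError("date must be MM/DD/YYYY")
    datetime.strptime(user_date, "%m/%d/%Y")  # rejects impossible dates such as 02/30/2008
    return user_date


def build_query_safe(user_date: str):
    """Hardened: validate first, then bind the value as a parameter ('?' is the ODBC placeholder).

    Binding keeps the attacker from altering the statement, but a bound parameter still
    reaches convert() as data; the length and format check is what bounds the input.
    """
    value = validate_us_date(user_date)
    sql = "SELECT event_id FROM events WHERE start_date = CONVERT(datetime, ?, 101)"
    return sql, (value,)


def rejects(user_date: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_query_safe(user_date)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", build_query_unsafe(INJECTED_VALUE))
    print("safe  :", build_query_safe("07/08/2008"))
    print("safe rejects injected value:", rejects(INJECTED_VALUE))
```

Running the script shows the unsafe statement arriving at the server as `CONVERT(datetime, '' + REPLICATE('A', 8000) + '', 101)`, an 8000-character argument to convert() chosen entirely by an anonymous web user, while the hardened builder raises before any SQL is produced.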

 
Safeguards

Administrators are advised to apply the appropriate software updates.

Administrators are advised to restrict network access to affected systems.

Administrators are advised to restrict access to the affected database software.

Administrators are advised to audit the use of the affected function on exposed websites and applications, in particular any code path that passes user-supplied data to convert().
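One way to carry out the audit above on the database side, as an added example that is not part of the Cisco alert: a Python script that scans stored procedure definitions (as exported from syscomments or INFORMATION_SCHEMA.ROUTINES in SQL Server 2000) for CONVERT() calls whose value argument comes from a string-typed procedure parameter, and separately flags procedures that build dynamic SQL, where a CONVERT call cannot be seen statically. The three procedure definitions are constructed for the example; the split of the procedure header at the first `AS` and the list of string types are heuristics, not a full T-SQL parser.

```python
import re

# Constructed sample definitions, in the form returned by
# SELECT ROUTINE_NAME, ROUTINE_DEFINITION FROM INFORMATION_SCHEMA.ROUTINES
SAMPLE_ROUTINES = {
    "dbo.usp_GetEventsByDate": """
        CREATE PROCEDURE dbo.usp_GetEventsByDate @d varchar(8000) AS
        SELECT event_id FROM events WHERE start_date = CONVERT(datetime, @d, 101)
    """,
    "dbo.usp_Report": """
        CREATE PROCEDURE dbo.usp_Report @fmt int AS
        SELECT CONVERT(varchar(30), GETDATE(), @fmt)
    """,
    "dbo.usp_Search": """
        CREATE PROCEDURE dbo.usp_Search @q nvarchar(4000) AS
        DECLARE @sql nvarchar(4000)
        SET @sql = N'SELECT * FROM events WHERE note LIKE ''%' + @q + '%'''
        EXEC(@sql)
    """,
}

CONVERT_RE = re.compile(r"\bCONVERT\s*\(", re.IGNORECASE)
PARAM_RE = re.compile(r"@\w+")
DYNSQL_RE = re.compile(r"\bEXEC(UTE)?\s*\(|\bsp_executesql\b", re.IGNORECASE)
STRING_PARAM_RE = re.compile(r"(@\w+)\s+(n?(?:var)?char|n?text)\b", re.IGNORECASE)


def convert_args(text):
    """Return the raw argument text of every CONVERT(...) call, honouring nested parentheses."""
    found = []
    for m in CONVERT_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        found.append(text[m.end():i - 1].strip())
    return found


def split_top_level(arg_text):
    """Split an argument list on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in arg_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def declared_string_params(definition):
    """Names of (n)char/(n)varchar/(n)text parameters declared before the procedure body (heuristic)."""
    header = re.split(r"\bAS\b", definition, maxsplit=1, flags=re.IGNORECASE)[0]
    return {m.group(1).lower() for m in STRING_PARAM_RE.finditer(header)}


def audit(routines):
    """Per routine: number of CONVERT calls, the value arguments fed by string parameters, dynamic SQL use."""
    report = {}
    for name, definition in routines.items():
        string_params = declared_string_params(definition)
        calls = [split_top_level(a) for a in convert_args(definition)]
        tainted = []
        for args in calls:
            if len(args) < 2:  # CONVERT(data_type, expression [, style]); nothing to taint
                continue
            refs = {p.lower() for p in PARAM_RE.findall(args[1])}
            if refs & string_params:
                tainted.append(args[1])
        report[name] = {
            "convert_calls": len(calls),
            "tainted_convert_args": tainted,
            "dynamic_sql": bool(DYNSQL_RE.search(definition)),
        }
    return report


if __name__ == "__main__":
    for routine, findings in audit(SAMPLE_ROUTINES).items():
        print(routine, findings)
```

On the sample, usp_GetEventsByDate is reported with convert() fed directly by its varchar(8000) parameter, usp_Report's call takes only GETDATE() and an int style and is not flagged, and usp_Search has no visible CONVERT call but executes concatenated dynamic SQL and therefore needs manual review. Callers of the flagged procedures in the web tier are the places to add the input validation the Safeguards section calls for.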

 
Patches/Software

Microsoft has released updated software at the following links:

  • GDR Software Updates
  • QFE Software Updates
  • Windows Components


Signatures

Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Signature ID: 6967/0 | Name: Microsoft SQL Server Privilege Elevation | Release: S344 | Date: 07/09/2008
 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
  • Microsoft, Inc. / Microsoft SQL Server Desktop Engine (MSDE): 2000 Base, SP1, SP2, SP3, SP4
  • Microsoft, Inc. / SQL Server: 2000 Base, SP1, SP2, SP3, SP3a, SP4 | 2000 (Itanium) Base, SP1, SP2, SP3, SP4

Associated Products:
  • Microsoft, Inc. / Windows 2000: Advanced Server Base, SP1, SP2, SP3, SP4 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
  • Microsoft, Inc. / Windows Server 2003: Datacenter Edition Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.