Security Intelligence Operations

Microsoft SQL Server, Desktop Engine, and Windows Internal Database contain a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code with the privileges of the affected SQL Server process.

This vulnerability exists due to insufficient validation on certain types of files.  An authenticated, remote attacker could exploit this vulnerability by placing a malicious file on an affected system and then utilizing a SQL statement to cause the affected service to process the file.  Memory corruption resulting from the error could allow the attacker to execute arbitrary code with elevated privileges.

Microsoft has confirmed this vulnerability in a security bulletin and released software updates that correct it.

The following Microsoft applications are vulnerable:

• Microsoft SQL Server 7.0 SP4 and prior
• Microsoft SQL Server 2000 SP4 and prior
• Microsoft SQL Server 2000 Itanium-based Edition SP4 and prior
• Microsoft SQL Server 2005 SP2 and prior
• Microsoft SQL Server 2005 x64 Edition SP2 and prior
• Microsoft SQL Server 2005 for Itanium-based Systems SP2 and prior 
• Microsoft Data Engine (MSDE) 1.0 SP4 and prior
• Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4 and prior
• Microsoft SQL Server 2005 Express Edition SP2 and prior
• Microsoft SQL Server 2005 Express Edition with Advanced Services SP2 and prior
• Microsoft SQL Server 2000 Desktop Engine (WMSDE)
• Windows Internal Database (WYukon) SP2 and prior
• Windows Internal Database (WYukon) x64 Edition SP2 and prior

Attackers require credentials sufficient to authenticate to the affected SQL Server and place a file on the affected system in order to exploit this vulnerability.  The attacker may also require access to internal networks to connect to an affected system.  These access requirements may restrict the source of potential attacks.  If an exploit is successful, the attacker could execute arbitrary code with the privileges of the affected SQL Server process.  By default, SQL Server 2005 does not run with System privileges.  An exploit against that version would likely not result in a system compromise, but could allow an attacker to gain complete control over an affected SQL Server. Other versions may default to Local System privileges, and therefore a successful exploit in such cases may result in a complete system compromise.

If a facility is exposed on websites or other network-accessible applications that allow an unauthenticated user to access the vulnerable application, and if an attacker can identify a method of placing a file and directing input to the affected SQL Server, the attacker could exploit the vulnerability remotely and without authentication.  However, this exploit scenario is highly dependent on site configuration.  An attacker may be able to bypass the authentication requirement by leveraging an unrelated SQL injection vulnerability in a web application hosted on a Microsoft SQL Server.  In this manner, the attacker may be able to place a malicious file on the server.  Due to the recent rise in SQL injection attacks, administrators should take care to mitigate this vulnerability in affected systems.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities disclosed in this month's Microsoft security bulletin release that can be identified or mitigated using Cisco devices. This Cisco bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2008

The update from Microsoft corrects this vulnerability by properly validating files loaded by the affected application.

Microsoft has released a security bulletin at the following link: MS08-040