Microsoft Security Bulletin MS02-061 provides a cumulative patch for several versions of Microsoft SQL Server and addresses a serious new vulnerability found in this software.
Microsoft reports, “The problem lies in one stored procedure, an extended stored procedure and weak permissions on a table.” Together, these flaws allow an attacker to increase access privileges and modify the way the server reacts to Web requests. Once authenticated at a low level, the attacker can use this vulnerability to modify "Web tasks" or run any existing Web task. (Web tasks extract information from a database and produce a Web page or other HTML document so the user can see the information formatted in a specific way.)
Stored procedures are a group of preset SQL statements that are callable by a single name. They can be viewed as a sort of macro, making it easier to pose frequently used complex SQL queries to a database. The stored procedures involved in this vulnerability are collections of compiled Transact-SQL statements. Transact-SQL is the primary programming language used as an interface between applications and the SQL Server database.
An extended stored procedure (ESP) allows programmers and administrators to create customized external routines in C or C#. These ESPs work the same way as stored procedures, and to other users, they appear to be simply another stored procedure. Web tasks are a system-stored procedure.
NGSSoftware discovered this vulnerability and reported it to Microsoft on August 23. Its advisory provides details of the threat. Xp_runwebtask fails to set permissions properly, and the Web tasks’ permissions table msdb.dbo.mswebtasks is set improperly, allowing "PUBLIC" too many privileges. By updating a Web task belonging to an owner with high privileges and running the task through xp_runwebtask, an attacker can elevate his or her privileges and run commands or become a member of the SYSADMIN group.
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
- Microsoft Data Engine (MSDE) 1.0
- Microsoft Desktop Engine 2000
Microsoft describes the new vulnerability fixed by this cumulative patch as the only critical threat for servers. The flaw has no direct affect on client systems. Depending on who or, more particularly, on how many people have authorized access to your SQL servers, this may or may not be a big threat for your organization. The more tightly controlled your access is, the lower the threat. Of course, the magnitude of the threat also depends on how you use SQL Server.
The main mitigating factor here is that if you aren’t using Web tasks, there is no real risk. This attack can succeed only by initially exploiting existing Web tasks. Another mitigating factor, although I consider it less comforting, is that the attacker has to be an authenticated user. Lots of hacking is regularly done by company insiders, so the mere fact that someone has to have access to the SQL Server at some level isn’t a major safety element, especially since this vulnerability allows users to elevate their privileges.
Fix—apply the patch
Microsoft provides links to patches for SQL Server 7.0 and SQL Server 2000 in MS02-061. Since these links may change over time, I won't include them here. The links provided in the security bulletin are to service packs, and you need to read the associated information to see what each one involves, what is included and what isn’t, and what sequence you must use to apply some of the patches.
Considering how simple fixing this vulnerability appears to be, Microsoft took quite a while to repair it. Nevertheless, if your organization relies on SQL Server, you need to check out this bulletin to determine whether your data could be at risk.