Database administrators using Microsoft’s SQL Server software need to know that their installation is vulnerable to an attack based on an unchecked buffer in the ad hoc query feature. This issue is covered in Microsoft Security Bulletin MS02-007.

The problem
SQL Server 7.0 and 2000 both feature the ability to access data from remote servers on an as-needed basis through low-level OLE DB. Unfortunately, an unchecked buffer has been found in the way OLE DB provider names are handled during ad hoc query connections to external databases.

This buffer overrun concerns the provider names supplied in ad hoc connections, which SQL Server uses to reach remote data sources that are accessed only occasionally and so are not defined as part of the regular database configuration. Such connections are common in data warehousing, where no permanent linked server is set up for some data sources but they still need to be reached from time to time.

Because the provider name passed in these queries is not length-checked, an overlong value can overwrite memory in the server process. An arbitrary overlong value simply crashes the service; this does no damage to the database or the server, but the service must be restarted. A carefully constructed value, however, may let an attacker pass commands directly to the server.

Threat level—moderate
Microsoft rates the threat as moderate for SQL Server 7.0 and 2000 alike, but the damage potential is severe where servers are not properly configured.

A buffer overrun can be used to crash the server with relative ease and without an attacker knowing any details about the system. Alternatively, knowledgeable attackers could penetrate the system through exploitation of this unchecked buffer, allowing them to run any arbitrary code on the server. Severe damage is possible, including altering data in the database without leaving any trace or even reformatting the hard drives of the server.

A Web site operating as a database front end that is configured to process arbitrary queries could provide a path for system penetration using this unchecked buffer.

Mitigating circumstances
The potential damage from this flaw depends entirely on the security settings of the server. By default, SQL Server installs to run with the privileges of a domain user account. An administrator following good practice leaves that default in place, so anything gained through this vulnerability is limited to what a domain user can do, which is very little. The flaw only lets an attacker act with those permissions; it does not, by itself, bypass any existing security settings.

Also, a well-configured system won’t permit users to execute arbitrary queries, and Web-based (or other easily accessible) databases should definitely have well-designed filters that are applied to all queries. If inputs are properly filtered, a system isn’t vulnerable to these attacks even if the patch isn’t installed.
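The filtering described above can be made concrete at the application layer. The following is an added example, not code from the original article or from Microsoft: a small screen that a web front end can apply to every query before it is forwarded to SQL Server. It refuses the ad hoc distributed-query functions (OPENROWSET and OPENDATASOURCE in T-SQL, the functions whose provider-name argument MS02-007 concerns) unless the caller explicitly opts in, and when they are allowed it requires the provider name to be short and on an allow-list. The provider allow-list, the 64-character cap, the `lookup_query` function and the sample queries are constructed for this example.

```python
import re
from typing import Tuple

# Constructed allow-list of OLE DB provider names this front end may name in an
# ad hoc connection. Anything else is refused before it reaches SQL Server.
ALLOWED_PROVIDERS = frozenset({"SQLOLEDB", "MSDASQL", "Microsoft.Jet.OLEDB.4.0"})

# Hard cap on a provider-name argument (assumed value). Real provider names are
# short; a value anywhere near this length is not a provider name.
MAX_PROVIDER_NAME_LEN = 64

# The two ad hoc distributed-query functions; the first argument of either is
# the provider name, written as a quoted string literal.
AD_HOC_CALL = re.compile(
    r"\b(OPENROWSET|OPENDATASOURCE)\s*\(\s*'([^']*)'", re.IGNORECASE)
AD_HOC_ANY = re.compile(r"\b(OPENROWSET|OPENDATASOURCE)\b", re.IGNORECASE)

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT = re.compile(r"--[^\n]*")


def normalize(sql: str) -> str:
    """Strip T-SQL comments and collapse whitespace so that a keyword check
    cannot be defeated by inserting comment tokens or line breaks."""
    sql = BLOCK_COMMENT.sub(" ", sql)
    sql = LINE_COMMENT.sub(" ", sql)
    return " ".join(sql.split())


def provider_name_ok(name: str) -> bool:
    """A provider name is acceptable only if it is short and allow-listed."""
    return len(name) <= MAX_PROVIDER_NAME_LEN and name in ALLOWED_PROVIDERS


def screen_query(sql: str, allow_ad_hoc: bool = False) -> Tuple[bool, str]:
    """Decide whether a query text may be forwarded to SQL Server.

    Returns (accepted, reason). Ad hoc distributed queries are refused outright
    unless the caller opts in; when they are allowed, every provider-name
    argument must pass provider_name_ok().
    """
    text = normalize(sql)
    keywords = AD_HOC_ANY.findall(text)
    if not keywords:
        return True, "no ad hoc distributed query present"
    if not allow_ad_hoc:
        return False, "ad hoc distributed queries are not permitted from this front end"
    calls = AD_HOC_CALL.findall(text)
    if len(calls) != len(keywords):
        # A keyword whose first argument is not a plain literal: refuse, do not guess.
        return False, "ad hoc call whose provider argument is not a plain string literal"
    for func, provider in calls:
        if not provider_name_ok(provider):
            return False, (f"{func.upper()} names a provider that is not permitted "
                           f"({len(provider)} chars)")
    return True, "ad hoc call uses an allow-listed provider"


def lookup_query(customer_id: int) -> Tuple[str, tuple]:
    """The front end's own statements never splice user input into SQL text;
    values travel as parameters, so no user-controlled string can become a
    provider name or any other part of the statement."""
    return "SELECT name, balance FROM customers WHERE id = ?", (int(customer_id),)


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "plain": "SELECT name FROM customers WHERE region = 'west'",
    "ad_hoc_ok": "SELECT * FROM OPENROWSET('SQLOLEDB', 'srv';'u';'p', 'SELECT 1')",
    "ad_hoc_long": "SELECT * FROM OPENROWSET('" + "A" * 600 + "', 'x', 'SELECT 1')",
    "ad_hoc_split": "SELECT * FROM OPENDATASOURCE/**/('Unknown.Provider', 'x').db.dbo.t",
}

if __name__ == "__main__":
    for label, sql in SAMPLES.items():
        accepted, reason = screen_query(sql, allow_ad_hoc=True)
        print(f"{label:13s} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

The default of refusing ad hoc queries altogether is the setting most front ends should keep; the opt-in path exists for the data-warehousing case the article describes, and even there the provider name is constrained to a known set rather than merely length-limited, so the check stays meaningful after the patch is applied.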

This threat exists in Microsoft SQL Server 7.0 and Microsoft SQL Server 2000. Microsoft doesn’t support earlier versions and therefore has no comment on whether they may be vulnerable to this threat.

The Microsoft patch corrects the faulty checking of the queries, so it shouldn’t alter the operation of the server. The SQL Server 7.0 patch is available in the SQL Server 7.0 Cumulative Security patch. The SQL Server 2000 patch is available in the SQL Server 2000 Cumulative Security patch.