CERTVU:247545Protegrity Secure.Data for Microsoft SQL Server 2000 contains buffer overflows in extended stored procedures
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
86.9%
Overview
Protegrity Secure.Data for Microsoft SQL Server 2000 includes several extended stored procedures that contain buffer overflow vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary code, gain access to databases, or cause a denial of service.
Description
Protegrity Secure.Data for Microsoft SQL Server 2000 provides access control and encryption for individual data records. Secure.Data interacts with Microsoft SQL Server via extended stored procedures that are part of the Secure.Data Extension Feature (SEF). From Microsoft Knowledge Base Article 190987: “Extended stored procedures provide a way to dynamically load and execute a function within a dynamic-link library (DLL) in a manner similar to that of a stored procedure, seamlessly extending SQL Server functionality.” Extended stored procedures execute under the security context and in the process space of SQL Server. By default, the SQL Server 2000 service runs as a Windows domain user.
Several extended stored procedures (xp_pty_checkusers, xp_pty_insert, and xp_pty_select) included as part of the SEF contain buffer overflow vulnerabilities. These extended stored procedures could be exploited by specially crafted SQL commands.
Impact
A remote attacker could execute arbitrary code with the privileges of the SQL Server process or cause a denial of service. This could give an attacker full access to databases stored on a vulnerable system.
Solution
Upgrade
Protegrity has issued an updated version of protegrity.dll (2.2.3.9) that resolves these vulnerabilities.
Restrict Access
Using firewall or similar technology, restrict direct access to SQL servers to only those hosts and networks that require it. By default, SQL Server 2000 listens on port 1433/tcp. Named/clustered SQL instances may require special configuration. See Microsoft Knowledge Base Article 287932 for more information. Note that this will only limit the possible sources of attacks.
Vendor Information
247545
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Protegrity __ Affected
Notified: January 09, 2003 Updated: March 13, 2003
Status
Affected
Vendor Statement
Vulnerability Note VU#247545
Buffer overflow vulnerability in Protegrity Secure.Data for Microsoft SQL Server
Overview
Protegrity Secure.Data for Microsoft SQL Server 2000 exposes a buffer overflow vulnerability in the Microsoft SQL extended stored procedures xp_pty_checkusers, xp_pty_insert, and xp_pty_select.
I. Description
Here’s an example of a possible buffer overflow situation in which Secure.Data for Microsoft SQL Server 2000 could be vulnerable:
DECLARE @test varchar(8000)
SET @test = (SELECT replicate(‘x’,1926))
execute master.dbo.xp_pty_checkusers ‘as’, @test
DECLARE @test varchar(8000)
SET @test = (SELECT replicate(‘x’,850))
execute master.dbo.xp_pty_insert @test, @test, @test
DECLARE @test varchar(8000)
SET @test = (SELECT replicate(‘x’,850))
execute master.dbo.xp_pty_select @test, @test, @test
II. Impact
A non-privileged user can gain administrative access to the database and cause a denial of service attack.
III. Solution
- The following Secure.Data for SQL Server 2000 releases are affected by this vulnerability.
> Secure.Data version 2.2.2.0 for SQL Server 2000
Secure.Data version 2.2.3.0 for SQL Server 2000
- A patch release is now available for the above mentioned releases. All Protegrity customers having one or both of these releases will automatically receive the patch from our Global Support Team along with installation instructions. Following are the installation instructions for applying the patch to Secure.Data version 2.2.3.0 for SQL Server 2000.
Purpose
This patch release is for Secure.Data Server version 2.2.3.0 for SQL Server 2000. The patch includes a new protegrity.dll file which fixes a buffer overflow vulnerability in the extended store procedures xp_pty_checkusers, xp_pty_insert, and xp_pty_select. (TD4182)
How to check if this patch should be installed
This patch should be installed if the version number of the existing protegrity.dll is less than 2.2.3.9. Follow these simple steps to check the version number of the existing protegrity.dll file.
1. Locate the file protegrity.dll. In a default installation the file is found in C:\Program Files\Protegrity\Secure.Data Server\Cartridge\Lib.
2. Right click on the file and choose Properties.
3. Click on the version tab.
4. If the file has a version less than 2.2.3.9 this patch must be applied. (i.e if the last digit is less than 9.)
How to install the patch
To install the patch the new protegrity.dll must replace the old one:
1. Shut down the Protegrity Secure.Data Server from the Control Panel.
2. Shut down the SQL Server.
3. Replace the old protegrity.dll by copying the new file to the same location as the old. In a default installation the file is found in C:\Program Files\Protegrity\Secure.Data Server\Cartridge\Lib.
4. Start the SQL Server.
5. Start the Protegrity Secure.Data Server.
- Any customers that purchase Protegrity Secure.Data for SQL Server 2000 after 2/21/2003 will not be affected by this vulnerability, as the patch has already been included in a new service release, Secure.Data version 2.2.3.1 for SQL Server 2000.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23247545 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.protegrity.com/The_Secure.Data_Suite.html>
- <http://support.microsoft.com/default.aspx?scid=kb;en-us;287932>
- <http://support.microsoft.com/default.aspx?scid=kb;en-us;243428>
- <http://support.microsoft.com/default.aspx?scid=kb;EN-US;190987>
- <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/odssql/ods_6_con_00_6p9v.asp>
- <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/odssql/ods_6_con_01_9rxv.asp>
Acknowledgements
This vulnerability was reported by .
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2003-0030 |
|---|---|
| Severity Metric: | 7.52 Date Public: |
References
msdn.microsoft.com/library/default.asp?url=/library/en-us/odssql/ods_6_con_00_6p9v.asp
msdn.microsoft.com/library/default.asp?url=/library/en-us/odssql/ods_6_con_01_9rxv.asp
support.microsoft.com/default.aspx?scid=kb;EN-US;190987
support.microsoft.com/default.aspx?scid=kb;en-us;243428
support.microsoft.com/default.aspx?scid=kb;en-us;287932
www.protegrity.com/The_Secure.Data_Suite.html
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
86.9%