M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
INFORMATION BULLETIN
M-091: Microsoft Unchecked Buffer in SQLXML Vulnerability
[Microsoft Security Bulletin MS02-030]
June 13, 2002 19:00 GMT
PROBLEM:
Two vulnerabilities exist in Microsoft's SQLXML. The first is an unchecked buffer in an ISAPI extension that could allow an attacker to run code of their choice on a Microsoft IIS server. The second lies in a function specifying an XML tag and could allow an attacker to run script on a user's computer with higher privileges.

PLATFORM:
Microsoft SQL Server 2000

DAMAGE:
Exploiting these vulnerabilities could allow an attacker to run code of their choice on the IIS server, or to run script on a user's computer with elevated privileges.

SOLUTION:
Apply the appropriate patches as prescribed by Microsoft.

VULNERABILITY ASSESSMENT:
The risk is MEDIUM. An administrator must have set up the virtual directory structure and naming used by the SQLXML HTTP components on an IIS server, and an attacker must know the location of that virtual directory on the IIS server in order to exploit it.

[***** Start Microsoft Security Bulletin MS02-030 *****]
Microsoft Security Bulletin MS02-030
Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Originally posted: June 12, 2002
Summary
Who should read this bulletin: System administrators using Microsoft®
SQL Server™ 2000.
Impact of vulnerability: Two vulnerabilities, the most serious of which could allow an
attacker to run code of their choice.
Maximum Severity Rating: Moderate
Recommendation: System administrators who have enabled SQLXML and enabled data
queries over HTTP should install the patch immediately.
Affected Software:
Microsoft SQLXML, which ships as part of SQL Server 2000 and can be downloaded
separately.
Technical details
Technical description:
SQLXML enables the transfer of XML data to and from SQL Server 2000. Database
queries can be returned in the form of XML documents which can then be stored or
transferred easily. Using SQLXML, you can access SQL Server 2000 using XML
through your browser over HTTP.
Two vulnerabilities exist in SQLXML:
- An unchecked buffer vulnerability in an ISAPI extension that could, in the worst
case, allow an attacker to run code of their choice on the Microsoft Internet
Information Services (IIS) Server.
- A vulnerability in a function specifying an XML tag that could allow an attacker
to run script on the user’s computer with higher privilege. For example, a script
might be able to be run in the Intranet Zone instead of the Internet Zone.
Mitigating factors:
Unchecked buffer in SQLXML ISAPI extension:
- The administrator must have set up a virtual directory structure and naming used by
the SQLXML HTTP components on an IIS Server. The vulnerability gives no means for an
attacker to obtain the directory structure.
- The attacker must know the location of the virtual directory on the IIS Server that
has been specifically set up for SQLXML.
Script injection via XML tag:
- For an attack to succeed, the user must have privileges on the SQL Server.
- The attacker must know the address of the SQL Server on which the user has privileges.
- The attacker must lure the user to a website under their control.
- Queries submitted via HTTP are not enabled by default.
- Microsoft best practices recommend against allowing ad hoc URL queries against the
database through a virtual root.
- The script will run in the user’s browser according to the IE security zone used to
connect with the IIS Server hosting the SQLXML components. In most cases, this will be
the Intranet Zone.
Severity Rating:
Unchecked buffer in SQLXML ISAPI extension:

                                                 Internet Servers  Intranet Servers  Client Systems
  Microsoft SQLXML version shipped with
    SQL Server 2000 Gold                         Moderate          Moderate          None
  Microsoft SQLXML version 2                     Moderate          Moderate          None
  Microsoft SQLXML version 3                     Moderate          Moderate          None

Script injection via XML tag:

                                                 Internet Servers  Intranet Servers  Client Systems
  Microsoft SQLXML version shipped with
    SQL Server 2000 Gold                         Moderate          Moderate          None
  Microsoft SQLXML version 2                     Moderate          Moderate          None
  Microsoft SQLXML version 3                     Moderate          Moderate          None
The above assessment is based on the types of systems affected by the vulnerability, their
typical deployment patterns, and the effect that exploiting the vulnerability would have
on them. The criticality reflects the possibility of remotely running code in the
security context of the operating system and the possibility of running script on a user's
system with elevated privileges.
Vulnerability identifiers:
Tested Versions:
Microsoft tested the original SQLXML version shipping with SQL Server 2000 Gold as well as
SQLXML versions 1, 2 and 3 to assess whether they are affected by this vulnerability.
SQLXML version 1 is no longer supported, and should be upgraded to a later version as
discussed in the FAQ below.
Patch availability
Download locations for this patch
Additional information about this patch
Installation platforms:
This patch can be installed on systems running SQL Server 2000 SP2
Inclusion in future service packs:
The fix for this issue will be included in SQL Server 2000 SP3.
Reboot needed: Yes
Superseded patches: None.
Verifying patch installation:
SQLXML shipping with SQL Server 2000 Gold:
- To verify that the patch has been installed on the machine, confirm that the following
registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q321858
SQLXML Version 2.0:
- To verify that the patch has been installed on the machine, confirm that the following
registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SQLXML 2.0\Q321460
SQLXML Version 3.0:
- To verify that the patch has been installed on the machine, confirm that the following
registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SQLXML 3.0\Q320833
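The three registry checks above can be run in one pass on a SQL Server 2000 host. The following PowerShell is an added example and not part of the Microsoft or CIAC bulletin; the only values it relies on are the three key paths the bulletin lists, and the function name Test-MS02030Patch is an assumption.

```powershell
# Added example (not from the bulletin): report which MS02-030 patch, if any,
# is recorded in the registry on this host. Key paths are taken verbatim from
# the bulletin's "Verifying patch installation" section.
function Test-MS02030Patch {
    [CmdletBinding()]
    param()

    # One key per SQLXML release; the patch installer creates the key on success.
    $patchKeys = [ordered]@{
        'SQLXML shipped with SQL Server 2000 Gold' = 'HKLM:\SOFTWARE\Microsoft\Updates\DataAccess\Q321858'
        'SQLXML 2.0'                                = 'HKLM:\SOFTWARE\Microsoft\Updates\SQLXML 2.0\Q321460'
        'SQLXML 3.0'                                = 'HKLM:\SOFTWARE\Microsoft\Updates\SQLXML 3.0\Q320833'
    }

    $results = foreach ($release in $patchKeys.Keys) {
        $path = $patchKeys[$release]
        [pscustomobject]@{
            Release   = $release
            Key       = $path
            # -LiteralPath because two of the paths contain a space.
            Installed = (Test-Path -LiteralPath $path)
        }
    }

    # A host that has none of the keys either has no SQLXML at all or is unpatched;
    # flag it so the operator follows up rather than assuming the former.
    if (-not ($results | Where-Object Installed)) {
        Write-Warning 'No MS02-030 patch key found; confirm whether SQLXML is installed and, if so, apply the patch for its version.'
    }
    return $results
}

Test-MS02030Patch | Format-Table -AutoSize
```

The script only reads HKLM and needs no elevation; run it on each IIS host that exposes SQLXML virtual directories, not just the database server.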
Caveats:
None
Localization:
This patch can be applied on all language versions.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Other information:
Acknowledgments
Microsoft thanks Matt Moore of Westpoint Ltd. for reporting this issue to us and working
with us to protect customers.
Support:
Microsoft Knowledge Base article Q321599 discusses this issue and will be available
approximately 24 hours after the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no
charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (June 12, 2002): Bulletin Created.
[***** End Microsoft Security Bulletin MS02-030 *****]
CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
DOE-CIRC can be contacted at:
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/