OVAL291 for CAN-2002-0624 (SQL Server 2000)


Yi-Fang Koh
Microsoft Security Bulletin MS02-034: Cumulative Patch for SQL Server (Q316333)


OVAL ID: OVAL291
CVE ID: CAN-2002-0624
Description:
Buffer overflow in the password encryption function of Microsoft SQL
Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000,
allows remote attackers to gain control of the database and execute
arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in
Password Encryption Procedure."

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2002-0624
This is a buffer overrun vulnerability. It is caused by an unchecked buffer
in the SQL Server pwdencrypt() function that handles the encryption of
passwords for SQL Server accounts. This vulnerability occurs only if
the SQL Server was configured to use SQL Server Authentication. A
remote attacker could overflow the buffer by passing carefully selected
parameters to this function to crash SQL Server services, and it may
also lead to arbitrary code execution.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp

The patch 8.00.0650_enu.exe includes 13 files. After the patch is
installed, the file versions of these files are:
* xpstar.dll file version = 2000.80.628.0
* sqlservr.exe file version = 2000.80.650.0
* Odsole70.dll file version = 2000.80.606.0
* xplog70.dll file version = 2000.80.606.0
* xpqueue.dll file version = 2000.80.606.0
* xprepl.dll file version = 2000.80.606.0
* xpweb70.dll file version = 2000.80.606.0
* impprov.dll file version = 2000.80.650.0 (this file is used to fix the
second vulnerability in this security bulletin)
* sqlservr.pdb, Qfe356326.sql, uninstall.sql, Qfe356938.sql,
servpriv.exe: no version number
The sqlservr.exe is the main SQL Server executable file. This patch is
superseded by several later released cumulative patches. If this patch
was not installed, the sqlservr.exe file version is < 2000.80.650.0, and this
vulnerability exists in the system.
The fix is also included in SQL Server Service Pack 3. After
SP3 is installed, the sqlservr.exe file version = 2000.80.760.0. If the
sqlservr.exe file version < 2000.80.650.0, it means SP3 was not
installed.

If the SQL Server was configured to use the SQL Server Authentication,
the LoginMode = 2.

Query Synopsis:

-- Vulnerable software exists:

* SQL Server 2000 (all editions) installed
* Patch 8.00.0650_enu.exe (or later released cumulative patches) not
installed
  Affected files: xpstar.dll, sqlservr.exe, Odsole70.dll,
  xplog70.dll, xpqueue.dll, xprepl.dll, xpweb70.dll
* SQL Server 2000 Service Pack 3 (or later) not installed

-- Vulnerable configuration:

* SQL Server Authentication enabled, LoginMode = 2

Query:

SELECT 'CAN-2002-0624' FROM Placeholder WHERE
EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Check SQL Server 2000 (all editions) installed

  (SELECT 'SQL Server 2000 installed' FROM Win2K_RegistryKeys
   WHERE
   RegistryKey =
   'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion' AND
   EntryName = 'CurrentVersion' AND
   EntryValue = '8.00.194')

AND EXISTS

-- Patch 8.00.0650_enu.exe not installed: the file version of
-- sqlservr.exe is < 2000.80.650.0
-- Check sqlservr.exe file Version3 < 650

  (SELECT 'File sqlservr.exe Version3 < 650' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'sqlservr.exe' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 650))

AND EXISTS

-- Check odsole70.dll file Version3 < 606

  (SELECT 'File odsole70.dll Version3 < 606' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'odsole70.dll' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 606))

AND EXISTS

-- Check xpqueue.dll file Version3 < 606

  (SELECT 'File xpqueue.dll Version3 < 606' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'xpqueue.dll' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 606))

AND EXISTS

-- Check xprepl.dll file Version3 < 606

  (SELECT 'File xprepl.dll Version3 < 606' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'xprepl.dll' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 606))

AND EXISTS

-- Check xplog70.dll file Version3 < 606

  (SELECT 'File xplog70.dll Version3 < 606' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'xplog70.dll' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 606))

AND EXISTS

-- Check xpweb70.dll file Version3 < 606

  (SELECT 'File xpweb70.dll Version3 < 606' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'xpweb70.dll' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 606))

AND EXISTS

-- Check xpstar.dll file Version3 < 628

  (SELECT 'File xpstar.dll Version3 < 628' FROM Win2K_FileAttributes
   WHERE
   FilePath = (SELECT EntryValue || 'xpstar.dll' FROM Win2K_RegistryKeys
               WHERE RegistryKey =
               'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sqlservr.exe' AND
               EntryName = 'Path') AND
   (Version1 = 2000 AND Version2 = 80 AND Version3 < 628))

-- ### END VULNERABLE SOFTWARE EXISTS
-- ### BEGIN VULNERABLE CONFIGURATION

AND EXISTS

-- If SQL Server Authentication is enabled, LoginMode = 2

  (SELECT 'SQL Server authentication Enabled' FROM Win2K_RegistryKeys
   WHERE
   RegistryKey =
   'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer' AND
   EntryName = 'LoginMode' AND
   EntryValue = 2)

-- ### END VULNERABLE CONFIGURATION
;

-- Insert statements
-- ============================================================
-- Registry Keys

INSERT89
-- SQL Server
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion')
;

INSERT163
-- SQL Server authentication mode
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer')
;
--==================================================================
-- File Attributes

INSERT129
-- odsole70.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\odsole70.dll')
;

INSERT157
-- xpqueue.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xpqueue.dll')
;

INSERT174
-- xprepl.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xprepl.dll')
;

INSERT98
-- xplog70.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xplog70.dll')
;

INSERT164
-- xpweb70.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xpweb70.dll')
;

INSERT202
-- xpstar.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\xpstar.dll')
;


INSERT256
-- sqlservr.exe
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%ProgramFiles%\Microsoft SQL Server\MSSQL\BINN\sqlservr.exe')
;

-- ==============================================================
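To see how the query above decides, here is an added example (not part of the original post or of OVAL) that loads a constructed host inventory into an in-memory SQLite copy of the Win2K_RegistryKeys and Win2K_FileAttributes tables and runs a condensed form of the query: product installed, sqlservr.exe below build 650, xpstar.dll below build 628, and LoginMode = 2. The BINN path and the version tuples are constructed sample values; the registry keys are the ones the post uses.

```python
import sqlite3

# Registry locations from the post; the install path below is a constructed value.
MSSQL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer"
APP_PATH_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                r"\App Paths\sqlservr.exe")
BINN = "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\BINN\\"  # constructed

# Condensed core of the post's query: same EXISTS structure, two of the seven
# file checks, and the LoginMode configuration check.
QUERY = """
SELECT 'CAN-2002-0624' FROM Placeholder WHERE
EXISTS (SELECT 1 FROM Win2K_RegistryKeys WHERE RegistryKey = :cv
        AND EntryName = 'CurrentVersion' AND EntryValue = '8.00.194')
AND EXISTS (SELECT 1 FROM Win2K_FileAttributes
        WHERE FilePath = (SELECT EntryValue || 'sqlservr.exe' FROM Win2K_RegistryKeys
                          WHERE RegistryKey = :ap AND EntryName = 'Path')
        AND Version1 = 2000 AND Version2 = 80 AND Version3 < 650)
AND EXISTS (SELECT 1 FROM Win2K_FileAttributes
        WHERE FilePath = (SELECT EntryValue || 'xpstar.dll' FROM Win2K_RegistryKeys
                          WHERE RegistryKey = :ap AND EntryName = 'Path')
        AND Version1 = 2000 AND Version2 = 80 AND Version3 < 628)
AND EXISTS (SELECT 1 FROM Win2K_RegistryKeys WHERE RegistryKey = :mk
        AND EntryName = 'LoginMode' AND EntryValue = '2')
"""

def build_host(sqlservr_ver, xpstar_ver, login_mode):
    """Inventory for one constructed host; versions are (Version1, Version2, Version3)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Placeholder (x INTEGER);  INSERT INTO Placeholder VALUES (1);
        CREATE TABLE Win2K_RegistryKeys (RegistryKey TEXT, EntryName TEXT, EntryValue TEXT);
        CREATE TABLE Win2K_FileAttributes (FilePath TEXT, Version1 INT, Version2 INT, Version3 INT);
    """)
    db.executemany("INSERT INTO Win2K_RegistryKeys VALUES (?, ?, ?)", [
        (MSSQL_KEY + r"\CurrentVersion", "CurrentVersion", "8.00.194"),
        (APP_PATH_KEY, "Path", BINN),            # App Paths value the query joins on
        (MSSQL_KEY, "LoginMode", str(login_mode)),
    ])
    db.executemany("INSERT INTO Win2K_FileAttributes VALUES (?, ?, ?, ?)", [
        (BINN + "sqlservr.exe", *sqlservr_ver),
        (BINN + "xpstar.dll", *xpstar_ver),
    ])
    return db

def is_vulnerable(db):
    """True when the query returns the CVE id for this inventory, as OVAL would report it."""
    params = {"cv": MSSQL_KEY + r"\CurrentVersion", "ap": APP_PATH_KEY, "mk": MSSQL_KEY}
    return db.execute(QUERY, params).fetchone() is not None
```

Because the version columns are integers, a build such as 2000.80.1000 would still compare correctly; a string comparison of the dotted version would not.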