So, unless I'm mistaken, there's no way to patch MS Desktop Engine for this bug. Unless someone can point out a way to get it to SP2, since the SQL Server SP2 installer won't work for it.
Also, does anyone find it odd that you have to literally copy a dll over another dll to apply the hotfix? Not even Linux makes you do that.

-dave

On Fri, 2002-08-02 at 20:55, NGSSoftware Insight Security Research wrote:
> NGSSoftware Insight Security Research Advisory
>
> Name: OpenRowSet Buffer Overflows
> Systems: Microsoft SQL Server 2000 and 7, all Service Packs
> Severity: High Risk
> Category: Remote Buffer Overrun Vulnerability
> Vendor URL: http://www.microsoft.com/
> Author: David Litchfield ([EMAIL PROTECTED])
> Advisory URL: http://www.ngssoftware.com/advisories/mssql-ors.txt
> Date: 2nd July 2002
> Advisory number: #NISR02072002
> VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt
>
> This advisory covers the solution to one of the problems mentioned in the
> above VNA URL.
>
> Description
> ***********
> Microsoft's database servers SQL Server 2000 and 7 have a remotely
> exploitable buffer overrun vulnerability in the OpenRowSet function.
> OpenRowSet allows users to run ad hoc queries on the server.
>
> Details
> *******
> By passing overly long parameters to certain Providers using the OpenRowSet
> functions an attacker can overwrite program control data, such as saved
> return addresses on the stack. This allows an attacker to gain control over
> the SQL Server process and run arbitrary code. Any code provided by an
> attacker will execute in the security context of the account used to run SQL
> Server. Often this is the powerful local SYSTEM account and in this case an
> attacker can not only compromise all SQL Server data but completely control
> the operating system too. Where SQL Server is running in the context of a
> domain user they will only gain access to the server's data. Neither of
> these two situations are desirable and as such SQL Server administrators
> should patch this as soon as they can.
>
> Fix Information
> ***************
> NGSSoftware alerted Microsoft to this problem on the 15th of May 2002 and
> they have since released a patch to resolve this problem. Please see
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-040.asp
>
> for more details. Further, one can prevent users from running ad hoc queries
> by setting DisallowAdhocAccess to 1 for each provider under the following
> registry key: HKLM\Software\Microsoft\MSSQLServer\Providers\. If the value
> does not exist already then it can be created as a new DWORD value.
>
> A check for this vulnerability has been added to Typhon II, NGSSoftware's
> vulnerability assessment scanner, of which more information is available
> from the NGS site, http://www.ngssoftware.com/
>
> Further Information
> *******************
> For more information regarding SQL Injection please read
>
> http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
> http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
>
> and for more information about buffer overflows please read
>
> http://www.ngssoftware.com/papers/ntbufferoverflow.html
> http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> http://www.ngssoftware.com/papers/unicodebo.pdf
> http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
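A defender-side check for the registry mitigation the quoted advisory describes, added here as an example; it is not part of the original post, the advisory, or any NGSSoftware or Microsoft tooling. It walks every provider subkey under the Providers key named in the advisory (the default-instance path HKLM\Software\Microsoft\MSSQLServer\Providers), reports whether DisallowAdhocAccess is present and set to 1, and with -Enforce creates or corrects the DWORD. PowerShell is an assumption of convenience for a modern administrator; the script must run elevated, and the -ProvidersKey parameter exists because named instances keep their Providers key elsewhere.

```powershell
<#
  Added example (not from the advisory or the reply): audit, and optionally
  enforce, DisallowAdhocAccess = 1 for every provider registered under the
  SQL Server Providers key. Default path assumes a default instance of
  SQL Server 2000 / 7; override -ProvidersKey for a named instance.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Providers',
    [switch]$Enforce
)

if (-not (Test-Path -Path $ProvidersKey)) {
    Write-Error "Providers key not found: $ProvidersKey"
    exit 1
}

$results = foreach ($provider in Get-ChildItem -Path $ProvidersKey) {
    # Get-ItemProperty returns $null for the property when the value was never created.
    $props   = Get-ItemProperty -Path $provider.PSPath
    $current = $props.DisallowAdhocAccess
    $compliant = ($current -eq 1)

    if ($Enforce -and -not $compliant) {
        # Set-ItemProperty creates the value if it is missing and overwrites it
        # otherwise; honours -WhatIf through SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($provider.PSChildName, 'Set DisallowAdhocAccess = 1')) {
            Set-ItemProperty -Path $provider.PSPath -Name 'DisallowAdhocAccess' -Value 1 -Type DWord
            $compliant = $true
        }
    }

    $display = if ($null -eq $current) { 'missing' } else { $current }
    [pscustomobject]@{
        Provider            = $provider.PSChildName
        DisallowAdhocAccess = $display
        Compliant           = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the script can gate a build or configuration-management run.
if ($results | Where-Object { -not $_.Compliant }) { exit 2 }
```

Run it without switches to get a per-provider report and an exit code of 2 when any provider still allows ad hoc access; run it with -Enforce -WhatIf to preview the registry writes before applying them. Note that this setting only blocks ad hoc queries through OpenRowSet and similar functions; the MS02-040 patch the advisory points to is still required to fix the overflow itself.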