Microsoft SQL Server Multiple Vulnerabilities (MS03-031)
What is a named pipe? A named pipe is a specifically named one-way or two-way channel for communication between a pipe server and one or more pipe clients.
SQL Server checks the named pipe to verify which connection attempts to the pipe are allowed to log in to SQL Server and execute queries against the data stored on the server. A flaw exists in this checking method that could allow an attacker who is local to the SQL Server system to "hijack" control of the named pipe during another client's authenticated login.
This would allow the attacker to gain control of the named pipe at the same privilege level as the user attempting to connect. If the user connecting remotely has higher access rights than the attacker, the attacker assumes those rights once the named pipe is compromised.
How could an attacker exploit this vulnerability? An attacker (a low-privileged user who was logged on to a system running SQL Server) could seek to exploit this vulnerability by creating the same named pipe that the computer running SQL Server uses. When a client then connected to the system running SQL Server through that named pipe and used Windows Authentication, the attacker could hijack the named pipe and assume the same level of permission over the database as the user who had connected.
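The mechanism behind the hijack, as an added example that is not part of the bulletin or of any Microsoft code: a PowerShell script in which one process claims a pipe name before the legitimate service does and then impersonates whoever connects to it. The pipe name, the demo "login" message and the Test-PipeNameTaken helper are assumptions made for illustration; SQL Server's real pipe name and login protocol are not modelled. Both ends run in the same process under the same user, so the identity printed is your own; against a victim connecting with Windows Authentication it would be the victim's.

```powershell
# Added example (not from the bulletin): named pipe squatting and client impersonation.
# Both pipe ends run in this one process so the script is self-contained; in the real
# attack the "server" is the attacker's process and the "client" is a victim logging in.
# The pipe name is a demo value (assumption), not SQL Server's default pipe.
$pipeName = 'demo-squat-pipe'

# Defensive check a service can make before claiming its name: if the name is already
# present in the pipe namespace, some other process owns it and clients will reach that
# process instead of us.
function Test-PipeNameTaken {
    param([string]$Name)
    $existing = [System.IO.Directory]::GetFiles('\\.\pipe\')
    return ($existing -contains "\\.\pipe\$Name")
}
"Pipe '$pipeName' already taken before we start: $(Test-PipeNameTaken $pipeName)"

# 1. The squatter creates the pipe first. Whoever holds the name receives the
#    connections meant for the legitimate service.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Message, [System.IO.Pipes.PipeOptions]::None)
$accept = $server.WaitForConnectionAsync()

# 2. The "victim" client connects. The impersonation level it requests is the ceiling on
#    what the pipe owner can do with its identity; Impersonation is what Win32 grants
#    when a client does not ask for anything more restrictive.
$client = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut,
    [System.IO.Pipes.PipeOptions]::None,
    [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$client.Connect(5000)
$accept.Wait()

# 3. The client sends its first "login" bytes (constructed demo message). The Win32
#    ImpersonateNamedPipeClient call that RunAsClient wraps only succeeds after the
#    server has read from the pipe, so the squatter reads the login first.
$login = [System.Text.Encoding]::ASCII.GetBytes('LOGIN demo-client')
$client.Write($login, 0, $login.Length)
$client.Flush()
$buf = New-Object byte[] 256
$n = $server.Read($buf, 0, $buf.Length)
"Pipe owner received: " + [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)

# 4. The pipe owner now learns the connecting client's identity and can run code as it.
"Connected client identity: " + $server.GetImpersonationUserName()
$server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
    Write-Host ("Code inside RunAsClient runs as: " +
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
})

$client.Dispose()
$server.Dispose()
```

Two controls follow from this. On the client side, a connection opened with an impersonation level of Identification rather than Impersonation lets the pipe owner learn who connected but not act as them. On the server side, the Win32 flag FILE_FLAG_FIRST_PIPE_INSTANCE makes CreateNamedPipe fail when the name already exists, so a service that uses it detects a squatter instead of silently creating a second instance; .NET's NamedPipeServerStream does not expose that flag, which is why the script checks the namespace by hand.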
Is an attacker limited in any way when attempting this sort of attack? An attacker must be able to log on interactively to the system running SQL Server in order to exploit this flaw. What does the patch do?
The patch addresses the vulnerability by limiting the creation of named pipes to the SQL Server process only.

What is the scope of the second vulnerability? This is a denial of service vulnerability that could cause SQL Server to stop responding (hang). To successfully exploit this flaw, an attacker would require access to the local intranet, although it is not necessary for them to be authenticated on the domain.
There is no way for an attacker to use this vulnerability to usurp control over the system or to gain access to any information on the server. Restarting SQL Server restores normal functionality. The vulnerability results from a flaw in the way that SQL Server interprets a return code from a specific named pipes operation.
When more data than expected is received, SQL Server misinterprets the valid return code as an error, and the service stops responding. An attacker who successfully exploited this vulnerability could interrupt the normal operation of a system running SQL Server by causing it to stop responding.
This behavior would be temporary and would be corrected when SQL Server was restarted. An attacker with access to the local intranet could seek to exploit this vulnerability by crafting a very large packet and sending it to the named pipe on which SQL Server is listening. This could cause the server to stop responding; SQL Server would then need to be restarted to regain functionality.
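The failure mode described above, as an added example that is not part of the bulletin or of any Microsoft code: a PowerShell script in which a client sends a message-mode pipe more data than the server's read buffer holds, and the server handles the resulting "partial read" result correctly instead of treating it as a failure. Underneath, Win32 ReadFile reports this case by returning FALSE with ERROR_MORE_DATA (234), which is a valid outcome, not an error; .NET surfaces it as a successful short read with IsMessageComplete set to false. The pipe name, buffer sizes, the 4096-byte payload and the Read-PipeMessage helper are assumptions for illustration.

```powershell
# Added example (not from the bulletin): reading a message-mode pipe when a client sends
# more than the read buffer holds. Pipe name and sizes are demo values (assumptions).
$pipeName = 'demo-moredata-pipe'

# 64 KiB pipe buffers so the single-threaded demo's write cannot block on a full pipe.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $pipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
    [System.IO.Pipes.PipeTransmissionMode]::Message,
    [System.IO.Pipes.PipeOptions]::None, 65536, 65536)
$accept = $server.WaitForConnectionAsync()
$client = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(5000)
$accept.Wait()

# Constructed oversized message: 4096 bytes, to be read through a 256-byte buffer.
$payload = New-Object byte[] 4096
for ($i = 0; $i -lt $payload.Length; $i++) { $payload[$i] = [byte]($i % 256) }
$pending = $client.WriteAsync($payload, 0, $payload.Length)

# Correct handling: a short read with IsMessageComplete = $false means "more of this
# message follows", so keep reading; enforce an upper bound so an oversized message is
# rejected rather than left to exhaust memory or stall the reader.
function Read-PipeMessage {
    param([System.IO.Pipes.PipeStream]$Pipe, [int]$MaxBytes)
    $chunk = New-Object byte[] 256
    $ms = New-Object System.IO.MemoryStream
    do {
        $n = $Pipe.Read($chunk, 0, $chunk.Length)   # short reads are normal here
        if ($n -le 0) { break }                      # peer closed the pipe
        $ms.Write($chunk, 0, $n)
        if ($ms.Length -gt $MaxBytes) {
            throw "message exceeds $MaxBytes bytes; rejecting instead of hanging"
        }
    } while (-not $Pipe.IsMessageComplete)
    return $ms.ToArray()
}

$msg = Read-PipeMessage -Pipe $server -MaxBytes 8192
$pending.Wait()
"Reassembled $($msg.Length) bytes through a 256-byte read buffer in " +
    "$([math]::Ceiling($msg.Length / 256)) reads"

$client.Dispose()
$server.Dispose()
```

Run it a second time with -MaxBytes 1024 to see the bounded behaviour: the reader throws after the fifth chunk instead of either hanging or treating the valid partial-read result as a fatal error. A reader that checks only the boolean result of the underlying ReadFile, without also checking for ERROR_MORE_DATA, is the pattern the bulletin describes.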
Why would an attacker need access to the local intranet to exploit this vulnerability? An attacker would need access to a domain trusted by the domain of the system running SQL Server.
They would then need to be able to open a named pipe to a particular SQL Server, thereby creating a connection, and then send the specially crafted packet over that established connection. The patch limits the amount of data read by the system running SQL Server to the size of the established buffer.

What is the scope of the third vulnerability? This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause the system to fail, or could cause code of the attacker's choice to be executed with the same permissions as the SQL Server service account.
Code running with service account permissions could give an attacker the ability to take full control over the database and the data it contains. The vulnerability could only be exploited by an attacker who had valid credentials to log on to the system interactively.
Because Local Procedure Call (LPC) can only be used on the local system, this vulnerability could not be exploited remotely. Instead, an attacker could only exploit it on systems that they could log on to interactively. Typically, workstations and terminal servers would be at the greatest risk because, if ordinary security practices have been followed, ordinary users will not be allowed to log on to critical servers interactively.