Real-time AntiSpam protection, automated and self-managed content filtering

New Patch Eliminates Elevated Privileges Scare

MS/SQL Plugs Security Hole

Late last night, Microsoft posted a Security Bulletin exposing a security risk that affects Microsoft SQL Server 7 and 2000. This security hole could allow a malicious user to commandeer a terminated, but cached, administrator connection. This would enable the hacker not only to execute queries in privileged mode, but could ultimately grant control of the server itself. Microsoft has posted a patch that eliminates this problem. With lab help from KeyLabs, BugNet was able to test the patch on both Windows NT 4 and Windows 2000.

SQL Server, like many other server applications, caches connections as a way to boost performance. Every time a user connects to a server, the application must expend resources in establishing and maintaining that connection. When a user terminates a connection with an application, eventually all the resources associated with the connection are returned to the system so that they can be used for other processes and connections. Sometimes connections are terminated unintentionally by client application errors, network failure, etc. By caching a terminated connection, server-based applications can eliminate the hassle of rebuilding a new link by reusing the resources of the cached connection.

Mixed Mode

This vulnerability doesn't affect all installations of SQL Server. Specifically, this security lapse affects systems configured for Mixed Mode authentication, which is enabled by default. Systems configured for Windows Authentication Mode will not be affected. Mixed Mode allows the SQL Server to try to authenticate a client using Windows Authentication. If that doesn't work, then the client is authenticated via SQL Server Authentication, using the username and password that are stored locally on the server. According to Microsoft, database administrators are "strongly recommended" to use Windows Authentication whenever possible.

Mixed Mode authentication, along with a faulty SQL query method, could allow an attacker to reuse a cached connection, presumably one that was created by an administrator. With this elevated privilege, the attacker could run any query against the database, including creating, modifying, or deleting records from the database. Using extended stored procedures, the attacker could essentially gain complete control over the server itself.

It's important to note that in order to run a privilege-elevating query against the server, the user must already be authenticated. Because the potential risk is limited to authenticated users, the offending query could conceivably be tracked and logged. Also, since the terminated connections are only cached for a short period of time, the attacker would only have a short window of opportunity to exploit this hole.

Patch Sequels

Microsoft's 5 MB patch is available for SQL Server 7 with Service Pack 3 and SQL Server 2000. It eliminates this vulnerability by repairing the defective query method. The patch is currently available for download at Microsoft's web site.

For those not wanting to patch their systems, there are workarounds available. The first is to disable Mixed Mode authentication. Since it is enabled by default, many users might have it enabled unintentionally, not knowing that it can be disabled.

A second workaround involves disabling ad hoc queries. To disable or disallow ad hoc queries, select the security tab under the SQL Server instance. Right-click on the linked servers to bring up the general properties tab, and select the radio button next to "Other Data Source." Choose "Microsoft OLE DB Provider for SQL Server" from the Provider Name drop-down list, and click on the "Provider Options" button. Lastly, check the "disallow Ad Hoc queries" box.
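To make the connection-caching risk described above concrete, the following simplified model is an added example; it is not SQL Server's code or Microsoft's fix, and it does not reproduce the actual defect. The class names, principals and TTL value are assumptions. It contrasts a cache that hands any idle connection to the next caller with one that binds reuse to the original identity and expires idle entries.

```python
# Simplified model, constructed for illustration only. All names are
# hypothetical and do not correspond to SQL Server internals.
import time
from dataclasses import dataclass


@dataclass
class Connection:
    principal: str          # identity the connection was authenticated as
    is_admin: bool          # privilege level attached to the connection
    closed_at: float = 0.0  # set when the client terminates the connection


class NaiveCache:
    """Hands back any cached connection, whoever it belonged to."""

    def __init__(self):
        self._idle = []

    def release(self, conn):
        conn.closed_at = time.monotonic()
        self._idle.append(conn)

    def acquire(self, principal, is_admin):
        if self._idle:
            return self._idle.pop()  # security context is NOT re-checked
        return Connection(principal, is_admin)


class BoundCache(NaiveCache):
    """Reuses a cached connection only for the identity that created it."""

    def __init__(self, ttl=5.0):
        super().__init__()
        self.ttl = ttl

    def acquire(self, principal, is_admin):
        now = time.monotonic()
        # Drop expired entries so stale privileged contexts do not linger.
        self._idle = [c for c in self._idle if now - c.closed_at <= self.ttl]
        for conn in self._idle:
            if conn.principal == principal and conn.is_admin == is_admin:
                self._idle.remove(conn)
                return conn
        return Connection(principal, is_admin)


def reuse_after_admin_disconnect(cache):
    """An admin disconnects, then a low-privileged user connects."""
    cache.release(cache.acquire("sa_admin", True))
    return cache.acquire("report_user", False)
```

With the naive cache the second caller inherits the administrator's context; with the identity-bound cache it receives a fresh connection under its own privileges.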

August 2nd, 2009  
Tags: Mixed Mode authentication, MS/SQL, Patch, SQL Server

Copyright © 2012 Real-time AntiSpam protection, automated and self-managed content filtering. All Rights Reserved.