Microsoft SQL Server stored backup file data structure buffer overflow
| mssql-data-structure-bo (41461) |  High Risk |
Description:
Microsoft SQL Server is vulnerable to a buffer overflow, caused by an integer underflow that can occur when parsing a stored backup file. By forcing SQL Server to load a malicious file, a remote or local attacker with valid authentication credentials could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the SQL Server process to crash.
*CVSS:
| Base Score: | 6.5 |
| Access Vector: | Network |
| Access Complexity: | Low |
| Authentication: | Single |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 4.8 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Privileges
Remedy:
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
For other distributions:
Apply the appropriate update for your system. See References.
References:
- HPSBST02350 SSRT080102 rev.1: Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-037 to MS08-040.
- iDefense Labs PUBLIC ADVISORY: 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability.
- Insomnia Security Vulnerability Advisory: ISVA-080709.1: Microsoft SQL Server - Corrupt Backup File Heap Overflow.
- Microsoft Security Bulletin MS08-040: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203).
- Microsoft Security Bulletin MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420).
- NORTEL BULLETIN ID: 2008008958, Rev 1: Centrex IP Client Manager (CICM) response to Microsoft July security bulletin .
- VMSA-2011-0003: Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX.
- ASA-2008-291: MS08-040 Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
- BID-30119: Microsoft SQL Server On-Disk MTF Data Structures Remote Memory Corruption Vulnerability
- CVE-2008-0107: Integer underflow in SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (MSDE 2000) SP4, 2005 Express Edition SP1 and SP2, and 2000 Desktop Engine (WMSDE); Microsoft Data Engine (MSDE) 1.0 SP4; and Internal Database (WYukon) SP2 allows remote authenticated users to execute arbitrary code via a (1) SMB or (2) WebDAV pathname for an on-disk file (aka stored backup file) with a crafted record size value, which triggers a heap-based buffer overflow, aka SQL Server Memory Corruption Vulnerability.
- SA30970: Microsoft SQL Server and MSDE Multiple Vulnerabilities
- SA43206: VMware vCenter Server / Update Manager SQL Express Multiple Vulnerabilities
- SECTRACK ID: 1020441: Microsoft SQL Server Bugs Let Remote Authenticated Users Obtain Information and Execute Arbitrary Code
- VUPEN/ADV-2008-2022: Microsoft SQL Server Privilege Escalation Vulnerabilities (MS08-040)
Platforms Affected:
- HP Storage Management Appliance 2.1
- Microsoft Data Engine 1.0 SP4
- Microsoft SQL Server 2000 SP4 Itanium
- Microsoft SQL Server 2000 SP4
- Microsoft SQL Server 2005 SP2 Itanium
- Microsoft SQL Server 2005 SP1 Itanium
- Microsoft SQL Server 2005 SP1 x64
- Microsoft SQL Server 2005 SP2 x64
- Microsoft SQL Server 2005 SP2
- Microsoft SQL Server 2005 SP1
- Microsoft SQL Server 2005 SP2 Express
- Microsoft SQL Server 2005 SP1 Express
- Microsoft SQL Server 7.0 SP4
- Microsoft SQL Server Advanced Services 2005 SP1 Express
- Microsoft SQL Server Advanced Services 2005 SP2 Express
- Microsoft SQL Server Desktop Engine 2000
- Microsoft SQL Server Desktop Engine 2000 SP4
- Microsoft Windows Internal Database SP2 x64
- Microsoft Windows Internal Database SP2
- VMware vCenter Server 4.1
- VMware vCenter Update Manager 1.0
- VMware vCenter Update Manager 4.0
Reported:
Jul 08, 2008
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.