June 13, 2001, 10:47 AM — A security flaw in Microsoft Corp.'s SQL Server 7.0 and SQL Server 2000 Gold can allow an attacker to take control of a targeted server, the company said in a security bulletin late Tuesday night. Microsoft issued a patch for the flaw at the same time it released the bulletin.
A hitch in the way database connections are handled by the SQL (Structured Query Language) server could allow an attacker to hijack an administrator's connection, thus gaining administrator privileges, the company said, but added that the vulnerability only exists in servers configured for Mixed Mode authentication, a configuration type Microsoft recommends against, and can only be exploited by users who already have access to the server.
When a user ends a database session with a SQL server, the connection that has just ended is temporarily cached. However, using a special kind of server query, an attacker could exploit this flaw to restart an administrator's connection, thus gaining the administrator's access privileges, according to the bulletin. If this were to occur, the attacker could make any changes to the database, including adding, changing or deleting data, and could run code of the attacker's choice on the server, Microsoft said.
The bug is mitigated, however, due to the necessity that the server be configured for Mixed Mode authentication in order for the flaw to be usable, the company said. Mixed Mode authentication is a process by which the server attempts to authorize a user through Windows methods, but failing that uses SQL. This option is typically used on SQL servers hosted on Windows 95 and 98 systems and the company warns against it, Microsoft said.
Additionally, the bug is mitigated because the attacker would already have to be authorized by the server in order to restart a terminated connection.
The security bulletin and patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-032.asp
