

Thursday, November 20, 2008

SQL Server News & Information

tsql, performance tuning, industry trends, & bad jokes


This site is maintained by Jason Massie. He has 10 years' experience as a DBA and has specialized in performance tuning for the last five. He was recognized by Microsoft as a SQL Server MVP. Jason has spoken at the Professional Association of SQL Server Conference, the North Texas SQL Server Users Group, SQL Connections and TechEd. He has worked at Terremark (formerly Data Return) for nearly a decade.

You can contact him at jason@statisticsio.com or 469.569.5965

Jason has the following certifications:
  • Microsoft Certified IT Professional Database Administrator (early adopter)
  • Microsoft Certified IT Professional Database Developer
  • MCDBA (7.0 and 2000)
  • MCSE
  • MCSD


More on the SQL Security Issue

Posted by Jason on Tuesday, July 08, 2008 to bugfix, SQL Server 2005, security

One of the vulnerabilities patched by the MS08-040 bulletin was discovered by iDefense. They released their public advisory today with more details (the original post linked it). Here is an excerpt:

Remote exploitation of an integer underflow vulnerability within Microsoft Corp.'s SQL Server could allow a remote attacker to execute arbitrary code with the privileges of the SQL Server.

The vulnerability exists within the code responsible for parsing a stored backup file. A 32-bit integer value, representing the size of a record, is taken from the file and used to calculate the number of bytes to read into a heap buffer. This calculation can underflow, which leads to insufficient memory being allocated. The buffer is subsequently overfilled leading to an exploitable condition.
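The integer underflow the excerpt describes, reconstructed below as an added C illustration. This is not SQL Server's code or iDefense's: the record layout (a 32-bit little-endian size that counts its own 8-byte header, a 32-bit type, then payload) and the sample bytes are invented for the demonstration and are not MTF's real layout. payload_len_unchecked shows the arithmetic that wraps; parse_record is the hardened parser with both the lower-bound check (no underflow) and the available-bytes check (no overread).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout used only for this illustration (not MTF's
 * real layout): a 32-bit little-endian record size that counts the header
 * itself, a 32-bit record type, then (size - 8) bytes of payload. */
#define REC_HDR_LEN 8u

typedef struct {
    uint32_t type;
    uint32_t len;    /* payload bytes */
    uint8_t *data;   /* heap copy of the payload; caller frees */
} record_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The arithmetic the advisory describes: a payload length derived from an
 * attacker-controlled size with no lower bound. For record_size < 8 the
 * subtraction wraps to roughly 4 GiB, while the buffer allocated for such a
 * tiny record is tiny, so the copy that follows overruns the heap. */
uint32_t payload_len_unchecked(uint32_t record_size) {
    return record_size - REC_HDR_LEN;
}

/* Hardened version: the size must cover its own header (underflow guard)
 * and must not exceed the bytes actually present (overread guard). */
int payload_len_checked(uint32_t record_size, size_t avail, uint32_t *out) {
    if (record_size < REC_HDR_LEN) return -1;
    if (record_size > avail)       return -2;
    *out = record_size - REC_HDR_LEN;
    return 0;
}

/* Parse one record safely. Returns 0 on success, negative on malformed input. */
int parse_record(const uint8_t *buf, size_t avail, record_t *rec) {
    if (avail < REC_HDR_LEN) return -2;
    uint32_t size = rd_le32(buf);
    uint32_t plen;
    int rc = payload_len_checked(size, avail, &plen);
    if (rc != 0) return rc;
    rec->type = rd_le32(buf + 4);
    rec->len  = plen;
    rec->data = malloc(plen ? plen : 1);
    if (!rec->data) return -3;
    memcpy(rec->data, buf + REC_HDR_LEN, plen);
    return 0;
}

/* Convenience wrapper: payload length on success, otherwise the error code. */
int probe_record(const uint8_t *buf, size_t avail) {
    record_t r;
    int rc = parse_record(buf, avail, &r);
    if (rc != 0) return rc;
    free(r.data);
    return (int)r.len;
}

/* Constructed samples (not real backup data). */
const uint8_t GOOD_REC[]  = { 0x0D,0,0,0, 0x01,0,0,0, 'h','e','l','l','o' }; /* size 13 = 8 + 5 */
const uint8_t EVIL_REC[]  = { 0x04,0,0,0, 0x01,0,0,0, 'A','A','A','A','A' }; /* size 4 < header */
const uint8_t SHORT_REC[] = { 0x40,0,0,0, 0x01,0,0,0, 'x' };                 /* claims 64, has 9 */

int main(void) {
    printf("unchecked payload length for size 4: 0x%08x\n", payload_len_unchecked(4));
    printf("good: %d, evil: %d, short: %d\n",
           probe_record(GOOD_REC, sizeof GOOD_REC),
           probe_record(EVIL_REC, sizeof EVIL_REC),
           probe_record(SHORT_REC, sizeof SHORT_REC));
    return 0;
}
```

The evil sample is the case the advisory describes: a size field smaller than the header it is supposed to include. The unchecked subtraction turns 4 into 0xFFFFFFFC, and a parser that then reads that many bytes into a buffer sized for a 4-byte record overfills it. The hardened parser rejects it before any allocation happens, and the third sample shows the companion check a file parser also needs: a size that is large enough not to underflow but larger than the data actually present.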

The Microsoft Security Vulnerability Research & Defense blog provided even more info later today (the original post linked the full entry). Let's look at three sentences from that post that tell us this is really only dangerous if you are not following best practices to begin with.

  1. The vulnerability requires an attacker to be able to force the SQL Server to load a malicious MTF file from the local drive or from the network.
  2. In order to remotely exploit this vulnerability, the attacker could leverage a separate SQL injection vulnerability and then trigger the SQL Server to load a malicious MTF file from the Internet.
  3. Therefore, if you see SQL Server loading MTF files from the Internet, it is probably bad news.

For that remote path to work, your app has to be injectable and the SQL Server itself has to be allowed to open outbound connections (port 80 in the scenario above) to the Internet. If both are true, you are probably already running SQL as a domain admin or SA has a blank password. ;) One caveat, though: sentence 1 also covers a malicious file on a local drive or an internal share, so an attacker who can already write a file somewhere the server can read, and can get the server to load it, does not need the Internet hop at all.

You should still test and deploy the hotfix ASAP. Do you trust every variable in that chain: your code, Microsoft's code, the disclosure? Even if you do, the same bulletin fixes three other vulnerabilities whose details have not been disclosed, so get to patching.


COMMENTS:

Thanks, Jason, for bringing this to our attention. Saw your tweet about it. Our databases sit behind 4 layered firewalls and they have no routes to the Internet. But, to follow your advice, how would we "see" MTF files being loaded?

posted @ Wednesday, July 09, 2008 12:08 AM by Kevin Hazzard


You would have to set your firewall or IDS to look for the fingerprint. That's a little over my head but I assume a network security guy should be able to figure it out from the description in this post:
http://blogs.technet.com/swi/archive/2008/07/08/ms08-040-how-to-spot-potentially-dangerous-mtf-files-crossing-network-boundary.aspx

posted @ Wednesday, July 09, 2008 12:34 AM by Jason


Thanks, Jason. I'll have the networking team write the appropriate rules and filters today.

Kevin

posted @ Wednesday, July 09, 2008 6:05 AM by Kevin Hazzard



Copyright 2006 by Statistics IO, My SQL Server Blog