----------------------------------------------------------------------

TITLE:
Microsoft SQL Server and MSDE Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA30970

VERIFY ADVISORY:
http://secunia.com/advisories/30970/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information, Privilege escalation

WHERE:
From local network

OPERATING SYSTEM:
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows Server 2008
http://secunia.com/product/18255/

SOFTWARE:
Microsoft Data Engine (MSDE) 1.0
http://secunia.com/product/416/
Microsoft SQL Server 2000
http://secunia.com/product/7/
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
http://secunia.com/product/417/
Microsoft SQL Server 2005
http://secunia.com/product/6782/
Microsoft SQL Server 2005 Express Edition
http://secunia.com/product/6479/
Microsoft SQL Server 7
http://secunia.com/product/8/

DESCRIPTION:
Four vulnerabilities have been reported in Microsoft SQL Server, which can be exploited by malicious users to gain escalated privileges.

1) An error in the way memory page reuse is managed can be exploited by users with database operator access to gain knowledge of potentially sensitive information (e.g. data from another user's session).

2) A boundary error in the convert function when converting SQL expressions from one data type to another can be exploited to cause a buffer overflow via an overly long, specially crafted expression.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

3) A boundary error in the way data structures in on-disk files are validated can be exploited to cause a buffer overflow by loading a specially crafted file.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

4) A boundary error when handling insert statements can be exploited to cause a buffer overflow via a specially crafted insert statement.

Successful exploitation may allow execution of arbitrary code with escalated privileges.

SOLUTION:
Apply patches.

-- SQL Server (GDR) --

SQL Server 7.0 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=C95B2CB3-51A4-44E4-B9F4-9416E9CE16A0

SQL Server 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=4FD1F86A-94A2-43D8-9B0A-774C81426D9E

SQL Server 2000 Itanium-based Edition SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=4FD1F86A-94A2-43D8-9B0A-774C81426D9E

SQL Server 2005 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=4C9851CC-2C4C-4190-872C-84993A7623B7

SQL Server 2005 x64 Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=4C9851CC-2C4C-4190-872C-84993A7623B7

SQL Server 2005 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=4C9851CC-2C4C-4190-872C-84993A7623B7

Microsoft Data Engine (MSDE) 1.0 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=C95B2CB3-51A4-44E4-B9F4-9416E9CE16A0

Microsoft SQL Server 2005 Express Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=4C9851CC-2C4C-4190-872C-84993A7623B7

Microsoft SQL Server 2005 Express Edition with Advanced Services SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=4C9851CC-2C4C-4190-872C-84993A7623B7

-- SQL Server (QFE) --

SQL Server 7.0 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=C95B2CB3-51A4-44E4-B9F4-9416E9CE16A0

SQL Server 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=8316BC5E-8C2D-4710-8ACC-B815CCC81CD4

SQL Server 2000 Itanium-based Edition SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=8316BC5E-8C2D-4710-8ACC-B815CCC81CD4

SQL Server 2005 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=A60BB7E7-EF4E-4CBD-B63A-0AD7BD1402B3

SQL Server 2005 x64 Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=A60BB7E7-EF4E-4CBD-B63A-0AD7BD1402B3

SQL Server 2005 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=A60BB7E7-EF4E-4CBD-B63A-0AD7BD1402B3

Microsoft Data Engine (MSDE) 1.0 SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=C95B2CB3-51A4-44E4-B9F4-9416E9CE16A0

Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4:
http://www.microsoft.com/downloads/details.aspx?familyid=8316BC5E-8C2D-4710-8ACC-B815CCC81CD4

Microsoft SQL Server 2005 Express Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=A60BB7E7-EF4E-4CBD-B63A-0AD7BD1402B3

Microsoft SQL Server 2005 Express Edition with Advanced Services SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=A60BB7E7-EF4E-4CBD-B63A-0AD7BD1402B3

-- Windows Components --

Windows 2000 SP4 with Microsoft SQL Server 2000 Desktop Engine:
http://www.microsoft.com/downloads/details.aspx?familyid=1c0ae18b-1f17-44b3-a337-b36e7de437a7

Windows Server 2003 SP1/SP2 with Microsoft SQL Server 2000 Desktop Engine:
http://www.microsoft.com/downloads/details.aspx?familyid=1c0ae18b-1f17-44b3-a337-b36e7de437a7

Windows Server 2003 SP1/SP2 with Windows Internal Database (WYukon) SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=48f6aaa5-49fc-4a16-bc34-8514e214b8cf

Windows Server 2003 x64 Edition (optionally with SP2) and SQL Server 2000 Desktop Engine (WMSDE):
http://www.microsoft.com/downloads/details.aspx?familyid=1c0ae18b-1f17-44b3-a337-b36e7de437a7

Windows Server 2003 x64 Edition (optionally with SP2) and Windows Internal Database (WYukon) x64 Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=48f6aaa5-49fc-4a16-bc34-8514e214b8cf

Windows Server 2008 for 32-bit Systems and Windows Internal Database (WYukon) SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=48f6aaa5-49fc-4a16-bc34-8514e214b8cf

Windows Server 2008 for x64-based Systems and Windows Internal Database (WYukon) x64 Edition SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=48f6aaa5-49fc-4a16-bc34-8514e214b8cf

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits an anonymous person.
2) The vendor credits an anonymous person.
3) The vendor credits Brett Moore, Insomnia Security via iDefense.
4) The vendor credits an anonymous person.

ORIGINAL ADVISORY:
MS08-040 (KB941203):
http://www.microsoft.com/technet/security/Bulletin/MS08-040.mspx

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.