SQL Server Springs Another Leak

 
 
By Dennis Fisher  |  Posted 2002-08-20 Email Print this article Print
 
 
 
 
 
 
 

Security researchers in July warned Microsoft of flaw in SQL Server agent; no patch is available yet.

Security researchers have found a new flaw in Microsoft Corp.s SQL Server database software. The problem lies in the SQL Server agent, which is responsible for various functions, including running scheduled jobs and restarting the database service if it stops. By default, low privileged users can add jobs to the SQL queue and specify the name of a file to output the results of the job to. If specifying a file name that already exists, a user can overwrite that file. If it is a new file name, the database will simply create a new file.
By carefully crafting the database query for a given job, a user can place any contents in this file, according to a bulletin released Monday by Next Generation Security Software Ltd.
And, if the SQL Server agent is running with local system privileges, the user could overwrite operating system files and render a vulnerable machine unbootable, the advisory said. The flaw affects SQL Server 7 and 2000. Next Generation said they alerted Microsoft to the problem in July, and that no patch has been produced to fix the problem yet.
Related Stories:
  • Microsoft Scrambles to Patch SQL Server Holes
  • Microsoft Warns of SQL Server Flaws
  • MS Fixes More Holes in SQL Server
  •  
     
     
     
     
     
     
     
     
     
     

    Submit a Comment

    Loading Comments...

     
    Manage your Newsletters: Login   Register My Newsletters























     
     
     
     
     
     
     
     
     
     
     
    Rocket Fuel