Flaw Found in SQL Server 2000 Profiler

 
 
By Lisa Vaas  |  Posted 2005-12-05
 
 
 
A recently discovered vulnerability in Microsoft Corp.'s SQL Server 2000 database allows users to mask their log-in names.

The vulnerability was discovered by Imperva, a researcher and vendor of data-center security products.

The flaw shows up when SQL Profiler in Microsoft SQL Server 2000 is used to audit connections to SQL Server 2000 through the Audit Login event class. When log-in names contain leading zero characters, those names are not visible in the SQL Profiler graphical user interface, in a trace file that is saved by SQL Profiler, or in a trace table that is saved by SQL Profiler.

Microsoft put out an advisory that stated that the problem only applies to the Profiler in SQL Server 2000. The problem is fixed in the Profiler in SQL Server 2005 when users use the Profiler to audit connections to SQL Server 2005.

The problem also crops up when using other methods to audit connections to SQL Server 2000, including calling the sp_who or sp_who2 system stored procedures, selecting the log-in name column from the master.dbo.sysprocesses system table, or viewing the result set that is returned by the fn_trace_gettable function in SQL Server 2000 Enterprise Manager.

Microsoft's advisory gave this example: When using SELECT * FROM ::fn_trace_gettable('c:\my_trace.trc', default),

Microsoft recommends that users audit connections to SQL Server 2000 by using server-side tracing and by loading the resulting data from a server-side trace file into a database table by using the fn_trace_gettable function.
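A sketch of that recommendation in T-SQL, added here as an illustration and not taken from Microsoft's advisory or from Imperva: a server-side trace of the Audit Login event class is written to a file and then loaded into a table with fn_trace_gettable. The table name dbo.login_audit, the file size, the 10-minute collection window and the byte-level review query at the end are assumptions made for the example.

```sql
-- Added example. dbo.login_audit, the 50 MB limit and the 10-minute window
-- are assumptions; the trace path matches the one quoted in the article.
DECLARE @rc int, @TraceID int, @maxfilesize bigint, @on bit
SET @maxfilesize = 50      -- maximum trace file size in MB
SET @on = 1                -- sp_trace_setevent expects a bit variable

-- 1. Create the server-side trace. SQL Server appends ".trc" to the name,
--    and the call fails if c:\my_trace.trc already exists.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 0, N'c:\my_trace', @maxfilesize, NULL
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc)
    RETURN
END

-- 2. Capture Audit Login (event class 14) with the columns needed for review.
EXEC sp_trace_setevent @TraceID, 14, 8,  @on   -- HostName
EXEC sp_trace_setevent @TraceID, 14, 10, @on   -- ApplicationName
EXEC sp_trace_setevent @TraceID, 14, 11, @on   -- LoginName
EXEC sp_trace_setevent @TraceID, 14, 12, @on   -- SPID
EXEC sp_trace_setevent @TraceID, 14, 14, @on   -- StartTime

-- 3. Start the trace, collect for the chosen window, then stop and close it
--    so the file is complete before it is read.
EXEC sp_trace_setstatus @TraceID, 1            -- start
WAITFOR DELAY '00:10:00'                       -- constructed collection window
EXEC sp_trace_setstatus @TraceID, 0            -- stop
EXEC sp_trace_setstatus @TraceID, 2            -- close and delete the definition

-- 4. Load the trace file into a table (fails if dbo.login_audit exists).
SELECT EventClass, StartTime, SPID, HostName, ApplicationName, LoginName
INTO dbo.login_audit
FROM ::fn_trace_gettable('c:\my_trace.trc', default)

-- 5. Review the log-ins with the raw bytes of each name beside the string,
--    so the review does not depend on how a client tool renders the text.
SELECT StartTime, SPID, HostName, ApplicationName, LoginName,
       DATALENGTH(LoginName)             AS LoginNameBytes,
       CAST(LoginName AS varbinary(256)) AS LoginNameHex
FROM dbo.login_audit
WHERE EventClass = 14
ORDER BY StartTime
```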
