Flaw Puts SQL Servers at Risk | eWeek

Flaw Puts SQL Servers at Risk

Écrit par
Dennis Fisher
Dennis Fisher
Jun 14, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

A Russian security researcher claims he has discovered a flaw in Microsoft Corp.s SQL Server 2000 which gives an attacker the ability to either crash the server or execute malicious code on the machine.

Microsoft is aware of the advisory and is investigating the issue, the company said.

The vulnerability is in the “pwdencrypt” hashing function, which is included with SQL. A buffer overrun flaw in this function enables an attacker to overwrite a portion of the heap memory, which could either result in the SQL Server application crashing or the attacker being able to execute code on the machine.

The researcher, Martin Rakhmanoff, posted his advisory to the Bugtraq security mailing list, along with instructions on how to exploit the flaw. Rakhmanoff is the author of a freeware Windows password-recovery tool called BehindTheAsterisks that displays the plain-text instead of the asterisks in the Windows log-on password field.

A Microsoft spokesman said in a statement that the company is concerned that Rakhmanoffs bulletin puts users at risk of attack.

“The Microsoft Security Response Center is thoroughly investigating this issue, just as we do with every report we receive of security vulnerabilities affecting Microsoft products,” the statement said.

“At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers information. Microsoft is moving forward on the investigation with all due speed and, when it is completed, we will take the action that best serves Microsofts customers.

“We are concerned by the way this report has been handled. Publishing the report may put computer users at risk–or at the very least could cause needless confusion and apprehension.”

This is the third serious flaw in SQL Server 2000 thats been disclosed this week. On Wednesday Microsoft issued patches for two problems in the database softwares SQLXML service.

There is an unchecked buffer in an ISAPI extension which could enable an attacker to run code on the IIS server, as well as a vulnerability in a function that specifies an XML tag. This second flaw could allow an attacker to run scripts on the vulnerable machine with escalated privileges, Microsoft officials said.

Related Stories:

  • Microsoft Mends More Security Flaws
  • Flaw Threatens SQL Server
  • SQL Worm Still Making Noise
  • Trusting in Microsoft
  • On the Mend?
  • More Security Coverage
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.