Title: Microsoft SQL Server 2000 sp_MScopyscript SQL Injection Vulnerability
Severity: HIGH
Description:
Microsoft SQL Server 2000 uses various extended stored procedures to allow database designers to create their own external routines.
A vulnerability exists in some stored procedures used by Microsoft SQL Server 2000.
The Microsoft SQL Server 2000 sp_MScopyscript stored procedure does not sufficiently validate input before passing it to the xp_cmdshell extended stored procedure. An attacker with the ability to execute a query or pass malicious input to a query may be able to execute operating system commands via xp_cmdshell with the privileges of the SQL Server.
The sp_MScopyscript stored procedure may be executed by the 'public' role by default, so a database user with low privileges may be able to exploit this issue.
The Microsoft SQL Server must be configured to function as a distributor for this issue to be exploited. Certain other conditions must be satisfied for exploitation to succeed, such as the SQL Server running in the context of a domain user. If the SQL Server is running in the LocalSystem context, then it is not capable of creating a network share on the distributor, which is required for the vulnerable stored procedure to execute the attacker-supplied commands. Replication must also be properly configured for the attack to succeed.
This issue was also documented as BID 5546. That entry has now been deprecated in favor of the original report.
Affected Products:
- Akiva WebBoard 6.1.0
- Microsoft Access 2000
- Microsoft Application Center 2000
- Microsoft BizTalk Server 2000 Developer Edition
- Microsoft BizTalk Server 2000 Enterprise Edition
- Microsoft BizTalk Server 2000 Standard Edition
- Microsoft BizTalk Server 2002 Developer Edition
- Microsoft BizTalk Server 2002 Enterprise Edition
- Microsoft Office 2000
- Microsoft Project Central Server
- Microsoft SQL Server 2000
- Microsoft SQL Server 2000 Desktop Engine
- Microsoft SQL Server 2000 SP1
- Microsoft SQL Server 2000 SP2
- Microsoft SharePoint Team Services from Microsoft
- Microsoft Visio 2000 Enterprise Edition
- Microsoft Visio Enterprise Network Tools
- Microsoft Visual FoxPro 6.0
- Microsoft Visual Studio .NET Academic Edition
- Microsoft Visual Studio .NET Enterprise Architect Edition
- Microsoft Visual Studio .NET Enterprise Developer Edition
- Microsoft Visual Studio .NET Professional Edition
- Microsoft Visual Studio 6.0
- SmartMax Software MailMax 5.0.0
- Veritas Software Backup Exec 9.0.0
- Veritas Software Backup Exec for Windows Servers 9.0.0
References:
- CERT/CC: Vulnerability Note VU#508387
- Microsoft: Microsoft SQL Server Homepage
- Microsoft: Microsoft Security Bulletin MS02-038