Microsoft KB Archive/815495

= MS03-031: Cumulative security patch for SQL Server =

Article ID: 815495

Article Last Modified on 5/10/2006


APPLIES TO


 * Microsoft SQL Server 2000 64-bit Edition
 * Microsoft SQL Server 2000 Service Pack 3
 * Microsoft SQL Server 2000 Service Pack 3a
 * Microsoft SQL Server 7.0 Service Pack 4
 * Microsoft SQL Server 2000 Desktop Engine
 * Microsoft Data Engine 1.0




SUMMARY
Microsoft has released a security patch to correct vulnerabilities in the following products:
 * Microsoft SQL Server 2000 Service Pack 3 (SP3)
 * Microsoft SQL Server 2000 Desktop Engine (MSDE) Service Pack 3
 * Microsoft SQL Server 2000 64-bit
 * Microsoft SQL Server 7.0 Service Pack 4 (SP4)
 * Microsoft Data Engine 1.0 Service Pack 4 (SP4)

Here is a list of the vulnerabilities that are resolved in this security patch:
 * Named pipe hijacking

When SQL Server starts, it creates and then listens on a specific named pipe for incoming connections to the server. A named pipe is a specifically named one-way or two-way channel for communication between a pipe server and one or more pipe clients. SQL Server checks the named pipe to verify what connections can log on to the system that is running SQL Server to run queries against data that is stored on the server.

A flaw exists in the checking method for the named pipe that might allow an attacker who is local to the system that is running SQL Server to hijack (gain control of) the named pipe when another client uses an authenticated logon password to log on. This would allow the attacker to gain control of the named pipe at the same permission level as the user who is trying to connect. If the user who is trying to connect remotely has a higher level of permissions than the attacker does, the attacker will assume those rights when the named pipe is compromised.
 * Named pipe denial of service

In the same named pipes scenario that is mentioned in the "Named Pipe Hijacking" section of this article, an unauthenticated user who is local to the intranet might be able to send a very large packet to a specific named pipe where the system running SQL Server is listening and cause it to become unresponsive.

This vulnerability does not allow an attacker to run arbitrary code or elevate their permissions; however, a denial of service condition might still exist that requires you to restart the server to restore functionality.
 * SQL Server buffer overrun

A flaw exists in a specific Windows function that may allow an authenticated user who can log on directly to the system running SQL Server to create a specially crafted packet that, when sent to the listening local procedure call (LPC) port of the system, can cause a buffer overrun. If successfully exploited, this can allow a user who has limited permissions on the system to elevate their permissions to the level of the SQL Server service account, or cause arbitrary code to run.



MORE INFORMATION
For more information about these vulnerabilities and how to obtain the patches, select the Microsoft Knowledge Base article that corresponds with your version of SQL Server from the following list.

SQL Server 2000 Service Pack 3 (SP3) or Microsoft SQL Server 2000 Desktop Engine (MSDE) Service Pack 3 (SP3)
821277 MS03-031: Security patch for SQL Server 2000 Service Pack 3

Important notes
Read these important notes regarding the installation of this security patch on a computer that is running SQL Server 2000 SP3.

Universal Description, Discovery, and Integration (UDDI) Services
If you install this security patch on a computer that is running Microsoft Windows Server 2003 and UDDI Services is installed, you must take one of two actions to restart UDDI Services, depending on your circumstances. UDDI Services will not resume normal functioning until you do.
 * If no other Web service is in use on the computer that is running Windows Server 2003, you can restart the UDDI Services by restarting Microsoft Internet Information Services (IIS). Restarting IIS is the same as first stopping IIS, and then starting it again, except it is done with a single command. There are two ways to restart IIS:
   * Use the IIS Manager graphical user interface.
   * Use the IISReset command-line utility.
 * If other Web services are in use on the computer that is running Windows Server 2003, you may not want to affect their operation. To restart the UDDI Services, follow these steps:
   * Start the IIS Manager utility.
   * Locate the Application Pools folder, and then right-click the MSUDDIAppPool icon.
   * Click to select the Recycle menu option. Doing so will allow UDDI Services to resume operation without affecting any other Web service on the computer.

An error message occurs when you connect to a Microsoft Windows NT 4.0-based computer by using named pipes
When you connect to a Windows NT 4.0-based computer that is running Microsoft SQL Server 2000 by using named pipes, and that connection is made by a non-admin user, you may receive an error message that resembles one of the following:

Message 1

Connection could not be established. SQL Server does not exist

Message 2

Connection could not be established. Access is denied.

To obtain a hotfix to resolve this error message, see the following article in the Microsoft Knowledge Base:

823492 "Connection could not be established" error message when you connect to a Windows NT 4.0-based computer that is running SQL Server 2000 or SQL Server 7.0

SQL Server 2000 64-bit
821280 MS03-031: Security patch for SQL Server 2000 64-bit

SQL Server 7.0 Service Pack 4 (SP4) or Microsoft Data Engine 1.0 Service Pack 4 (SP4)
821279 MS03-031: Security patch for SQL Server 7.0 Service Pack 4

Important notes
Read these important notes about the installation of this security patch on a computer that is running SQL Server 7.0 Service Pack 4 (SP4).

An error message occurs when you connect to a Microsoft Windows NT 4.0-based computer by using named pipes
When you connect to a Windows NT 4.0-based computer that is running Microsoft SQL Server 2000 by using named pipes, and that connection is made by a non-admin user, you may receive an error message that resembles one of the following:

Message 1

Connection could not be established. SQL Server does not exist

Message 2

Connection could not be established. Access is denied.

To obtain a hotfix to resolve this error message, see the following article in the Microsoft Knowledge Base:

823492 "Connection could not be established" error message when you connect to a Windows NT 4.0-based computer that is running SQL Server 2000 or SQL Server 7.0

Additional query words: security patch

Keywords: kbbug kbfix kbsqlserv2000presp4fea kbqfe kbsqlserv700presp5fix KB815495


© Microsoft Corporation. All rights reserved.