MS03-031: Security patch for SQL Server 7.0 Service Pack 4 (821279)



The information in this article applies to:

  • Microsoft SQL Server 7.0 Service Pack 4
  • Microsoft Data Engine (MSDE) 1.0
  • Microsoft Data Engine (MSDE) 1.0 SP4

SUMMARY

This Microsoft Knowledge Base article contains information about the release of a SQL Server 7.0 Service Pack 4 (SP4) and Microsoft Data Engine 1.0 SP4 security patch. This security patch supersedes all previous security patches that are documented in the following Microsoft Knowledge Base article, including the security patch for Microsoft Security Bulletin MS02-061 for SQL Server 7.0:

327068 SQL Server 7.0 security update for Service Pack 4

Important notes

This package does not contain the security fixes that are in Microsoft Data Access Components (MDAC) and SQL Server Analysis Services.

This security patch resolves the following vulnerabilities:
  • Named pipe hijacking
    When SQL Server starts, it creates and then listens on a specific named pipe for incoming connections to the server. A named pipe is a specifically named one-way or two-way channel for communication between a pipe server and one or more pipe clients. SQL Server checks the named pipe to verify what connections can log on to the system that is running SQL Server to run queries against data that is stored on the server.

    A flaw exists in the checking method for the named pipe that might allow an attacker who is local to the system that is running SQL Server to hijack (gain control of) the named pipe when another client uses an authenticated logon password to log on. This would allow the attacker to gain control of the named pipe at the same permission level as the user who is trying to connect. If the user who is trying to connect remotely has a higher level of permissions than the attacker does, the attacker will assume those rights when the named pipe is compromised.
  • Named pipe denial of service
    In the same named pipes scenario that is mentioned in the "Named Pipe Hijacking" section of this bulletin, it is possible for an unauthenticated user who is local to the intranet to send a very large packet to a specific named pipe where the computer running SQL Server is listening and cause it to become unresponsive.

    This vulnerability would not allow an attacker to run arbitrary code or elevate their permissions, but it may still be possible for a denial of service condition to exist that would require that the server be restarted to restore functionality.
  • SQL Server Buffer Overrun
    A flaw exists in a specific Windows function that may allow an authenticated user who has direct access to log on to the system running SQL Server to create a specially crafted packet that, when sent to the listening local procedure call (LPC) port of the system, can cause a buffer overrun. If successfully exploited, this can allow a user who has limited permissions on the system to elevate their permissions to the level of the SQL Server service account, or cause arbitrary code to run.

MORE INFORMATION

Important notes

Read the following important notes about installing this security patch on a computer that is running SQL Server 7.0 SP4.

An error message occurs when you connect to a Microsoft Windows NT 4.0-based computer by using named pipes

When you connect to a Windows NT 4.0-based computer that is running SQL Server 7.0 by using named pipes, and that connection is made by a non-admin user, you may receive an error message that is similar to one of the following:

Message 1

Connection could not be established. SQL Server does not exist

Message 2

Connection could not be established. Access is denied.

To obtain a hotfix to resolve this error message, see the following article in the Microsoft Knowledge Base:

823492 "Connection could not be established" error message when you connect to a Windows NT 4.0-based computer that is running SQL Server 2000 or SQL Server 7.0

Prerequisites

This security patch requires SQL Server 7.0 SP4.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

301511 How to obtain the latest SQL Server 7.0 service pack

For clustered SQL Server 7.0 installations, you must first uncluster SQL Server by running the SQL Server Failover Wizard from the primary cluster node of each virtual SQL Server.

Active/Active

Follow these steps for an Active/Active installation:
  1. Make sure that the computer node where SQL Server 7.0 was originally installed controls both the SQL Server resource groups.
  2. On each node of the cluster, run the Failover Setup Wizard utility to remove that virtual SQL Server.
  3. After you uncluster SQL Server, you must run the hotfix executable file on both the nodes, and complete the hotfix installation successfully before you re-cluster SQL Server.

Active/Passive

Follow these steps for an Active/Passive installation:
  1. Make sure that the computer node where SQL Server 7.0 was originally installed controls the SQL Server resources.
  2. On this same computer node, run the Failover Setup Wizard utility to remove that virtual SQL Server.
  3. After you uncluster SQL Server, you must run the hotfix executable file on the primary node only, and complete the hotfix installation successfully before you re-cluster SQL Server.

Download information

The following file is available for download from the Microsoft Download Center:
Release Date: July 23, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Installation information

This security patch supports the following Setup switches.
   Switch      Description
   -----------------------------------------------------------------------
   /s          Disables the Self Extraction progress dialog box. Must come before the /a switch.
   /a          This parameter must come before all the other parameters except /s if you are running the hotfix by using the self-extracting EXE, and you want to include parameters for unattended installations. This is a mandatory parameter for the installer to run in the unattended mode.
   /q          This switch causes the Setup program to run in silent mode with no user interface.
   BLANKSAPWD  This parameter means that the sa password for SQL Authentication is blank. If you enter this parameter on computers that are running Windows NT or Windows 2000, the default Windows Authentication logon is overridden and it tries to log on with a blank sa password. The correct format for this parameter is BLANKSAPWD=1. This parameter is recognized only for unattended installations.
   SAPWD       Non-blank sa password. If you enter this parameter, it must be in the form of SAPWD=yoursapassword. This parameter overrides default Windows Authentication on computers that are running Windows NT or Windows 2000, or BLANKSAPWD, if entered.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

330391 SQL Server hotfix installer

Restart requirement

You do not have to restart your computer after you apply this security patch unless the hotfix installer prompts you to.

Removal information

The removal of this security patch is not supported unless certain catalogs were backed up before you installed the security patch. For more information, see the "How to Remove or Rollback the Hotfix" section in the following Microsoft Knowledge Base article:

330391 SQL Server hotfix installer

Security patch replacement information

This security patch supersedes all previous security patches that are documented in the following Microsoft Knowledge Base article, including the security patch for Microsoft Security Bulletin MS02-061 for SQL Server 7.0:

327068 SQL Server 7.0 security update for Service Pack 4

File information

The English version of this package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
   Date         Time   Version         Size             File name
   -----------------------------------------------------------------------
   04-Oct-2002  23:59  2000.34.4.0        28,944 bytes  Dbmssocn.dll     
   06-Sep-2002  23:55  2000.33.6.0        53,520 bytes  Distrib.exe      
   06-Sep-2002  23:55  2000.33.6.0        98,576 bytes  Logread.exe      
   05-May-2003  18:34                     54,904 bytes  Opends60.dbg
   05-May-2003  18:34  2000.41.2.0       155,920 bytes  Opends60.dll     
   05-May-2003  18:34                    132,096 bytes  Opends60.pdb
   06-Sep-2002  23:56  2000.33.6.0       250,128 bytes  Rdistcom.dll     
   06-Sep-2002  23:55  2000.33.6.0        82,192 bytes  Replmerg.exe     
   06-Sep-2002  23:56  2000.33.6.0        78,096 bytes  Replres.dll      
   17-Sep-2002  22:52                      7,941 bytes  Securityhotfix.sql
   06-Sep-2002  23:56  2000.33.6.0       160,016 bytes  Snapshot.exe     
   30-May-2003  04:21                     59,214 bytes  Sp4_serv_uni.sql
   15-Jan-2003  01:33  2000.37.13.0      344,064 bytes  Sqlagent.exe     
   06-Sep-2002  23:55  2000.33.6.0        45,056 bytes  Sqlcmdss.dll     
   16-May-2003  00:18  2000.41.14.0    2,629,632 bytes  Sqldmo.dll       
   16-May-2003  13:29  2000.41.14.0       81,920 bytes  Sqlmap70.dll     
   29-May-2003  23:11                  4,370,404 bytes  Sqlservr.dbg
   30-May-2003  02:44  2000.41.28.0    5,062,928 bytes  Sqlservr.exe     
   29-May-2003  23:11                  3,589,120 bytes  Sqlservr.pdb
   04-Oct-2002  23:59  2000.34.4.0        45,328 bytes  Ssmsso70.dll     
   16-May-2003  00:18  2000.41.14.0       24,848 bytes  Ssnmpn70.dll     
   26-Sep-2002  20:30                     28,408 bytes  Ums.dbg
   26-Sep-2002  20:27  2000.33.25.0       57,616 bytes  Ums.dll          
   26-Sep-2002  20:29                     99,328 bytes  Ums.pdb
   16-May-2003  13:31  2000.41.14.0      151,552 bytes  Xpweb70.dll

Verification

To determine the version of SQL Server that you are running, use the information in the following Microsoft Knowledge Base article:

321185 How to identify your SQL Server version and edition

After you apply this security patch, "7.00.1094" should be returned when you run one of the following SELECT statements:
SELECT serverproperty('productversion') 
SELECT @@Version
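
The following is an added example, not part of the Microsoft article: it automates the two checks described above, comparing installed file versions against a subset of the "File information" table and testing the build reported by SELECT @@Version against 7.00.1094. The inventory dictionary and the banner string are constructed sample data, and the function names are hypothetical.

```python
import re

# Patched versions copied from the "File information" table (a subset of the
# versioned binaries, to keep the example short).
PATCHED = {
    "Opends60.dll": "2000.41.2.0",
    "Sqlservr.exe": "2000.41.28.0",
    "Sqldmo.dll": "2000.41.14.0",
    "Ssnmpn70.dll": "2000.41.14.0",
}
PATCHED_BUILD = (7, 0, 1094)  # "7.00.1094" from the Verification section


def vtuple(text):
    """Turn '2000.41.14.0' into (2000, 41, 14, 0) so fields compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def stale_files(inventory):
    """Return names whose installed version is missing or older than the table's."""
    stale = []
    for name, required in PATCHED.items():
        found = inventory.get(name.lower())
        if found is None or vtuple(found) < vtuple(required):
            stale.append(name)
    return sorted(stale)


def build_is_patched(banner):
    """Extract the 'N.NN.NNNN' build from SELECT @@Version output and compare."""
    match = re.search(r"\b(\d+)\.(\d{2})\.(\d{3,4})\b", banner)
    if not match:
        raise ValueError("no build number in banner")
    return tuple(int(g) for g in match.groups()) >= PATCHED_BUILD


# Constructed sample data: one host's file inventory (lower-cased names) and banner.
SAMPLE_INVENTORY = {
    "opends60.dll": "2000.41.2.0",
    "sqlservr.exe": "2000.41.9.0",  # constructed pre-patch value
    "sqldmo.dll": "2000.41.14.0",
    "ssnmpn70.dll": "2000.41.14.0",
}
SAMPLE_BANNER = "Microsoft SQL Server  7.00 - 7.00.1094 (Intel X86)"  # constructed

if __name__ == "__main__":
    print("stale:", stale_files(SAMPLE_INVENTORY))
    print("build patched:", build_is_patched(SAMPLE_BANNER))
```

Comparing the versions as strings would rank 2000.41.9.0 above 2000.41.28.0 and miss the stale Sqlservr.exe, which is why each field is converted to an integer first.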

REFERENCES

For more information about this security patch, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 5/11/2006