MS03-031: Security Patch for SQL Server 2000 64-bit (821280)

SUMMARY

Here is a list of the vulnerabilities that are resolved in this security patch:

Named Pipe Hijacking
When SQL Server starts, it creates and then listens on a specific named pipe for incoming connections to the server. A named pipe is a specifically named one-way or two-way channel for communication between a pipe server and one or more pipe clients. SQL Server checks the named pipe to verify what connections can log on to the system that is running SQL Server to run queries against data that is stored on the server.

A flaw exists in the checking method for the named pipe that might allow an attacker who is local to the system that is running SQL Server to hijack (gain control of) the named pipe when another client uses an authenticated logon password to logon. This would allow the attacker to gain control of the named pipe at the same permission level as the user who is trying to connect. If the user who is trying to connect remotely has a higher level of permissions than the attacker does, the attacker will assume those rights when the named pipe is compromised.
Named Pipe Denial of Service
In the same named pipes scenario that is mentioned in the "Named Pipe Hijacking" section of this article, an unauthenticated user who is local to the intranet might be able to send a very large packet to a specific named pipe where the system running SQL Server is listening and cause it to become unresponsive.

This vulnerability does not allow an attacker to run arbitrary code or elevate their permissions; however, a denial of service condition might still exist that requires you to restart the server to restore functionality.
SQL Server Buffer Overrun
A flaw exists in a specific Windows function that may allow an authenticated user who has direct access to log on to the system running SQL Server the ability to create a specially crafted packet that when sent to the listening local procedure call (LPC) port of the system, can cause a buffer overrun. If successfully exploited, this can allow a user who has limited permissions on the system to elevate their permissions to the level of the SQL Server service account, or cause arbitrary code to run.

For more information about the latest service pack for Microsoft SQL Server 2000, click the following article number to view the article in the Microsoft Knowledge Base:

290211 How to obtain the latest SQL Server 2000 service pack

MORE INFORMATION

Download Information

The following file is available for download from the Microsoft Download Center:
SQL Server 2000(64-bit) Security Patch MS03-031

Release Date: 23 July 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This patch requires SQL Server 2000 64-bit.

Installation Information

This patch supports the following Setup switches:

Switch	Description
/s	Disables the Self Extraction progress dialog box. Must come before the /a switch.
/a	This parameter must come before all parameters except /s if you are running the hotfix by using the self-extracting EXE, and you want to include parameters for unattended installations. This is a mandatory parameter for the installer to run in the unattended mode.
/q	This switch causes the Setup program to run in silent mode with no user interface.
INSTANCENAME	Name of the instance of SQL Server. You must enter it as follows: `INSTANCENAME=yourinstancename`
BLANKSAPWD	Means a blank sa password for SQL Authentication. If you enter this parameter on computers that are running Microsoft Windows NT or Microsoft Windows 2000, the default Windows Authentication logon is overridden and it tries to log on with a blank sa password. The correct format for this parameter is `BLANKSAPWD=1`. This parameter is recognized only for unattended installations.
SAPWD	Non-blank sa password. If you enter this parameter, it must be in the form of SAPWD=`yoursapassword`. This parameter overrides the default Windows Authentication on computers that are running Windows NT or Windows 2000, or BLANKSAPWD, if entered.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

330391 SQL Server hotfix installer

Restart Requirement

You do not have to restart your computer after you apply this security patch unless the hotfix installer prompts you to.

Removal Information

The removal of this patch is not supported unless certain catalogs were backed up before the installation of this security patch. For more information, see the "How to Remove or Rollback the Hotfix" section in the following Microsoft Knowledge Base article:

330391 SQL Server hotfix installer

Patch Replacement Information

This patch does not replace any other SQL Server 2000 64 bit security patches.

File Information

The English version of this security patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

    Date         Time   Version        Size            File name
   ---------------------------------------------------------------------------
   25-Jun-2003  01:13  2000.80.818.0      56,832 bytes  Dbmslpcn.dll     IA64
   25-Jun-2003  01:12                    159,744 bytes  Dbmslpcn.pdb
   08-Feb-2003  05:43                    786,432 bytes  Distmdl.ldf
   08-Feb-2003  05:43                  2,359,296 bytes  Distmdl.mdf
   30-Jan-2003  01:55                        180 bytes  Drop_repl_hotfix.sql
   30-Jan-2003  05:18                    746,470 bytes  Instdist.sql
   03-May-2003  01:56                      1,581 bytes  Inst_repl_hotfix.sql
   31-Mar-2003  21:27  2000.80.765.0     185,856 bytes  Msgprox.dll      IA64
   16-Jul-2003  18:55  2000.80.818.0     150,528 bytes  Odsole70.dll     IA64
   16-Jul-2003  19:27  2000.80.818.0     149,504 bytes  Osql.exe         IA64
   08-Feb-2003  03:53                  1,065,895 bytes  Replmerg.sql
   31-Mar-2003  21:27  2000.80.765.0     533,504 bytes  Replprov.dll     IA64
   31-Mar-2003  21:27  2000.80.765.0     767,488 bytes  Replrec.dll      IA64
   05-May-2003  00:05                  1,085,874 bytes  Replsys.sql
   29-May-2003  00:29                    115,944 bytes  Sp3_serv_uni.sql
   01-Jun-2003  22:18  2000.80.818.0  13,845,504 bytes  Sqldmo.dll       IA64
   16-Jul-2003  19:13                     39,936 bytes  Sqldumper.exe    IA64
   31-Mar-2003  21:24  2000.80.789.0      19,968 bytes  Sqlevn70.rll
   31-Mar-2003  21:27  2000.80.778.0      23,040 bytes  Sqlmap70.dll     IA64
   31-Mar-2003  21:27  2000.80.765.0     152,064 bytes  Sqlrepss.dll     IA64
   02-Jun-2003  20:37  2000.80.818.0  24,750,592 bytes  Sqlservr.exe     IA64
   02-Jun-2003  20:26                 20,859,904 bytes  Sqlservr.pdb
   31-Mar-2003  21:27  2000.80.765.0     120,320 bytes  Sqlvdi.dll       IA64
   25-Jun-2003  01:13  2000.80.818.0      53,760 bytes  Ssmslpcn.dll     IA64
   25-Jun-2003  01:12                    159,744 bytes  Ssmslpcn.pdb
   01-Jun-2003  21:51  2000.80.818.0     254,976 bytes  Ssnetlib.dll     IA64
   01-Jun-2003  21:51                    339,968 bytes  Ssnetlib.pdb
   02-Jun-2003  00:41  2000.80.818.0      20,992 bytes  Ssnmpn70.dll     IA64
   02-Jun-2003  00:40                    135,168 bytes  Ssnmpn70.pdb
   01-Jun-2003  21:48  2000.80.818.0     430,080 bytes  Svrnetcn.dll     IA64
   01-Jun-2003  21:48  2000.80.818.0     185,856 bytes  Svrnetcn.exe     IA64
   01-Jun-2003  21:46                    495,616 bytes  Svrnetcn.pdb
   31-Mar-2003  21:27  2000.80.778.0     186,368 bytes  Xpweb70.dll      IA64

Verification

Use the information in the following Microsoft Knowledge Base article to determine what version of SQL Server you are running:

321185 How to identify your SQL Server version and edition

After you apply this security patch, when you run

SELECT serverproperty('productversion')

-or-

SELECT @@Version

the following should be returned:

8.00.0818