Article ID: 256052 - View products that this article applies to.
This article was previously published under Q256052
This article has been archived. It is offered "as is" and will no longer be updated.
BUG #: 57634 (SQLBUG_70)
If a user is able to submit a particular form of a SQL SELECT statement to SQL Server, it is possible to take actions on the SQL database. If the SQL Server is operating in an account with elevated privileges on the underlying system, it is possible to take actions on the underlying operating system.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To work around this issue without the fix, you can disallow ad-hoc through the OpenRowset() function as discussed in the SQL Server Books Online topic Configuring OLE DB Providers for Distributed Queries.
To automate the workaround copy the following and create a .reg file, and then double-click the .reg file. This disables all ad-hoc query access through OLE DB providers from your SQL Server or Microsoft Data Engine (MSDE) installation. You may also manually add each of these registry keys. For more information about using regedit .reg files, see the Help menu of regedit for your Microsoft Windows NT or Microsoft Windows 2000 documentation.
Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\Microsoft.Jet.OLEDB.4.0] "DisallowAdhocAccess"=dword:00000001
Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 2 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
254561For more information, contact your primary support provider.
(http://support.microsoft.com/kb/254561/ )INF: How to Obtain Service Pack 2 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0
Instructions to Microsoft Customers for Applying the Sqlservr.exe HotfixPlease read through this file thoroughly before proceeding with any steps of the hotfix installation.
Hotfixes are intended for interim use until the next service pack is available, at which point you should upgrade immediately.
While running a hotfix, if conditions arise requiring assistance from Microsoft product support, you may be asked to upgrade immediately to a newer hotfix or the next service pack. Performing this upgrade may be required in order to expedite troubleshooting and problem resolution.
IMPORTANT: This hotfix requires the installation of 7.0 Service Pack 1. You MUST install 7.0 Service Pack 1 before applying this hotfix. If you are running 7.0 Service Pack 2 or later, you do not need this hotfix.
This hotfix contains the following files:
Sqlservr.exe - Main SQL Server ExecutableIf you are installing this hotfix on a server running SQL 7.0 Enterprise Edition with clustering enabled, please use the section titled "Hotfix Installation Steps for SQL 7.0 EE with Clustering Enabled" for installation instructions. All other environments should use the section titled "Standard Hotfix Installation Steps".
Sqlservr.dbg - SQL Server symbol file
Sqlservr.pdb - SQL Server symbol file
Standard Hotfix Installation Steps
Hotfix Installation Steps for SQL 7.0 EE with Clustering Enabled
For example, to shut down the server, just use a SELECT statement like the following:
If the SQL Server database administrator account is also the administrator account, or a highly privileged account on the server platform, then this vulnerability may be exploited to assume control of the underlying platform. If the database administrator account is an ordinary user account, or does not have such privileges, then exploitation of the vulnerability is limited to the database itself.
Users who have SQL Server databases that are accessible through DB-Library, ODBC or OLE-DB should install the patch. Alternatively, users may install SQL Server 7.0 Service Pack 2, which also contains code that eliminates this vulnerability.
The patch eliminates the vulnerability by preventing standard security users from becoming trusted users when connecting back into SQL Server.
For additional security-related information about Microsoft products, visit the following Microsoft Web site: