Microsoft SQL Server Resolution Service Buffer Overflows Let Remote Users Execute Arbitrary Code with the Privileges of the SQL Service
SecurityTracker Alert ID: 1004829
CVE Reference: CAN-2002-0649, CAN-2002-0650
Date: Jul 25 2002
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2000
Description: Microsoft reported two buffer overflow vulnerabilities and one denial of service vulnerability in SQL Server 2000. A remote user could execute arbitrary code on the server with the privileges of the database service. A remote user could also cause system performance to be degraded.

A remote user can reportedly send a specially crafted packet to the SQL Server 2000 Resolution Service on UDP port 1434 to trigger one of two overflows, a heap overflow or a stack overflow. This could cause the SQL Server service to crash, or it could cause arbitrary code to be executed in the security context of the SQL Server service. By default, this service runs as a Domain User.

A remote user also could trigger a packet storm between two servers by sending a spoofed keep-alive packet to the Resolution Service. The target SQL Server 2000 responds to such a packet with the same information. If the original packet was crafted to appear to have originated from another SQL Server 2000 system, the two systems could reportedly enter a never-ending cycle of keep-alive packet exchanges, causing excessive resources to be consumed on both systems.

Microsoft credits David Litchfield of Next Generation Security Software Ltd. for reporting these issues.
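The two traffic patterns in the description above leave a visible footprint in firewall or flow logs. What follows is an added example, not part of the SecurityTracker alert or of Microsoft's bulletin: it parses a few constructed flow-log lines and flags (a) UDP datagrams to port 1434 arriving from outside the trusted network, which Microsoft's suggested mitigation of blocking port 1434 at the firewall would stop, and (b) a sustained, symmetric 1434-to-1434 exchange between two hosts, the shape of the spoofed keep-alive loop. The log layout, the addresses, the trusted address range and the count threshold are assumptions made for this example.

```python
"""Added example (not from the SecurityTracker alert or the Microsoft bulletin).

Flags the two MS02-039 traffic patterns described in the alert in a flow log:
  1. UDP datagrams to port 1434 (SQL Server Resolution Service) from outside
     the trusted network, which blocking 1434 at the firewall would stop;
  2. a sustained, symmetric 1434<->1434 exchange between two hosts, the shape
     of the spoofed keep-alive loop (CAN-2002-0650).
Log layout, addresses, trusted range and threshold are assumptions for the example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SSRP_PORT = 1434                              # Resolution Service port (from the bulletin)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]     # assumed internal address range
LOOP_THRESHOLD = 20                           # assumed: datagrams per direction before calling it a loop

# Assumed flow-log layout: "<epoch> <proto> <src>:<sport> <dst>:<dport> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>[A-Z]+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<size>\d+)$"
)


def parse_flow(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    flow = m.groupdict()
    for key in ("ts", "sport", "dport", "size"):
        flow[key] = int(flow[key])
    return flow


def is_trusted(addr):
    """True if the address lies inside one of the assumed trusted networks."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return external SSRP senders and suspected keep-alive loops found in the log lines."""
    external = Counter()   # (src, dst) -> UDP/1434 datagrams from untrusted sources
    directed = Counter()   # (src, dst) -> datagrams with source and destination port both 1434
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "UDP" or flow["dport"] != SSRP_PORT:
            continue
        if not is_trusted(flow["src"]):
            external[(flow["src"], flow["dst"])] += 1
        if flow["sport"] == SSRP_PORT:
            directed[(flow["src"], flow["dst"])] += 1

    loops = []
    for (a, b), n_ab in directed.items():
        if a < b:   # visit each unordered host pair once
            n_ba = directed.get((b, a), 0)
            if n_ab >= LOOP_THRESHOLD and n_ba >= LOOP_THRESHOLD:
                loops.append((a, b, n_ab, n_ba))
    return {"external_ssrp": dict(external), "keepalive_loops": sorted(loops)}


def build_sample_log():
    """Constructed log lines: one benign internal client query, two external probes,
    one TCP 1433 session, a junk line, and 25 datagrams in each direction between
    two SQL hosts on UDP 1434 (the keep-alive loop)."""
    lines = [
        "1027540800 UDP 10.0.0.5:3456 10.0.1.20:1434 32",       # internal client, benign
        "1027540801 UDP 203.0.113.7:40000 10.0.1.20:1434 400",  # external -> SSRP
        "1027540801 UDP 203.0.113.7:40001 10.0.1.20:1434 600",  # external -> SSRP
        "1027540802 TCP 203.0.113.7:40002 10.0.1.20:1433 120",  # TCP session port, not SSRP
        "not a flow line",                                       # ignored by the parser
    ]
    for i in range(25):
        lines.append(f"{1027540803 + i} UDP 10.0.1.20:1434 10.0.1.21:1434 64")
        lines.append(f"{1027540803 + i} UDP 10.0.1.21:1434 10.0.1.20:1434 64")
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for (src, dst), n in result["external_ssrp"].items():
        print(f"external UDP/1434 traffic: {src} -> {dst} ({n} datagrams); block 1434 at the firewall")
    for a, b, n_ab, n_ba in result["keepalive_loops"]:
        print(f"suspected keep-alive loop: {a} <-> {b} ({n_ab}/{n_ba} datagrams); restart one SQL service")
```

On the constructed input the external probes from 203.0.113.7 are reported once per (source, destination) pair, and the 10.0.1.20/10.0.1.21 pair is reported as a loop because both directions exceed the threshold; the single internal client query and the TCP 1433 session are left alone. In a real deployment the threshold would be set from a baseline of normal Resolution Service traffic, since legitimate keep-alives between instances are also 1434-to-1434 but occur at a far lower rate than the storm the bulletin describes.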
Impact: A remote user could cause arbitrary code to be executed on the system with the privileges of the SQL Server service, giving the remote user full control over the database. A remote user could cause performance on two SQL Server hosts to become degraded.

Solution: Microsoft has released a patch for Microsoft SQL Server 2000, available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

This patch can reportedly be installed on systems running SQL Server 2000 SP2. Microsoft reports that this fix will be included in SQL Server 2000 SP3.

Microsoft plans to issue Knowledge Base article Q323875 regarding this issue, to be available shortly on the Microsoft Online Support web site:
http://search.support.microsoft.com/kb/c.asp?SD=SO&LN=EN-US
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-039.asp
Cause: Boundary error, State error
Underlying OS: Windows (2000), Windows (XP)
Reported By: secnotif@microsoft.com

Message History: This archive entry has one or more follow-up message(s) listed below.

Source Message Contents
Date: Wed, 24 Jul 2002 19:08:55 -0700
From: secnotif@microsoft.com
Subject: Microsoft Security Bulletin MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: Buffer Overruns in SQL Server 2000 Resolution Service
Could Enable Code Execution (Q323875)
Date: 24 July 2002
Software: SQL Server 2000
Impact: Three vulnerabilities, the most serious of which could
enable an attacker to gain control over an affected
SQL Server 2000 installation
Max Risk: Critical
Bulletin: MS02-039
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.
- ----------------------------------------------------------------------
Issue:
======
SQL Server 2000 introduces the ability to host multiple instances of
SQL Server on a single physical machine. Each instance operates for
all intents and purposes as though it was a separate server. However,
the multiple instances cannot all use the standard SQL Server session
port (TCP 1433). While the default instance listens on TCP port 1433,
named instances listen on any port assigned to them. The SQL Server
Resolution Service, which operates on UDP port 1434, provides a way
for clients to query for the appropriate network endpoints to use for
a particular SQL Server instance.
There are three security vulnerabilities here. The first two are
buffer overruns. By sending a carefully crafted packet to the
Resolution Service, an attacker could cause portions of system memory
(the heap in one case, the stack in the other) to be overwritten.
Overwriting it with random data would likely result in the failure of
the SQL Server service; overwriting it with carefully selected data
could allow the attacker to run code in the security context of the
SQL Server service.
The third vulnerability is a denial of service vulnerability. SQL
uses a keep-alive mechanism to distinguish between active and passive
instances. It is possible to create a keep-alive packet that, when
sent to the Resolution Service, will cause SQL Server 2000 to respond
with the same information. An attacker who created such a packet,
spoofed the source address so that it appeared to come from one SQL
Server 2000 system, and sent it to a neighboring SQL Server 2000
system could cause the two systems to enter a never-ending cycle of
keep-alive packet exchanges. This would consume resources on both
systems, slowing performance considerably.
Mitigating Factors:
====================
Buffer Overruns in SQL Server Resolution Service:
- SQL Server 2000 runs in a security context chosen by the
administrator at installation time. By default, it runs as
a Domain User. Thus, although the attacker's code could take
any desired action on the database, it would not necessarily
have significant privileges at the operating system level if
best practices have been followed.
- The risk posed by the vulnerability could be mitigated by,
if feasible, blocking port 1434 at the firewall.
Denial of Service via SQL Server Resolution Service:
- An attack could be broken off by restarting the SQL Server
2000 service on either of the affected systems. Normal
processing on both systems would resume once the attack ceased.
- The vulnerability provides no way to gain any privileges on the
system. It is a denial of service vulnerability only.
Maximum Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
for information on obtaining this patch.
Acknowledgment:
===============
- David Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com/)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPT810I0ZSRQxA/UrAQHfeggAl7tzuykuTyoNZy2FMvMVcs+5e6PqijaG
IB3rDbN0y3O+YLitDD7EGUVWNmRjfcFnZsAELmRwTtVNWXCKnhEuW6hNBIHa4x9V
U7KXsnv4aasoUX0477x7EekyTFhLCqit1vHKb46mAr4LhYdqbDF3qWwPhmPgiJWk
BV4QR78fdpKFx6RkKof5wMDBG9AFMC1UlD0jEP1LsTeOXkCUL3XEfWjCYnQ+bd2x
/NKN4tAszJC/NW0Lq9L7HkPkCUDYRpXLwLmj4qxym+LQiFdVFUgUh/AAI/8j9hUX
bPCLvizUwTDnJiZZTo2L4louG1XaEiAJSGJru2eVVEX0EtUgICfKJQ==
=6ANq
-----END PGP SIGNATURE-----
*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more
information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:
Send an email to unsubscribe to the Service by following these steps:
a. Send an e-mail to securrem@microsoft.com. The subject line and the message body are not used to process the subscription request, and can be anything you like.
b. Send the e-mail.
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK" in the message body. (Without the quotes). Send the reply.
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.