This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects any attempts to overflow the Microsoft SQL Server Resolution Service.
A vulnerability has been discovered in Microsoft SQL Server 2000 that could allow remote attackers to gain access to the target hosts.
A problem in the SQL Server Resolution Service makes it possible for a remote user to execute arbitrary code on a vulnerable host. An attacker could exploit a stack-based overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434.
UDP port 1434 is designated as the Microsoft SQL Monitor port. Clients connect to this port to discover how connections to the SQL Server should be made. When the SQL Server receives a packet starting with byte 0x04, any characters following that byte are appended to a string that is used to attempt to open the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\(appended characters here)\MSSQLServer\CurrentVersion.
If a large number of bytes are appended to the packet, the buffer overflow condition is triggered; as a result, the attacker can overwrite key areas in memory and obtain control over the SQL Server process. It may be possible to craft exploit code that executes arbitrary instructions in the security context of the SQL Server. This may provide a remote attacker with local access on the underlying host.
The W32.SQLEXP.Worm worm exploited this vulnerability in Microsoft SQL Server.
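The request format described above lends itself to a simple defender-side check on captured UDP datagrams. The following is an added example, not Symantec's signature logic: it flags port 1434 packets that start with 0x04 and carry an appended name that is too long or not printable. The 16-byte limit (SQL Server's instance-name limit), the NUL-terminator handling, the function names and the sample datagrams are assumptions made for illustration.

```python
# Added example: defender-side check for the UDP/1434 request described above.
SSRS_PORT = 1434        # SQL Monitor port (from the page)
REQUEST_BYTE = 0x04     # leading byte that triggers the registry lookup (from the page)
MAX_NAME_LEN = 16       # assumption: SQL Server's instance-name length limit
KEY_FMT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server"
           r"\{}\MSSQLServer\CurrentVersion")


def inspect_datagram(dst_port, payload):
    """Classify one UDP datagram; returns (verdict, detail)."""
    if dst_port != SSRS_PORT or not payload:
        return ("ignore", "not resolution-service traffic")
    if payload[0] != REQUEST_BYTE:
        return ("ignore", "leading byte 0x%02x is not 0x04" % payload[0])
    # Everything after 0x04 is what the service appends to the key path.
    appended = payload[1:]
    # Assumption: the name is treated as a NUL-terminated string.
    name = appended.split(b"\x00", 1)[0]
    if len(name) > MAX_NAME_LEN:
        return ("alert", "appended name is %d bytes (limit %d)"
                % (len(name), MAX_NAME_LEN))
    if any(b < 0x20 or b > 0x7E for b in name):
        return ("alert", "appended name contains non-printable bytes")
    # Benign case: show the registry key the service would try to open.
    return ("ok", KEY_FMT.format(name.decode("ascii")))


# Constructed sample datagrams (dst_port, payload); filler bytes only.
SAMPLES = [
    (1434, b"\x04SQLEXPRESS\x00"),   # plausible lookup for a named instance
    (1434, b"\x04" + b"A" * 64),      # oversized name, no terminator
    (1434, b"\x04INST\x01\xff"),      # short, but with non-printable bytes
    (1434, b"\x02"),                  # leading byte is not 0x04
    (53,   b"\x04SQLEXPRESS\x00"),   # same bytes, different port
]


def scan(samples):
    """Return the verdict for each datagram, in order."""
    return [inspect_datagram(port, data)[0] for port, data in samples]


if __name__ == "__main__":
    for (port, data), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(port, len(data), verdict, inspect_datagram(port, data)[1])
```

The same length and character tests can be expressed as a network IDS rule or a perimeter filter; SQL Server hosts that do not need name resolution from untrusted networks should not expose UDP 1434 to them at all.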
- Microsoft Data Engine 2000
- Microsoft SQL Server 2000 SP1, SP2
- Veritas Software Backup Exec for Windows Servers 9.0