
MS SQL PacketResolution DoS

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects an attempt to exploit a denial of service vulnerability in MS SQL.

Additional Information

A vulnerability has been discovered in Microsoft SQL Server 2000 that could make it possible for remote attackers to gain access to target hosts.

A problem in the SQL Server Resolution Service makes it possible for a remote user to execute arbitrary code on a vulnerable host. An attacker could exploit a heap-based overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434.

UDP port 1434 is designated as the Microsoft SQL Monitor port. Clients connect to this port to discover how connections to SQL Server should be made. The heap overflow is triggered when SQL Server receives a packet that starts with the byte 0x08, followed by an overly long string, and ends with a ':' followed by a number. This corrupts key memory structures necessary for normal operation.

If the packet consists of data not specifically designed to cause code execution, a denial of service may result. It may be possible to custom-craft the exploit code to execute arbitrary instructions in the security context of the SQL Server. This may provide a remote attacker with local access on the underlying host.
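A detection check for the packet shape described above, as an added example that is not Symantec's signature: it flags UDP port 1434 datagrams that start with 0x08, carry an overly long string, and end with ':' and a number. The 32-byte length threshold, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import re

SSRP_PORT = 1434    # UDP port named in the advisory
LEAD_BYTE = 0x08    # leading byte of the triggering packet, per the advisory
MAX_NAME_LEN = 32   # assumption: the advisory gives no length; tune locally

# ':' followed by a number at the very end of the datagram.
_TRAILER = re.compile(rb":\d+\Z")


def classify(dst_port: int, payload: bytes, max_len: int = MAX_NAME_LEN) -> str:
    """Classify one UDP datagram as 'ignore', 'ok', 'suspect' or 'alert'."""
    if dst_port != SSRP_PORT or not payload or payload[0] != LEAD_BYTE:
        return "ignore"                      # not the request type in question
    m = _TRAILER.search(payload, 1)
    name = payload[1:m.start()] if m else payload[1:]
    if len(name) <= max_len:
        return "ok"
    # Full pattern (long string + ':' + number) is an alert; an overlong
    # string without the trailer is still worth an analyst's attention.
    return "alert" if m else "suspect"


def scan(datagrams, max_len: int = MAX_NAME_LEN):
    """Return (index, verdict) for every datagram that is not ignore/ok."""
    hits = []
    for i, (dst_port, payload) in enumerate(datagrams):
        verdict = classify(dst_port, payload, max_len)
        if verdict in ("suspect", "alert"):
            hits.append((i, verdict))
    return hits


# Constructed sample traffic: (destination port, UDP payload).
SAMPLES = [
    (1434, b"\x02"),                           # leading byte is not 0x08
    (1434, b"\x08" + b"INST01" + b":1433"),    # short string, within the limit
    (1434, b"\x08" + b"A" * 300 + b":1433"),   # long string + ':' + number
    (1434, b"\x08" + b"A" * 300),              # long string, no trailer
    (53,   b"\x08" + b"A" * 300 + b":1433"),   # same bytes, unrelated port
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLES):
        print(f"datagram {index}: {verdict}")
```

The check works on single reassembled datagrams; fragmented traffic must be reassembled before it is applied.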

UPDATE:

On January 25, 2003, DeepSight TMS detected a significant increase in UDP traffic destined for port 1434. Port 1434 is associated with Microsoft SQL Server. Initial analysis has suggested the presence of a new worm that is propagating rapidly through hosts running SQL Server.

The worm can use significant amounts of bandwidth. It was originally suspected that this was due to a denial of service attack built into the worm. It has turned out that this is not the case -- the bandwidth consumption is due to aggressive propagation.

At this time it is suspected that the worm may exploit BID 5310 or 5311. This is not yet confirmed.

Administrators are advised to block all external access to database servers until more information is available. Access to TCP and UDP ports 1434 should be denied completely. Additionally, implementing filter rules for other ports may also decrease the chances of compromise through as yet unknown avenues. This should be done even if the patch for this particular vulnerability has been installed.

Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.

Affected

  • Microsoft Data Engine 2000
  • Microsoft SQL Server 2000 SP1, SP2
  • Veritas Software Backup Exec for Windows Servers 9.0

Response

Prior to installing the fixes, administrators are advised to ensure that all SQL Server processes are inactive. Ensure that all installations of SQL Server are patched, and reboot the system before restarting SQL Server.

Veritas Software Backup Exec 9.0 ships with some MSDE components and may therefore be prone to this vulnerability. Users are advised to apply the Microsoft fixes to address this vulnerability for Backup Exec.

A specific fix has been released for the Microsoft .NET Framework SDK. See the References section for a link to Microsoft Knowledge Base article 813850 for instructions and download information.

Fixes available:


Microsoft SQL Server 2000:
Microsoft Patch Q280380
Microsoft Patch Q299717
Microsoft Patch Q298012
Microsoft Upgrade sql2ksp2
Microsoft Hotfix KillPwd.exe
Microsoft Service Pack sql2ksp3

Microsoft Data Engine 2000:
Microsoft Patch Q323875_SQL2000_SP2_en

Microsoft SQL Server 2000 SP1:
Microsoft Patch Q299717
Microsoft Patch Q298012
Microsoft Hotfix s80428i
Microsoft Upgrade sql2ksp2
Microsoft Service Pack sql2ksp3

Microsoft SQL Server 2000 SP2:
Microsoft Patch Q316333
Microsoft Patch SQLXML2_Q321460
Microsoft Patch Q321858_SQL_Security_MDAC26
Microsoft Patch Q321858_SQL_Security_MDAC27
Microsoft Patch SQLXML3_Q320833
Microsoft Patch Q323875_SQL2000_SP2_en
Microsoft Service Pack sql2ksp3