
Buffer Overruns in SQL Server 2000 Resolution Service

by Nikola Strahija on July 25th, 2002

Date: 24 July 2002
Software: SQL Server 2000
Impact: Three vulnerabilities, the most serious of which could enable an attacker to gain control over an affected SQL Server 2000 installation
Max Risk: Critical
Bulletin: MS02-039


Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.

Issue:
======
SQL Server 2000 introduces the ability to host multiple instances of
SQL Server on a single physical machine. Each instance operates for
all intents and purposes as though it was a separate server. However,
the multiple instances cannot all use the standard SQL Server session
port (TCP 1433). While the default instance listens on TCP port 1433,
named instances listen on any port assigned to them. The SQL Server
Resolution Service, which operates on UDP port 1434, provides a way
for clients to query for the appropriate network endpoints to use for
a particular SQL Server instance.

There are three security vulnerabilities here. The first two are
buffer overruns. By sending a carefully crafted packet to the
Resolution Service, an attacker could cause portions of system memory
(the heap in one case, the stack in the other) to be overwritten.
Overwriting it with random data would likely result in the failure of
the SQL Server service; overwriting it with carefully selected data
could allow the attacker to run code in the security context of the
SQL Server service.

The third vulnerability is a denial of service vulnerability. SQL
Server uses a keep-alive mechanism to distinguish between active and
passive instances. It is possible to create a keep-alive packet that,
when sent to the Resolution Service, will cause SQL Server 2000 to
respond with the same information. An attacker who created such a
packet, spoofed the source address so that it appeared to come from
one SQL Server 2000 system, and sent it to a neighboring SQL Server
2000 system could cause the two systems to enter a never-ending cycle
of keep-alive packet exchanges. This would consume resources on both
systems, slowing performance considerably.
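The two traffic patterns described above (oversized datagrams aimed at UDP port 1434, and a reflected keep-alive loop in which two SQL Server hosts trade 1434-to-1434 datagrams without end) are both visible on the wire, so a network sensor can flag them. The following is an added detection example, not code from the bulletin, from Microsoft or from NGSSoftware. It assumes a simple flow-record shape (timestamp, addresses, ports, payload length), and the size and rate thresholds and the sample traffic are constructed for illustration rather than taken from the advisory.

```python
"""Detection heuristics for the two SQL Server Resolution Service attack
patterns described in MS02-039, operating on UDP/1434 flow records:

  * oversized requests to the service (the buffer-overrun cases), and
  * a keep-alive loop: datagrams flowing 1434 -> 1434 in both directions
    between one pair of hosts at high volume (the denial of service).

The record layout, thresholds and sample traffic are constructed for this
example and are not values from the bulletin.
"""
from collections import defaultdict
from dataclasses import dataclass

SSRP_PORT = 1434
# Legitimate resolution requests are tiny (a request byte plus, at most, a
# short instance name). This cut-off is an assumption for illustration.
MAX_NORMAL_REQUEST_BYTES = 64
# Number of 1434<->1434 datagrams between one host pair inside the window
# that we treat as a loop rather than normal traffic (also an assumption).
LOOP_DATAGRAM_THRESHOLD = 50


@dataclass(frozen=True)
class Datagram:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload_len: int


def find_oversized_requests(datagrams):
    """Return datagrams sent TO UDP/1434 whose payload exceeds the normal
    request size. Replies from the service are larger by design and carry
    1434 as the source port, so they are deliberately not matched here."""
    return [d for d in datagrams
            if d.dst_port == SSRP_PORT and d.payload_len > MAX_NORMAL_REQUEST_BYTES]


def find_keepalive_loops(datagrams, window_seconds=10.0):
    """Return host pairs exchanging 1434->1434 datagrams in both directions
    at a rate that indicates the reflected keep-alive cycle."""
    pairs = defaultdict(list)
    for d in datagrams:
        if d.src_port == SSRP_PORT and d.dst_port == SSRP_PORT:
            pairs[tuple(sorted((d.src_ip, d.dst_ip)))].append(d)
    loops = []
    for hosts, pkts in pairs.items():
        directions = {(d.src_ip, d.dst_ip) for d in pkts}
        span = max(d.ts for d in pkts) - min(d.ts for d in pkts)
        # Both directions present, enough datagrams, and all within the window
        if len(directions) == 2 and len(pkts) >= LOOP_DATAGRAM_THRESHOLD and span <= window_seconds:
            loops.append({"hosts": hosts, "datagrams": len(pkts),
                          "span_seconds": round(span, 3)})
    return loops


def build_sample_traffic():
    """Constructed sample: one normal query and reply, one oversized request,
    and a 60-datagram loop between two servers."""
    t = 1000.0
    pkts = [
        Datagram(t, "10.0.0.5", 40000, "10.0.0.10", SSRP_PORT, 1),          # ordinary client query
        Datagram(t + 0.1, "10.0.0.10", SSRP_PORT, "10.0.0.5", 40000, 120),  # normal (long) reply
        Datagram(t + 1.0, "10.0.0.99", 50000, "10.0.0.10", SSRP_PORT, 300), # oversized request
    ]
    a, b = "10.0.0.10", "10.0.0.11"
    for i in range(60):
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        pkts.append(Datagram(t + 2.0 + i * 0.01, src, SSRP_PORT, dst, SSRP_PORT, 1))
    return pkts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for d in find_oversized_requests(traffic):
        print(f"oversized request {d.src_ip} -> {d.dst_ip}: {d.payload_len} bytes")
    for loop in find_keepalive_loops(traffic):
        print(f"keep-alive loop between {loop['hosts']}: "
              f"{loop['datagrams']} datagrams in {loop['span_seconds']}s")
```

The loop check keys on source and destination port both being 1434: an ordinary client never sends from that port, so sustained bidirectional 1434-to-1434 traffic between two servers is the symptom of the reflected keep-alive exchange, and a hit identifies the pair of systems on which the service should be restarted (the mitigation given below). The size check is a coarse heuristic; tune the cut-off against the request sizes your own clients actually generate before alerting on it.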

Mitigating Factors:
====================
Buffer Overruns in SQL Server Resolution Service:
- SQL Server 2000 runs in a security context chosen by the
administrator at installation time. By default, it runs as
a Domain User. Thus, although the attacker's code could take
any desired action on the database, it would not necessarily
have significant privileges at the operating system level if
best practices have been followed.
- The risk posed by the vulnerability could be mitigated by,
if feasible, blocking port 1434 at the firewall.

Denial of Service via SQL Server Resolution Service:
- An attack could be broken off by restarting the SQL Server
2000 service on either of the affected systems. Normal
processing on both systems would resume once the attack ceased.
- The vulnerability provides no way to gain any privileges on the
system. It is a denial of service vulnerability only.

Maximum Risk Rating:
====================
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
for information on obtaining this patch.

Acknowledgment:
===============
- David Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com/)
