From da@securityfocus.com Sat Jul 27 18:08:39 2002 From: Dave Ahmad To: bugtraq@securityfocus.com Date: Wed, 24 Jul 2002 23:55:18 -0600 (MDT) Subject: Microsoft Security Bulletin MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875) (fwd) -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875) Date: 24 July 2002 Software: SQL Server 2000 Impact: Three vulnerabilities, the most serious of which could enable an attacker to gain control over an affected SQL Server 2000 installation Max Risk: Critical Bulletin: MS02-039 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-039.asp. - ---------------------------------------------------------------------- Issue: ====== SQL Server 2000 introduces the ability to host multiple instances of SQL Server on a single physical machine. Each instance operates for all intents and purposes as though it was a separate server. However, the multiple instances cannot all use the standard SQL Server session port (TCP 1433). While the default instance listens on TCP port 1433, named instances listen on any port assigned to them. The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance. There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service. The third vulnerability is a denial of service vulnerability. SQL uses a keep-alive mechanism to distinguish between active and passive instances. It is possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from a one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This would consume resources on both systems, slowing performance considerably. Mitigating Factors: ==================== Buffer Overruns in SQL Server Resolution Service: - SQL Server 2000 runs in a security context chosen by the administrator at installation time. By default, it runs as a Domain User. Thus, although the attacker's code could take any desired action on the database, it would not necessarily have significant privileges at the operating system level if best practices have been followed. - The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall. Denial of Service via SQL Server Resolution Service: - An attack could be broken off by restarting the SQL Server 2000 service on either of the affected systems. Normal processing on both systems would resume once the attack ceased. - The vulnerability provides no way to gain any privileges on the system. It is a denial of service vulnerability only. Maximum Risk Rating: ============ - Internet systems: Critical - Intranet systems: Critical - Client systems: None Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-039.asp for information on obtaining this patch. Acknowledgment: =============== - David Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com/) - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPT810I0ZSRQxA/UrAQHfeggAl7tzuykuTyoNZy2FMvMVcs+5e6PqijaG IB3rDbN0y3O+YLitDD7EGUVWNmRjfcFnZsAELmRwTtVNWXCKnhEuW6hNBIHa4x9V U7KXsnv4aasoUX0477x7EekyTFhLCqit1vHKb46mAr4LhYdqbDF3qWwPhmPgiJWk BV4QR78fdpKFx6RkKof5wMDBG9AFMC1UlD0jEP1LsTeOXkCUL3XEfWjCYnQ+bd2x /NKN4tAszJC/NW0Lq9L7HkPkCUDYRpXLwLmj4qxym+LQiFdVFUgUh/AAI/8j9hUX bPCLvizUwTDnJiZZTo2L4louG1XaEiAJSGJru2eVVEX0EtUgICfKJQ== =6ANq -----END PGP SIGNATURE-----