J-Security Center

Title: Microsoft SQL Server On-Disk MTF Data Structures Remote Memory Corruption Vulnerability

Severity: HIGH

Description:

Microsoft SQL Server is prone to a remote memory-corruption vulnerability because it fails to perform adequate boundary checks when handling user-supplied input.

An integer underflow affects the server when handling specially crafted MTF (Microsoft Tape Format) files. This occurs when the server uses a 32-bit integer (representing the size of a record in the file) in calculations for allocating heap-based memory.
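The sizing defect described above, shown as an added illustration that is not code from the original advisory, from Microsoft, or from the real MTF parser: a constructed record format with a 32-bit little-endian size field, the unchecked subtraction that wraps when the size is smaller than the header, and a hardened parser that validates the size against the header length, an assumed upper bound, and the bytes actually present before any arithmetic or allocation. The record layout, `REC_HEADER_LEN`, `MAX_RECORD_LEN`, the function names and the sample buffers are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an on-disk record: a 4-byte little-endian
 * record size, a 4-byte type tag, then the payload.  This is NOT the
 * real MTF layout; it only reproduces the pattern the advisory describes
 * (an untrusted 32-bit size field feeding a heap allocation). */
#define REC_HEADER_LEN 8u
#define MAX_RECORD_LEN (1u << 20)   /* assumed sane upper bound: 1 MiB */

typedef enum { REC_OK = 0, REC_TRUNCATED = 1, REC_BAD_SIZE = 2 } rec_status;

/* Constructed sample inputs (not taken from any real backup file). */
const uint8_t SAMPLE_GOOD[12]  = { 12, 0, 0, 0,  1, 0, 0, 0,  'd', 'a', 't', 'a' };
const uint8_t SAMPLE_BAD[8]    = {  4, 0, 0, 0,  1, 0, 0, 0 };                 /* size < header */
const uint8_t SAMPLE_SHORT[12] = { 100, 0, 0, 0, 1, 0, 0, 0,  'd', 'a', 't', 'a' }; /* size > data present */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: subtract the header length from the untrusted size
 * with no range check.  For rec_size < 8 the unsigned subtraction wraps,
 * so a "record" claiming 4 bytes yields a payload length of 0xFFFFFFFC,
 * which then drives a heap allocation and copy of the wrong size. */
uint32_t payload_len_unchecked(uint32_t rec_size) {
    return rec_size - REC_HEADER_LEN;
}

/* Hardened pattern: validate the untrusted size against the header
 * length, an upper bound, and the bytes actually available before doing
 * any arithmetic.  On success *payload points into buf and *payload_len
 * holds the validated payload size. */
rec_status parse_record(const uint8_t *buf, size_t buf_len,
                        const uint8_t **payload, size_t *payload_len) {
    if (buf_len < REC_HEADER_LEN)
        return REC_TRUNCATED;                       /* not even a full header */
    uint32_t rec_size = read_le32(buf);
    if (rec_size < REC_HEADER_LEN || rec_size > MAX_RECORD_LEN)
        return REC_BAD_SIZE;                        /* would wrap, or is absurd */
    if ((size_t)rec_size > buf_len)
        return REC_TRUNCATED;                       /* claims more bytes than exist */
    *payload = buf + REC_HEADER_LEN;
    *payload_len = (size_t)rec_size - REC_HEADER_LEN;
    return REC_OK;
}

/* Small wrappers so the outcome can be checked as a plain return value. */
rec_status record_status(const uint8_t *buf, size_t buf_len) {
    const uint8_t *p; size_t n;
    return parse_record(buf, buf_len, &p, &n);
}

long checked_payload_len(const uint8_t *buf, size_t buf_len) {
    const uint8_t *p; size_t n;
    return parse_record(buf, buf_len, &p, &n) == REC_OK ? (long)n : -1L;
}

/* Copies a validated payload into a fresh heap buffer and verifies it;
 * returns false on any validation failure instead of allocating from a
 * wrapped size. */
bool copy_roundtrip_ok(const uint8_t *buf, size_t buf_len) {
    const uint8_t *payload; size_t len;
    if (parse_record(buf, buf_len, &payload, &len) != REC_OK)
        return false;
    uint8_t *copy = malloc(len ? len : 1);
    if (copy == NULL)
        return false;
    memcpy(copy, payload, len);
    bool same = memcmp(copy, payload, len) == 0;
    free(copy);
    return same;
}

int main(void) {
    printf("unchecked length for size=4: 0x%08x\n",
           payload_len_unchecked(read_le32(SAMPLE_BAD)));     /* 0xfffffffc */
    printf("checked status, good record:  %d (payload %ld bytes)\n",
           (int)record_status(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           checked_payload_len(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("checked status, size<header:  %d\n",
           (int)record_status(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("checked status, size>data:    %d\n",
           (int)record_status(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The point the hardened parser makes is that every check happens on the raw 32-bit value before it is used in arithmetic, and that the declared size is also bounded by the bytes actually read from the file, so a record can neither wrap below its own header nor claim more data than was supplied.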

Attackers could exploit this issue by hosting a malicious SQL database backup file (MTF file) in a remote location and triggering a restore procedure on an affected server.

NOTE: Attackers must supply a path to a malicious file via SMB or WebDAV to have the server load the file.

Authenticated attackers can exploit this issue to execute arbitrary code in the context of the server. Failed attacks will likely cause denial-of-service conditions.

Affected Products:

  • Affymetrix Microarray Suite Software 5.0.0
  • Affymetrix Microarray Suite Software 5.0.1
  • Akiva WebBoard 6.1.0
  • Altiris Deployment Server 5.0.1
  • Altiris Deployment Server 5.5.0
  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Centennial UK Ltd Centennial Discovery 4.4.0
  • Compaq Insight Manager 7.0.0
  • Compaq Insight Manager 7.0.0SP1
  • Gerber Technology WebPDM 3.9.0
  • McAfee ePolicy Orchestrator 1.0.0
  • McAfee ePolicy Orchestrator 1.1.0
  • McAfee ePolicy Orchestrator 2.0.0
  • McAfee ePolicy Orchestrator 2.5.0
  • McAfee ePolicy Orchestrator 2.5.0 SP1
  • Microsoft Access 2000
  • Microsoft Application Center 2000
  • Microsoft BizTalk Server 2000 Developer Edition
  • Microsoft BizTalk Server 2000 Enterprise Edition
  • Microsoft BizTalk Server 2000 Standard Edition
  • Microsoft BizTalk Server 2002 Developer Edition
  • Microsoft BizTalk Server 2002 Enterprise Edition
  • Microsoft Data Engine (MSDE) 1.0 SP1
  • Microsoft Data Engine (MSDE) 1.0 SP2
  • Microsoft Data Engine (MSDE) 1.0 SP3
  • Microsoft Data Engine (MSDE) 1.0 SP4
  • Microsoft Data Engine 1.0.0
  • Microsoft Office 2000
  • Microsoft Project Central Server
  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2000 Desktop Engine
  • Microsoft SQL Server 2000 Desktop Engine SP1
  • Microsoft SQL Server 2000 Desktop Engine SP2
  • Microsoft SQL Server 2000 Desktop Engine SP3
  • Microsoft SQL Server 2000 Desktop Engine SP4
  • Microsoft SQL Server 2000 Itanium Edition
  • Microsoft SQL Server 2000 Itanium Edition SP1
  • Microsoft SQL Server 2000 Itanium Edition SP2
  • Microsoft SQL Server 2000 Itanium Edition SP3
  • Microsoft SQL Server 2000 Itanium Edition SP4
  • Microsoft SQL Server 2000 SP1
  • Microsoft SQL Server 2000 SP2
  • Microsoft SQL Server 2000 SP3
  • Microsoft SQL Server 2000 SP4
  • Microsoft SQL Server 2005 Express Edition SP1
  • Microsoft SQL Server 2005 Express Edition SP2
  • Microsoft SQL Server 2005 Express Edition with Advanced Serv SP1
  • Microsoft SQL Server 2005 Express Edition with Advanced Serv SP2
  • Microsoft SQL Server 2005 Itanium Edition SP1
  • Microsoft SQL Server 2005 Itanium Edition SP2
  • Microsoft SQL Server 2005 SP1
  • Microsoft SQL Server 2005 SP2
  • Microsoft SQL Server 2005 x64 Edition SP1
  • Microsoft SQL Server 2005 x64 Edition SP2
  • Microsoft SQL Server 7.0.0
  • Microsoft SQL Server 7.0.0SP1
  • Microsoft SQL Server 7.0.0SP2
  • Microsoft SQL Server 7.0.0SP3
  • Microsoft SQL Server 7.0.0SP4
  • Microsoft SharePoint Team Services from Microsoft
  • Microsoft Visio 2000 Enterprise Edition
  • Microsoft Visio Enterprise Network Tools
  • Microsoft Visual FoxPro 6.0
  • Microsoft Visual Studio .NET Academic Edition
  • Microsoft Visual Studio .NET Enterprise Architect Edition
  • Microsoft Visual Studio .NET Enterprise Developer Edition
  • Microsoft Visual Studio .NET Professional Edition
  • Microsoft Visual Studio 6.0
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Terminal Services
  • Microsoft Windows 2000 Terminal Services SP1
  • Microsoft Windows 2000 Terminal Services SP2
  • Microsoft Windows Internal Database (WYukon)
  • Microsoft Windows Internal Database (WYukon) SP1
  • Microsoft Windows Internal Database (WYukon) SP2
  • Microsoft Windows Internal Database (WYukon) x64
  • Microsoft Windows Internal Database (WYukon) x64 SP1
  • Microsoft Windows Internal Database (WYukon) x64 SP2
  • Microsoft Windows Server 2003 Enterprise x64 Edition
  • Microsoft Windows Server 2003 Enterprise x64 Edition SP2
  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Server 2008 for 32-bit Systems
  • Microsoft Windows Server 2008 for x64-based Systems
  • PPM 2000 Incident Reporting and Investigation Management 5.1.0
  • PowerQuest ControlCenter ST 2.0.0
  • Research In Motion Blackberry Enterprise Server 2.0.0 .0.65
  • SmartMax Software MailMax 5.0.0
  • Trend Micro Control Manager 2.5.0
  • Trend Micro Damage Cleanup Server 1.0.0
  • Veritas Software Backup Exec 9.0.0
  • Veritas Software Backup Exec for Windows Servers 9.0.0
  • Vital Processing Services LLC POS-partner 2000 4.1.11
  • Vital Processing Services LLC POS-partner 2000 5.0.13
  • Websense Reporter 6.3.1

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.