J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1537
    posted: 11/06/09
  • NSM Daily Update #1537
    posted: 11/06/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1537
    posted: 11/06/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/06/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/05/09

Title: Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability

Severity: CRITICAL

Description:

A vulnerability has been discovered in Microsoft SQL Server 2000 that could make it possible for remote attackers to gain access to target hosts.

A problem in the SQL Server Resolution Service makes it possible for a remote user to execute arbitrary code on a vulnerable host. An attacker could exploit a stack-based overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434.

UDP port 1434 is designated as the Microsoft SQL Monitor port. Clients connect to this port to discover how connections to SQL Server should be made. When SQL Server receives a packet that starts with byte 0x04 followed by four 'A' characters, SQL Server attempts to open the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\AAAA\MSSQLServer\CurrentVersion.

If a large number of bytes are appended to the packet the buffer overflow condition is triggered resulting in the attacker overwriting key areas in memory and obtaining control over the SQL Server process. It may be possible to custom-craft the exploit code to execute arbitrary instructions in the security context of the SQL server. This may provide a remote attacker with local access on the underlying host.

**It has also been reported that a vulnerable version of MSDE 2000 is automatically installed with Internet Explorer 6 on .NET servers.

***UPDATE:

On January 25 2003, DeepSight TMS detected a significant increase in UDP traffic destined for port 1434. Port 1434 is associated with Microsoft SQL Server. Initial analysis has suggested the presence of a new worm that is propagating rapidly through hosts running SQL Server.

The worm can use significant amounts of bandwidth. It was originally suspected that this was due to a denial of service attack built into the worm. It has turned out that this is not the case -- the bandwidth consumption is due to aggressive propagation.

At this time it is suspected that the worm may exploit BID 5310 or 5311. This is not yet confirmed.

Administrators are advised to block all external access to database servers until more information is available. Access to TCP and UDP ports 1434 should be denied completely. Additionally, implementing filter rules for other ports may also decrease the chances of compromise through yet unknown avenues. This should be done even if the patch for this particular vulnerability has been installed.

Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.

BlackBoard 5.5.1 Level 3 users can apply SQL Server 2000 Service Pack 3. Users are advised to contact BlackBoard for further information.

Affected Products:

  • Akiva WebBoard 6.1.0
  • BindView bv-Admin for Microsoft Exchange
  • BindView bv-Admin for Windows 7.0.0
  • BindView bv-Admin for Windows Migration
  • BindView bv-Control for Internet Security 7.0.1
  • BindView bv-Control for Microsoft Exchange 7.0.0
  • BindView bv-Control for Microsoft SQL Server 7.0.0
  • BindView bv-Control for Microsoft SQL Server 7.0.1
  • BindView bv-Control for Windows 7.0.2
  • BindView bv-control for Active Directory 7.0.2
  • CARI-RUSCO Secure Perfect 3.0.0
  • CCH Equity Compliance Insider Reporting Module
  • CSIRO BioLink Software 1.5.0
  • Collins Medical Plus 2000
  • Computer Associates Unicenter
  • Computer Associates Unicenter RC/Update 6.0.0
  • Computer Associates Unicenter RC/Update 6.1.0
  • DATA.TXT Corporation Time Matters 3.0.0
  • DATA.TXT Corporation Time Matters 4.0.0
  • Dell OpenManage IT Assistant 5.0.0
  • Dell OpenManage IT Assistant 6.0.0
  • Express Metrix Express Software Manager 5.0.0
  • Express Metrix Express Software Manager 6.0.0
  • Express Metrix Express Software Manager 6.0.1
  • Express Metrix Express Software Manager 6.0.2
  • Fluke Networks Optiview Network Inspector 5.0.0
  • HP Openview Internet Services 4.0.0
  • HP Openview Internet Services 4.5.0
  • HP Openview Operations for Windows 6.0.0
  • HP Openview Operations for Windows 7.0.0
  • HP Openview Operations for Windows 7.1.0
  • HP Openview Reporter 2.0.2
  • HP Openview Reporter 3.0.0
  • ISI Infortel for Windows 4.0.0
  • ISI Infortel for Windows 5.1.0
  • ISI Infortel for Windows 5.2.0
  • ISI Infortel for Windows 5.4.0
  • Journyx Timesheet 2.0.0
  • Journyx Timesheet 4.5.0
  • Journyx Timesheet 4.5.0 m2
  • Journyx Timesheet 4.5.0 m3
  • Journyx Timesheet 4.6.0
  • Journyx Timesheet 5.0.0
  • MIP NonProfit Series Pro 4.3.0
  • MIP NonProfit Series Pro 4.4.0
  • MIP NonProfit Series Pro 4.5.0
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 SP1
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework SDK 1.0
  • Microsoft Access 2000
  • Microsoft Application Center 2000
  • Microsoft BizTalk Server 2000 Developer Edition
  • Microsoft BizTalk Server 2000 Enterprise Edition
  • Microsoft BizTalk Server 2000 Standard Edition
  • Microsoft BizTalk Server 2002 Developer Edition
  • Microsoft BizTalk Server 2002 Enterprise Edition
  • Microsoft Biztalk Server 2002 Partner Edition
  • Microsoft Data Engine 2000
  • Microsoft FrontPage 2000 Server Extensions SR 1.0
  • Microsoft FrontPage 2000 Server Extensions SR 1.1
  • Microsoft FrontPage 2000 Server Extensions SR 1.2
  • Microsoft FrontPage 2000 Server Extensions SR 1.3
  • Microsoft Great Plains 5.0
  • Microsoft Great Plains 5.5
  • Microsoft Great Plains 5.5.1
  • Microsoft Great Plains 7.0
  • Microsoft Office 2000
  • Microsoft Office 2000 Chinese Version
  • Microsoft Office 2000 Japanese Version
  • Microsoft Office 2000 Korean Version
  • Microsoft Office 2000 SP1
  • Microsoft Office 2000 SP2
  • Microsoft Office 2000 SP2
  • Microsoft Office XP
  • Microsoft Office XP Developer Edition
  • Microsoft Office XP SP1
  • Microsoft Project Central Server
  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2000 Desktop Engine
  • Microsoft SQL Server 2000 SP1
  • Microsoft SQL Server 2000 SP2
  • Microsoft SQL Server 2000 SP3
  • Microsoft SharePoint Portal Server 2001
  • Microsoft SharePoint Portal Server 2001 SP1
  • Microsoft SharePoint Team Services from Microsoft
  • Microsoft Visio 2000 Enterprise Edition
  • Microsoft Visio Enterprise Network Tools
  • Microsoft Visual FoxPro 6.0
  • Microsoft Visual FoxPro 7.0
  • Microsoft Visual FoxPro 7.0 SP1
  • Microsoft Visual Studio .NET Academic Edition
  • Microsoft Visual Studio .NET Enterprise Architect Edition
  • Microsoft Visual Studio .NET Enterprise Developer Edition
  • Microsoft Visual Studio .NET Professional Edition
  • Microsoft Visual Studio .NET Trial Edition
  • Microsoft Visual Studio 6.0
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows XP Embedded
  • Microsoft Windows XP Embedded SP1
  • NetSupport NetSupport TCO 4.5.0
  • NetSupport NetSupport TCO 4.5.1
  • Network Associates SupportMagic SQL 4.5.0
  • Okena StormWatch
  • Peachtree Software Timeslips 10.0.0
  • Peachtree Software Timeslips 11.0.0
  • Peachtree Software Timeslips 6.0.0
  • Peachtree Software Timeslips 7.0.0
  • Peachtree Software Timeslips 8.0.0
  • Peachtree Software Timeslips 9.0.0
  • Peachtree Software Timeslips 9.0.0
  • QiNetix CommVault Galaxy 4.0.1
  • SalesLogix Corporation SalesLogix 2000.0.0
  • SmartMax Software MailMax 5.0.0
  • TeleStream FlipFactory 1.2.0
  • TeleStream FlipFactory 2.0.0
  • TeleStream FlipFactory 3.0.0
  • VIGILANTe SecureScan NX 2.5.0
  • Veritas Software Backup Exec 9.0.0
  • Veritas Software Backup Exec for Windows Servers 9.0.0
  • Visionary Systems Firehouse Software 3.0.5
  • Visionary Systems Firehouse Software 5.0.0
  • Visionary Systems Firehouse Software 5.0.2 5
  • Visionary Systems Firehouse Software 5.4.0
  • Websense Reporter 6.3.1
  • Wonderware InTouch 7.11.0
  • Xerox CentreWare Web 1.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.