----- Original Message -----
From: "@stake Advisories" <advisories@atstake.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, July 23, 2003 1:09 PM
Subject: Microsoft SQL Server DoS

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> @stake Inc.
> www.atstake.com
>
> Security Advisory
>
>
> Advisory Name: Microsoft SQL Server DoS
> Release Date: 07/23/2003
> Application: Microsoft SQL Server 7, 2000, MSDE
> Platform: Windows NT/2000/XP
> Severity: Denial of Service
> Author: Andreas Junestam (andreas@atstake.com)
> Vendor Status: Microsoft has patch available
> CVE Candidate: CAN-2003-0231
> Reference: www.atstake.com/research/advisories/2003/a072303-2.txt
>
>
> Overview
>
> Microsoft SQL Server supports named pipes as one way of communicating
> with the server. This named pipe allows any user to connect and send
> data to it. By sending a large request, an attacker can render the
> service unresponsive. Under some circumstances, the host has to be
> restarted to recover from this situation.
>
>
> Detailed Description
>
> Microsoft SQL Server supports SQL queries over a named pipe. This
> pipe allows write access to the group "Everyone" and is therefore
> accessible to anyone that can authenticate, local or remote. By
> sending a large request to this pipe (size depends on service pack
> level), the service can be rendered unresponsive. The behavior of
> the service depends upon the service pack level.
>
> SQL Server 2000 pre-SP3:
> The SQL Server service crashes. A restart of the service recovers
> from the situation.
>
> SQL Server 2000 SP3:
> The SQL Server service appears to be functioning normally (no abnormal
> CPU or memory usage), but it is unresponsive to any type of
> requests. It is also impossible to stop the service and the only way
> to recover from the situation is to restart the host.
>
> As with most SQL Server issues MSDE is affected. MSDE is
> included in many Microsoft and non-Microsoft products. A list
> of products that includes MSDE is here:
>
> http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13
>
>
> Vendor Response
>
> Microsoft was contacted on 01/28/2003
>
> Vendor has a bulletin and a patch available:
>
> http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
>
>
> Recommendation
>
> Install the vendor patch.
>
> Disable named pipes as a SQL Server protocol by using the SQL
> Server Network Utility.
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> CAN-2003-0231
>
>
> @stake Vulnerability Reporting Policy:
> http://www.atstake.com/research/policy/
>
> @stake Advisory Archive:
> http://www.atstake.com/research/advisories/
>
> PGP Key:
> http://www.atstake.com/research/pgp_key.asc
>
> Copyright 2003 @stake, Inc. All rights reserved.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPx75Pke9kNIfAm4yEQIHMQCeOJEDixeR/pv4oLrPXlXotZwiDMUAn1Ea
> BAyScxbEHPoXDHHma1VFKaa/
> =2lzX
> -----END PGP SIGNATURE-----
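
An added example, not part of the @stake advisory or the vendor bulletin: the exposure described above starts with a pipe ACL that grants write access to "Everyone", so this Python script audits security descriptors exported in SDDL form and flags allow ACEs that let a broad group write. It goes slightly beyond the advisory by also treating Authenticated Users and a missing DACL as broad access. The SDDL samples are constructed, the function names are hypothetical, and deny ACEs and conditional ACEs are not evaluated.

```python
import re
# SDDL rights codes -> access-mask bits (generic, standard, specific, file).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x010000, "RC": 0x020000, "WD": 0x040000, "WO": 0x080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
}
# FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL: any of these allows sending data.
WRITE_BITS = 0x0002 | 0x40000000 | 0x10000000
# Trustees covering every caller who can authenticate (SDDL alias or SID).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users"}
# Constructed sample descriptors, not dumped from a real SQL Server host.
SAMPLES = {
    "pipe-open": "O:BAG:SYD:(A;;0x12019b;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)",
    "pipe-read-only": "O:BAG:SYD:(A;;FR;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)",
    "pipe-inherit-only": "O:BAG:SYD:(A;CIIO;FW;;;WD)(A;;FA;;;SY)",
}

def pairs(codes):
    """Split a concatenated run of two-letter SDDL codes ("CIIO" -> CI, IO)."""
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]

def parse_mask(rights):
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= RIGHTS[code]  # KeyError on a code this table does not know
    return mask

def broad_write_aces(sddl):
    """Return (trustee, mask) for allow ACEs that let a broad group write."""
    if "D:" not in sddl:
        return [("Everyone", "NULL DACL")]  # no DACL at all: full access for all
    m = re.search(r"D:[^()]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee not in BROAD or "IO" in pairs(flags):
            continue  # deny/audit ACE, narrow trustee, or inherit-only ACE
        mask = parse_mask(rights)
        if mask & WRITE_BITS:
            findings.append((BROAD[trustee], hex(mask)))
    return findings

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, broad_write_aces(sddl) or "no broad write access")
```

The ACE flags are split into two-letter codes before the inherit-only check because a substring test would misread `CIOI` as containing `IO`.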