TUCoPS :: Web :: Apps :: m-102.txt

Microsoft SQL Server 2000 Resolution Service Buffer Overflow Vulnerabilities (CIAC M-102)

             __________________________________________________________
          
                             The U.S. Department of Energy
                          Computer Incident Advisory Capability
                              ___   __ __     _      ___
                             /        |      /_\    /
                             \___   __|__   /   \   \___
             __________________________________________________________

                                 INFORMATION BULLETIN

                 Microsoft SQL Server 2000 Resolution Service Buffer
                               Overflow Vulnerabilities
                         [Microsoft Security Bulletin MS02-039]

July 26, 2002 15:00 GMT                                         Number M-102
______________________________________________________________________________
PROBLEM:       A buffer overflow vulnerability in the Resolution Service of
               MS SQL Server 2000 could allow portions of the system memory
               to be overwritten.
PLATFORM:      MS SQL Server 2000
DAMAGE:        An attacker could overflow the buffer with carefully selected
               data and run code in the security context of the SQL Server
               service. An easier attack would create a denial of service.
SOLUTION:      Apply the patch as directed by the advisory. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM.  Exploiting the vulnerability would grant
ASSESSMENT:    an attacker full control over the database, not necessarily
               full control of the system.
 ______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:       http://www.ciac.org/ciac/bulletins/m-102.shtml 
 ORIGINAL BULLETIN:   http://www.microsoft.com/technet/treeview/
                      default.asp?url=/technet/security/bulletin/
                      MS02-039.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-039 *****]
    
Microsoft Security Bulletin MS02-039

Originally posted: July 24, 2002

Summary

Who should read this bulletin: System administrators using Microsoft(r) SQL 
Server(tm) 2000 and Microsoft Desktop Engine 2000. 

Impact of vulnerability:  

Three vulnerabilities, the most serious of which could enable an 
attacker to gain control over an affected server. 

Maximum Severity Rating: Critical 

Recommendation: System administrators should install the patch immediately. 

Affected Software: 

Microsoft SQL Server 2000 
Microsoft Desktop Engine (MSDE) 2000 

Technical details 

Technical description: 

       SQL Server 2000 and MSDE 2000 introduce the ability to
       host multiple instances of SQL Server on a single
       physical machine. Each instance operates for all intents
       and purposes as though it was a separate server.
       However, the multiple instances cannot all use the
       standard SQL Server session port (TCP 1433). While the
       default instance listens on TCP port 1433, named
       instances listen on any port assigned to them. The SQL
       Server Resolution Service, which operates on UDP port
       1434, provides a way for clients to query for the
       appropriate network endpoints to use for a particular
       SQL Server instance. 

       There are three security vulnerabilities here. The first
       two are buffer overruns. By sending a carefully crafted
       packet to the Resolution Service, an attacker could
       cause portions of system memory (the heap in one
       case, the stack in the other) to be overwritten.
       Overwriting it with random data would likely result in
       the failure of the SQL Server service; overwriting it with
       carefully selected data could allow the attacker to run
       code in the security context of the SQL Server service. 

       The third vulnerability is a denial of service
       vulnerability. SQL uses a keep-alive mechanism to
       distinguish between active and passive instances. It is
       possible to create a keep-alive packet that, when sent
       to the Resolution Service, will cause SQL Server 2000 to
       respond with the same information. An attacker who
       created such a packet, spoofed the source address so
       that it appeared to come from a one SQL Server 2000
       system, and sent it to a neighboring SQL Server 2000
       system could cause the two systems to enter a
       never-ending cycle of keep-alive packet exchanges. This
       would consume resources on both systems, slowing
       performance considerably. 

Mitigating factors:

Buffer Overruns in SQL Server Resolution Service: 

SQL Server 2000 runs in a security context chosen by the
administrator at installation time. By default, it runs as a Domain 
User. Thus, although the attacker's code could take any desired action on
the database, it would not necessarily have significant privileges at the
operating system level if best practices have been followed. 
The risk posed by the vulnerability could be mitigated by, if feasible,
blocking port 1434 at the firewall. 

Denial of Service via SQL Server Resolution Service: 

An attack could be broken off by restarting the SQL Server 2000
service on either of the affected systems. Normal processing on both
systems would resume once the attack ceased. 
The vulnerability provides no way to gain any privileges on the system.
It is a denial of service vulnerability only. 

Severity Rating: 
Buffer Overruns in SQL Server Resolution Service: 
                   Internet Servers   Intranet Servers    Client Systems
SQL Server 2000       Critical          Critical             None

Denial of Service via SQL Server Resolution Service: 
                   Internet Servers   Intranet Servers    Client Systems
SQL Server 2000       Critical          Critical             None
                       

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that exploiting
the vulnerability would have on them. 

Vulnerability identifier: 

    - Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649 
    - Denial of Service via SQL Server Resolution Service: CVE-CAN-2002-0650 



Tested Versions:
Microsoft tested SQL Server 2000 and 7.0 (and their
associated versions of MSDE) to assess whether they
are affected by these vulnerabilities. Previous versions
are no longer supported, and may or may not be
affected by these vulnerabilities.

Patch availability

       Download locations for this patch 

            Microsoft SQL Server 2000 and MSDE 2000: 
            http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

Additional information about this patch 

Installation platforms: 
       This patch can be installed on systems running SQL Server 2000 Service
       Pack 2. 

Inclusion in future service packs:
       The fix for this issue will be included in SQL Server
       2000 Service Pack 3. 

Reboot needed: No. The SQL Server service only needs to be restarted after 
                   applying the patch. 

Patch can be uninstalled: Yes. 

Superseded patches: None. 

Verifying patch installation: 

To ensure you have the fix installed properly, verify the individual files
by consulting the date/time stamp of the files listed in the file manifest in
Microsoft Knowledge Base article Q323875. 

Caveats: None 

Localization:
       Localized versions of this patch are available at the
       locations discussed in "Patch Availability". 

Obtaining other security patches: 
       Patches for other security issues are available from the
       following locations: 

       - Security patches are available from the Microsoft Download Center,
         and can be most easily found by doing a keyword search for
         "security_patch". 
       - Patches for consumer platforms are available from the
         WindowsUpdate web site 

Other information: 

Acknowledgments

Microsoft thanks  David Litchfield of Next Generation
Security Software Ltd. for reporting these issues to us
and working with us to protect customers. 

Support: 

- Microsoft Knowledge Base article Q323875 discusses this issue and
will be available approximately 24 hours after the release of this
bulletin. Knowledge Base articles can be found on the Microsoft
Online Support web site. 
- Technical support is available from Microsoft Product Support
Services. There is no charge for support calls associated with security
patches. 

Security Resources: 
The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Disclaimer: 
       The information provided in the Microsoft Knowledge
       Base is provided "as is" without warranty of any kind.
       Microsoft disclaims all warranties, either express or
       implied, including the warranties of merchantability and
       fitness for a particular purpose. In no event shall
       Microsoft Corporation or its suppliers be liable for any
       damages whatsoever including direct, indirect,
       incidental, consequential, loss of business profits or
       special damages, even if Microsoft Corporation or its
       suppliers have been advised of the possibility of such
       damages. Some states do not allow the exclusion or
       limitation of liability for consequential or incidental
       damages so the foregoing limitation may not apply. 

Revisions: 

       - V1.0 (July 24, 2002): Bulletin Created. 
       - V1.1 (July 25, 2002): Bulletin updated to note that MSDE 2000 is
                               affected by the vulnerabilities.



[***** End Microsoft Security Bulletin MS02-039 *****]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-092: Cisco Buffer Overflow in UNIX VPN Client
M-093: Apache HTTP Server Chunk Encoding Vulnerability
M-094: Microsoft SQL Server 2000 OpenDataSource Buffer Overflow
M-095: OpenSSH Challenge Response Vulnerabilities
M-096: Microsoft Windows Media Player Vulnerabilities
M-097: Cisco ACS Acme.server traversal Vulnerability
M-098: PGP Outlook Encryption Plug-in Vulnerability
M-099: Microsoft Cumulative Patch for SQL Server
M-100: Microsoft Server Response toSMTP Client EHLO Command Results in
         Buffer Overrun
M-101: Microsoft Unchecked Buffer in SQL Server 2000 Utilities 
         Could Allow Code Execution

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH