Signature Detail

DB: MS-SQL Server Resolution Service Heap Overflow

This signature detects attempts to exploit a known vulnerability against the Resolution Service in Microsoft SQL Server 2000. Attackers can send a maliciously crafted packet to the server on UDP/1434 to create a heap-based buffer overflow. A successful attack can allow unauthorized execution of arbitrary code in the context of the SQL Server service and access to a vulnerable system.

Extended Description

A vulnerability in Microsoft SQL Server 2000 could allow remote attackers to access target hosts. A problem in the SQL Server Resolution Service allows a remote attacker to execute arbitrary code on a vulnerable host. The attacker could exploit a heap-based buffer overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434. ***UPDATE: A worm that may exploit this vulnerability has been detected in the wild. Administrators are advised to: - Block all external access to database servers until more information is available. - Deny access to TCP and UDP ports 1434 completely - Implement filter rules for other ports to decrease the chances of compromise through yet unknown avenues, even if the patch for this particular vulnerability has been installed. Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.

Affected Products

• Microsoft Data Engine 2000
• Microsoft SQL Server 2000 SP1
• Microsoft SQL Server 2000 SP2
• Microsoft SQL Server 2000
• Microsoft SQL Server 2000 Desktop Engine
• Veritas Software Backup Exec for Windows Servers 9.0.0

References

• BugTraq: 5310
• CVE: CVE-2002-0649
• URL: http://secunia.com/advisories/7945
• URL: http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
• URL: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=DCFDCBE9-B4EB-4446-9BE7-2DE45CFA6A89