Signature Detail

SMB: MS-SQL Declare Exec Command Injection

This signature detects attempts to exploit a known vulnerability against Microsoft MS-SQL server. A successful attack can lead to arbitrary code execution. This attack is an encoded attack using the "DECLARE" and "EXEC" functions of MS-SQL to encode the attack and send it through SMB. This signature can false positive on normal DB administration traffic and should be exempted from any policy monitoring sessions between trusted hosts. Use this signature only to monitor sessions between your MS-SQL Servers and untrusted or unknown hosts.

Extended Description

Microsoft SQL Server is prone to a remote memory-corruption vulnerability because it fails to properly handle user-supplied input. Authenticated attackers can exploit this issue to execute arbitrary code and completely compromise affected computers. Failed attacks will likely cause denial-of-service conditions. The issue affects the following: Microsoft SQL Server 2000 Microsoft SQL Server 2005

Affected Products

• Microsoft SQL Server 2000 8.00.194
• Microsoft SQL Server 2000 SP1
• Microsoft SQL Server 2000 SP2
• Microsoft SQL Server 2000 SP3
• Microsoft SQL Server 2000 Sp3a
• Microsoft SQL Server 2000 SP4
• Microsoft SQL Server 2000
• Microsoft SQL Server 2000 Desktop Engine SP1
• Microsoft SQL Server 2000 Desktop Engine SP2
• Microsoft SQL Server 2000 Desktop Engine SP3
• Microsoft SQL Server 2000 Desktop Engine SP4
• Microsoft SQL Server 2000 Desktop Engine
• Microsoft SQL Server 2000 Desktop Engine
• Microsoft SQL Server 2000 Itanium Edition SP1
• Microsoft SQL Server 2000 Itanium Edition SP2
• Microsoft SQL Server 2000 Itanium Edition SP3
• Microsoft SQL Server 2000 Itanium Edition SP4
• Microsoft SQL Server 2000 Itanium Edition
• Microsoft SQL Server 2005 SP1
• Microsoft SQL Server 2005 SP2
• Microsoft SQL Server 2005 Yukon
• Microsoft SQL Server 2005
• Microsoft SQL Server 2005 Backward Compatibility 8.05.1054
• Microsoft SQL Server 2005 Books Online 9.00.1399.06
• Microsoft SQL Server 2005 Express Edition SP1
• Microsoft SQL Server 2005 Express Edition SP2
• Microsoft SQL Server 2005 Express Edition
• Microsoft SQL Server 2005 Express Edition with Advanced Serv SP1
• Microsoft SQL Server 2005 Express Edition with Advanced Serv SP2
• Microsoft SQL Server 2005 Integration Services 9.1.2047.00
• Microsoft SQL Server 2005 Itanium Edition SP1
• Microsoft SQL Server 2005 Itanium Edition SP2
• Microsoft SQL Server 2005 Itanium Edition
• Microsoft SQL Server 2005 Reporting Services 9.00.1399.06
• Microsoft SQL Server 2005 Tools 9.00.1399.06
• Microsoft SQL Server 2005 Upgrade Advisor 9.00.2407.00
• Microsoft SQL Server 2005 x64 Edition SP1
• Microsoft SQL Server 2005 x64 Edition SP2
• Microsoft Windows 2000 Advanced Server SP4
• Microsoft Windows 2000 Datacenter Server SP4
• Microsoft Windows 2000 Professional SP4
• Microsoft Windows 2000 Server SP4
• Microsoft Windows Internal Database (WYukon) SP1
• Microsoft Windows Internal Database (WYukon) SP2
• Microsoft Windows Internal Database (WYukon)
• Microsoft Windows Internal Database (WYukon) x64 SP1
• Microsoft Windows Internal Database (WYukon) x64 SP2
• Microsoft Windows Internal Database (WYukon) x64
• VMWare vCenter 4.0
• VMWare vCenter 4.1
• VMWare Vcenter Update Manager 1.0
• VMWare Vcenter Update Manager 4.0
• VMWare Vcenter Update Manager 4.1
• VMWare VirtualCenter 2.5
• VMWare VirtualCenter 2.5 Update 1
• VMWare VirtualCenter 2.5 Update 2
• VMWare VirtualCenter 2.5.Update 3 Build 11983
• VMWare VirtualCenter 2.5 Update 4
• VMWare VirtualCenter 2.5 Update 5
• VMWare VirtualCenter 2.5 Update 6

References

• BugTraq: 32710
• URL: http://www.microsoft.com/technet/security/advisory/961040.mspx