Atstake Security Advisory A072303-2 - By sending a large request to a named pipe used by the Microsoft SQL Server, an attacker can render the service unresponsive. Under some circumstances, the host has to be restarted to recover from this situation.
4da882968c57e3021287c2926f476d383da49f08fd6b93c99584ab7e7a62fd5e-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake Inc.
www.atstake.com
Security Advisory
Advisory Name: Microsoft SQL Server DoS
Release Date: 07/23/2003
Application: Microsoft SQL Server 7, 2000, MSDE
Platform: Windows NT/2000/XP
Severity: Denial of Service
Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0231
Reference: www.atstake.com/research/advisories/2003/a072303-2.txt
Overview
Microsoft SQL Server supports named pipes as one way of communicating
with the server. This named pipe allows any user to connect and send
data to it. By sending a large request, an attacker can render the
service unresponsive. Under some circumstances, the host has to be
restarted to recover from this situation.
Detailed Description
Microsoft SQL Server supports SQL queries over a named pipe. This
pipe allows write access to the group "Everyone" and is therefor
accessible to anyone that can authenticate, local or remote. By
sending a large request to this pipe (size depends on service pack
level), the service can be rendered unresponsive. The behavior of
the service depends upon the service pack level.
SQL Server 2000 pre-SP3:
The SQL Server service crashes. A restart of the service recovers
from the situation.
SQL Server 2000 SP3:
The SQL Server service appears to be functioning normal (no abnormal
CPU or memory usage), but it is unresponsive to any type of
requests. It is also impossible to stop the service and the only way
to recover from the situation is to restart the host.
As with most SQL Server issues MSDE is effected. MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that includes MSDE is here:
http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13
Vendor Response
Microsoft was contacted on 01/28/2003
Vendor has a bulletin and a patch available:
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
Recommendation
Install the vendor patch.
Disable named pipes as a SQL Server protocol by using the SQL
Server Network Utility.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0231
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx75Pke9kNIfAm4yEQIHMQCeOJEDixeR/pv4oLrPXlXotZwiDMUAn1Ea
BAyScxbEHPoXDHHma1VFKaa/
=2lzX
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed