
ms02-039
Posted Aug 30, 2002
Site microsoft.com

Microsoft Security Bulletin MS02-039 - Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution. Sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service. Overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.

tags | overflow, code execution
SHA-256 | c02fb5e27f8774fa22735471626ebbcec3ae67117a3d248a9a3f34fe3d6b41b2


Microsoft Security Bulletin MS02-039

Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)

Originally posted: July 24, 2002

Summary

Who should read this bulletin: System administrators using
Microsoft® SQL Server™ 2000 and Microsoft Desktop Engine 2000.

Impact of vulnerability: Three vulnerabilities, the most
serious of which could enable an attacker to gain control over
an affected server.

Maximum Severity Rating: Critical

Recommendation: System administrators should install the patch
immediately.

Affected Software:

* Microsoft SQL Server 2000
* Microsoft Desktop Engine (MSDE) 2000

Technical details

Technical description:

SQL Server 2000 and MSDE 2000 introduce the ability to host
multiple instances of SQL Server on a single physical machine.
Each instance operates for all intents and purposes as though
it was a separate server. However, the multiple instances
cannot all use the standard SQL Server session port (TCP
1433). While the default instance listens on TCP port 1433,
named instances listen on any port assigned to them. The SQL
Server Resolution Service, which operates on UDP port 1434,
provides a way for clients to query for the appropriate
network endpoints to use for a particular SQL Server instance.

There are three security vulnerabilities here. The first two
are buffer overruns. By sending a carefully crafted packet to
the Resolution Service, an attacker could cause portions of
system memory (the heap in one case, the stack in the other)
to be overwritten. Overwriting it with random data would
likely result in the failure of the SQL Server service;
overwriting it with carefully selected data could allow the
attacker to run code in the security context of the SQL Server
service.

The third vulnerability is a denial of service vulnerability.
SQL uses a keep-alive mechanism to distinguish between active
and passive instances. It is possible to create a keep-alive
packet that, when sent to the Resolution Service, will cause
SQL Server 2000 to respond with the same information. An
attacker who created such a packet, spoofed the source address
so that it appeared to come from one SQL Server 2000 system,
and sent it to a neighboring SQL Server 2000 system could
cause the two systems to enter a never-ending cycle of
keep-alive packet exchanges. This would consume resources on
both systems, slowing performance considerably.

Mitigating factors:
Buffer Overruns in SQL Server Resolution Service:

* SQL Server 2000 runs in a security context chosen by the
administrator at installation time. By default, it runs
as a Domain User. Thus, although the attacker’s code
could take any desired action on the database, it would
not necessarily have significant privileges at the
operating system level if best practices have been
followed.
* The risk posed by the vulnerability could be mitigated
by, if feasible, blocking port 1434 at the firewall.

Denial of Service via SQL Server Resolution Service:

* An attack could be broken off by restarting the SQL
Server 2000 service on either of the affected systems.
Normal processing on both systems would resume once the
attack ceased.
* The vulnerability provides no way to gain any privileges
on the system. It is a denial of service vulnerability
only.

Severity Rating:

Buffer Overruns in SQL Server Resolution Service:

                     Internet Servers   Intranet Servers   Client Systems
    SQL Server 2000  Critical           Critical           None

Denial of Service via SQL Server Resolution Service:

                     Internet Servers   Intranet Servers   Client Systems
    SQL Server 2000  Critical           Critical           None

The above assessment is based on the types of systems affected
by the vulnerability, their typical deployment patterns, and
the effect that exploiting the vulnerability would have on
them.

Vulnerability identifier:

* Buffer Overruns in SQL Server Resolution Service:
CVE-CAN-2002-0649
* Denial of Service via SQL Server Resolution Service:
CVE-CAN-2002-0650

Tested Versions:
Microsoft tested SQL Server 2000 and 7.0 (and their associated
versions of MSDE) to assess whether they are affected by these
vulnerabilities. Previous versions are no longer supported,
and may or may not be affected by these vulnerabilities.

Frequently asked questions

What vulnerabilities does this patch eliminate?

This patch eliminates three vulnerabilities, all involving
the SQL Server 2000 Resolution Service:

* The first two vulnerabilities could enable an attacker to
gain significant, and perhaps complete, control over an
affected SQL Server.
* The third vulnerability could enable an attacker to cause
two affected SQL Servers to engage in a never-ending
information exchange, for the purpose of slowing the
performance of the servers.

What is the SQL Server 2000 Resolution Service?

SQL Server 2000 introduces the ability to install multiple
copies of SQL Server on a single machine and have it appear
that the copies are completely separate database servers.
These copies, known as instances, run independently of each
other. The default instance listens on TCP port 1433. Other
instances cannot share this same port and require a port of
their own.

The challenge is how to enable SQL Server clients to find the
port that a particular instance is operating on; the solution
is the SQL Server Resolution Service. The first instance on a
SQL Server always operates over port 1433. Additional
instances are allocated their own port numbers dynamically.
When a SQL client needs to connect to an additional instance
on the SQL Server, it queries the SQL Server Resolution
Service (which operates on UDP port 1434), which tells it
which port the requested instance is using.

Is the UDP 1434 port typically blocked at the firewall?

It depends on the particular deployment scenario.

* If a network doesn’t host any Internet-connected SQL
Servers, the port associated with the SQL Server
Resolution Service (and all other ports associated with
SQL Server) should be blocked.
* If a network offers SQL Server services to the Internet
but there’s only a single instance on the server, the SQL
Resolution Service can and should be blocked.
* If a network offers SQL Server services to the Internet
and has more than one instance, the SQL Resolution
Service must be accessible through the firewall.

Does the SQL Server Resolution Service exist on previous
versions of SQL Server?

No. Previous versions of SQL Server didn’t support multiple
instances, and the SQL Server Resolution Service didn’t exist.
As a result, no other versions of SQL Server are affected by
the vulnerabilities.

The Affected Versions section says that Microsoft Desktop
Engine (MSDE) is also affected by these vulnerabilities. What
is MSDE?

MSDE is a database engine that’s built and based on SQL Server
2000 technology, and which ships as part of several Microsoft
products, including Microsoft Visual Studio and Microsoft
Office Developer Edition. There is a direct connection between
versions of MSDE and versions of SQL Server. MSDE 2000 is
based on SQL Server 2000.

Buffer Overruns in SQL Server Resolution Service
(CVE-CAN-2002-0649):

What’s the scope of this vulnerability?

There are actually two vulnerabilities here, both of which are
buffer overrun vulnerabilities. An attacker who successfully
exploited either vulnerability could gain the ability to cause
the server to fail, or to run code using the privileges of the
SQL Server.

Although exploiting the vulnerabilities would grant the
attacker full control over the database, it would not
necessarily convey full control over the system itself. SQL
Server 2000 can be configured to run with varying levels of
privilege; by default, it runs with the privileges of a domain
user, rather than an administrator.

What causes the vulnerabilities?

The vulnerabilities result because a pair of functions offered
by the SQL Server Resolution Service contain unchecked
buffers. By sending a specially formatted request to UDP port
1434, it could be possible to overrun the buffers associated
with either of the functions.

What would this vulnerability enable an attacker to do?

The vulnerability could enable an attacker to take either of
two actions:

* Cause SQL Server to fail. This would be the easiest type
of attack to mount, and would require only that the
attacker overrun the buffer with random data.
* Modify the functioning of SQL Server, in order to perform
functions of the attacker’s choosing. This would require
that the attacker overrun the buffer with precisely
chosen data.

Who could exploit the vulnerability?

Any user who could deliver a request to the SQL Server (over
UDP port 1434) on an affected server could exploit the
vulnerability.

If the attacker exploited the vulnerability to cause SQL
Server to fail, what would the administrator need to do in
order to restore normal operation?

The administrator could resume normal operation by restarting
the SQL Server service.

If the attacker exploited the vulnerability to cause SQL
Server to perform functions of his choice, what privileges
would the attacker’s code run in?

Clearly, the attacker’s code would have full control over the
database functions, since it would run in the security context
of SQL Server itself. But it might have few privileges outside
of SQL Server. During SQL Server 2000 setup, the administrator
must choose what Windows account SQL Server should run within.
By default, the SQL Server service runs as a Domain User. If
best practices were followed and a normal user context was
chosen, the attacker would not gain administrative control
over the operating system, nor administrative privileges over
the domain.

How does the patch eliminate the vulnerabilities?

The patch ensures that the SQL Server Resolution Service
correctly limits the size of input data and prevents it from
overrunning any of its buffers.

Denial of Service via SQL Server Resolution Service
(CVE-CAN-2002-0650):

What’s the scope of this vulnerability?

This is a denial of service vulnerability. An attacker could
use the vulnerability to slow the performance of an affected
SQL Server. The precise amount by which the system’s
performance would be slowed would depend on a number of
factors, such as the processor speed and memory on the SQL
Server, the number of systems attacking the server, and so
forth.

The vulnerability could not be used to cause the server to
fail altogether, nor would it provide the attacker with any
privileges on the system. The server would resume normal
operation as soon as the attack was broken off.

What causes the vulnerability?

The vulnerability results because of a flaw in the SQL Server
2000 keep-alive mechanism, which operates via the Resolution
Service. If a particular data packet is sent to the SQL Server
2000 keep-alive function, it will reply to the sender with an
identical packet. By spoofing the source address of such a
packet, it would be possible to cause two SQL Server 2000
systems to start an endless cycle of packet exchanges.

What’s the keep-alive function in SQL Server 2000?

SQL Server 2000 includes a mechanism by which it can determine
whether a server is active or not. It does this by sending a
so-called keep-alive packet to the SQL Server Resolution
Service on UDP port 1434 and listening for a reply.

What's wrong with the implementation of the keep-alive
function in SQL Server 2000?

It’s possible to create a keep-alive packet whose response
will be identical to the request. If one SQL Server were to
send such a packet to another SQL Server, they would enter an
unending cycle of sending the same packet back and forth to
each other. This activity could consume most or all of the
available bandwidth on the two machines.

Could this situation occur naturally?

No. The situation involved in the vulnerability could not
occur under normal conditions. SQL Server does not normally
generate a keep-alive packet with the needed characteristics.
However, it could be possible for an attacker to introduce
such a packet in order to initiate an exchange, which would
thereafter be self-sustaining.

How might an attacker do this?

Suppose there were two SQL Servers with the vulnerability,
Server 1 and Server 2. Now suppose the attacker created the
needed keep-alive packet and modified the source address so
that it contained Server 1’s address, then sent the packet to
Server 2. This would initiate the exchange, because Server 2
would reply to Server 1, which would reply to Server 2, ad
infinitum.

What could this vulnerability enable an attacker to do?

An attacker could use this vulnerability to consume resources
on two SQL Server 2000 systems at the same time.

Who could exploit the vulnerability?

Any user who could send data to an affected SQL Server’s
Resolution Service port could exploit the vulnerability.

How long would an attack last?

Once started, an attack would continue until one of the
machines stopped sending packets. This could happen because
the system had been rebooted, the SQL Server service had been
restarted, or connectivity between the two servers had been
lost.

Once the attack was over, would the server resume normal
operation by itself?

Yes.

How much of a system’s resources could be monopolized through
such an attack?

It would depend on the specifics of the attack. For instance,
it would be possible to engage multiple servers in an attack
against a single one. Likewise, it would depend on the network
bandwidth between the systems, the processor speed on the
respective machines, and so forth.

How does the patch eliminate the vulnerability?

The patch eliminates the current keep-alive mechanism, and
determines which servers are active and which are passive via
a different mechanism. After applying the patch, a SQL Server
2000 system will no longer respond to keep-alive packets.
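The keep-alive cycle described above, as an added Python model that is not taken from the bulletin or from SQL Server itself: one server's UDP/1434 handler in unpatched and patched form, the exchange that follows a single keep-alive carrying a forged source address, and a detector that flags the resulting pattern in a packet log. The addresses, the keep-alive payload and the detection threshold are constructed stand-ins, since the bulletin gives none of them.

```python
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

SSRS_PORT = 1434  # UDP port of the SQL Server Resolution Service (from the bulletin)
# Stand-in for the keep-alive datagram; the bulletin does not give its byte layout.
KEEPALIVE = b"<keepalive-placeholder>"

# (src_ip, src_port, dst_ip, dst_port, payload): a constructed log record format
Packet = Tuple[str, int, str, int, bytes]


def resolution_service(server_ip: str, pkt: Packet, patched: bool) -> Optional[Packet]:
    """Model of one server's UDP/1434 handler (not the real SQL Server code).
    Unpatched: a keep-alive is answered with an identical datagram sent back to
    whatever source address the request carried. Patched: keep-alives are ignored."""
    src_ip, src_port, _dst_ip, _dst_port, payload = pkt
    if patched or payload != KEEPALIVE:
        return None
    return (server_ip, SSRS_PORT, src_ip, src_port, payload)


def simulate(patched: bool, max_packets: int = 40) -> List[Packet]:
    """One keep-alive reaches Server 2 with Server 1's address as its source.
    Returns every packet that then crosses the wire between the two servers;
    max_packets bounds the otherwise endless cycle so the model terminates."""
    servers = {"10.0.0.1": "Server 1", "10.0.0.2": "Server 2"}  # constructed addresses
    wire: List[Packet] = []
    pkt: Optional[Packet] = ("10.0.0.1", SSRS_PORT, "10.0.0.2", SSRS_PORT, KEEPALIVE)
    while pkt is not None and len(wire) < max_packets:
        wire.append(pkt)
        receiver = pkt[2]
        assert receiver in servers  # only the two modelled servers are on this wire
        pkt = resolution_service(receiver, pkt, patched)
    return wire


def find_keepalive_loops(wire: List[Packet], threshold: int = 10) -> List[Tuple[str, str, int]]:
    """Detection: flag a host pair exchanging the same payload 1434->1434 in both
    directions at least `threshold` times. The threshold is an assumed tuning value;
    per the bulletin, SQL Server does not normally generate such an exchange."""
    counts: Counter = Counter()
    directions: Dict[Tuple[str, str, bytes], Set[Tuple[str, str]]] = {}
    for src, sport, dst, dport, payload in wire:
        if sport != SSRS_PORT or dport != SSRS_PORT:
            continue
        key = (min(src, dst), max(src, dst), payload)
        counts[key] += 1
        directions.setdefault(key, set()).add((src, dst))
    return [(a, b, n) for (a, b, p), n in counts.items()
            if n >= threshold and len(directions[(a, b, p)]) == 2]


if __name__ == "__main__":
    for patched in (False, True):
        wire = simulate(patched)
        print(f"patched={patched}: {len(wire)} packet(s) on the wire, "
              f"loops flagged: {find_keepalive_loops(wire)}")
```

With the unpatched handler the single injected packet is followed by replies until the bound is hit, and the detector reports the pair; with the patched handler only the injected packet appears and nothing is flagged.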

Patch availability

Download locations for this patch

* Microsoft SQL Server 2000 and MSDE 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

Additional information about this patch

Installation platforms:
This patch can be installed on systems running SQL Server 2000
Service Pack 2.

Inclusion in future service packs:
The fix for this issue will be included in SQL Server 2000
Service Pack 3.

Reboot needed: No. The SQL Server service only needs to be
restarted after applying the patch.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation:

* To ensure you have the fix installed properly, verify the
individual files by consulting the date/time stamp of the
files listed in the file manifest in Microsoft Knowledge
Base article Q323875.

Caveats:
None

Localization:
Localized versions of this patch are available at the
locations discussed in “Patch Availability”.

Obtaining other security patches:
Patches for other security issues are available from the
following locations:

* Security patches are available from the Microsoft
Download Center, and can be most easily found by doing a
keyword search for "security_patch".
* Patches for consumer platforms are available from the
WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks David Litchfield of Next Generation Security
Software Ltd. for reporting these issues to us and working
with us to protect customers.

Support:

* Microsoft Knowledge Base article Q323875 discusses this
issue and will be available approximately 24 hours after
the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product
Support Services. There is no charge for support calls
associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site
provides additional information about security in Microsoft
products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft
disclaims all warranties, either express or implied, including
the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

* V1.0 (July 24, 2002): Bulletin Created.
* V1.1 (July 25, 2002): Bulletin updated to note that MSDE
2000 is affected by the vulnerabilities.

© 2002 Microsoft Corporation. All rights reserved.
