FIX: MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Might Enable Code Execution (323875)
The information in this article applies to:
- Microsoft SQL Server 2000 (all editions)
- Microsoft SQL Server 2000 Desktop Engine (MSDE)
This article was previously published under Q323875
SYMPTOMS
SQL Server 2000 introduces the ability to host multiple
instances of SQL Server on a single physical computer. Each instance operates
for all intents and purposes as though it were a separate server. However, the
multiple instances cannot all use the standard SQL Server session port (TCP
1433). While the default instance listens on TCP port 1433, named instances
listen on any port assigned to them. The SQL Server Resolution Service, which
operates on UDP port 1434, provides a way for clients to query for the
appropriate network endpoints to use for a particular instance of SQL
Server.
There are three security vulnerabilities here. The first two
are buffer overruns. By sending a carefully crafted packet to the Resolution
Service, an attacker might cause portions of system memory (the heap in one
case, the stack in the other) to be overwritten. Overwriting it with random
data would likely result in the failure of the SQL Server service; overwriting
it with carefully selected data might allow the attacker to run code in the
security context of the SQL Server service.
The third vulnerability
is a denial of service vulnerability. SQL Server uses a keep-alive mechanism to
distinguish between active and passive instances. It is possible to create a
keep-alive packet that, when sent to the Resolution Service, will cause SQL
Server 2000 to respond with the same information. An attacker who created such
a packet, spoofed the source address so that it appeared to come from one SQL
Server 2000 system, and then sent it to a neighboring SQL Server 2000 system
could cause the two systems to enter a never-ending cycle of keep-alive packet
exchanges. This consumes resources on both systems and slows performance
considerably.
RESOLUTION
To resolve this problem, obtain the latest
service pack for Microsoft SQL Server 2000. For additional information, click
the following article number to view the article in the Microsoft Knowledge
Base:
290211 INF: How To Obtain the Latest SQL Server 2000 Service Pack
STATUS
Microsoft has confirmed that this problem
may cause a degree of security vulnerability in the Microsoft products that are
listed at the beginning of this article. This problem was first
corrected in Microsoft SQL Server 2000 Service Pack 3.
REFERENCES
For more information about this vulnerability, visit the
following Microsoft Web site:
Modification Type: Minor
Last Reviewed: 9/27/2005
Keywords: kbHotfixServer kbQFE kbSQLServ2000sp3fix kbbug kbfix KbSECBulletin KbSECHack kbSecurity KbSECVulnerability kbSQLServ2000preSP3fix KB323875
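Added example (not part of the original Microsoft article): one way to spot the keep-alive loop described under SYMPTOMS in network flow data, on the assumption that ordinary clients send to UDP 1434 in one direction only, so two hosts addressing each other's port 1434 at a sustained rate stand out. The record layout, window, threshold, function names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

RESOLUTION_PORT = 1434  # UDP port of the SQL Server Resolution Service (from the article)

def find_keepalive_loops(records, window=10.0, threshold=20):
    """Return sorted host pairs that send packets to each other's UDP 1434.

    records: iterable of (timestamp_seconds, proto, src_ip, dst_ip, dst_port).
    A pair is flagged when each direction has at least `threshold` packets
    inside some `window`-second span (both values are assumed defaults).
    """
    # Timestamps of packets addressed to UDP 1434, keyed by direction (src, dst).
    by_direction = defaultdict(list)
    for ts, proto, src, dst, dport in records:
        if proto == "udp" and dport == RESOLUTION_PORT:
            by_direction[(src, dst)].append(ts)

    def peak(times):
        """Largest number of packets seen in any window-second span."""
        times = sorted(times)
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        return best

    flagged = set()
    for (src, dst), times in by_direction.items():
        reverse = by_direction.get((dst, src))
        if reverse and peak(times) >= threshold and peak(reverse) >= threshold:
            flagged.add(tuple(sorted((src, dst))))
    return sorted(flagged)

def sample_records():
    """Constructed flow records using documentation addresses, not a real capture."""
    recs = []
    # Two servers sending to each other's UDP 1434 every 100 ms.
    for i in range(50):
        recs.append((i * 0.1, "udp", "192.0.2.10", "192.0.2.20", 1434))
        recs.append((i * 0.1 + 0.05, "udp", "192.0.2.20", "192.0.2.10", 1434))
    # Ordinary client lookups: requests to 1434, replies to an ephemeral port.
    for i in range(30):
        recs.append((i * 1.0, "udp", "198.51.100.7", "192.0.2.10", 1434))
        recs.append((i * 1.0 + 0.01, "udp", "192.0.2.10", "198.51.100.7", 50000 + i))
    return recs
```

Tune `window` and `threshold` to the capture source; a flagged pair is a prompt to check whether both hosts are still below Service Pack 3.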