Snort-alerts/MS-SQL-Worm-propagation-attempt

From aldeid

MS SQL Worm propagation attempt

Trigger

The Monitor Service provided by MS SQL and MSDE uses unchecked, client-provided data in an SQL version check function.

The worm attempts to exploit a buffer overflow in this version request. If the request that triggers the version check contains too many bytes, a buffer overflow occurs, potentially resulting in compromise of the SQL Server.
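The length check the service lacks can be applied on the monitoring side. The sketch below is an added example, not part of the original page or of Snort. It assumes values the page does not state: the service listens on UDP 1434, request type 0x04 carries a NUL-terminated instance name, and a legal name is at most 32 bytes. The function names and sample datagrams are constructed.

```python
from collections import defaultdict

# Assumptions (not stated on the page): Resolution Service port, the request
# type that carries a client-supplied instance name, and the name length limit.
SSRP_PORT = 1434
NAME_REQUEST = 0x04
MAX_NAME_LEN = 32


def name_length(payload):
    """Length of the instance name in a name request, or None for other types."""
    if not payload or payload[0] != NAME_REQUEST:
        return None
    body = payload[1:]
    end = body.find(b"\x00")
    # Without a terminator the name runs to the end of the datagram.
    return len(body) if end == -1 else end


def is_oversized(dst_port, payload):
    """True when a name request to the service exceeds the legal name length."""
    length = name_length(payload)
    return dst_port == SSRP_PORT and length is not None and length > MAX_NAME_LEN


def propagation_sources(datagrams, min_targets=2):
    """Sources that sent oversized requests to at least min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, dst_port, payload in datagrams:
        if is_oversized(dst_port, payload):
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample traffic: (source, destination, destination port, payload).
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 1434, b"\x04SQLEXPRESS\x00"),      # normal lookup
    ("192.0.2.66", "198.51.100.5", 1434, b"\x04" + b"A" * 300),       # oversized
    ("192.0.2.66", "198.51.100.6", 1434, b"\x04" + b"A" * 300),       # oversized
    ("192.0.2.66", "198.51.100.7", 53, b"\x04" + b"A" * 300),         # other port
    ("192.0.2.20", "198.51.100.5", 1434, b"\x02"),                    # other type
    ("192.0.2.30", "198.51.100.5", 1434, b"\x04" + b"B" * 40 + b"\x00"),
]

if __name__ == "__main__":
    for src, dsts in propagation_sources(SAMPLE).items():
        print(f"{src}: oversized name requests to {len(dsts)} hosts ({', '.join(dsts)})")
```

Raising `min_targets` separates a single malformed client from a source that fans out to many hosts, which is the pattern a propagating worm produces.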

Affected systems

This vulnerability is present in unpatched MS SQL Servers. The following unpatched services containing MS SQL or Microsoft Desktop Engine (MSDE) may potentially be compromised by this worm:

  • SQL Server 2000 (Developer, Standard, and Enterprise Editions)
  • Visual Studio .NET (Architect, Developer, and Professional Editions)
  • ASP.NET Web Matrix Tool
  • Office XP Developer Edition
  • MSDN Universal and Enterprise subscriptions

Impacts

A worm targeting a vulnerability in the MS SQL Server 2000 Resolution Service was released on January 25th, 2003. The worm attempts to exploit a buffer overflow in the Resolution Service. Because of the nature of the vulnerability, the worm is able to attempt to compromise other machines very rapidly.

False positives

None known.

Scenario

This is worm activity.

Example

This section is still being written and is therefore not complete.

Corrective actions