Snort-alerts/MS-SQL-version-overflow-attempt
MS-SQL version overflow attempt
Trigger
Versions of Microsofts implementation of SQL server running the resolution service are subject to multiple buffer overflows.
It is possible to overwrite memory with data of the attackers choosing, resulting in a denial of service or possible code execution. This is done by sending carefully crafted packets to the resolution service running on the server.
It is also possible for the attacker to cause a denial of service by sending a spoofed packet purporting to be from one SQL server to another. The resulting exchange between the two servers could result in a denial of service.
Affected systems
- Cisco BBSM 5.0
- Cisco BBSM 5.1
- Cisco CallManager 3.3.x
- Cisco Unity 3.x
- Cisco Unity 4.x
- Microsoft .NET Framework 1.0
- Microsoft SQL Server 2000
- Windows 2000 Any version
- Windows NT Any version
Scenario
The SQL Slammer (Sapphire) worm exploited the vulnerabilities in this service.
False positives
This rule can be triggered by UDP responses to requests originating from ephemeral port 1434. Example: a DNS response with transaction ID between 0x0400 and 0x04FF.
Example
Thank you for your comprehension.
Corrective Actions
- Update all instances of the vulnerable systems with patches from the vendor.
- Use a firewall to deny access to ports used by the SQL server, usually 1433 and 1434, from the Internet.