FIX: MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Might Enable Code Execution
This article was previously published under Q323875

SYMPTOMS
SQL Server 2000 introduces the ability to host multiple instances of SQL Server on a single physical computer. Each instance operates for all intents and purposes as though it were a separate server. However, the multiple instances cannot all use the standard SQL Server session port (TCP 1433). While the default instance listens on TCP port 1433, named instances listen on any port assigned to them. The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular instance of SQL Server.

There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service, an attacker might cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data might allow the attacker to run code in the security context of the SQL Server service.

The third vulnerability is a denial of service vulnerability. SQL Server uses a keep-alive mechanism to distinguish between active and passive instances. It is possible to create a keep-alive packet that, when sent to the Resolution Service, will cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from one SQL Server 2000 system, and then sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges. This consumes resources on both systems and slows performance considerably.

RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

290211 (http://support.microsoft.com/kb/290211/EN-US/) INF: How To Obtain the Latest SQL Server 2000 Service Pack

STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft SQL Server 2000 Service Pack 3.

REFERENCES
For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
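
A detection sketch for the behaviour described under SYMPTOMS, added here as an example and not part of the original article or any Microsoft tooling: it scans UDP flow records for Resolution Service queries from outside a trusted range and for two hosts bouncing datagrams between their port 1434 services, which is how the keep-alive cycle would appear on the wire. The flow record layout, the thresholds, the trusted range and the premise that the loop shows source and destination port both equal to 1434 are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSRP_PORT = 1434  # UDP port of the SQL Server Resolution Service (from the article)

# Constructed sample flow records: (epoch_seconds, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "10.0.5.20", 51234, "10.0.1.10", 1434),    # ordinary client lookup
    (100, "10.0.1.10", 1434, "10.0.5.20", 51234),    # reply to that client
    (101, "203.0.113.7", 40000, "10.0.1.10", 1434),  # query from outside the LAN
]
# Constructed loop: two servers exchanging 50 datagrams per second for 4 seconds
_PAIR = [("10.0.1.10", "10.0.1.11"), ("10.0.1.11", "10.0.1.10")]
SAMPLE_FLOWS += [(200 + i // 50, _PAIR[i % 2][0], 1434, _PAIR[i % 2][1], 1434)
                 for i in range(200)]


def find_keepalive_loops(flows, window=5, min_each_way=20):
    """Host pairs where each side sent at least min_each_way datagrams from
    port 1434 to port 1434 on the other side within one window-second bucket.
    window and min_each_way are assumed tuning values, not from the article."""
    counts = defaultdict(int)  # (bucket, src, dst) -> datagram count
    for ts, src, sport, dst, dport in flows:
        if sport == SSRP_PORT and dport == SSRP_PORT:
            counts[(ts // window, src, dst)] += 1
    loops = set()
    for (bucket, src, dst), n in counts.items():
        # Require traffic in both directions so one-way bursts are not flagged
        if n >= min_each_way and counts.get((bucket, dst, src), 0) >= min_each_way:
            loops.add(tuple(sorted((src, dst))))
    return sorted(loops)


def untrusted_resolution_queries(flows, trusted=("10.0.0.0/8",)):
    """Source addresses outside the trusted networks (assumed range) that sent
    datagrams to UDP 1434, i.e. exposure of the Resolution Service."""
    nets = [ip_network(n) for n in trusted]
    return sorted({src for _, src, _, _, dport in flows
                   if dport == SSRP_PORT
                   and not any(ip_address(src) in net for net in nets)})


if __name__ == "__main__":
    print("keep-alive loops:", find_keepalive_loops(SAMPLE_FLOWS))
    print("untrusted sources:", untrusted_resolution_queries(SAMPLE_FLOWS))
```
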
