FIX: Denial of Service Attack with NULL Bytes in RPC Request

This article was previously published under Q277640
This article has been archived. It is offered "as is" and will no longer be updated.
BUG #: 58466 (SQLBUG_70), 236457 (SHILOH)
SYMPTOMS
Multi-protocol (RPC) requests transported by way of TCP/IP Sockets filled with appropriately placed NULL bytes may cause an access violation (AV) within SQL Server, causing the process to terminate. The last line in the errorlog reports the following message:
2000-10-20 12:59:07.56 server SQL Server is aborting. Fatal exception c0000005 caught.
RESOLUTION

SQL Server 2000

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
290211 INF: How to Obtain the Latest SQL Server 2000 Service Pack

SQL Server 7.0

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 7.0.
WORKAROUND
You can work around this problem in the following ways:
  • Disable the Multi-protocol Net-Library by using the Server Network Utility.
  • If you are using SQL Server 2000, disable the Multi-protocol Net-Library from using TCP/IP Sockets as a transport with the following steps:
    1. Use the Server Network Utility.
    2. Select Multi-protocol.
    3. Click the Properties button
    4. Remove the "ncacn_ip_tcp" entry from the RPC Protocols text box.
STATUS

SQL Server 2000

Microsoft has confirmed this to be a problem in SQL Server 2000. This problem was first corrected in Microsoft SQL Server 2000 Service Pack 1.

SQL Server 7.0

Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 3 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
274799 INF: How to Obtain Service Pack 3 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0
For more information, contact your primary support provider.
MORE INFORMATION
This situation can only be encountered by using a malicious nonclient application, because a normal client application will not have null values as part of the RPC request in the manner that this problem requires.For additional information about Microsoft Security Bulletin MS01-041, see the following article in the Microsoft Knowledge Base:
298012 Malformed RPC Request Can Cause Service Problems
Properties

Article ID: 277640 - Last Review: 01/16/2015 20:57:02 - Revision: 4.1

Microsoft SQL Server 7.0 Standard Edition, Microsoft SQL Server 2000 Standard Edition

  • kbnosurvey kbarchive kbbug kbfix KB277640
Feedback