GEN:SID | 1:2329 |
Message | MS-SQL probe response overflow attempt |
Summary | This event is generated when an attempt is made to exploit a known vulnerability in Microsoft Windows Data Access Components.
|
Impact | Serious. Execution of arbitrary code is possible. Denial of Service (DoS)
|
Detailed Information | It may be possible for an attacker to send a specially crafted response to a client broadcast query searching for an SQL server. This response could take advantage of a buffer overrun condition in an MDAC component which may result in the attacker being presented with the opportunity to execute code of their choosing with the privileges of the user running the service on the client system.
A DoS condition may also manifest in MDAC version 2.8.
MDAC is included by default on many Microsoft Windows systems. Client workstations may make regular broadcast announcements in an attempt to find SQL servers.
|
Affected Systems | Microsoft Data Access Components 2.5 Microsoft Data Access Components 2.6 Microsoft Data Access Components 2.7 Microsoft Data Access Components 2.8
|
Attack Scenarios | The attacker may spoof the response from an SQL server to exploit the vulnerability.
|
Ease of Attack | Moderate..
|
Corrective Action | Apply the appropriate vendor supplied patches and service packs.
Use a packet filtering firewall to block access to port 1434 for UDP traffic
Use IPsec to block incoming requests on UDP port 1434 on the SQL server
|
Additional References | Bugtraq: http://www.securityfocus.com/bid/9407
CERT: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0903
Microsoft: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-003.asp
|
Rule References | bugtraq: 9407
cve: 2003-0903
url: www.microsoft.com/technet/security/bulletin/MS04-003.mspx
|