Re: MS SQL Server Worm?
From: Marc Maiffret (marc@EEYE.COM)
Date: 01/25/03
- In reply to: Ivan Mason: "Re: MS SQL Server Worm?"
Date: Sat, 25 Jan 2003 08:40:41 -0800
From: Marc Maiffret <marc@EEYE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Sorry about that. We referenced the correct service pack in the Corrective
Action section but for whatever reason the top header was fudged. We have
updated the advisory on our site at
http://www.eeye.com/html/Research/Flash/AL20030125.html which will always
have the latest information.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Ivan Mason
| Sent: Saturday, January 25, 2003 7:05 AM
| To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
| Subject: Re: MS SQL Server Worm?
|
|
| Russ,
|
| I have noted that two of the postings that you have allowed through to the
| list allude that this 'worm vulnerability' affects pre SQL2K SP2?
|
| Marc Maiffret [marc@EEYE.COM],
| "Systems Affected: Microsoft SQL Server 2000 pre SP 2"
| (Good analysis of the payload, all the same...)
|
| Ben Koshy [ben@W3MEDIA.NET],
| "Those SQL Servers running Service Pack 2 or Service Pack 3 (released Jan 17
| with little/no notice from MS!) were immune to the worm."
|
| I would just like to say again that: "We believe that MS SQL Server 2000 SP2
| without the post SP2 security rollups would be vulnerable to this attack"
|
| We have tested Q323875 and it does stop the 'worm vulnerability'.
|
| Can we seek clarification regarding this: Is SQL2K with only SP2 safe?
|
| It's getting to be a rather long night...
| Regards Ivie..... :-)