[VulnWatch] Microsoft SQL Server DoS
From: _at_stake Advisories (_at_stake)
Date: Wed, 23 Jul 2003 17:08:49 -0400 To: firstname.lastname@example.org
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: Microsoft SQL Server DoS
Release Date: 07/23/2003
Application: Microsoft SQL Server 7, 2000, MSDE
Platform: Windows NT/2000/XP
Severity: Denial of Service
Author: Andreas Junestam (email@example.com)
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0231
Microsoft SQL Server supports named pipes as one way of communicating
with the server. This named pipe allows any user to connect and send
data to it. By sending a large request, an attacker can render the
service unresponsive. Under some circumstances, the host has to be
restarted to recover from this situation.
Microsoft SQL Server supports SQL queries over a named pipe. This
pipe allows write access to the group "Everyone" and is therefor
accessible to anyone that can authenticate, local or remote. By
sending a large request to this pipe (size depends on service pack
level), the service can be rendered unresponsive. The behavior of
the service depends upon the service pack level.
SQL Server 2000 pre-SP3:
The SQL Server service crashes. A restart of the service recovers
from the situation.
SQL Server 2000 SP3:
The SQL Server service appears to be functioning normal (no abnormal
CPU or memory usage), but it is unresponsive to any type of
requests. It is also impossible to stop the service and the only way
to recover from the situation is to restart the host.
As with most SQL Server issues MSDE is effected. MSDE is
included in many Microsoft and non-Microsoft products. A list
of products that includes MSDE is here:
Microsoft was contacted on 01/28/2003
Vendor has a bulletin and a patch available:
Install the vendor patch.
Disable named pipes as a SQL Server protocol by using the SQL
Server Network Utility.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
@stake Vulnerability Reporting Policy:
@stake Advisory Archive:
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----