FIX: Possible Denial of Service Attack with Appropriate NULL Bytes in TDS Header

ID: Q248749


The information in this article applies to:
  • Microsoft SQL Server version 7.0

BUG #: 53910 (SQLBUG_70)

SYMPTOMS

Network packets filled with appropriately placed NULL bytes may cause an access violation (AV) within SQL Server, causing the process to terminate. Prior to terminating, SQL Server will print a stack dump to the error log with text similar to the text shown below. Note that the Exception Address is in IGetFullEvent.

1999-12-17 09:22:13.20 server Using 'sqlimage.dll' version '4.0.5
Stack Dump being sent to d:\MSSQL7\log\SQL00009.dmp
1999-12-17 09:22:23.78 server process_commands: Process 496 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
**********************************************************************
*
*
* BEGIN STACK DUMP:
* 12/17/99 09:22:23 spid 0
*
* Exception Address = 41061E40 (IGetFullEvent + 103)
* Exception Code = c0000005 E
* Access Violation occurred reading address 120B0000


CAUSE

The length of data in each Tabular Data Stream (TDS) packet is encoded in the packet header. SQL Server fails to handle the case where the packet length encoded in the TDS header is less than the number of bytes already read from the network. While determining what events the packet contains, a signed arithmetic error lets the server read past the end of the network buffer allocated for the client, causing the exception.

This exploit does not allow any data to be overwritten within the SQL Server address space. SQL Server correctly limits the number of bytes read to the network packet size, thus preventing any possible exploits due to a buffer overflow.
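The following C example is added here to illustrate the class of defect described above; it is not SQL Server's code and does not reproduce IGetFullEvent. It models a receive path that trusts the header's length field with signed arithmetic, next to a hardened check that rejects a length smaller than the bytes already consumed. The 8-byte header layout is taken from the published MS-TDS specification; the sample packets are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* 8-byte TDS packet header (layout per the published MS-TDS specification):
 * byte 0 Type, 1 Status, 2-3 Length (big-endian, counts the header itself),
 * 4-5 SPID, 6 PacketID, 7 Window. */
#define TDS_HEADER_LEN 8

enum tds_status {
    TDS_ERR_SHORT            = -1, /* fewer bytes on hand than the header or claimed length needs */
    TDS_ERR_LEN_BELOW_HEADER = -2, /* claimed length < bytes already consumed (the case in this KB) */
    TDS_ERR_LEN_EXCEEDS_BUF  = -3  /* claimed length larger than the per-client buffer */
};

/* Model of the defect (not SQL Server's code): the remaining-bytes count is computed
 * with signed arithmetic and no lower bound, so a header whose length field is NULL
 * bytes yields a negative count that a later loop bound treats as "a lot left to read". */
int tds_payload_len_unchecked(const uint8_t *buf)
{
    int pkt_len = (buf[2] << 8) | buf[3];
    return pkt_len - TDS_HEADER_LEN;          /* -8 when the length field is 0x0000 */
}

/* Hardened version: returns the payload byte count, or a negative enum tds_status.
 * bytes_read is how much has actually arrived; bufsize is the allocated buffer. */
int tds_payload_len(const uint8_t *buf, size_t bytes_read, size_t bufsize)
{
    if (bytes_read < TDS_HEADER_LEN)
        return TDS_ERR_SHORT;
    size_t pkt_len = ((size_t)buf[2] << 8) | buf[3];   /* unsigned, 0..65535 */
    if (pkt_len < TDS_HEADER_LEN)
        return TDS_ERR_LEN_BELOW_HEADER;   /* would underflow: reject before any parsing */
    if (pkt_len > bufsize)
        return TDS_ERR_LEN_EXCEEDS_BUF;    /* never read past the client's buffer */
    if (pkt_len > bytes_read)
        return TDS_ERR_SHORT;              /* wait for the rest of the packet */
    return (int)(pkt_len - TDS_HEADER_LEN);
}

/* Constructed sample packets: type 0x01 (SQL batch), status 0x01, 4 payload bytes. */
static const uint8_t good_pkt[12]     = { 0x01, 0x01, 0x00, 0x0C, 0x00, 0x00, 0x01, 0x00,
                                          'S', 'Q', 'L', '!' };
static const uint8_t zero_len_pkt[12] = { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                                          'S', 'Q', 'L', '!' };

int demo_good(void)      { return tds_payload_len(good_pkt, sizeof good_pkt, 4096); }
int demo_zero_len(void)  { return tds_payload_len(zero_len_pkt, sizeof zero_len_pkt, 4096); }
int demo_unchecked(void) { return tds_payload_len_unchecked(zero_len_pkt); }
```

The unchecked model returns a negative count for the zeroed length field, which is exactly the value the hardened check refuses to act on.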


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next SQL Server service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

   Version        File name    Platform
   ------------------------------------
   7.00.761       S70761i.exe  Intel
   7.00.761       S70761a.exe  Alpha
NOTE: Due to file dependencies, the most recent hotfix or feature that contains the above files may also contain additional files.

To install this fix, perform the following steps:
  1. After downloading one of the above executable files (depending on your processor architecture, Intel or Alpha), double-click it to expand the necessary fix files.

  2. Locate your existing copies of these files (they are located in the Mssql7\Binn directory by default).

  3. Replace those existing copies of the files with the ones that were included in the S70761i.exe or S70761a.exe files.



WORKAROUND

To work around this problem, prevent access to the server from untrusted client computers. For example, if the server is used as part of an Internet Web site, place the SQL Server behind a firewall and filter any traffic to that host from untrusted computers. By default, SQL Server listens on TCP port 1433.


STATUS

Microsoft has confirmed this to be a problem in SQL Server version 7.0.


MORE INFORMATION

TDS, Tabular Data Stream, is the proprietary format used to describe the data contained in all transmissions between a SQL Server client and the server.

The original report of this problem indicated that SQL Server would crash any time that three or more contiguous NULL bytes were in a TDS packet. This is not the case. In fact, many packets contain many more NULL bytes than this. The problem is specific to overwriting the portion of the TDS header that contains the packet length.

Dependencies

  • You must be running SQL Server 7.0 Service Pack 1 before applying this fix. The fix will be included in Service Pack 2 and later releases, so no action will be required when the system is upgraded to one of those releases.

  • Due to a prior change in Opends60.dll that the multiprotocol network library is dependent on, if you use this network library to make a trusted connection to SQL Server, you must also update the Ssmsrp70.dll file with the one included. If the two DLLs are not updated at the same time, all clients attempting a trusted multiprotocol connection to SQL Server will fail.


Additional query words: attack denial crash av errorlog

Keywords : SSrvLAN kbbug7.00
Version : winnt:7.0
Platform : winnt
Issue type : kbbug


Last Reviewed: January 3, 2000
© 2000 Microsoft Corporation. All rights reserved.