Slammer/Sapphire Worm Analysis
January 25, 2003
To determine if you are vulnerable to the Slammer/Spida Worm, you should
download a free evaluation version of AppDetective™ for Microsoft SQL
Server from http://www.appsecinc.com/products/appdetective/mssql/
Risk Level: High
Summary:
A worm is currently attacking unpatched SQL Server 2000 installations
over the Internet.
Microsoft SQL Server supports many different network libraries and
provides the capability to listen on multiple connection points. These
connection points are often assigned by SQL Server dynamically. In order
for a client to determine which connection points are available, SQL
Server provides a resolution service. This resolution service listens
for requests on UDP port 1434.
The resolution service is vulnerable to a stack-based buffer overflow. A
patch was made available in July of 2002 to fix this buffer overflow.
The patch can be downloaded from the following place:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
The Slammer worm uses this buffer overflow to take control of the
server, then uses the SQL Server to propagate to other SQL Servers. The
worm carries no destructive payload, but it results in a denial of
service because an infected server consumes a large amount of network
bandwidth attempting to propagate.
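As an added example (not part of the original advisory), the following Python sketch flags hosts whose UDP port 1434 traffic fans out to many distinct destinations in a short window, the pattern an infected server's propagation attempts produce. The flow-line format, sample records, window length and threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque

RESOLUTION_PORT = 1434   # UDP port of the resolution service (from the advisory)
WINDOW_SECONDS = 10      # assumption: sliding window length
FANOUT_THRESHOLD = 20    # assumption: distinct destinations that trigger a flag

def parse_flow(line):
    """Parse 'epoch src dst proto dport bytes' (hypothetical format); None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return (float(parts[0]), parts[1], parts[2], parts[3].lower(),
                int(parts[4]), int(parts[5]))
    except ValueError:
        return None

def suspected_sources(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak count of distinct UDP/1434 destinations in any window}."""
    recent = defaultdict(deque)     # src -> (ts, dst) pairs still inside the window
    active = defaultdict(Counter)   # src -> packets per destination inside the window
    peak = {}
    for ts, src, dst, proto, dport, _size in sorted(f for f in map(parse_flow, lines) if f):
        if proto != "udp" or dport != RESOLUTION_PORT:
            continue
        queue, seen = recent[src], active[src]
        queue.append((ts, dst))
        seen[dst] += 1
        while queue and queue[0][0] <= ts - window:   # evict records older than the window
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        peak[src] = max(peak.get(src, 0), len(seen))
    return {src: n for src, n in peak.items() if n >= threshold}

# Constructed sample: 10.0.0.9 contacts 60 addresses in under a second;
# 10.0.0.5 is a normal client resolving two SQL Servers half a minute apart.
SAMPLE_FLOWS = (
    [f"{1000 + i * 0.01:.2f} 10.0.0.9 198.51.100.{i + 1} udp 1434 400" for i in range(60)]
    + ["1000.50 10.0.0.5 10.0.0.20 udp 1434 30",
       "1030.00 10.0.0.5 10.0.0.21 udp 1434 30",
       "1001.00 10.0.0.7 10.0.0.20 tcp 1433 512",
       "truncated record"]
)

if __name__ == "__main__":
    for src, fanout in suspected_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {fanout} distinct UDP/{RESOLUTION_PORT} destinations in {WINDOW_SECONDS}s")
```

Ordinary clients query the resolution service on a handful of known servers, so the threshold should sit well above the number of SQL Servers a legitimate host talks to.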
Fix:
Install one of the following:
- Service Pack 3 (8.00.760)
- Hot fix 8.00.636 with Service Pack 2
Service Pack 3 can be downloaded from
http://www.microsoft.com/sql/downloads/2000/sp3.asp.