Info

Disclosure

Jul 23, 2003

Discovery

Jan 28, 2003

Dates

Exploit

Unknown

Solution

Unknown

Description

SQL Server, SQL Server Desktop Engine, and Desktop Engine contains a flaw that may allow a remote denial of service. The issue is triggered when an attackers sends a large packet to a specific named pipe and will result in loss of availability for the service.

Classification

Location: Remote/Network Access Required
Attack Type: Denial of Service
Impact: Loss of Availability
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft Corporation has released a patch to address this vulnerability. Additionally, disable named pipes as a SQL Server protocol by using the SQL Server Network Utility.

Products

Microsoft Corporation	Desktop Engine (MSDE)	1.0
		2000
	SQL Server	7.0
		2000
	SQL Server Desktop Engine	2000

References

Security Tracker: 1007279 1007280 1007304
ISS X-Force ID: 12700
CVE ID: 2003-0231 (see also: NVD)
Bugtraq ID: 8274
CERT VU: 918652
Other Advisory URL: http://oval.mitre.org/oval/definitions/pseudo/OVAL299.html
http://www.atstake.com/research/advisories/2003/a072303-2.txt
Vendor Specific News/Changelog Entry: http://support.microsoft.com/kb/821280/
Generic Exploit URL: http://www.xfocus.org/exploits/200307/expMS0331.cpp
Microsoft Security Bulletin: MS03-031
CIAC Advisory: n-125

Credit

Andreas Junestam - andreasatstake.com - @stake Inc.

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Desktop Engine (MSDE)

SQL Server

SQL Server Desktop Engine

References

Credit