4578 : Microsoft SQL Resolution Service Monitor Thread Registry Key Name Overflow
Printer | http://osvdb.org/4578 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
17	2402	over 10 years ago	over 2 years ago	3 times	90%

Timeline

Disclosure Date
2002-07-24

Description

Microsoft SQL Server and Desktop Engine contain a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to the SQL Server Resolution Service not properly sanitizing remote user input. If an attacker sends a specially crafted request (first byte set to 0x04 followed by a large string) they may be able to execute arbitrary code with the privileges of the SQL server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Products

Cisco Systems, Inc.	BBSM	5.0
		5.1
	CallManager	3.3.x
	Unity	3.x
		4.x

Microsoft Corporation	Desktop Engine (MSDE)	2000
Microsoft Corporation	SQL Server	2000

References

CVE ID: 2002-0649 (see also: NVD)
Microsoft Knowledge Base Article: 317748
Related OSVDB ID: 4577 878
Metasploit ID: 4578
CERT VU: 484891
Bugtraq ID: 5311
ISS X-Force ID: 9661
CERT: CA-2002-22 CA-2003-04
Keyword: DDOS.SQLP1434.A Sapphire Slammer SQL Slammer Worm UDP Port 1434 W32/SQLSlam-A W32/SQLSlammer
Generic Informational URL: http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
Other Advisory URL: http://www.nextgenss.com/advisories/mssql-udp.txt
Microsoft Security Bulletin: MS02-039

Tools & Filters

	11214
Snort	2003 2004 2050 4989 4990

Credit

David Litchfield - davidngssoftware.com - NGSSoftware

CVSSv2 Score

CVSSv2 Base Score = 7.5
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Timeline

Description

Classification

Solution

Products

Cisco Systems, Inc.

BBSM

CallManager

Unity

Microsoft Corporation

Desktop Engine (MSDE)

SQL Server

References

Tools & Filters

Credit

CVSSv2 Score

Comments