Thanks Microsoft!


Hamma
2003-01-27, 09:25 AM
CERT Advisory CA-2003-04 MS-SQL Server Worm

Original release date: January 25, 2003
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Microsoft SQL Server 2000

Overview

The CERT/CC has received reports of self-propagating malicious code
that exploits multiple vulnerabilities in the Resolution Service of
Microsoft SQL Server 2000. The propagation of this worm has caused
varied levels of network degradation across the Internet, in addition
to the compromise of vulnerable machines.

I. Description

The worm targeting SQL Server computers is self-propagating malicious
code that most likely exploits two vulnerabilities in the Resolution
Service of Microsoft SQL Server 2000. The vulnerability documented in
VU#370308 allows the keep-alive functionality employed by the SQL
Server Resolution Service to launch a denial of service against other
hosts. Either the vulnerability VU#399260 or VU#484891 allows for the
execution of arbitrary code on the SQL Server computer due to a buffer
overflow.

VU#370308 - http://www.kb.cert.org/vuls/id/370308
VU#399260 - http://www.kb.cert.org/vuls/id/399260
VU#484891 - http://www.kb.cert.org/vuls/id/484891

Reports to the CERT/CC indicate that the high volume of 1434/udp
traffic generated between hosts infected with the worm targeting SQL
Server computers may itself lead to performance issues (including
possible denial-of-service conditions) on networks with infected
hosts.

Activity of this worm is readily identifiable on a network by the
presence of small UDP packets (we have received reports of 376-410
byte packets) from seemingly random IP addresses from across the
Internet to port 1434/udp.

II. Impact

Compromise by the worm indicates that a remote attacker can execute
arbitrary code as the local SYSTEM user on the victim system. It may
be possible for an attacker to subsequently leverage a local privilege
escalation exploit in order to gain Administrator access to the victim
system.

The high volume of 1434/udp traffic generated between hosts infected
with the worm may itself lead to performance issues on networks with
both infected and targeted, but non-vulnerable hosts.

III. Solution

Apply a patch

Administrators of all systems running Microsoft SQL Server 2000 are
encouraged to review CA-2002-22 and VU#370308 for detailed vendor
recommendations regarding installing the patch:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

CA-2002-22 - http://www.cert.org/advisories/CA-2002-22.html
VU#370308 - http://www.kb.cert.org/vuls/id/370308


Ingress/Egress filtering

The following steps are only effective in limiting the damage that can
be done by systems already infected with the worm. They provide no
protection whatsoever against the initial infection of systems. As a
result, these steps are only recommended in addition to the
preventative steps outlined above, not in lieu thereof.

Ingress filtering manages the flow of traffic as it enters a network
under your administrative control. Servers are typically the only
machines that need to accept inbound traffic from the public Internet.
In the network usage policy of many sites, external hosts are only
permitted to initiate inbound traffic to machines that provide public
services on specific ports. Thus, ingress filtering should be
performed at the border to prohibit externally initiated inbound
traffic to non-authorized services.

Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need for
machines providing public services to initiate outbound connections to
the Internet.

In the case of this worm, employing ingress and egress filtering can
help prevent compromised systems on your network from attacking
systems elsewhere. Blocking UDP datagrams with both source and
destination ports 1434 from entering or leaving your network reduces
the risk of external infected systems communicating with infected
hosts inside your network.


Recovering from a system compromise

If you believe a system under your administrative control has been
compromised, please follow the steps outlined in:

Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Let's hear a round of applause for Microsoft!
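The advisory gives two concrete, defender-side handles on this worm: a detection signature (small UDP datagrams of 376-410 bytes, from seemingly random source addresses, to port 1434/udp) and a border-filter rule (drop UDP datagrams with both source and destination port 1434). The script below is an added example, not code from the advisory or from anyone in this thread. It runs both checks over a handful of constructed flow-record lines; the line format, field names and addresses are assumptions made for the example, not a real NetFlow or pcap schema.

```python
"""Triage of 1434/udp traffic as described in CERT CA-2003-04.

Added example, not code from the advisory or from anyone in the thread.
The flow-record line format, field names and all sample lines below are
constructed for the example; they are not a real NetFlow or pcap schema.
"""
from dataclasses import dataclass
from typing import Dict, List

SQL_RESOLUTION_PORT = 1434             # SQL Server Resolution Service port (advisory)
WORM_PKT_MIN, WORM_PKT_MAX = 376, 410  # datagram sizes reported to CERT/CC (advisory)


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    proto: str    # "udp" or "tcp"
    sport: int
    dport: int
    length: int   # datagram size in bytes


def parse_flow_line(line: str) -> FlowRecord:
    """Parse a constructed 'src:port > dst:port proto bytes' line."""
    src, _, dst, proto, length = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return FlowRecord(src_ip, dst_ip, proto.lower(), int(sport), int(dport), int(length))


def is_worm_like(rec: FlowRecord) -> bool:
    """Detection heuristic from the advisory: a small UDP datagram (376-410 bytes)
    sent to port 1434/udp, whatever its source port or source address."""
    return (rec.proto == "udp"
            and rec.dport == SQL_RESOLUTION_PORT
            and WORM_PKT_MIN <= rec.length <= WORM_PKT_MAX)


def border_filter_decision(rec: FlowRecord) -> str:
    """Ingress/egress rule exactly as the advisory words it: drop UDP datagrams
    whose source AND destination ports are both 1434; everything else passes."""
    if (rec.proto == "udp"
            and rec.sport == SQL_RESOLUTION_PORT
            and rec.dport == SQL_RESOLUTION_PORT):
        return "drop"
    return "allow"


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_LINES = [
    "198.51.100.7:1434 > 192.0.2.10:1434 udp 404",   # external host probing us, both ports 1434
    "203.0.113.5:3821 > 192.0.2.10:1434 udp 376",    # same size and target, ephemeral source port
    "192.0.2.20:53241 > 192.0.2.30:1434 udp 64",     # small internal resolution query, benign size
    "192.0.2.11:5000 > 198.51.100.9:1433 tcp 1500",  # ordinary TCP session to SQL Server
    "192.0.2.12:1434 > 203.0.113.40:1434 udp 410",   # internal host now infected, scanning outward
]


def triage(lines: List[str]) -> Dict[str, object]:
    """Run both checks over flow lines and report what detection sees versus
    what the port-pair filter would actually stop."""
    records = [parse_flow_line(line) for line in lines]
    worm_like = [r for r in records if is_worm_like(r)]
    dropped = [r for r in records if border_filter_decision(r) == "drop"]
    # Flagged by the size/port heuristic but passed by the both-ports-1434 rule:
    # these are the records an operator would want to look at by hand.
    flagged_not_dropped = [r for r in worm_like if border_filter_decision(r) == "allow"]
    return {
        "worm_like": len(worm_like),
        "dropped": len(dropped),
        "flagged_not_dropped": [f"{r.src_ip}:{r.sport}" for r in flagged_not_dropped],
        "sources": sorted({r.src_ip for r in worm_like}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The point of reporting `flagged_not_dropped` separately is that the two checks are not equivalent: the detection heuristic keys on destination port and datagram size alone, while the filter rule as the advisory words it only matches datagrams where the source port is also 1434. Records that trip the first but pass the second are exactly the ones a network operator should be reviewing, and the advisory's own caveat applies: filtering limits what already-infected hosts can do, it does not substitute for applying the patch.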

Ludio
2003-01-27, 09:45 AM
Now we just need to get together a mob and go looking for whoever made that worm. How dare he deprive us of our precious Planetside!:furious:

Sputty
2003-01-27, 09:51 AM
Would it work to hold the world hostage for Microsoft to release the needed patches and release finished software?..Probably not..

Hamma
2003-01-27, 09:59 AM
btw IRC is back up for those of you who are not on yet :p

Sputty
2003-01-27, 10:00 AM
Yay, more good news. BTW, Hamma, do you have a plan to kill Bill Gates yet?

Hijinks
2003-01-27, 10:48 AM
Whew, I thought I had already been banned.

RangerJoe
2003-01-27, 10:58 AM
This hole has been known for over 3 months; it's your fault if you don't install the security patch or Service Pack 3.0, which includes this patch.

Sputty
2003-01-27, 10:59 AM
Oh, ok, Hello BILL

Hamma
2003-01-27, 12:09 PM
:lol:

avail
2003-01-27, 12:37 PM
Ummm. Microsoft released the patch a while ago; the problem is that not many people updated. Quit the MS hate.

Airlift
2003-01-27, 01:16 PM
Or the problem is that there are so many gaping holes in their software.

Shark
2003-01-27, 01:24 PM
Before you bash Bill, you might want to consider that Microsoft made the fix to this vulnerability available for download back in July...shame on those users who didn't bother updating their software until AFTER THE FACT. I know it's fashionable to bash MS...especially if you really don't know what you're talking about. But the fact is, MS has done quite a bit to allow you to have a PS website and the PS game for that matter. Next time, get your facts, then start bitching.

Shark

Hamma
2003-01-27, 01:27 PM
Microsoft is <u>still</u> the devil.

Shark
2003-01-27, 01:29 PM
Heheh...understood Hamma...I like Bill the Devil humor too...just don't care to hear people spout off about MS all the time. It's what I do for a living and I hear it to no end in tech circles.

Shark

Hamma
2003-01-27, 01:39 PM
Yea I have to deal with MS stuff all day long :(

Marsman
2003-01-27, 01:41 PM
Yeah I have to agree - lazy techs, sloppy work. No need of it. If you're worth your salt as a tech, you protect your company and its software by patching when security flaws are discovered. Last July was plenty of time to prepare for this. No need of this many intrusions by this worm if techs had done their job. :rolleyes:

Airlift
2003-01-27, 02:03 PM
I like how people automatically assume that you don't know what you're talking about when you bash something they like. I work with a lot of microsoft software for development and I still think that a large chunk of it is garbage that wouldn't sell a copy if it wasn't automatically leveraged down our collective throat.

I think you should compare the number and severity of known security holes in SQLServer to the ones in MySQL or PostgreSQL and then share your findings with the class.

It is all fine and good to blame the massive crowd of administrators who failed to stay on top their patches, but it is e-tarded to automatically forgive the creators of the software of all responsibility. Nevermind the fact that most administrators have a shload of other things to worry about, each one at the top of someone's BS priority list.

Hijinks
2003-01-27, 03:23 PM
Originally posted by Airlift

I think you should compare the number and severity of known security holes in SQLServer to the ones in MySQL or PostgreSQL and then share your findings with the class.


There are just as many bugs in mySQL et al.

It's just that nobody gives a fuck about writing worms for mySQL.

Who should really be blamed is the fuck-tard who decided to let his sql server ports be open outside his firewall.

http://online.securityfocus.com/archive/1/307412

There is a link to a Red Hat security notice concerning four fixes to mysql. Two of them are remotely exploitable bugs that allow the user to run arbitrary code. Just like the sql server bug.

Oh yea, that patch was on 1-15-03, have you upgraded yet?

Airlift
2003-01-27, 03:55 PM
apt-get, bitch

Hijinks
2003-01-27, 04:25 PM
Originally posted by Airlift
apt-get, bitch

Granted, linux has a better patching system than MS.

Microsoft needs to make Windows Update patch any MS software on the pc.

Hunter83
2003-01-27, 05:37 PM
Microsoft r0x0Rz

:stupid:

Hamma
2003-01-27, 06:05 PM
Bet some people lost their jobs over this worm. haha

Sputty
2003-01-28, 04:42 AM
Seems like it should. Heh, one of the big reasons it was so successful in Korea was all the Koreans using pirated server software...

Hijinks
2003-01-28, 07:47 AM
Originally posted by Sputty
Seems like it should. Heh, one of the big reasons it was so successful in Korea was all the Koreans using pirated server software...

How does that have anything to do with not applying patches and having an open firewall?

Sputty
2003-01-28, 10:17 AM
I don't think firewalls helped make a difference. Also, I'm not sure, updating the server may have required authorized versions. And old unused servers were part of it too and may have not been updated for those reasons. And if you ask me why so many of the Koreans didn't update their server and you want a 100% accurate answer, expect me, not the people who ran those servers or Koreans, to give you one.

Hijinks
2003-01-28, 10:24 AM
A firewall was a 100% guaranteed way to stop it. The patches can be installed on pirated versions.

I could see that a high rate of piracy resulted in more end users w/o firewalls running the software. They were probably the type of user who just installed it because they had it and then never thought about it again. That would certainly have made the outbreak more severe.