Microsoft KB Archive/248749

= FIX: Possible Denial of Service Attack with Appropriate NULL Bytes in TDS Header =

Article ID: 248749

Article Last Modified on 3/14/2006

APPLIES TO

 * Microsoft SQL Server 7.0 Standard Edition

This article was previously published under Q248749

BUG #: 53910 (SQLBUG_70)

SYMPTOMS
Network packets in which NULL bytes land at particular offsets (specifically, over the length field of the Tabular Data Stream header; see CAUSE) can cause an access violation (AV) inside SQL Server, terminating the process. Before it terminates, SQL Server writes a stack dump to the error log with text similar to the following. Note that the Exception Address lies in IGetFullEvent.

1999-12-17 09:22:13.20 server Using 'sqlimage.dll' version '4.0.5
Stack Dump being sent to d:\MSSQL7\log\SQL00009.dmp
1999-12-17 09:22:23.78 server process_commands: Process 496 generated fatal exception c0000005 EXCEPTION_ACCESS_VIOLATION. SQL Server is terminating this process.
*   BEGIN STACK DUMP:
*   12/17/99 09:22:23 spid 0
*   Exception Address = 41061E40 (IGetFullEvent + 103)
*   Exception Code = c0000005 E
*   Access Violation occurred reading address 120B0000

CAUSE
The length of each Tabular Data Stream (TDS) packet is encoded in the packet header. SQL Server fails to handle the case where the length encoded in the TDS header is smaller than the number of bytes it has already read from the network for that packet. While determining which events the packet contains, the server computes the number of bytes remaining as a signed difference; with a length field smaller than the bytes already consumed, that difference is negative, and the server reads past the end of the network buffer allocated for the client, causing the exception.

This problem does not allow any data in the SQL Server address space to be overwritten. SQL Server correctly limits the number of bytes it reads from the network to the network packet size, so the defect cannot be turned into a buffer overflow; the impact is limited to a denial of service (the server process terminates and must be restarted).

WORKAROUND
To work around this problem, prevent untrusted client computers from reaching the server. For example, if the server is part of an Internet Web site, place SQL Server behind a firewall and filter traffic to that host so that only trusted computers can connect. By default, SQL Server listens on TCP port 1433; restrict access to that port (and to any other network libraries the server has enabled) accordingly.

STATUS
Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 2 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

254561 INF: How to Obtain Service Pack 2 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0

For more information, contact your primary support provider.



MORE INFORMATION
TDS, Tabular Data Stream, is the proprietary format used to describe the data contained in all transmissions between a SQL Server client and the server.

The original report of this problem stated that SQL Server would crash whenever three or more contiguous NULL bytes appeared in a TDS packet. This is not the case; many legitimate packets contain far more NULL bytes than that. The problem is specific to overwriting the portion of the TDS header that contains the packet length, so that the header claims a length smaller than the bytes the server has already consumed (an all-zero header, for example, encodes a length of 0).
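To make the CAUSE section and the clarification above concrete, here is an added illustrative example in C. It is not SQL Server code and was not part of the original article: the header layout is the one documented for TDS (type, status, a big-endian 16-bit length that includes the 8 header bytes, SPID, packet id, window), the sample packets are constructed, and the shape of the faulty signed subtraction in tds_vulnerable_reads_out_of_bounds is an assumed model of the arithmetic problem the article describes, not the server's actual code. The hardened parser shows the two checks such a parser needs: the length field may be neither smaller than its own header nor larger than the bytes actually held.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TDS packet header (8 bytes), per the documented protocol:
 *   byte 0     packet type
 *   byte 1     status
 *   bytes 2-3  packet length, big-endian, INCLUDING these 8 header bytes
 *   bytes 4-5  SPID
 *   byte 6     packet id
 *   byte 7     window
 */
#define TDS_HEADER_LEN 8

/* Read the big-endian 16-bit length field from a header. */
static unsigned tds_header_length(const uint8_t *hdr)
{
    return ((unsigned)hdr[2] << 8) | hdr[3];
}

/* Assumed model of the faulty computation (illustrative, not SQL Server's code):
 * the number of payload bytes still to process is taken as a signed difference
 * between the header's length field and the bytes already consumed. A length
 * field smaller than the bytes consumed (an all-zero header gives 0) makes the
 * difference negative; once that value flows into an unsigned byte count the
 * parser walks far past the receive buffer. This function only reports whether
 * the computed count would exceed the buffer; it never performs the read. */
bool tds_vulnerable_reads_out_of_bounds(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < TDS_HEADER_LEN)
        return false;                         /* header not complete yet */
    int consumed = TDS_HEADER_LEN;
    int remaining = (int)tds_header_length(buf) - consumed; /* can go negative */
    size_t to_read = (size_t)remaining;       /* negative -> enormous */
    return to_read > buf_len - TDS_HEADER_LEN;
}

/* Hardened parse: validate the length field before deriving any byte count. */
bool tds_parse_checked(const uint8_t *buf, size_t buf_len, size_t *payload_len)
{
    if (buf_len < TDS_HEADER_LEN)
        return false;
    unsigned len = tds_header_length(buf);
    if (len < TDS_HEADER_LEN)                 /* shorter than its own header */
        return false;
    if (len > buf_len)                        /* claims more than we hold */
        return false;
    *payload_len = len - TDS_HEADER_LEN;
    return true;
}

/* Convenience wrapper: payload length, or -1 if the packet is rejected. */
long tds_checked_payload_len(const uint8_t *buf, size_t buf_len)
{
    size_t n;
    return tds_parse_checked(buf, buf_len, &n) ? (long)n : -1;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t kGoodPacket[] = {
    0x01, 0x01, 0x00, 0x14, 0x00, 0x00, 0x01, 0x00,   /* SQL batch, length 20 */
    'S', 'E', 'L', 'E', 'C', 'T', ' ', '1', 0, 0, 0, 0 /* 12 payload bytes */
};
static const uint8_t kZeroHeaderPacket[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* length field = 0 */
    0x41, 0x41, 0x41, 0x41
};
static const uint8_t kShortLengthPacket[] = {
    0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x01, 0x00,   /* length 4 < header */
    0x41, 0x41
};

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t n; } pkts[] = {
        {"good",            kGoodPacket,        sizeof kGoodPacket},
        {"zero header",     kZeroHeaderPacket,  sizeof kZeroHeaderPacket},
        {"length < header", kShortLengthPacket, sizeof kShortLengthPacket},
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%-16s vulnerable reads OOB: %d  checked payload len: %ld\n",
               pkts[i].name,
               (int)tds_vulnerable_reads_out_of_bounds(pkts[i].p, pkts[i].n),
               tds_checked_payload_len(pkts[i].p, pkts[i].n));
    return 0;
}
```

Only the length-field check matters here: the all-zero header contains eight contiguous NULL bytes, but the same bytes elsewhere in a packet (as in the padding of kGoodPacket) are harmless, which is the distinction the paragraph above draws. The second check in tds_parse_checked (length larger than the bytes held) is the complementary bound that keeps a parser from reading past its buffer in the other direction.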

Dependencies

 * You must be running SQL Server 7.0 Service Pack 1 before applying this fix. The fix will be included in Service Pack 2 and later releases, so no action will be required when the system is upgraded to one of those releases.
 * Because of an earlier change in Opends60.dll, on which the multiprotocol network library depends, if you use that network library to make a trusted connection to SQL Server you must also update Ssmsrp70.dll with the copy included in this fix. If the two DLLs are not updated together, every client attempting a trusted multiprotocol connection to SQL Server will fail to connect.