Advisories
ANALYSIS: Microsoft SQL Server Sapphire Worm
Release Date:
January 25, 2003
Severity:
High
Systems Affected:
Microsoft SQL Server 2000 pre SP3
Microsoft Desktop Engine (MSDE) 2000
Overview:
Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.
The worm spreads by exploiting a stack-based buffer overflow in Microsoft SQL Server 2000. The flaw was discovered in July 2002 by Next Generation Security Software Ltd. It exists because the SQL Server Resolution Service, which listens on the Microsoft SQL Monitor port (UDP 1434), does not properly bound-check the data it receives. Code delivered through this vulnerability runs in the context of the SQL Server service account, which is very commonly the SYSTEM account, so a successful attacker owns the host outright.
The worm propagates by generating pseudo-random IP addresses and firing a copy of itself at each one. The payload carries no additional malicious content (no backdoor; it is memory-resident and writes nothing to disk); the damage comes from the propagation itself. Because every infected host sends copies as fast as it can, the aggregate traffic amounts to a denial-of-service attack against infected networks and the links between them.
We have been able to verify that multiple points of connectivity on the Internet have been bogged down since 9pm Pacific Standard Time.
Note that this is not the same as an earlier SQL worm that spread by logging in to the sa account with a blank password. The new worm is more devastating because it exploits a flaw in the software itself rather than a configuration error, so even a correctly configured but unpatched server is vulnerable. We have already received many reports of smaller networks brought down by the flood of traffic from the Sapphire Worm trying to infect new systems.
Corrective Action:
We recommend that people immediately firewall the SQL Server service ports at all of their gateways. The worm uses only UDP port 1434 (the SQL Monitor port) to reach a new system, and the entire worm fits in a single datagram, so a stateless filter on that port is enough to stop it; it is nonetheless safe practice to filter all SQL Server traffic at every gateway. Filter in both directions: an inbound rule keeps new infections out, and an outbound rule keeps an already-infected host from saturating your uplink with scan traffic. Because the worm picks target addresses at random, it will also hunt for unpatched hosts on internal networks behind the gateway, so perimeter filtering does not replace patching. The following is a list of SQL Server ports:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
Once again this worm is taking advantage of a known vulnerability for which a patch (MS02-039) has been available for many months. Microsoft has also released a recent service pack for SQL Server 2000 (Service Pack 3) that includes a fix for this vulnerability.
Standalone patch:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp
Earlier service pack levels (SP2 and below) remain vulnerable unless the standalone patch has been applied.
Technical Details:
The following is a quick run-down of what the worm's payload is doing after infection:
- Retrieves the addresses of GetProcAddress and LoadLibraryA from the import address table (IAT) of sqlsort.dll, the DLL the overflowed return address points into, and uses them to resolve the remaining library base addresses and function entry points it needs (the socket functions in ws2_32.dll and GetTickCount in kernel32.dll).
- Calls GetTickCount and uses the returned tick count as a pseudo-random seed.
- Creates a UDP socket.
- Runs a simple pseudo-random number generator, seeded from the GetTickCount value, to produce an IP address that will be used as the next target.
- Sends its own payload, the same 376-byte datagram it arrived in, as a SQL Server Resolution Service request to the target address on UDP port 1434.
- Loops back to the generator and continues producing new pseudo-random targets. There is no delay anywhere in the loop, so an infected host sends as fast as its network interface allows, which is why a handful of infected machines can saturate a network.
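As an added example (our own illustration, not code from eEye, Microsoft or the worm), the following Python script shows how the two observations above turn into detection logic. It serves both the Corrective Action section (what to watch for on UDP 1434 while filters and patches go in) and the behaviour list just above: a per-datagram check on the shape of the SQL Server Resolution Service request (the 0x04 opcode followed by a 376-byte payload instead of a short instance name), and a per-source fan-out check that catches the no-delay send loop. The opcode meanings follow Microsoft's MC-SQLR protocol; the sample traffic, addresses and thresholds (a 32-byte instance-name cap, 50 distinct targets per one-second window) are constructed assumptions, and the worm-shaped sample payload only mimics the framing, not the worm.

```python
"""Added example: spotting Sapphire/Slammer-style SSRS traffic on UDP/1434.

  1. classify_ssrs(): per-datagram opcode check. Legitimate requests are a
     single 0x02/0x03 byte or 0x04 plus a short instance name; the worm's
     datagram is 0x04 followed by hundreds of bytes.
  2. scanning_sources(): per-source fan-out check. The worm sprays UDP/1434
     at pseudo-random targets with no delay, so one source reaching many
     distinct destinations in a short window is the behavioural tell.
Opcodes follow MC-SQLR; thresholds and sample traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376        # UDP payload length of the worm datagram
MAX_SANE_INSTANCE_NAME = 32      # assumption: real instance names are short
FANOUT_THRESHOLD = 50            # assumption: distinct targets per window
WINDOW_SECONDS = 1.0


@dataclass(frozen=True)
class Datagram:
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_ssrs(payload: bytes) -> str:
    """Return 'worm-like', 'legit' or 'unknown' for one UDP/1434 payload."""
    if not payload:
        return "unknown"
    op = payload[0]
    if op in (0x02, 0x03) and len(payload) == 1:   # CLNT_BCAST_EX / CLNT_UCAST_EX
        return "legit"
    if op == 0x04:                                  # CLNT_UCAST_INST: 0x04 + name
        name = payload[1:].split(b"\x00", 1)[0]
        if len(payload) == SLAMMER_PAYLOAD_LEN or len(name) > MAX_SANE_INSTANCE_NAME:
            return "worm-like"
        return "legit"
    return "unknown"


def scanning_sources(datagrams, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each source reaching >= threshold distinct UDP/1434 targets within
    any sliding window of `window` seconds to its peak fan-out."""
    by_src = defaultdict(list)
    for d in datagrams:
        if d.dport == SSRS_PORT:
            by_src[d.src].append((d.ts, d.dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        active = defaultdict(int)   # dst -> datagrams currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            active[dst] += 1
            while ts - events[left][0] > window:   # slide the left edge forward
                old = events[left][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def report(datagrams):
    """Summarise both checks over a list of Datagram records."""
    verdicts = defaultdict(int)
    for d in datagrams:
        if d.dport == SSRS_PORT:
            verdicts[classify_ssrs(d.payload)] += 1
    return {
        "worm_like_datagrams": verdicts["worm-like"],
        "legit_datagrams": verdicts["legit"],
        "scanning_sources": scanning_sources(datagrams),
    }


def sample_traffic():
    """Constructed sample: one infected host spraying 376-byte 0x04 datagrams
    at 200 distinct targets in 0.2 s, plus one client doing normal lookups.
    The worm-shaped payload only mimics the framing (0x04 then filler)."""
    worm_shaped = b"\x04" + b"\x01" * (SLAMMER_PAYLOAD_LEN - 1)
    pkts = [Datagram(100.0 + i * 0.001, "10.0.0.5", f"203.0.113.{i % 254 + 1}",
                     SSRS_PORT, worm_shaped) for i in range(200)]
    pkts.append(Datagram(100.5, "10.0.0.9", "10.0.0.20", SSRS_PORT, b"\x03"))
    pkts.append(Datagram(100.6, "10.0.0.9", "10.0.0.20", SSRS_PORT, b"\x04PROD01\x00"))
    return pkts


if __name__ == "__main__":
    print(report(sample_traffic()))
```

Run as a script it prints the summary for the constructed sample; in practice you would build Datagram records from your own capture or flow export and feed them to report(). The fan-out check is deliberately independent of payload contents, so it still fires if the datagram length or first byte changes, while the opcode check catches a single probe long before any rate threshold is reached.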
In Closing:
We have provided brief information here as we are currently working to understand more of the worm's internal behavior. We will provide updates as they become available.
This worm has been dubbed the "Sapphire Worm" by eEye due to the fact that several engineers had to be pulled away from local bars to begin the investigation/dissection process.
Credit:
Riley Hassell
Related Links:
Microsoft's Vulnerability Information & Patch
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
Next Generation Security Software SQL Server Advisory
http://www.nextgenss.com/advisories/mssql-udp.txt
SQLSecurity.com
http://sqlsecurity.com/
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
