More Vulnerabilities for Microsoft

Security experts discover new flaws in SQL Server, Exchange Server and Metadirectory Services.
Three new flaws were discovered in Microsoft products that could allow a malicious user to cause havoc on your machine.

The flaws were discovered in SQL Server 2000, Microsoft Exchange Server, and Metadirectory Services 2.2, and would allow a hacker to accomplish a variety of attacks.

The most serious threat comes from the vulnerability in the SQL Server 2000 resolution service, which could enable code execution by an attacker.

The vulnerability was identified Wednesday by David Litchfield of Next Generation Security Software Ltd.

SQL Server 2000 introduces the ability to host multiple instances of SQL Server on a single physical machine. Each instance operates for all intents and purposes as though it was a separate server.

The multiple instances, however, cannot all use the standard SQL Server session port (TCP 1433). While the default instance listens on TCP port 1433, named instances listen on any port assigned to them. The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.

By sending a carefully crafted packet to the Resolution Service, an attacker could cause portions of system memory to be overwritten. Overwriting it with random data would likely result in the failure of the SQL Server service, while overwriting it with carefully selected data could allow the attacker to run code in the security context of the SQL Server service.

The vulnerability also could allow for a denial of service attack. SQL Server uses a keep-alive mechanism to distinguish between active and passive instances. A hacker could cause a DoS by creating a keep-alive packet that, when sent to the Resolution Service, would cause SQL Server 2000 to respond with the same information. An attacker who created such a packet, spoofed the source address so that it appeared to come from one SQL Server 2000 system, and sent it to a neighboring SQL Server 2000 system could cause the two systems to enter a never-ending cycle of keep-alive packet exchanges.
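The two Resolution Service problems described above both leave a visible footprint on UDP port 1434: an overflow attempt arrives as an unusually large datagram to the service, and the keep-alive loop shows up as two servers talking to each other port 1434 to port 1434 at a high rate. The following detector, an added example that is not part of the original article or of any Microsoft tooling, runs those two checks over a constructed set of flow records; the record fields, thresholds and sample addresses are assumptions chosen for illustration.

```python
"""Offline anomaly checks for SQL Server Resolution Service traffic (UDP 1434).

Added example, not from the original article.  Flow records are constructed
inline; the length threshold and loop parameters are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SSRP_PORT = 1434  # SQL Server Resolution Service listens here (UDP)


@dataclass
class Datagram:
    ts: float      # capture time in seconds
    src: str       # source IP
    dst: str       # destination IP
    sport: int     # source UDP port
    dport: int     # destination UDP port
    length: int    # UDP payload length in bytes


def oversized_requests(records, max_len=128):
    """Datagrams sent to UDP/1434 whose payload exceeds max_len bytes.

    A legitimate resolution query carries little more than a request type and
    an instance name, so a much larger request is worth inspecting.  The
    128-byte cut-off is an assumption, not a figure from the bulletin.
    """
    return [d for d in records if d.dport == SSRP_PORT and d.length > max_len]


def keepalive_loops(records, window=1.0, min_exchanges=10):
    """Host pairs exchanging 1434->1434 traffic in both directions at a high rate.

    A spoofed keep-alive makes two servers answer each other indefinitely.
    Unlike client queries, both endpoints of such a loop use port 1434, so we
    key on that and require min_exchanges packets from both sides within
    `window` seconds.  Returns a list of (hostA, hostB) tuples.
    """
    events = defaultdict(list)
    for d in records:
        if d.sport == SSRP_PORT and d.dport == SSRP_PORT:
            pair = tuple(sorted((d.src, d.dst)))
            events[pair].append((d.ts, d.src))

    loops = []
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the sliding window until it spans at most `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            senders = {src for _, src in span}
            if len(span) >= min_exchanges and senders == set(pair):
                loops.append(pair)
                break
    return loops


def sample_records():
    """Constructed traffic: one normal query, one server reply, one oversized
    request from outside, and two servers caught in a keep-alive loop."""
    recs = [
        Datagram(0.00, "10.0.0.5", "10.0.0.10", 5000, SSRP_PORT, 6),      # normal query
        Datagram(0.01, "10.0.0.10", "10.0.0.5", SSRP_PORT, 5000, 80),     # normal reply
        Datagram(0.50, "203.0.113.7", "10.0.0.10", 40000, SSRP_PORT, 376),  # oversized
    ]
    # keep-alive ping-pong between two servers, 20 packets in 0.4 seconds
    hosts = ("10.0.0.10", "10.0.0.11")
    for i in range(20):
        a, b = hosts[i % 2], hosts[(i + 1) % 2]
        recs.append(Datagram(1.0 + i * 0.02, a, b, SSRP_PORT, SSRP_PORT, 1))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for d in oversized_requests(recs):
        print(f"oversized request to {d.dst}:{d.dport} from {d.src} ({d.length} bytes)")
    for a, b in keepalive_loops(recs):
        print(f"possible keep-alive loop between {a} and {b}")
```

The length check is deliberately crude: it is a triage filter for a service that should only ever see short queries, not a signature. The loop check keys on both endpoints using port 1434, which is what distinguishes the spoofed exchange from ordinary client lookups, where only the server side uses that port.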

A patch for the vulnerability is available here.

The second vulnerability, discovered by Internet Security Systems, affects the Microsoft Exchange Server 5.5 Internet Mail Connector, which provides Simple Mail Transfer Protocol functionality. It is possible for remote attackers to formulate a request that triggers a buffer overflow on a vulnerable Exchange server. This flaw may allow an attacker either to crash Exchange and block all inbound and outbound e-mail delivery or to gain complete control of the server.

Two major concerns regarding this vulnerability are the widespread deployment of version 5.5 and the fact that successful exploitation of this vulnerability can occur through properly configured firewalls.

A patch for the Exchange Server 5.5 vulnerability is available here.

The last vulnerability, discovered by Pascal Huijbers and Thomas de Klerk of Info Support, appears to pose only a moderate threat. The vulnerability occurs in Microsoft Metadirectory Services, a centralized metadirectory service that provides connectivity, management, and interoperability functions to help unify fragmented directory and database environments.

A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories.

According to Microsoft's security bulletin, an attack on MMS would be extremely difficult. The bulletin notes that if normal security practices have been followed, the vulnerability could not be exploited from the Internet. In addition, the vulnerability could only be exploited by an attacker who had significant technical expertise at a protocol level, because the vulnerability does not provide access to MMS itself, but rather to the MMS data repository. Determining what data to change, and how to change it in order to cause a desired effect could be quite difficult.

The MMS vulnerability also appears to be exploitable only by an attacker with insider knowledge of the specific enterprise, as a successful attack would require a detailed understanding of the specific way MMS had been configured, as well as information about all of the other directories and databases it was being used to manage.

A patch for the MMS vulnerability is available here.

The new vulnerabilities for Microsoft come in a year when the company's software has been plagued by various flaws. This year alone, the Redmond, Wash. giant has acknowledged 39 vulnerabilities across its product line.
