Buffer Overflow Vulnerability in Microsoft SQL Server 2000 and MSDE
CVE-2002-0649

Currently unrated

Key Information:

Vendor: Microsoft
CVE Published: 12 August 2002

Summary

Multiple buffer overflow vulnerabilities exist in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE). They can be exploited remotely by sending specially crafted UDP packets to port 1434. The first vulnerability is triggered by sending a 0x04 byte, which causes the SQL Monitor thread to create an excessively long registry key name. The second is triggered by sending a 0x08 byte followed by a long string, which leads to heap corruption. This flaw was used by the Slammer/Sapphire worm, resulting in widespread disruption and denial of service.

EPSS Score

86% chance of being exploited in the next 30 days.

CVE-2002-0649 : Buffer Overflow Vulnerability in Microsoft SQL Server 2000 and MSDE | SecurityVulnerability.io