Rule:

--
Sid:
2329

--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Windows Data Access Components.

--
Impact:
Serious. Execution of arbitrary code is possible. Denial of Service
(DoS)

--
Detailed Information:
It may be possible for an attacker to send a specially crafted response
to a client broadcast query searching for an SQL server. This response
could take advantage of a buffer overrun condition in an MDAC component
which may result in the attacker being presented with the opportunity to 
execute code of their choosing with the privileges of the user running
the service on the client system.

A DoS condition may also manifest in MDAC version 2.8.

MDAC is included by default on many Microsoft Windows systems. Client
workstations may make regular broadcast announcements in an attempt to
find SQL servers.

--
Affected Systems:
	Microsoft Data Access Components 2.5
	Microsoft Data Access Components 2.6
	Microsoft Data Access Components 2.7
	Microsoft Data Access Components 2.8

--
Attack Scenarios:
The attacker may spoof the response from an SQL server to exploit the
vulnerability.

--
Ease of Attack:
Moderate..

--
False Positives:
The networked game "Joint Operations" is reported to generate traffic
that may generate events from this rule. The $SQL_SERVERS variable in
snort.conf should be configured correctly to eliminate this behavior.

--
False Negatives:
None known

--
Corrective Action:
Apply the appropriate vendor supplied patches and service packs.

Use a packet filtering firewall to block access to port 1434 for UDP traffic

Use IPsec to block incoming requests on UDP port 1434 on the SQL server

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/9407

CERT:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0903

Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-003.asp

--
