FIX: Denial of Service Attack with NULL Bytes in RPC Request (277640)


The information in this article applies to:

  • Microsoft SQL Server 7.0
  • Microsoft SQL Server 2000 (all editions)
This article was previously published under Q277640
BUG #: 58466 (SQLBUG_70), 236457 (SHILOH)

SYMPTOMS

Multi-protocol (RPC) requests transported by way of TCP/IP Sockets filled with appropriately placed NULL bytes may cause an access violation (AV) within SQL Server, causing the process to terminate. The last line in the errorlog reports the following message:
2000-10-20 12:59:07.56 server SQL Server is aborting. Fatal exception c0000005 caught.

RESOLUTION

SQL Server 2000

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

290211 INF: How to Obtain the Latest SQL Server 2000 Service Pack

SQL Server 7.0

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 7.0.

WORKAROUND

You can work around this problem in the following ways:
  • Disable the Multi-protocol Net-Library by using the Server Network Utility.
  • If you are using SQL Server 2000, disable the Multi-protocol Net-Library from using TCP/IP Sockets as a transport with the following steps:
    1. Use the Server Network Utility.
    2. Select Multi-protocol.
    3. Click the Properties button
    4. Remove the "ncacn_ip_tcp" entry from the RPC Protocols text box.

STATUS

SQL Server 2000

Microsoft has confirmed this to be a problem in SQL Server 2000. This problem was first corrected in Microsoft SQL Server 2000 Service Pack 1.

SQL Server 7.0

Microsoft has confirmed this to be a problem in SQL Server 7.0. This problem has been corrected in U.S. Service Pack 3 for Microsoft SQL Server 7.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

274799 INF: How to Obtain Service Pack 3 for Microsoft SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0

For more information, contact your primary support provider.

MORE INFORMATION

This situation can only be encountered by using a malicious nonclient application, because a normal client application will not have null values as part of the RPC request in the manner that this problem requires. For additional information about Microsoft Security Bulletin MS01-041, see the following article in the Microsoft Knowledge Base:

298012 Malformed RPC Request Can Cause Service Problems

Modification Type:MajorLast Reviewed:3/14/2006
Keywords:kbBug kbfix KB277640
©2004 Microsoft Corporation. All rights reserved.