Rule Category

SERVER-MSSQL -- Snort has detected traffic exploiting vulnerabilities in Microsoft SQL Server.

Alert Message

SERVER-MSSQL xp_oasetproperty unicode vulnerable function attempt

Rule Explanation

This event is generated when an attempt is made to exploit a known vulnerability in Microsoft systems using Microsoft SQL Server.

Impact: Serious. Denial of Service. Code execution may be possible.

Details: Microsoft SQL Server is a database platform for use on hosts using the Microsoft Windows operating system. A vulnerability in the handling of functions available through the Extended Stored Procedures API may allow an attacker to overflow a fixed-length buffer and execute code of their choosing on an affected host. A DoS condition may also result if the server fails to handle a memory copy routine properly, which may cause the server to crash. In particular, this rule generates an event when an attempt is made to exploit the function "xp_oasetproperty".

Ease of Attack: Simple. Exploit code exists.
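
As an added example (not the Snort rule's own content, which this page does not show), the Python below flags any reference to "xp_oasetproperty" in a payload, whether the name arrives as ASCII or as UTF-16LE. Reading "unicode" in the alert message as UTF-16LE is an assumption, and the sample payloads and the 8-byte placeholder header are constructed.

```python
import re

PROC = "xp_oasetproperty"  # function named in the rule explanation

# One case-insensitive byte pattern per encoding the name can arrive in.
# re.IGNORECASE on a bytes pattern folds ASCII letters only, so the
# interleaved NUL bytes of UTF-16LE are matched literally.
PATTERNS = {
    "utf-16-le": re.compile(re.escape(PROC.encode("utf-16-le")), re.IGNORECASE),
    "ascii": re.compile(re.escape(PROC.encode("ascii")), re.IGNORECASE),
}


def find_proc_refs(payload: bytes) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every reference to PROC in payload."""
    hits = []
    for encoding, pattern in PATTERNS.items():
        hits.extend((m.start(), encoding) for m in pattern.finditer(payload))
    return sorted(hits)


# Constructed sample payloads (not captured traffic). The 8-byte prefix stands
# in for a packet header; its contents are placeholders and are not parsed.
HEADER = bytes(8)
SAMPLES = {
    "wide_mixed_case": HEADER + "exec master..XP_OASetProperty 1".encode("utf-16-le"),
    "ascii_lower": b"exec master..xp_oasetproperty 1",
    "unrelated_query": HEADER + "select name from sys.tables".encode("utf-16-le"),
}


def scan_samples() -> dict[str, list[tuple[int, str]]]:
    """Run the check over every constructed sample."""
    return {name: find_proc_refs(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'no match'}")
```

The check matches on the procedure name alone, so it reports every call that names the function and leaves the judgement about argument length to the analyst.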

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos, Brian Caswell, Nigel Houghton

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

Rule Vulnerability

CVE Additional Information