Arguably the most famous bug in this class is the bug exploited by the SQL Server “Slammer” worm. The SQL
Server Resolution Service operates over a UDP protocol, by default on port 1434. It exposes a number of
functions, two of which were vulnerable to buffer overflow issues (CAN-2002-0649). These bugs were
discovered by David Litchfield of NGS. Another SQL Server problem in the same category was the “hello”
bug (CAN-2002-1123) discovered by Dave Aitel of Immunity, Inc., which exploited a flaw in the initial
session setup code on TCP port 1433.
Oracle has not been immune to this category — most recently, David Litchfield found an issue with
environment variable expansion in Oracle’s “extproc” mechanism that can be exploited without a username
or password (CAN-2004-1363). Chris Anley of NGS discovered an earlier flaw in Oracle’s extproc
mechanism (CAN-2003-0634) that allowed for a remote, unauthenticated buffer overflow. Mark Litchfield
of NGS discovered a flaw in Oracle’s authentication handling code whereby an overly long username
would trigger an exploitable stack overflow (CAN-2003-0095). David Litchfield also found a flaw in
DB2’s JDBC Applet Server (no CVE, but bugtraq id 11401) that allows a remote, unauthenticated user
to trigger a buffer overflow.