MS08-040: How to spot MTF files crossing network boundary

Today we released MS08-040 to patch several vulnerabilities in the SQL Server Database Engine; one of them involves the SQL Server backup file format.  The format is also known as MTF (Microsoft Tape Format).  The vulnerability requires an attacker to be able to force the SQL Server to load a malicious MTF file from the local drive or from the network.

Under normal circumstances (and by default), only authenticated SQL Server users can load an MTF file.  In order to remotely exploit this vulnerability, the attacker could leverage a separate SQL injection vulnerability and then trigger the SQL Server to load a malicious MTF file from the Internet; the SQL Server will then try to access the file using the Server Message Block (SMB) protocol or WebDAV. Web-based Distributed Authoring and Versioning (WebDAV) is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers.)  Consequently, you will see SQL Server make an outbound connection to the Internet on ports 80, 443, 139, or 445.  In most cases, the Database Engine (sqlservr.exe) should not talk to the Internet on these ports so you should block them both inbound and outbound at the firewall  unless they are needed by other components.  Therefore, if you see SQL Server loading MTF files from the Internet, it is probably bad news.  You can fingerprint an MTF file on the network by looking at its header which is a 94-byte structure defined as follows:

typedef struct {
0x00: UINT32 dblktype;

0x56: UINT16 svid;

0x5D: UINT8 mver;

dblktype” should always be 0x45504154 (“TAPE”).  The “svid” field indicates the vendor and it should be 0x1200 (Microsoft).  An example header with the two fields highlighted is shown below.

You should always set up your SQL server with best security practices as outlined in and

– Security Vulnerability Research & Defense Bloggers

*Postings are provided “AS IS” with no warranties, and confers no rights.*