MS-ISAC ADVISORY NUMBER:
2008-045 Updated

DATE(S) ISSUED:
12/10/2008
12/26/2008 - Updated

SUBJECT:
Microsoft SQL Server Remote Memory Corruption Vulnerability

ORIGINAL OVERVIEW:

A vulnerability has been discovered in Microsoft SQL Server. Successful exploitation will result in an attacker gaining the same privileges as the MS SQL Server process. The attacker could then potentially access sensitive or confidential information, install programs, view, change, or delete data, or create new accounts. There is no patch available at this time.

UPDATED OVERVIEW:
There are currently no reports of active exploits. However, proof of concept code for this vulnerability has been publicly released and verified in our lab. There is still no patch available at this time.

ORIGINAL SYSTEMS AFFECTED:

  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005

UPDATED SYSTEMS AFFECTED:

  • Microsoft SQL Server 2005 SP1 and SP2 only
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
  • Microsoft SQL Server 2000 Desktop Engine (WMSDE)
  • Windows Internal Database (WYukon)

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: Low

ORIGINAL DESCRIPTION:
Microsoft SQL Server 2000 and 2005 are prone to a remote memory-corruption vulnerability because they fail to properly handle user-supplied input. This vulnerability has been confirmed on SQL Server 2000 and 2005. There is no information available regarding SQL Server 2008.

The vulnerability is caused by a boundary error in the 'sp_replwritetovarbin' extended stored procedure. By calling 'sp_replwritetovarbin' with several uninitialized variables as parameters, it is possible to trigger a memory write to an attacker-controlled location. It may be possible to use this to execute arbitrary code in the context of the SQL Server service process. If the principle of Least Privilege has been followed and the service runs under a low-privileged account, the damage an attacker can achieve is limited accordingly.

In a default configuration, the 'sp_replwritetovarbin' stored procedure is accessible by any authenticated user. This vulnerability therefore may be exploited by any authenticated user with a direct database connection, or via SQL injection through a vulnerable application that connects to a vulnerable Microsoft SQL Server.

Proof of concept code for this vulnerability has been publicly released and verified in our lab. Reportedly, the researcher who discovered this issue has developed a working code-execution exploit for this issue. However, the exploit is not publicly available at this time. With a working code-execution exploit, authenticated attackers may be able to exploit this issue in order to execute arbitrary code and compromise affected computers. Failed attacks will likely cause denial-of-service conditions.

It should be noted that applications with a SQL injection vulnerability may allow anonymous attackers to reach this vulnerability through the application's own database connection, without credentials of their own.
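The injection route described above, as an added T-SQL example that is not part of the advisory: a stored procedure that splices caller input into a dynamic statement lets an application user run arbitrary T-SQL with the application's database login (and so call any procedure that login may execute), while the same procedure written with sp_executesql and a typed parameter keeps the input as data. The table, procedure and login names are hypothetical, and the sample rows are constructed for the example.

```sql
-- Added example (hypothetical objects, constructed sample data): dynamic SQL
-- built by string concatenation versus the parameterized sp_executesql form.
CREATE TABLE dbo.Customers (
    CustomerId   int IDENTITY(1,1) PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers (CustomerName) VALUES (N'Alice');
INSERT INTO dbo.Customers (CustomerName) VALUES (N'Bob');
GO

-- Vulnerable: the caller's value becomes part of the statement text, so a
-- closing quote followed by a second statement is executed as written.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @CustomerName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers '
             + N'WHERE CustomerName = ''' + @CustomerName + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text is fixed and the value is passed as a typed
-- parameter, so it can only ever be compared, never executed.
CREATE PROCEDURE dbo.FindCustomer_Safe @CustomerName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers '
             + N'WHERE CustomerName = @name';
    EXEC sp_executesql @sql, N'@name nvarchar(100)', @name = @CustomerName;
END;
GO

-- Normal input: both procedures return the row for Alice.
EXEC dbo.FindCustomer_Vulnerable N'Alice';
EXEC dbo.FindCustomer_Safe       N'Alice';

-- Injected input: the value is  x'; SELECT @@VERSION; --
-- In the vulnerable procedure the quote ends the literal, the appended
-- statement runs with the caller's privileges, and the comment hides the
-- trailing quote. Any EXEC the login is permitted could stand in its place.
EXEC dbo.FindCustomer_Vulnerable N'x''; SELECT @@VERSION; --';

-- The hardened procedure treats the whole string as a name: no row matches
-- and nothing else runs.
EXEC dbo.FindCustomer_Safe N'x''; SELECT @@VERSION; --';
GO
```

The fix an application needs is the equivalent on the client side: parameterized commands rather than string-built SQL. A procedure such as FindCustomer_Safe protects only the queries that go through it; an application that concatenates input elsewhere still exposes every procedure the login can execute.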

There is no patch available at this time.

UPDATED DESCRIPTION:
Microsoft has released a Security Advisory and a Knowledge Base article for this vulnerability. The advisory provides details of a workaround for this vulnerability, and the Knowledge Base article provides code which will implement the workaround.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Remove the 'sp_replwritetovarbin' extended stored procedure unless it is being used for critical business function.
  • Remove any stored procedures that are not being used.
  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
  • Restrict SQL access to trusted users only.
  • Apply the principle of Least Privilege to all services.
  • Ensure that all web applications that connect to vulnerable MS SQL Servers are not vulnerable to SQL Injection attacks.

UPDATED RECOMMENDATIONS:
We recommend the following additional actions be taken:

  • Implement the workaround described in the Microsoft Security Advisory or Knowledge Base article.
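The workaround in Microsoft Security Advisory 961040 is a permissions restriction: deny EXECUTE on sp_replwritetovarbin to the public role, which removes the default access described above without dropping the procedure. The following is an added example of checking an instance and applying that restriction; it is not the script from the Microsoft Knowledge Base article. It assumes the SQL Server 2005 catalog view sys.objects; on SQL Server 2000 and MSDE 2000 use sysobjects for the existence check, while sp_helprotect and the DENY statement work on both versions.

```sql
-- Added example (not Microsoft's KB script): confirm the procedure is present,
-- record who may execute it, deny EXECUTE to public, and verify the result.
USE master;
GO

-- 1. Confirm sp_replwritetovarbin exists on this instance
--    (SQL Server 2005 catalog view; use sysobjects on SQL Server 2000).
SELECT name, type, type_desc, create_date
FROM sys.objects
WHERE name = N'sp_replwritetovarbin';
GO

-- 2. Record the current permissions. In a default configuration the
--    ProtectType column shows a Grant of EXECUTE to public, i.e. to every
--    authenticated login, which is what makes the vulnerability reachable
--    from any database connection or through SQL injection.
EXEC sp_helprotect @name = N'sp_replwritetovarbin';
GO

-- 3. Workaround: DENY takes precedence over any GRANT a login inherits
--    through public, so ordinary logins can no longer call the procedure.
--    Note that DENY does not apply to members of the sysadmin role: an
--    application whose login is sysadmin is not protected by this step.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 4. Verify: the row for public should now show ProtectType 'Deny'.
EXEC sp_helprotect @name = N'sp_replwritetovarbin';
GO
```

Run the script on every instance in the updated systems list, including the MSDE and Windows Internal Database instances that ship embedded in other products and are easy to overlook. Microsoft documents sp_replwritetovarbin among the replication stored procedures, so test the DENY on instances that use replication before deploying it broadly, and keep the sp_helprotect output from step 2 so the original permissions can be restored once the vendor patch is installed.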

ORIGINAL REFERENCES:

SEC-CONSULT:
http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txtdoc

Microsoft:
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx

Security Focus:
http://www.securityfocus.com/bid/32710/info

Secunia:
http://secunia.com/Advisories/33034/

UPDATED REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/961040.mspx
http://support.microsoft.com/kb/961040



This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.