Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)



Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite
vulnerability)
===================================================================

Summary:
------------

By calling the extended stored procedure sp_replwritetovarbin with crafted
arguments, an attacker who can execute SQL statements against the server
(directly as a database user, or indirectly through SQL injection) can
write limited, attacker-influenced values to arbitrary locations in the
SQL Server process memory. This vulnerability has been described in a
prior security advisory for MS SQL Server 2000:

http://www.securityfocus.com/archive/1/499042

Moreno Zilli of Swisscom has reported that MS SQL Server 2005 is
vulnerable to the same attack. SEC Consult has confirmed this in a lab
test. Our public security advisory has been updated accordingly:

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt



Workaround:
-----------

Remove the sp_replwritetovarbin extended stored procedure. Run the
following in the master database (where extended stored procedures are
registered) as a member of the sysadmin fixed server role:

use master
execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx
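The following T-SQL is an added worked example and not part of the SEC Consult advisory or of Microsoft's documentation. It applies the workaround above and adds the checks a practitioner would want around it: confirm the extended stored procedure is present before dropping it, and confirm it is gone afterwards. It assumes a sysadmin connection and the SQL Server 2005 catalog view sys.all_objects (on SQL Server 2000, query master..sysobjects with xtype = 'X' instead). Because the procedure is replication-related, test the removal on any server that participates in replication before applying it in production.

```sql
-- Added example (not from the advisory): drop sp_replwritetovarbin and verify.
-- Assumes: sysadmin login, SQL Server 2005 catalog views (sys.all_objects).
USE master;
GO

-- 1. Is the extended stored procedure registered? Extended stored procedures
--    carry object type 'X'. Expect one row named sp_replwritetovarbin.
SELECT name, type
FROM sys.all_objects
WHERE type = 'X' AND name = 'sp_replwritetovarbin';
GO

-- 2. Remove it (the advisory's workaround). Guarded so the script can be
--    re-run safely on a server where it has already been removed.
IF EXISTS (SELECT 1 FROM sys.all_objects
           WHERE type = 'X' AND name = 'sp_replwritetovarbin')
    EXEC sp_dropextendedproc 'sp_replwritetovarbin';
GO

-- 3. Verify: this must now return no rows, and any caller of
--    sp_replwritetovarbin should receive
--    "Could not find stored procedure 'sp_replwritetovarbin'".
SELECT name
FROM sys.all_objects
WHERE type = 'X' AND name = 'sp_replwritetovarbin';
GO

-- Alternative, less invasive mitigation (this is Microsoft's interim guidance
-- for the issue, not the advisory's own workaround): keep the procedure but
-- deny EXECUTE to public, so only explicitly granted principals can call it.
-- DENY EXECUTE ON sp_replwritetovarbin TO public;
-- GO
```

Run the script in a test environment first and keep the output of step 1 as evidence of the pre-change state; step 3 returning no rows is the check to record in change management.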


Patch:
------

According to an email received from Microsoft in September 2008, a fix
for this vulnerability has been completed.
The release schedule for this fix is currently unknown.


Vendor timeline:
----------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 2008-09-29
Request for update status 1: 2008-10-14
Request for update status 2: 2008-10-29
Request for update status 3: 2008-11-12
Request for update status 4
and prenotification about advisory release date: 2008-11-28
Public release: 2008-12-09
Update (added MS SQL Server 2005): 2008-12-10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008


