[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)

To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)
From: Bernhard Mueller <research@xxxxxxxxxxxxxxx>
Date: Wed, 10 Dec 2008 13:45:02 +0100

Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite
vulnerability)
===================================================================

Summary:
------------

By calling the extended stored procedure sp_replwritetovarbin, an
attacker can write limited values to arbitrary locations in process
memory. This vulnerability has been described in a prior security
advisory for MS SQL Server 2000:

http://www.securityfocus.com/archive/1/499042

Moreno Zilli of Swisscom has reported that MS SQL Server 2005 is
vulnerable to the same attack. This has been confirmed in a lab test
conducted by SEC Consult.
Our public security advisory has been updated accordingly:

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt



Workaround:
-----------

Remove the sp_replwriterovarbin extended stored procedure. Run the
following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx


Patch:
------

According to an email received by Microsoft in September, a fix for this
vulnerability has been completed.
The release schedule for this fix is currently unknown.


Vendor timeline:
---------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4
and prenotification about advisory release date: 11-28-2008
Public release: 12-09-2008
Update (added MS-SQL 2005): 12-10-2008

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] 21 Million German bank accounts stolen
Next by Date: Re: [Full-disclosure] We're letting the bad guys win
Previous by thread: Re: [Full-disclosure] List Charter
Next by thread: [Full-disclosure] CYBSEC News - New sapyto release (v0.98)
Index(es):
- Date
- Thread