Microsoft Security Advisory (961040) – Remote Code Execution

Monday, January 5, 2009


Priority: MEDIUM

Impact: Potential for database corruption or data theft.

Resolution: Remediate the following web application and database flaws:

  1. Poor/missing input validation of user-supplied data in the web application.
  2. Improper database permissions and/or SQL query construction.

Who: Any organization with a front-end web application that communicates with a back-end Microsoft SQL Server database may be vulnerable.

What: Microsoft has confirmed new public reports of a vulnerability that allows remote code execution on systems running:

  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
  • Microsoft SQL Server 2000 Desktop Engine (WMSDE)
  • Microsoft Windows Internal Database (WYukon)

*Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3 and Microsoft SQL Server 2008 are not affected by this issue.

How: By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to an attacker-controlled location. Depending on the underlying operating system, this can be used to execute arbitrary code in the context of the vulnerable SQL Server process. The vulnerability is not exposed anonymously: a direct connection to the database listener requires authentication. However, an attacker does not need database credentials if the front-end web application contains a SQL injection flaw, because the web application's own authenticated database connection will then carry the attacker's call to the procedure.

Impact: Although Microsoft is not aware of active attacks exploiting this vulnerability, the construction of automated exploit code is possible. The impact of a successful compromise is severe: code runs with the privileges of the SQL Server process, which at a minimum allows alteration of database contents or extraction of sensitive data.

Risk: Because working exploit code has not yet been confirmed, we have classified this as a MEDIUM severity issue.

Resolution: Remediate the following web application and database flaws:

  1. Poor/missing input validation of user-supplied data in the web application.
  2. Improper database permissions and/or SQL query construction. Microsoft's advisory offers a workaround for the first part (denying EXECUTE on sp_replwritetovarbin to public in the master database); the second part means building queries with bound parameters rather than string concatenation.
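The two resolution items above in working form, as an added example that is not part of the original advisory: a hypothetical customer-lookup parameter is allow-list validated and then bound as a query parameter, beside the string-concatenated query that lets injected SQL reach the database. SQLite is used as an offline stand-in for SQL Server; the table, account numbers and attacker strings are constructed for the example, and the injected reference to sp_replwritetovarbin is only the procedure name, not a working exploit.

```python
import re
import sqlite3

# Allow-list for the parameter: an account number is 1 to 10 decimal digits, nothing else.
ACCOUNT_ID_RE = re.compile(r"\A[0-9]{1,10}\Z")


def validate_account_id(raw):
    """Positive input validation (resolution item 1): accept only what the
    parameter is defined to carry; reject everything else before it reaches SQL."""
    return ACCOUNT_ID_RE.match(raw) is not None


def build_vulnerable_sql(raw):
    """Resolution item 2, the flaw: the request parameter is spliced into the
    query text, so whatever SQL it contains becomes part of the statement."""
    return "SELECT name FROM customers WHERE account_id = " + raw


def lookup_vulnerable(conn, raw):
    return [row[0] for row in conn.execute(build_vulnerable_sql(raw))]


def lookup_hardened(conn, raw):
    """Items 1 and 2 applied: validate, then bind the value as a parameter.
    The statement text is constant; the value can only ever be data."""
    if not validate_account_id(raw):
        raise ValueError("rejected account id: " + repr(raw))
    cur = conn.execute("SELECT name FROM customers WHERE account_id = ?", (int(raw),))
    return [row[0] for row in cur]


def make_db():
    """Constructed sample table; SQLite stands in for SQL Server so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1042, "Alice"), (2077, "Bob")])
    return conn


# Constructed attacker input: a stacked statement naming the procedure from the
# advisory, with no arguments. It stands for an injected call, not a working exploit.
PROC_PAYLOAD = "1042; EXEC master..sp_replwritetovarbin --"
# Constructed tautology showing that the concatenated query is attacker-controllable.
TAUTOLOGY_PAYLOAD = "0 OR 1=1"


def demo():
    conn = make_db()
    return {
        "vulnerable_sql_contains_proc": "sp_replwritetovarbin" in build_vulnerable_sql(PROC_PAYLOAD),
        "vulnerable_returns_all_rows": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "payload_rejected_by_validation": not validate_account_id(PROC_PAYLOAD),
        "hardened_lookup": lookup_hardened(conn, "1042"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation step is what the WebDefend profile described later performs at the perimeter; the bound parameter is what removes the flaw at the source. Both are needed: validation alone is only as good as the allow-list, and parameterization alone still leaves oversized or malformed values to be handled by application logic.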

How Breach Security Customers Are Protected:
Regardless of which Breach Security product they use, customers should verify their security settings to ensure the appropriate prevention mechanisms are active, specifically that the appliances are configured in “blocking” mode to protect against such attacks.

WebDefend customers are proactively protected from attempts to exploit this vulnerability by the positive security profile automatically created by the Adaption learning system. In this case, Adaption would already have created a profile of the expected parameter names and values for the front-end web application. If an attacker tried to inject a call to sp_replwritetovarbin into a parameter, the value would fall outside that profile and be identified and blocked, provided blocking actions were previously set for the relevant events within the Policy Manager.

ModSecurity Pro M1100 and open-source ModSecurity customers may implement the following “virtual patch” in their ModSecurity products. The first rule does not need t:urlDecodeUni because ModSecurity URL-decodes the ARGS targets itself; the second rule adds it because request headers arrive raw. The rule ids (1 and 2 here) are placeholders and must be unique within the deployed rule set:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bsp_replwritetovarbin\b" \
    "phase:2,block,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'1',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\bsp_replwritetovarbin\b" \
    "phase:2,block,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'2',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
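The following added example (not Breach Security code) re-implements the two rules' transformation pipeline and pattern in Python and runs it over constructed requests, showing what each transformation buys: t:lowercase catches a mixed-case call, t:htmlEntityDecode a call with an entity-encoded character, and t:urlDecodeUni in the second rule a URL-encoded call carried in a Cookie header, while the !REQUEST_HEADERS:Referer exclusion leaves a Referer untouched. The transformation functions are simplified stand-ins for ModSecurity's own, the XML:/* target is omitted, and all request data is constructed.

```python
import html
import re
import urllib.parse

# Pattern shared by both SecRules of the virtual patch.
PATTERN = re.compile(r"\bsp_replwritetovarbin\b")


# Simplified stand-ins for the ModSecurity transformations named in the rules
# (illustrative re-implementations, not ModSecurity's own code).
def t_url_decode_uni(s):
    return urllib.parse.unquote(s)          # %XX decoding is enough for these samples


def t_html_entity_decode(s):
    return html.unescape(s)


def t_replace_comments(s):
    # Each /* ... */ block (terminated or not) becomes one space.
    return re.sub(r"/\*.*?(\*/|\Z)", " ", s, flags=re.S)


def t_compress_whitespace(s):
    return re.sub(r"\s+", " ", s)


def t_lowercase(s):
    return s.lower()


# Rule 1 targets (REQUEST_FILENAME|ARGS|ARGS_NAMES) are already URL-decoded by the engine.
ARG_TRANSFORMS = [t_html_entity_decode, t_replace_comments, t_compress_whitespace, t_lowercase]
# Rule 2 targets (REQUEST_HEADERS) arrive raw, hence the extra t:urlDecodeUni.
HEADER_TRANSFORMS = [t_url_decode_uni] + ARG_TRANSFORMS


def normalize(value, transforms):
    for t in transforms:
        value = t(value)
    return value


def inspect_request(req):
    """Return [(target, matched_text)] for each target the two rules would flag.

    req: {"path": str, "args": {name: value}, "headers": {name: raw_value}}.
    The XML:/* target of rule 2 is omitted; the samples carry no XML body.
    """
    hits = []
    targets = [("REQUEST_FILENAME", req["path"])]
    for name, value in req["args"].items():
        targets.append(("ARGS:" + name, value))
        targets.append(("ARGS_NAMES:" + name, name))
    for target, raw in targets:                       # rule 1
        m = PATTERN.search(normalize(raw, ARG_TRANSFORMS))
        if m:
            hits.append((target, m.group(0)))
    for name, value in req["headers"].items():        # rule 2
        if name.lower() == "referer":                 # !REQUEST_HEADERS:Referer
            continue
        m = PATTERN.search(normalize(value, HEADER_TRANSFORMS))
        if m:
            hits.append(("REQUEST_HEADERS:" + name, m.group(0)))
    return hits


def header_needs_url_decode(value):
    """(caught without t:urlDecodeUni, caught with it) for one raw header value."""
    without = PATTERN.search(normalize(value, ARG_TRANSFORMS)) is not None
    with_decode = PATTERN.search(normalize(value, HEADER_TRANSFORMS)) is not None
    return without, with_decode


# Constructed sample requests, not captured traffic. Injected strings carry only the
# procedure name; they are not working exploit input.
SAMPLE_REQUESTS = {
    "benign": {"path": "/account/view.aspx", "args": {"id": "1042"},
               "headers": {"Cookie": "session=7f3a"}},
    "mixed_case_arg": {"path": "/account/view.aspx",
                       "args": {"id": "1042; EXEC master..SP_ReplWriteToVarbin --"},
                       "headers": {}},
    "html_entity_arg": {"path": "/account/view.aspx",
                        "args": {"id": "1042;exec sp_repl&#119;ritetovarbin"},
                        "headers": {}},
    "url_encoded_cookie": {"path": "/account/view.aspx", "args": {"id": "1042"},
                           "headers": {"Cookie": "pref=1%3Bexec%20sp_repl%77ritetovarbin"}},
    "referer_excluded": {"path": "/account/view.aspx", "args": {"id": "1042"},
                         "headers": {"Referer": "http://example.test/?q=sp_replwritetovarbin"}},
}


def run_samples():
    return {name: inspect_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:20s} {hits}")
```

The Referer exclusion is a deliberate false-positive control: a victim arriving from a page whose URL mentions the procedure name should not be blocked. The same reasoning does not extend to Cookie or other headers, which an attacker controls directly, so those stay in scope for the second rule.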

Customers may contact the Breach Security Services Team for assistance in implementing this virtual patch as part of their normal support contracts.