
SANS ISC: InfoSec Handlers Diary Blog



New MS SQL Server vulnerability

Published: 2008-12-15
Last Updated: 2008-12-16 01:21:55 UTC
by Toby Kohlenberg (Version: 2)
2 comment(s)

A slightly belated entry to make sure everyone is aware that last week we saw a new vulnerability announced for MS SQL Server 2000, 2005 & 2005 Express Edition by Bernhard Mueller from SEC Consult. Here is the original announcement: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

The above link does include a simple test script (not a full PoC) for the vulnerability.

A mitigation is available: you can remove the vulnerable stored procedure (see the correction below for SQL Server 2005). Microsoft hasn't provided a patch yet and hasn't given a timeframe for delivery either.

Update: We've had a report that this works against 64-bit as well as 32-bit versions of SQL Server 2005 (no reports on SQL Server 2000 yet).

Also, thanks for the comments from Brian and Hacktheplanet pointing out that in SQL Server 2005 you can't remove a stored procedure; all you can do is deny execute permission to the public role: http://msdn.microsoft.com/en-us/library/ms164755(SQL.90).aspx
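
The SQL Server 2005 mitigation described above, written out as T-SQL with a before and after check. This is an added example, not part of the original diary entry or the SEC Consult advisory; the procedure name `sp_replwritetovarbin` is taken from the advisory's file name, and the script assumes it is run in `master` by a member of sysadmin.

```sql
USE master;
GO

-- Before: show the procedure and any explicit permissions recorded for it.
-- A row with grantee 'public' and state_desc 'GRANT' means every login
-- that can reach master can execute it.
SELECT o.name, o.type_desc,
       pr.name AS grantee, dp.permission_name, dp.state_desc
FROM sys.all_objects AS o
LEFT JOIN sys.database_permissions AS dp
       ON dp.class = 1                     -- object-level permission
      AND dp.major_id = o.object_id
LEFT JOIN sys.database_principals AS pr
       ON pr.principal_id = dp.grantee_principal_id
WHERE o.name = N'sp_replwritetovarbin';
GO

-- Mitigation: the procedure cannot be dropped on SQL Server 2005,
-- so deny EXECUTE to the public role instead.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- After: fail loudly if the DENY is not recorded in the catalog.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_permissions AS dp
    JOIN sys.all_objects AS o
      ON o.object_id = dp.major_id
    JOIN sys.database_principals AS pr
      ON pr.principal_id = dp.grantee_principal_id
    WHERE dp.class = 1
      AND o.name  = N'sp_replwritetovarbin'
      AND pr.name = N'public'
      AND dp.type  = 'EX'                  -- EXECUTE
      AND dp.state = 'D'                   -- DENY
)
    RAISERROR('DENY EXECUTE on sp_replwritetovarbin is not in place.', 16, 1);
ELSE
    PRINT 'public is denied EXECUTE on sp_replwritetovarbin.';
GO
```

Members of the sysadmin fixed server role bypass permission checks, so the DENY does not restrict them. Re-run the final check after service packs or upgrades to confirm the DENY is still recorded.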

Keywords: MS SQL Server