Date: 22 December 2008
References: AU-2008.0028
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2008.0266 AUSCERT Advisory
[Win] Vulnerability in Microsoft SQL Server Could Allow
Remote Code Execution
23 December 2008
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product:          Microsoft SQL Server 2000 Service Pack 4
                  Microsoft SQL Server 2000 Itanium-based Edition Service Pack 4
                  Microsoft SQL Server 2005 Service Pack 2
                  Microsoft SQL Server 2005 x64 Edition Service Pack 2
                  Microsoft SQL Server 2005 with SP2 for Itanium-based Systems
                  Microsoft SQL Server 2005 Express Edition Service Pack 2
                  Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2
                  Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4
                  Microsoft SQL Server 2000 Desktop Engine (WMSDE)
                  Windows Internal Database (WYukon) Service Pack 2
Operating System: Windows
Impact:           Execute Arbitrary Code/Commands
Access:           Remote/Unauthenticated
                  Existing Account
CVE Names: CVE-2008-4270
Member content until: Tuesday, January 20 2009
Original Bulletin:
http://www.microsoft.com/technet/security/advisory/961040.mspx
OVERVIEW:
A vulnerability has been discovered in Microsoft SQL Server which could
allow attackers to execute arbitrary code. Exploit code for this
vulnerability has been published but is not being widely used at this
time.
IMPACT:
"Microsoft is investigating new public reports of a vulnerability that
could allow remote code execution on systems with supported editions of
Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL
Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine
(MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and
Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0
Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft
SQL Server 2008 are not affected by this issue." [1]
MITIGATION:
There is no patch at this time, but there are a number of mitigating
factors and approaches that can be taken.
* Microsoft has advised that the current exploit code does not affect the
following supported versions of Microsoft SQL Server:
Microsoft SQL Server 7.0 Service Pack 4
Microsoft SQL Server 2005 Service Pack 3
Microsoft SQL Server 2008
Those using Microsoft SQL Server 7.0 prior to Service Pack 4 or
Microsoft SQL Server 2005 prior to Service Pack 3 may want to consider
upgrading to the newer versions.
* The exploit requires an authenticated connection to the Microsoft SQL
Server which would require an existing account or exploitation via a
web application that utilises a Microsoft SQL Server backend.
Those with web applications that back onto a Microsoft SQL Server may
want to consider using a URL request filtering tool to prevent
possible exploitation of this vulnerability via SQL injection
attacks. Microsoft provides the UrlScan Security Tool to provide this
style of service for IIS web servers. [2]
* Microsoft advises that MSDE 2000 and SQL Server 2005 Express do not
allow remote connections by default and that an attacker would require
local access to the server. However remote connections can be enabled
on both MSDE 2000 and SQL Server 2005 Express and administrators should
check accordingly.
* Microsoft has also provided a workaround that will disable the
sp_replwritetovarbin extended stored procedure which contains the
vulnerability the exploit uses. Microsoft does advise that this
workaround will impact those using transactional replication with
updatable subscriptions for their applications. Administrators should
check for the use of this functionality before implementing this
workaround. Administrators can check if the extended stored
procedure is used in their infrastructure by monitoring all databases
with Microsoft SQL Profiler [3]. The workaround is reproduced
below:
Deny permissions on the sp_replwritetovarbin extended stored procedure
Use one of the following procedures:
To deny access to the stored procedure, connect to SQL Server as a
sysadmin using osql.exe or sqlcmd.exe or through SQL Server Management
Studio and execute the following T-SQL script:
use master
deny execute on sp_replwritetovarbin to public
To deny access to the stored procedure using SQL Server
administration:
For SQL Server 2000:
1. Connect to SQL Server using Enterprise Manager as a sysadmin
2. From the SQL Server Enterprise Manager window, select the
desired server
3. Expand the databases
4. Expand Master
5. Click Extended Stored Procedures. A list of stored procedures
appears.
6. From the list of stored procedures, right-click
sp_replwritetovarbin and select Properties
7. In the Properties window, click Permissions
8. Under Users/Database Roles/Public, find Public, then click the
box in the EXEC column. The box turns into a red X.
9. Click OK twice
For SQL Server 2005:
1. Connect to SQL Server using SQL Server Management Studio as
a sysadmin
2. From the Object Explorer window, select the desired server
3. Expand the databases and the system databases
4. Expand Master
5. Expand Programmability
6. Click Extended Stored Procedures. A list of stored procedures
appears.
7. From the list of stored procedures, right-click
sp_replwritetovarbin and select Properties
8. In the Properties window, click Permissions
9. Click Deny execution beside the desired user IDs and click OK
The Microsoft Security Advisory [1] contains the rollback procedure for
removing this workaround.
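The following T-SQL script is an added example and is not part of the AusCERT advisory or Microsoft's workaround text. It shows how an administrator can verify the current permission state of sp_replwritetovarbin, apply the deny only if it is not already in place, and list connections that arrived over a network transport (relevant to the MSDE 2000 / SQL Server 2005 Express point above). It assumes SQL Server 2005 SP2 catalog views and DMVs (sys.database_permissions, sys.database_principals, sys.dm_exec_connections); SQL Server 2000 and MSDE 2000 do not have these views, so only the DENY statement itself applies there.

```sql
-- Added check script (not from the advisory or Microsoft's workaround).
-- Assumes SQL Server 2005 SP2; SQL Server 2000 / MSDE 2000 lack these views.
USE master;
GO

-- 1. Current permission state of sp_replwritetovarbin for every principal.
--    A DENY row whose grantee is 'public' means the workaround is in place.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc                         -- GRANT or DENY
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class    = 1                       -- object-level permission
  AND  pe.major_id = OBJECT_ID('sp_replwritetovarbin');
GO

-- 2. Apply the workaround only when no DENY for public exists (idempotent).
IF NOT EXISTS (
    SELECT 1
    FROM   sys.database_permissions AS pe
    JOIN   sys.database_principals  AS pr
           ON pr.principal_id = pe.grantee_principal_id
    WHERE  pe.class    = 1
      AND  pe.major_id = OBJECT_ID('sp_replwritetovarbin')
      AND  pr.name     = 'public'
      AND  pe.state    = 'D')                -- 'D' = DENY
BEGIN
    DENY EXECUTE ON sp_replwritetovarbin TO public;
    PRINT 'EXECUTE on sp_replwritetovarbin is now denied to public';
END
ELSE
    PRINT 'Workaround already in place; nothing changed';
GO

-- 3. Exposure check: any connection not using shared memory shows the
--    instance is accepting network connections (see the MSDE / Express
--    mitigation above). Requires VIEW SERVER STATE, which sysadmin has.
SELECT session_id, net_transport, client_net_address
FROM   sys.dm_exec_connections
WHERE  net_transport <> 'Shared memory';
GO
```

Re-run step 1 after step 2 to confirm the DENY row appears; the rollback is the REVOKE procedure documented in the Microsoft advisory [1].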
REFERENCES:
[1] Microsoft Security Advisory (961040) Vulnerability in SQL Server
Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/961040.mspx
[2] UrlScan Security Tool
http://technet.microsoft.com/en-us/security/cc242650.aspx
[3] Monitoring with SQL Profiler
http://msdn.microsoft.com/en-us/library/aa173918.aspx
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----