A SQL Server Security Hole “Could Allow Remote Code Execution”
- by Scott Whigham on December 23, 2008 6:36 AMThe skinny: apparently back in April, SEC Consult notified the MSFT team of a vulnerability in the sp_replwritetovarbin system stored procedure. Microsoft has thus far declined to create a patch and so, for whatever reason, SEC Consult decided to release the vulnerability publicly. You can view the scripts to reproduce here but beware - this script will likely cause unexpected behavior (so don't run it on production).
I tested this the scripts they provided to reproduce the vulnerability against a 9.0.3282 test server (that's SQL Server 2005 SP2 with CU9) and it said, "Command(s) completed successfully." I was just about ready to dismiss it -- "Ha! MSFT must've already patched it!" and then I clicked the Execute button once more - BAM! (as that cajun chef on TV always says). It throws two errors: "Msg 0, Level 11, State 0, Line 0 A severe error occurred on the current command. The results, if any, should be discarded."
When I looked in the Windows Application Event log, it says "A user request from the session with SPID 55 generated a fatal exception. SQL Server is terminating this session. Contact Product Support Services with the dump produced in the log directory."
On my machine, this did not cause any decreased/change-in functionality with SQL Server; just unpredictable results. The report says that it will trigger an access violation exception (write to address 0x41414141). Sure enough, when I look at exception.log in my SQL Server's log directory, it throws that error:
Strangely enough, you can play around with the script and SQL Server will not provide an error. I added a SELECT statement at the end of the vulnerability query and SQL Server did nothing - no error, nothing but a welcoming Command(s) completed successfully. If I put a GO in between the vulnerability code and my SELECT statement, I received errors every single time I executed the code (remember that before I didn't receive an error the first time). In fact, with no other commands, here's the reproducibility:
- Run the vulnerability code as-is multiple times - receive an error every even-numbered execution (1st, 3rd, 5th executions generates no error but 2nd, 4th, and 6th do)
- Run the vulnerability with a SELECT attached at end - no errors ever
- Run the vulnerability with a GO followed by a SELECT at end - error every time
Microsoft Responds
Microsoft was finally persuaded to release a Security Advisory yesterday (here) after SEC Consult's public release of the code to repro the vulnerability. I love the first line - "Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server..." Notice that phrasing "new public reports"? Yeah - SEC Consult told them about in April but only made the vulnerability public on December 9. Thankfully SQL 2008 and SQL Server 2005 SP3 are not affected.
Wait - SQL Server 2005 SP3 is not affected? Waiiiiit a minute! That must mean that MSFT had the fix, tested it so thoroughly, and didn't release it...
That pisses me off.
FAQ from the MSFT article:
What is the sp_replwritetovarbin extended stored procedure used for?
The sp_replwritetovarbin extended stored procedure is used by transactional replication with updatable subscribers and only when the subscription is created with @update_mode = 'failover' or 'queued tran'.
I totally adore this website :D absolutely going to have to put this on my blogroll.
This is the first time I've ever visited your website and I think the information here is simply awesome!
Comfortabl y, the post is really the sweetest topic on this registry related issue. I harmonize with your conclusions and will eagerly look forward to your coming updates. Saying thanks will not just be sufficient, for the exceptional clarity in your writing. I will instantly grab your rss feed to stay informed of any updates.
There have been many people who can make money through Twitter :)
Hi. I needed to drop you a quick note to impart my thanks. I've been observing your blog for a month or so and have picked up a heap of effective information as well as relished the way you've structured your site. I am undertaking to run my own blog however I think its too general and I would like to focus more on smaller topics.
Wow. just searched google and found exactly what i was looking for great post.
Thank you for the intelligent critique. Me and my neighbour were just preparing to do some research about this. I am very grateful to see such great information being shared freely out there.
thanks,
I just couldnt leave your website prior to saying that I definitely enjoyed the quality facts you offer for your visitors. Would be back frequently to check up on new stuff in you article!
Excellent job.
Hi - I just wanted to say thank you for an cool site about something I have had an interest in for a long time now. I have been lurking and reading the comments avidly so just wanted to express my thanks for providing me with some very good reading material. I look forward to more, and taking a more proactive part in the discussions here, whilst picking up some knowledge too!!
Heya, recently found this site and also i appreciate looking through it.I had a problem by our pc and was hunting for how to make it better by using some software program and this made it easy to me. kudos!
I can say that, since reading this article it saved me from the time consuming searches I did on this matter.
Thanks for the great insight on that, never really thought about it. bookmarked your site! honeywell window fan
Good post, thanks
Great post!
Good post, thanks
Stumbled into this site by chance but I’m sure glad I clicked on that link. You definitely answered all the questions I’ve been dying to answer for some time now. Will definitely come back for more of this. Thank you so much
If you are in uncomfortable position and have no cash to get out from that point, you would need to take the lowest-rate-loans.com. Because that should help you for sure. I take secured loan every single year and feel myself fine just because of that.
I wish more people would write blogs like this that are actually helpful to read. With all the rubbish floating around on the web, it is refreshing to read a blog like yours instead.
Hi, Thanks. Having been going through the same problem. Resolved now Regards.
Just wanted to let you know that its not showing up properly on the BlackBerry Browser (I have a Pearl). Anyway, I am now on the RSS feed on my laptop, so thanks!
Just wanted to let you know that its not showing up properly on the BlackBerry Browser (I have a Pearl). Anyway, I am now on the RSS feed on my laptop, so thanks!
I wish more people would write blogs like this that are actually helpful to read. With all the rubbish floating around on the web, it is refreshing to read a blog like yours instead.
Wow, I never new that, much appreciated.
Hello, I don't usually post feedback on blogs, as I like to learn only. But I discover the article that you've written earlier has very insightful info, and I find it very informational. Anyway, I am wondering whether you might be open for hyperlink exchange, as I hope that we are able to agree on a mutual link trade agreement. Hope to listen to a constructive reply from you, and have an important day!
yea right, money can be made with twitter, but only after you have a strong personal brand.
Hi there! My wife and i like to finally buy a great new 106 inch High definition lcd tv. The Television should've full high-definiton coupled with minimum two High-definition multimedia interface outputs. For that reason i are attempting to find numerous excellent analysis web pages, by reason of there are numerous hdtv devices from so many brands at the electric marketplace. Does anybody acknowledge a lot of fine webpages, exactly where i and my partner could well have a look at?
My pals and I really love facebook's new "like" feature. Want to be able to "like" anything you want? Look at this site, it does exactly that: www.fbliker.net
I am really excited to see 3d television is really becoming a reality! Now that 3D is possible, there will be mind blowing movies and games in the future.
"3 7/8"" x 8 7/8"" - Deposit holder with three storage solutions." "3 7/8"" x 8 7/8"" - Deposit holder of certificate, a penny saved is a penny earned. Certificate of deposit holders protect that hard earned savings with three storage solutions. An economical choice for banks as a new client gift or marketing ....
Hey, what's going on! I would just like to take the time out of my busy schedule at work here today to say that I just got done reading your blog post and I just wanted to comment on how much I enjoyed reading it. It is my sincere hope for you that everyone else reading you blog that either has commented on it or is just now reading it and waiting to comment on it got as much enjoyment and knowledge out of it as I did. I would like to thank you personally for writing such an informative blog and I can't wait to check back for more great blog posts. Please tell me you this won't be your only blog post!
Super-Duper site! I am loving it!! Will come back again - taking you feeds also, Thanks.
Great Benefits Of Custodial Savings Account A custodial savings account is a very specific type of savings account in the sense that it is opened for people at a minor age, or those who are 18 years of age or younger. A custodial savings account may also be opened for people who are over the ....
I really like your blog and i respect your work. I’ll be a frequent visitor. How can I subscribe to RSS? Cartucce
I am sure you have spent some time to provide this amazing post to us. I do not know how to thank you.
Credit Repair Loans - Overcome your Bad Credit History In the past getting lumbered with a bad credit history meant that you faced a difficult financial future, with very little to help you on the long road to financial recovery. For many this meant extreme difficulties when it came to obtaining any ....
Your word is unreal! What are you suggesting?
Rodrick Boyl
Dean Roby
Latesha Sokolowski
Cyrus Stork
Adolfo Raiden
Donella Masso
Lonnie Cerchia
I'm really loving the blog, and hope this, as well as the excellent article some other people have written, will help somebody
Trent Fidel
Wan Rioz
Greate Atricle I like your blog and Plz update it more I'll subscripble you.
Hey, Really does this still do the job?
Hi ya, nice day.. Your article is extremely impressive. I never considered that it was feasible to accomplish something like that until after I looked over your post. You certainly gave a great perception on exactly how this whole process works. I will make sure to return for more advice. Thanks
Very interesting post, I found it looking through Altavista...and I agree in the most part. Keep up the great work...I will undoubtedly be back shortly to read more about this subject!
I'm really to be finally posting online after all these years. There really is no mystery about it, is there? I just dropped by your blog and had to write something. I'm a recent college grad, journalism major if you must know, and I absolutely love the art of photography. I've got my site up but it's nothing to boast about yet. None of my stuff's been posted. Soon as I figure out how to do that, I'll spend the day posting my best pictures. anyways just thought I'd drop a line. I hope to return with more substantial stuff, stuff you can actually use. SPG
Nice one - added to my reader
I do believe a normal person wastes as many as 12 years of their total daily life watching Television and so if that is right I assume I am going to dedicate roughly 24 years enjoying video games on the net.... lol
Thanks for this usefull information.
I came across a website which I think may be useful to you guys who want to buy insanity, as the price is unbelieveable.
I currently have poor credit due to some old credit card bills. I need a car badly, so I've been learning about buy here pay here dealerships. Thanks for the info!
hmmm... Give individual advice to a web-site built from warez haxors.Does not sound smart .If you have time.Please enter my blog laptop dvd writer
Gratulations man, radio go2 spoke about your blog on 5 pm. Header was your blog post A SQL Server Security Hole “Could Allow Remote Code Execution” | TechUrbia - A LearnItFirst Blog. Good work. bye-bye
hmmm... Give private specifics to a webpage built from warez haxors.Does not sound wise .If you have time.Please enter my blog atlanta laptop repair
I just sent this post to a bunch of my friends as I agree with most of what you’re saying here and the way you’ve presented it is awesome.
You certainly have some agreeable opinions and views. Your blog provides a fresh look at the subject.
Thank You For This Blog, was added to my bookmarks.
awesome! you have to have accomplished a great deal of perform on this. thanks for sharing. this weblog goes in my bookmarks.
I just book marked your blog on Digg and StumbleUpon.I enjoy reading your commentaries.
Which golf clubs will be the best for beginner ?
I just book marked your blog on Digg and StumbleUpon.I enjoy reading your commentaries.
I really enjoyed the article. It proved to be Quite very helpful to me and I am positive to every one of the commentators here!
What is Super Mario's favored style of trousers? Denim denim denim....lol Anyone else have any funny game jokes?
I really enjoyed the write-up. It proved being Very helpful to me and I am confident to every one of the commentators here!
As being a rookie blogger myself, it truly is great you just read a quality blogger for something different. I intend to learn so much from following other folks personal blogs and Personally i think that yours has quite a lot to provide the readers, thank you for taking a few minutes and making the effort. Dannielle
The a lot more I read content of such excellent as this (which can be rare), the additional I consider there might be a future for that Web. Continue to keep it up, because it were.
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
This is exactly what I was looking for! Thanks!
I know it will be cliche to quote Tina Turner songs... but this is "simply the best"! I swear by this like a religious zealot!
@Mike You make a great point
@Dave You make a great point
Great Post. I add this Blog to my bookmarks.
Thank You For This Post, was added to my bookmarks.
Nice and interesting site.I like it!
You certainly deserve a round of applause for your post and more specifically, your blog in general. Very high quality material.
Really interesting submit many thanks for sharing We've additional your blog to my bookmarks and will check out back Through the way this really is a little off topic but I definitely like your blogs layout.
Which golf clubs will be the best for beginner ?
You certainly deserve a round of applause for your post and more specifically, your blog in general. Very high quality material.
Very informative post. Thanks for taking the time to share your view with us.
Great post!
Very Interesting Blog! Thank You For Thi Information!
Should I buy steel golf clubs or graphite ?
Thank You For This Blog, was added to my bookmarks.
Wonderful to read!
Love it! Truly psyched to see you touch on this topic, most folks seem to fly right passed it. Keep it up, I saved your website and will keep checking on your updates as time goes on. Many thanks! How to quit smoking
Which golf clubs will be the best for beginner ?
I find myself coming to your blog more and more often to the point where my visits are almost daily now!
Which Golf Clubs Are Better - Steel or Graphite ?
How do they get away with THAT?
You certainly deserve a round of applause for your post and more specifically, your blog in general. Very high quality material.
I just book marked your blog on Digg and StumbleUpon.I enjoy reading your commentaries.
As Boston Goes, so Goes the nation According to the S&P/Case-Shiller US national Home Price Index, there isn't a lot of good news in the housing market. But they make an interesting observation: "During this cycle, Boston was the first metro area to report negative year-over-year ....
That was interesting but I can`t agree at all.
This can be really ridiculous but I definitely do think that it may possibly have some accomplishment. After all, they do have the proper userbase for this new venture.If you have time.Please enter my blog toshiba laptop troubleshooting
Which golf clubs will be the best for beginner ?
I just sent this post to a bunch of my friends as I agree with most of what you’re saying here and the way you’ve presented it is awesome.
Weird... I just came across your website by searching for 'financial spreadbetting' on Bing. But I don't see any posts about that on here?
Odd... I just stumbled on your site by looking for 'financial spreadbetting' on Google. But I can't find any posts on that on here?
I just book marked your blog on Digg and StumbleUpon.I enjoy reading your commentaries.
I’ve been visiting your blog for a while now and I always find a gem in your new posts. Thanks for sharing.
Which Golf Clubs Are Better - Steel or Graphite ?
You certainly have some agreeable opinions and views. Your blog provides a fresh look at the subject.
Which Golf Clubs Are Better - Steel or Graphite ?
Which Golf Clubs Are Better - Steel or Graphite ?
Thank you for such a good blog. It was what I looked for.
This is useful! How did you learn the subject when you were new to it?
Great Blog. I add this Blog to my bookmarks.
Which Golf Clubs Are Better - Steel or Graphite ?
If you're still on the fence: grab your favorite earphones, head down to a Best Buy and ask to plug them into a Zune then an iPod and see which one sounds better to you, and which interface makes you smile more. Then you'll know which is right for you.
Which Golf Clubs Are Better - Steel or Graphite ?
Thanks For This Post, was added to my bookmarks.
Which Golf Clubs Are Better - Steel or Graphite ?
I just sent this post to a bunch of my friends as I agree with most of what you’re saying here and the way you’ve presented it is awesome.
all i have to say is wow. it worked for me. maybe the people upset with this product didn't really use it properly. maybe they skipped out of a little bit of exercise. it worked for me and that's all i have to say about it. now im going to get my ACUs in a smaller size as they seem a bit large for me now.thanks for your product.
I think this product did just want it had intended to do. I found myself having a lot of energy when using this and actually lost weight! I've never taken a diet pill that didn't make me jittery and this doesn't do that at all! I feel energized and without the jitters. I also didn't feel as hungry throughout the day. I would recommend this product to anyone!
I bought this combination for myself. I have been using them since end of August. So far, I lost about 5-7 lbs which I gained over the summer while I was visiting my parents. I didn't change my eating habit dramaticly, but I do pay more attention the food I ate. If anyone out there wants to loose the last five lbs, you should give a try.
Good post, thanks