Microsoft acknowledges a long-standing SQL Server flaw
It wouldn't be the Christmas season without the tinsel, the holly, and the zero-days. Since early this month, an exploitable buffer overflow has been known to exist in SQL Server, and today Microsoft is acknowledging its existence.
In a security advisory released yesterday, Microsoft says a fairly easily exploitable vulnerability exists in all presently supported versions of SQL Server, dating back to SQL Server 2000 Service Pack 4. It involves a Transact-SQL (T-SQL) stored procedure whose parameters are not adequately validated.
BetaNews has seen the code for a publicly available exploit based on information uncovered by security engineer Bernhard Mueller, who contributed information to two of the incidents covered by Microsoft's last Patch Tuesday round. Mueller is the good guy in this story; unfortunately, malicious users with no ingenuity of their own rely on news from Mueller and others for their inspiration.
Based on what we've seen, we can say it's a fairly simple process to run a T-SQL script, or a command-line client, that calls the sp_replwritetovarbin extended stored procedure with a crafted argument and triggers a heap buffer overflow. In normal use, the procedure is used internally by transactional replication to deliver data to subscribers. The attacker does need to be authenticated, with a login that is permitted to execute the procedure; given that, the code that runs in the resulting overflow executes with the privileges of the SQL Server service account, not those of the caller.
Independent research firm Secunia is currently rating the vulnerability "Less Critical". In lieu of a patch, Microsoft is advising customers to deny the public role (that is, every login) permission to execute this procedure. This can be done even more simply than the exploit itself, by connecting as a member of the sysadmin role and running the two short T-SQL statements that appear in Microsoft's advisory. While this may interfere with replication, and potentially slow down some enterprise networks' transactional capabilities, it does present an effective safeguard in the short run. Note that it does not restrict members of sysadmin, who bypass permission checks, so the exposure to protect against is non-administrative logins.
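The workaround, as an added worked example: this code is not from the BetaNews article. The two mitigation statements reproduce the ones Microsoft's advisory gives (switch to master, deny EXECUTE to public); the verification queries and the rollback line are added here and assume SQL Server 2005 or later for the sys.* catalog views, with sp_helprotect as the alternative that also works on SQL Server 2000.

```sql
-- Added example, not code from the BetaNews article.
-- Steps 1 reproduces Microsoft's advisory workaround; steps 2 and 3 are
-- verification and rollback added here. Run as a member of sysadmin.

-- The extended stored procedure lives in master, so the DENY goes there.
USE master;
GO

-- 1. The mitigation itself. Every login is a member of public, so this
--    blocks any non-sysadmin login from calling the procedure. Members of
--    sysadmin bypass permission checks and are unaffected.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 2a. Verification on SQL Server 2005 and later (sys.* views do not exist
--     on SQL Server 2000). Expect one row:
--     state_desc = 'DENY', permission_name = 'EXECUTE', grantee = 'public'.
SELECT dp.state_desc,
       dp.permission_name,
       pr.name AS grantee
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
    ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                                 -- object/column permissions
  AND dp.major_id = OBJECT_ID('sp_replwritetovarbin');
GO

-- 2b. Verification that also works on SQL Server 2000: the ProtectType
--     column should read 'Deny' for grantee 'public', Action 'Execute'.
EXEC sp_helprotect 'sp_replwritetovarbin';
GO

-- 3. Rollback once the vendor fix is installed. REVOKE removes the DENY
--    entry for public (it removes GRANT entries the same way).
-- REVOKE EXECUTE ON sp_replwritetovarbin FROM public;
```

Run the verification after the DENY on every instance you touch; a DENY applied in the wrong database, or as a login that is not sysadmin, fails quietly from an operational point of view because replication keeps working and nothing is blocked.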