sql server

Ah, hell, here we go again. Last evening the news wires lit up with a new Microsoft vulnerability. This time it affects Microsoft SQL Server 2000 and 2005; other versions might be affected. The long and the short of it is that it can lead to privilege escalation.

From Sec-Consult:

By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is / may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process.
In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application.
This vulnerability has been confirmed on SQL Server 2000/2005 (SQL Server 2008 has not been tested).
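The advisory's point that matters to a DBA is the default permission: the extended stored procedure is reachable by any login, so the practical check is who holds EXECUTE on it, and the practical mitigation is to take that right away from public until a patch is applied. The T-SQL below is an added example, not code from the post or from Sec-Consult; it assumes SQL Server 2005 (the `sys.*` catalog views do not exist on SQL Server 2000, where `sysobjects`/`sysprotects` would be queried instead) and that denying EXECUTE to public is an acceptable interim mitigation on the instance in question.

```sql
USE master;
GO

-- Step 1: list every principal that holds a permission on the extended
-- stored procedure. On an unmitigated SQL Server 2005 instance this
-- shows 'public' with an EXECUTE GRANT, which is what "accessible by
-- anyone" in the advisory refers to.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc      -- GRANT or DENY
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1                                   -- object-level permission
  AND pe.major_id = OBJECT_ID('dbo.sp_replwritetovarbin');
GO

-- Step 2: interim mitigation (assumed, not from the post): deny EXECUTE
-- to public so that ordinary logins and SQL-injection paths through a
-- low-privilege web login can no longer call the procedure. DENY wins
-- over any GRANT, and members of sysadmin are unaffected.
IF OBJECT_ID('dbo.sp_replwritetovarbin') IS NOT NULL
    DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
GO

-- Step 3: re-run the check; the row for 'public' should now read DENY.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID('dbo.sp_replwritetovarbin');
GO
```

Run it as a sysadmin against each instance; the first query is also a reasonable thing to keep in a periodic configuration audit, since a later GRANT would silently reopen the default. If replication is in use on the instance, confirm that the replication agents run under a login that is not reduced to public-only rights before applying the DENY.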

This is odd, as it was announced by Sec-Consult on Dec 9th, but for some reason the press (and we) are only just taking notice now. Well, I’ll say it: our bad.

The part of this that really annoys me is this “Vendor notified: 2008-04-17”. Why did this take (or rather is taking) so long?

Article Link

Secunia Advisory
