Security vulnerability found in MS SQL Server 2000
A vulnerability has been found in Microsoft's SQL Server 2000 that would allow an attacker to execute code remotely on the server. According to security consultants SEC Consult, the root cause is a bug in the program's memory management. By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialised variables as parameters, an attacker can trigger a limited memory write to a location under their control. Whether the write can be turned into code execution depends, according to the report, on the version of Windows the server is running. SEC Consult says it has developed an exploit that has successfully executed arbitrary code on a lab machine.
In a default configuration, the procedure can be executed by any authenticated user, so any login is enough to attempt the attack. In principle, the vulnerability can also be reached through SQL injection in a vulnerable web application that connects to the database. SEC Consult says Microsoft has been aware of the problem since April this year. Although a patch was promised for September, no release date has yet been given. Until one is available, SEC Consult recommends removing the vulnerable procedure by running
execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'
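The following T-SQL script is an added example, not code from the SEC Consult report or from Microsoft, for checking a SQL Server 2000 instance and applying a mitigation. It uses the SQL Server 2000 catalog (sysobjects, sp_helprotect) to confirm the extended procedure exists and who may call it, then shows two options: denying EXECUTE to public, which keeps the object in place, and the removal the report recommends. The DENY alternative is this page's addition, not SEC Consult's advice. Because the procedure belongs to the replication subsystem, test either change on a non-production instance before applying it to servers that use replication.

```sql
-- Added example (not from the SEC Consult report): inventory and mitigate
-- sp_replwritetovarbin on SQL Server 2000. Run as a sysadmin in master.
USE master;
GO

-- 1. Does the extended stored procedure exist on this instance?
--    xtype 'X' marks extended stored procedures in SQL Server 2000's sysobjects.
SELECT name, xtype, crdate
FROM   dbo.sysobjects
WHERE  name = 'sp_replwritetovarbin' AND xtype = 'X';

-- 2. Who can call it? In a default install EXECUTE is granted to public,
--    which is what lets every authenticated login reach the bug.
EXEC dbo.sp_helprotect @name = 'sp_replwritetovarbin';

-- 3a. Less intrusive mitigation: take EXECUTE away from public but keep the
--     object. Every login is a member of public, so this blocks all callers
--     except members of the sysadmin role, who bypass permission checks.
DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
GO

-- 3b. Mitigation recommended in the report: remove the procedure entirely.
--     Uncomment only after confirming nothing on this instance depends on it.
-- EXEC dbo.sp_dropextendedproc 'sp_replwritetovarbin';
-- GO

-- 4. Verify: sp_helprotect should now list a Deny for public (3a), or the
--    lookup from step 1 should return no rows (3b).
EXEC dbo.sp_helprotect @name = 'sp_replwritetovarbin';
```

Step 1 is worth keeping even on instances believed to be patched or hardened: the same check, run across all SQL Server 2000 hosts, gives a quick inventory of which servers still expose the procedure.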
- Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability, report from SEC Consult