Update to SEC Consult Security Advisory 20081210-0 (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability) =================================================================== Summary: ------------ By calling the extended stored procedure sp_replwritetovarbin, an attacker can write limited values to arbitrary locations in process memory. This vulnerability has been described in a prior security advisory for MS SQL Server 2000: http://www.securityfocus.com/archive/1/499042 Moreno Zilli of Swisscom has reported that MS SQL Server 2005 is vulnerable to the same attack. This has been confirmed in a lab test conducted by SEC Consult. Our public security advisory has been updated accordingly: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt Workaround: ----------- Remove the sp_replwriterovarbin extended stored procedure. Run the following as an administrator: execute dbo.sp_dropextendedproc 'sp_replwritetovarbin' See also: "Removing an Extended Stored Procedure from SQL Server" http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx Patch: ------ According to an email received by Microsoft in September, a fix for this vulnerability has been completed. The release schedule for this fix is currently unknown. Vendor timeline: --------------- Vendor notified: 2008-04-17 Vendor response: 2008-04-17 Last response from Microsoft: 09-29-2008 Request for update status 1: 10-14-2008 Request for update status 2: 10-29-2008 Request for update status 3: 11-12-2008 Request for update status 4 and prenotification about advisory release date: 11-28-2008 Public release: 12-09-2008 Update (added MS-SQL 2005): 12-10-2008 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF Bernhard Mueller / 2008