sp_replwritetovarbin - New SQL Server Injection-Based Attack Found
Another security vulnerability or, as security experts would put it, "a zero-day vulnerability has been reported in SQL Server"!
Though it is not a serious flaw or a problematic loophole to worry about, it is still a security flaw in the sp_replwritetovarbin extended stored procedure, which is undocumented as far as BOL (Books Online) goes, and you will not find further details about it on the web. The best explanation of this XP and the vulnerability is mssql-sp_replwritetovarbin_memwrite, the SEC Consult Security Advisory.
This flaw could allow a SQL injection attack against websites, and could also allow an attack by an authenticated user. By now I'm sure that most SQL instances are secured as per industry best practices, but there is still room for improvement to avoid such issues, and the advisory noted above includes code that people can use to test whether their systems are vulnerable. A simple workaround is to remove the sp_replwritetovarbin extended stored procedure by executing the following as an administrator (SA):
execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'
The moral of this story is that security comes down to a few very important things:
- Never trust input to your system. Avoid dynamic SQL; filter input, use parameters, and make sure you know what you're processing before you try to process it.
- Remove unneeded access points: do not make every user a DBO or grant escalated rights; grant only what is required, DB_DATAREADER or DB_DATAWRITER at the maximum.
- Extend this from security to the functional components on your system that you're not using: make sure you've updated what you need and removed or disabled what you don't.
- Within the development platform, make sure to debug, trace and track down the T-SQL code or any other code that connects to the SQL database.
- Within a web-based application environment, take the utmost care with IIS settings, and be aware that IIS is not able to log really long URLs, so attackers can keep you from learning what they do and how they do it.
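The following is an added example, not code from the original post or from the SEC Consult advisory: a Python scan of IIS W3C logs for requests whose query string names the procedure, which is how an injection attempt through a website would show up. The log lines, field layout, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Procedure name from the advisory; matched case-insensitively.
PROC = re.compile(r"sp_replwritetovarbin", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-12-22 10:01:07 192.0.2.10 GET /catalog.asp id=42 200
2008-12-22 10:01:09 192.0.2.77 GET /catalog.asp id=42;exec+SP_ReplWriteToVarBin 500
2008-12-22 10:01:12 192.0.2.77 GET /catalog.asp id=42%3Bexec%20sp%5Freplwritetovarbin 500
2008-12-22 10:02:30 192.0.2.10 GET /help.asp topic=replication 200
"""

def decode_fully(value, max_rounds=5):
    """URL-decode until the value is stable, so nested encoding cannot hide the name."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_proc_requests(log_text):
    """Return (date, time, client_ip, uri_stem, decoded_query) for each matching request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order differs per site, so read it from the log header.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = decode_fully(row.get("cs-uri-query", "-"))
        if PROC.search(query):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row.get("cs-uri-stem"), query))
    return hits

if __name__ == "__main__":
    for hit in find_proc_requests(SAMPLE_LOG):
        print(hit)
```

A scan like this only sees what IIS wrote to the log: POST bodies are not logged, so database-side auditing is still needed alongside it.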
Visit the MS-Security website regularly to ensure that you have up-to-date information and to get alerts of this type: December 2008 Microsoft Security Bulletin Release - Community Related information.
Be safe, never be sorry!