Vulnerability Details : CVE-2008-5416
Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal Database (WYukon) SP2 allows remote authenticated users to cause a denial of service (access violation exception) or execute arbitrary code by calling the sp_replwritetovarbin extended stored procedure with a set of invalid parameters that trigger memory overwrite, aka "SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability."
Vulnerability category: Overflow, Execute code, Denial of service
At least one public exploit which can be used to exploit this vulnerability exists!
Exploit prediction scoring system (EPSS) score for CVE-2008-5416
Probability of exploitation activity in the next 30 days: 97.31%
Percentile, the proportion of vulnerabilities that are scored at or less: ~100%
Metasploit modules for CVE-2008-5416
- MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption
  Disclosure Date: 2008-12-09
  Module: exploit/windows/mssql/ms09_004_sp_replwritetovarbin
  A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. An authenticated database session is required to access the vulnerable code. That said, it is possible to access the vulnerable code via an SQL injection vulnerability. This exploit smashes several pointers, as shown below.
  1. pointer to a 32-bit value that is set to 0
  2. pointer to a 32-bit value that is set to a length influenced by the buffer length.
  3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38
- MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
  Disclosure Date: 2008-12-09
  Module: exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli
  A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. This exploit smashes several pointers, as shown below.
  1. pointer to a 32-bit value that is set to 0
  2. pointer to a 32-bit value that is set to a length influenced by the buffer length.
  3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed.
  4. On MSSQL 2005, an additional
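Both modules need an authenticated session (directly, or borrowed from an application through SQL injection), so the practical question on a given instance is who can execute sp_replwritetovarbin and whether the interim workaround from Microsoft Security Advisory 961040 (denying EXECUTE on the procedure to public) is in place. The T-SQL below is an added example for this page, not code from NVD, Microsoft, or the Metasploit modules. It assumes a sysadmin session on SQL Server 2000 or 2005 and uses the sysobjects and sp_helprotect compatibility objects so the same script runs on both; the fixed build numbers are deliberately not hard-coded, because they are not given on this page and should be taken from MS09-004.

```sql
-- Added example (not from the CVE entry, NVD, Microsoft, or the Metasploit modules):
-- triage and interim workaround for CVE-2008-5416 / MS09-004 on SQL Server 2000/2005.
-- Assumes: run as a member of sysadmin; fixed builds are checked against MS09-004,
-- not against this script.
USE master;
GO

-- 1. Identify the build. ProductVersion is the build string (e.g. 8.00.2039 or
--    9.00.1399); ProductLevel is the service-pack level (RTM, SP2, SP3, ...).
--    Compare against the affected versions listed for the CVE and the builds in MS09-004.
SELECT  CAST(SERVERPROPERTY('ProductVersion') AS varchar(32)) AS product_version,
        CAST(SERVERPROPERTY('ProductLevel')   AS varchar(32)) AS product_level,
        CAST(SERVERPROPERTY('Edition')        AS varchar(64)) AS edition;

-- 2. Confirm the undocumented extended stored procedure is present in master.
--    sysobjects (rather than sys.objects) keeps the query valid on both 2000 and 2005;
--    xtype 'X' marks an extended stored procedure.
SELECT  name, xtype, crdate
FROM    master.dbo.sysobjects
WHERE   name = 'sp_replwritetovarbin';

-- 3. List who may call it. A Grant row for 'public' means every login, including an
--    application login reached through SQL injection, can hit the vulnerable code.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';

-- 4. Workaround until the MS09-004 update is installed: deny EXECUTE to public.
--    DENY overrides any GRANT for ordinary principals; members of sysadmin bypass
--    permission checks and are unaffected. Replication features that use this
--    procedure should be re-tested after the change.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 5. Verify: a Deny row for public should now appear alongside any remaining grants.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO
```

The DENY is a mitigation, not a fix: the overflow is still in the binary, and any login that is a sysadmin member or holds an explicit GRANT can still reach it, so the version check in step 1 remains the thing to close out by applying the update.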
CVSS scores for CVE-2008-5416
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source
---|---|---|---|---|---
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | [email protected]
CWE ids for CVE-2008-5416
- The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Assigned by: [email protected] (Primary)
References for CVE-2008-5416
- http://www.securityfocus.com/archive/1/499085/100/0/threaded
- http://securityreason.com/securityalert/4706
- http://www.microsoft.com/technet/security/advisory/961040.mspx
- http://securitytracker.com/id?1021490
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6217
- http://support.avaya.com/elmodocs2/security/ASA-2009-055.htm
- http://www.securityfocus.com/bid/32710 (Exploit)
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-004
- http://www.kb.cert.org/vuls/id/696644 (US Government Resource)
- http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt (Exploit)
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://securitytracker.com/id?1021363
- http://www.us-cert.gov/cas/techalerts/TA09-041A.html (US Government Resource)
- https://www.exploit-db.com/exploits/7501
- http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0304.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47182
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.vupen.com/english/advisories/2008/3380
- http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
- http://www.securityfocus.com/archive/1/499042/100/0/threaded
Products affected by CVE-2008-5416
- cpe:2.3:a:microsoft:sql_server:2000:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sql_server:2005:*:*:*:*:*:*:*