SQL Server Stored Procedure Overflow

January 8, 2009

Microsoft SQL Server is a relational database management system. It uses Transact-SQL (T-SQL) for querying and modifying data and for managing databases. SQL Server ships with a wide range of stored procedures; a stored procedure is a group of Transact-SQL statements compiled into a single execution plan. One such stored procedure is sp_replwritetovarbin. It can be called with an EXEC statement:

EXEC master.dbo.sp_replwritetovarbin

There exists a buffer overflow vulnerability in Microsoft SQL Server. Specifically, the flaw is due to a boundary error in the implementation of the sp_replwritetovarbin stored procedure. The vulnerable procedure does not check whether the supplied output varbinary buffer is large enough for the copy operation it performs. By supplying an undersized varbinary object as the output buffer parameter, an overly large string argument, or both, an authenticated user can trigger the buffer overflow condition. Successful exploitation could lead to arbitrary code execution in the context of the vulnerable SQL Server process.

The vulnerability has been assigned CVE-2008-5416 and Microsoft KB961040.

Because sp_replwritetovarbin is proprietary to Microsoft and its interface is not published, the procedure is believed to be rarely used for legitimate purposes.

SonicWALL has released the following IPS signatures, which detect and prevent invocation of the sp_replwritetovarbin stored procedure:

  • 1286 SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
  • 1292 SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
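The two signatures above differ only in the encoding of the procedure name: T-SQL clients normally send batch text over TDS as UTF-16LE ("Unicode"), while logs and other text sources carry it as ASCII. The following Python script is an added illustration of that same content-level check, not SonicWALL's signature engine and not code from the original advisory. It byte-scans a payload for sp_replwritetovarbin in both encodings, case-insensitively, and reports the byte offset of each hit. The function names and the sample payloads are constructed for this example; the script does not parse the TDS protocol, so it is meant to be run over SQL text or payload bytes that have already been extracted.

```python
"""
Content-level detection of sp_replwritetovarbin invocations (CVE-2008-5416).

Added example, not part of the original advisory or any vendor product: scans
bytes for the procedure name in ASCII and in UTF-16LE ("Unicode"), mirroring
the two signature variants, and reports where each hit occurs.
"""
import re
from typing import Dict, List, Tuple

PROC_NAME = "sp_replwritetovarbin"

# T-SQL identifiers are case-insensitive under the default collation, so both
# patterns ignore case. In the UTF-16LE pattern every ASCII letter is followed
# by a NUL byte; IGNORECASE affects only the letter bytes, which is intended.
_PATTERNS = {
    "ascii": re.compile(re.escape(PROC_NAME.encode("ascii")), re.IGNORECASE),
    "unicode": re.compile(re.escape(PROC_NAME.encode("utf-16-le")), re.IGNORECASE),
}


def detect_sp_replwritetovarbin(payload: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, byte_offset) for every occurrence of the procedure name."""
    hits: List[Tuple[str, int]] = []
    for encoding, pattern in _PATTERNS.items():
        for match in pattern.finditer(payload):
            hits.append((encoding, match.start()))
    return hits


def scan_batches(batches: Dict[str, bytes]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan several labelled payloads; only payloads with hits appear in the result."""
    flagged: Dict[str, List[Tuple[str, int]]] = {}
    for label, data in batches.items():
        hits = detect_sp_replwritetovarbin(data)
        if hits:
            flagged[label] = hits
    return flagged


# Constructed sample payloads (hypothetical, not captured traffic). The ASCII
# form is the EXEC line from the advisory; the Unicode form is the UTF-16LE
# text a TDS client would send, in mixed case to exercise the case folding.
SAMPLE_BATCHES: Dict[str, bytes] = {
    "ascii_exec": b"EXEC master.dbo.sp_replwritetovarbin",
    "unicode_exec": "exec master..SP_REPLWRITETOVARBIN".encode("utf-16-le"),
    "benign": "SELECT name FROM sys.procedures".encode("utf-16-le"),
}

if __name__ == "__main__":
    for label, hits in scan_batches(SAMPLE_BATCHES).items():
        for encoding, offset in hits:
            print(f"{label}: {PROC_NAME} found ({encoding}) at byte offset {offset}")
```

Run on its own, the script flags the ASCII and Unicode samples and stays silent on the benign query. A scanner like this is only as good as the text it is handed: the procedure name must appear literally, so it sees neither obfuscated invocations nor traffic that is TLS-protected between client and server, which is why host-side auditing of EXEC calls (or applying the Microsoft fix) complements a network signature rather than replacing it.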