System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Microsoft has released a security advisory about a
vulnerability in Microsoft SQL Server that could allow remote code execution.
The security advisory contains additional security-related information. To view
the security advisory, visit the following Microsoft Web site:
You can use this VB script to deny Execute permission to the
Public role on the sp_replwritetovarbin extended stored procedure on all
affected versions of SQL Server that are running on the local
computer.
Microsoft provides programming examples for illustration only,
without warranty either expressed or implied. This includes, but is not limited
to, the implied warranties of merchantability or fitness for a particular
purpose. This article assumes that you are familiar with the programming
language that is being demonstrated and with the tools that are used to create
and to debug procedures. Microsoft support engineers can help explain the
functionality of a particular procedure. However, they will not modify these
examples to provide added functionality or construct procedures to meet your
specific requirements.
Copy this code to a text file, save the file
using a .vbs file name extension, and then run the script file using
CScript.exe. The script iterates through the running instances of SQL Server on
the local computer and applies the workaround on the affected versions. You
must be a member of the sysadmin role on each instance of SQL Server to apply
the workaround. If you do not have a Windows account that is a member of the
sysadmin role on all affected servers that are running SQL Server, you may have
to run this script from multiple accounts. On Windows Server 2008 and on
Windows Vista, if you are using a Windows administrator account that is a
member of the sysadmin role, you must run this script from an “elevated”
command prompt.
'*************************************************************************************
'Description: This script iterates through all the running instances of SQL Server
' and denies execute permission on sp_replwritetovarbin to public on all
' the affected versions.
' THIS IS PROVIDED AS A WORKAROUND AND SHOULD NOT BE USED IN THE EVENT THAT
' A SECURITY UPDATE IS PROVIDED AND INSTALLED.
'*************************************************************************************
OPTION EXPLICIT
ON ERROR RESUME NEXT
' Constant values
CONST EXIT_SUCCESS = 0
CONST EXIT_FAILURE = 1
CONST EXIT_NOINSTANCES = -1
CONST DEFAULTNAMESPACE = "root\default"
CONST STDREGPROV = "stdregprov"
CONST HKEY_LOCAL_MACHINE = &H80000002
CONST REG_MULTI_SZ = 7
CONST REG_SZ = 1
CONST adCmdText = 1
Call VBMain()
Function VBMain()
Err.Clear
ON ERROR RESUME NEXT
Dim sInstances(), strInstance, i, TotalCount
VBMain = EXIT_SUCCESS
If GetInstances(sInstances, TotalCount) = FALSE Then
WScript.Quit EXIT_FAILURE
End If
If IsEmptyNull(sInstances) Then
WScript.Echo "INFO: No instances are present."
VBMain = EXIT_NOINSTANCES
Exit Function
End If
For i = 0 To TotalCount-1
strInstance = sInstances(i,0)
GetFullInstance strInstance, sInstances(i,1)
If ApplyFix(sInstances(i,0), strInstance) = FALSE Then
WScript.Echo "ERROR: Could not apply the workaround on " + sInstances(i,0) + "." + vbCRLF
VBMain = EXIT_FAILURE
End If
Next
WScript.Echo "INFO: Completed processing all the running SQL instances."
End Function
Function GetInstances(ByRef sInstances, ByRef TotalCount)
Err.Clear
ON ERROR RESUME NEXT
Dim sInstances1, sInstances2, i
Dim instCount1, instCount2
GetInstances = FALSE
If NOT GetRegValue ("", HKEY_LOCAL_MACHINE, "Software\Microsoft\Microsoft SQL Server", "InstalledInstances", sInstances1, REG_MULTI_SZ, TRUE) Then
WScript.Echo "ERROR:Failed to read SQL instances installed on the machine."
Exit Function
End If
sInstances2 = NULL
If IsOs64Bit() = TRUE Then
If NOT GetRegValue ("", HKEY_LOCAL_MACHINE, "Software\Microsoft\Microsoft SQL Server", "InstalledInstances", sInstances2, REG_MULTI_SZ, FALSE) Then
WScript.Echo "ERROR:Failed to read SQL instances installed on the machine."
Exit Function
End If
End If
If IsEmptyNull(sInstances1) AND IsEmptyNull(sInstances2) Then
WScript.Echo "INFO: No instances present."
WScript.Quit EXIT_SUCCESS
End If
instCount1 = 0
instCount2 = 0
TotalCount = 0
If IsEmptyNull(sInstances1) = FALSE Then
instCount1 = UBound(sInstances1) + 1
TotalCount = instCount1
End If
If IsEmptyNull(sInstances2) = FALSE Then
instCount2 = UBound(sInstances2) + 1
TotalCount = TotalCount + instCount2
End If
ReDim PRESERVE sInstances(TotalCount,1)
if instCount1 > 0 Then
For i = 0 To UBound(sInstances1)
sInstances(i,0) = sInstances1(i)
sInstances(i,1) = True
Next
End If
If instCount2 >0 Then
For i = 0 To UBound(sInstances2)
sInstances(i+instCount1,0) = sInstances2(i)
sInstances(i+instCount1,1) = FALSE
Next
End If
GetInstances = TRUE
End Function
Function ApplyFix(ByVal strInstance, ByVal strServerName)
Err.Clear
ON ERROR RESUME NEXT
Dim objConn, objCmd, objCmd1, objRS, objRS1
Dim strCommand, strConn
Dim strBuildVersion, strProductLevel, bApplyFix
' Initialize return value
ApplyFix = FALSE
strConn = "Provider=sqloledb;Initial Catalog=master;Integrated Security=SSPI;Data Source=" + strServerName + ";"
' Error checking is intentionally left to keep the code short
Set objConn = CreateObject("ADODB.Connection")
Set objCmd = CreateObject("ADODB.Command")
Set objCmd1 = CreateObject("ADODB.Command")
' Open a Connection to the master Database
objConn.Open strConn
If ErrorOccurred("Error: Could not connect to " + strInstance) Then
Set objConn = Nothing
Exit Function
End If
' Validate the version before applying the fix
strCommand = "select SERVERPROPERTY('ProductVersion') as version, SERVERPROPERTY('productlevel') as productlevel"
objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
objCmd.CommandText = strCommand
Set objRS = objCmd.Execute()
If ErrorOccurred("ERROR: Could not execute """ + strCommand + """ on " + strInstance) = TRUE Then
objConn.Close()
Set objConn = Nothing
ApplyFix = FALSE
Exit Function
End If
strBuildVersion = objRS("version")
strProductLevel = UCase(objRS("productlevel"))
bApplyFix = FALSE
' Apply the workaround only for SQL 2000 and SQL 2005 (RTM, SP1 and SP2) versions
If (CInt(Mid(strBuildVersion,1,1)) = 8) Then
bApplyFix = TRUE
ElseIf CInt(Mid(strBuildVersion,1,1)) = 9 AND (StrComp(strProductLevel,"RTM") = 0 OR StrComp(strProductLevel,"SP1") = 0 OR StrComp(strProductLevel,"SP2") = 0) Then
bApplyFix = TRUE
End If
If bApplyFix = TRUE Then
strCommand = "deny execute on sp_replwritetovarbin to public"
objCmd1.ActiveConnection = objConn
objCmd1.CommandType = adCmdText
objCmd1.CommandText = strCommand
Set objRS1 = objCmd1.Execute()
If ErrorOccurred("ERROR: Could not execute """ + strCommand + """ on " + strInstance) = FALSE Then
WScript.Echo "INFO: Successfully applied the workaround on " + strInstance + " (" + strBuildVersion + ")." + vbCRLF
ApplyFix = TRUE
End If
Else
WScript.Echo "INFO: Skipping collecting information for " + strInstance + " (" + strBuildVersion + ") as this instance is not vulnerable." + vbCRLF
ApplyFix = TRUE
End If
objConn.Close()
Set objConn = Nothing
Set objCmd = Nothing
Set objCmd1 = Nothing
Set objRS = Nothing
Set objRS1 = Nothing
End Function
Private Function GetRegValue (ByVal strMachineName, ByVal hMainKey, ByVal strPath, ByVal strValueName, ByRef strValue, ByVal iValueType, ByVal b32bit)
Err.Clear
ON ERROR RESUME NEXT
Dim objLocator, objServices, objRegistry, objCtx
Dim sMultiStrings, lRc
GetRegValue = TRUE
'Connect to WMI and get an object to STDREGPROV class.
Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
If b32bit = TRUE Then
objCtx.Add "__ProviderArchitecture", 32
Else
objCtx.Add "__ProviderArchitecture", 64
End If
objCtx.Add "__RequiredArchitecture", TRUE
set objLocator = createobject("wbemscripting.swbemlocator")
set objServices = objLocator.connectserver(strMachineName,DEFAULTNAMESPACE, "", "",,,,objCtx)
set objRegistry = objServices.get(STDREGPROV)
If ErrorOccurred ("ERROR: Could not connect to WMI namespace " + DEFAULTNAMESPACE) Then
GetRegValue = FALSE
Exit Function
End If
lRc = 0
Select Case iValueType
' We only care about REG_MULTI_SZ
Case REG_MULTI_SZ
strValue = ""
lRC = objRegistry.GetMultiStringValue(hMainKey, strPath, strValueName, sMultiStrings)
strValue = sMultiStrings
Case REG_SZ
strValue = ""
lRC = objRegistry.GetStringValue(hMainKey, strPath, strValueName, strValue)
Case Else
GetRegValue = FALSE
End Select
If lRc = 2 Or lRc = 3 Then
GetRegValue = TRUE
strValue = ""
ElseIf Err.Number OR lRc <> 0 Then
GetRegValue = FALSE
End If
Set objLocator = Nothing
Set objServices = Nothing
Set objRegistry = Nothing
End Function
Function IsEmptyNull(sCheck)
IsEmptyNull = FALSE
If IsObject(sCheck) Then Exit Function
If IsArray(sCheck) Then Exit Function
If VarType(sCheck) = vbEmpty Then IsEmptyNull = TRUE : Exit Function
If VarType(sCheck) = vbNull Then IsEmptyNull = TRUE : Exit Function
If sCheck = "" Then IsEmptyNull = TRUE
End Function
Private Function ErrorOccurred (ByVal strIn)
If Err.Number <> 0 Then
WScript.Echo strIn
WScript.Echo "ERROR: 0x" & Err.Number & " - " & Err.Description
Err.Clear
ErrorOccurred = TRUE
Else
ErrorOccurred = FALSE
End If
End Function
Function IsOs64Bit()
Err.Clear
ON ERROR RESUME NEXT
Dim objProc
Set objProc = GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'")
If objProc.Architecture = 0 Then
IsOs64Bit = FALSE
Else
IsOs64Bit = TRUE
End If
End Function
Function GetFullInstance (ByRef strInstanceName, ByVal b32bit)
Err.Clear
ON ERROR RESUME NEXT
Dim objServices, objClusters, objCluster
Dim strMacName, isEmpty
Dim strKey, strInstID
GetFullInstance = TRUE
If strComp(UCase(strInstanceName), "MICROSOFT##SSEE", 1) = 0 Then
strInstanceName = "np:\\.\pipe\mssql$microsoft##ssee\sql\query"
Exit Function
End if
strMacName = ""
Set objServices = GetObject("winmgmts:root\cimv2")
' Query Cluster service
Set objClusters = objServices.ExecQuery ("select * from win32_service where Name='ClusSvc' AND Started = TRUE")
isEmpty = TRUE
If Err.Number = 0 Then
For each objCluster in objClusters
isEmpty = FALSE
Next
End If
Set objServices = Nothing
Set objClusters = Nothing
If isEmpty = TRUE Then
strInstanceName = BuildInstanceName (".", strInstanceName)
Exit Function
End If
' If we reach here that means the machine is a clustered node.
' So lets query registry to determine whether the SQL instance is clustered or not.
' For SQL 2000 query the following value
' HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceName>\Cluster
' ClusterName
strKey = "SOFTWARE\Microsoft\Microsoft SQL Server\" + strInstanceName + "\Cluster"
GetRegValue "", HKEY_LOCAL_MACHINE, strKey, "ClusterName", strMacName, REG_SZ, b32bit
If StrComp(strMacName, "") <> 0 Then
strInstanceName = BuildInstanceName (strMacName, strInstanceName)
Exit Function
End If
strKey = "SOFTWARE\Microsoft\" + strInstanceName + "\Cluster"
GetRegValue "", HKEY_LOCAL_MACHINE, strKey, "ClusterName", strMacName, REG_SZ, b32bit
If StrComp(strMacName, "") <> 0 Then
strInstanceName = BuildInstanceName (strMacName, strInstanceName)
Exit Function
End If
' Lets try querying the registry value for 2005/2008 instances
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
' RegValue = InstanceName
strInstID = ""
strKey = "SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
GetRegValue "", HKEY_LOCAL_MACHINE, strKey, strInstanceName, strInstID, REG_SZ, b32bit
If StrComp(strInstID, "") = 0 Then
' If this key doesnt exist, then return back as a SQL 2000 local instance
strInstanceName = BuildInstanceName (".", strInstanceName)
Exit Function
End If
strKey = "SOFTWARE\Microsoft\Microsoft SQL Server\" + strInstID + "\Cluster"
GetRegValue "", HKEY_LOCAL_MACHINE, strKey, "ClusterName", strMacName, REG_SZ, b32bit
If StrComp(strMacName, "") = 0 Then
strMacName = "."
End If
strInstanceName = BuildInstanceName (strMacName, strInstanceName)
End Function
Function BuildInstanceName (ByVal strMachineName, ByVal strInstanceName)
Dim strPrefix
strPrefix = ""
If StrComp(strMachineName, ".") = 0 Then
strPrefix = "lpc:"
End If
If strComp(UCase(strInstanceName), "MSSQLSERVER", 1) = 0 Then
BuildInstanceName = strPrefix + strMachineName
Else
BuildInstanceName = strPrefix + strMachineName + "\" + strInstanceName
End if
End Function
For more information about CScript.exe, visit the following Microsoft
Web site:
When you run the script, you receive the following error
message:
ERROR: Could not execute "deny execute on
sp_replwritetovarbin to public" on <instancename> ERROR:
0x-2147217900 - Cannot find the object 'sp_replwritetovarbin', because it does
not exist or you do not have permission. ERROR: Could not apply the
workaround on <instancename>.
You receive this error message if you do not have the permissions
that are required to apply the change. This error message indicates that you
were able to successfully log in to the instance "<instancename>."
This error message typically occurs in SQL Server Express in which
the "Built-In\Users" group has a login to the database by default. However,
this group is not a member of the sysadmin role.
This error message
may also occur if you dropped the sp_replwritetovarbin procedure. This was the
recommendation from a third-party report. We do not recommend dropping the
stored procedure. Instead, we recommend that you apply this resolution.
Make sure that the account that you connect with is a member of
the sysadmin role on that instance of the database. If the account is not a
member, either add the user that you are connecting as to the sysadmin role, or
use another user account. For SQL Server 2005 and earlier, the
"Built-in\Administrators" group is a member of the sysadmin role by default.
When you run this script on Windows Vista or on Windows Server 2008, make sure
that you run it from an “elevated” command prompt.
If you run this script in SQL Server 2005, you receive the
following error message:
Error: Could not connect to
<instancename> ERROR: 0x-2147217843 - Login failed for user
'<user>'. ERROR: Could not apply the workaround on
<instancename>.
You receive this error message if you were not able to connect to
the instance "<instancename>" even though this instance exists.
This error message typically occurs when you connect to Windows
Internal Database or to Microsoft SQL Server 2000 Desktop Edition (Windows)
instances. Typically, no user accounts have logins to these databases.
Make sure that the account that you use to run the script has a
login on the database that is a member of the sysadmin role.
We do
not recommend that you add individual users to Windows Internal Database and to
Microsoft SQL Server 2000 Desktop Edition (Windows) databases. If you do this,
the users that you add may interfere with the ordinary operation of these
databases. In this case, make sure that you connect from an account that is a
member of the sysadmin role. The "Built-in\Administrators" group in Windows is
typically a member of the sysadmin role by default in SQL Server 2005 and in
earlier versions. When you run this script on Windows Vista or on Windows
Server 2008, make sure that you run it from an "elevated" command prompt.
This database is the Windows Internal Database, also known as
"SQL Server Embedded Edition," or sometimes known as "Windows Internal
Database" or "Microsoft SQL Server 2000 Desktop Edition (Windows)." It is
installed with some products from Microsoft, including SharePoint Services.
The workaround script is designed to function with the Windows
Internal Database. No action is necessary on your part.
Some
applications do not remove the Windows Internal Database when they are
uninstalled.
For more information about how to remove the Windows
Internal Database, click the following article number to view the article in
the Microsoft Knowledge Base:
920277
(http://support.microsoft.com/kb/920277/
)
Windows Internal Database is not listed in the Add or Remove Programs
tool and is not removed when you remove Windows SharePoint Services 3.0 from
the computer
You receive this error message if the following conditions are true:
You have a 32-bit version of SQL Server 2000 installed on an x64-bit operating system.
You have a 64-bit version of SQL Server 2005 or of SQL Server 2008 installed on the computer.
This error message occurs when the script uses the 64-bit version of the dbmslpcn.dll file. This version cannot communicate with the WoW instances of SQL Server 2000.
Use the 32-bit version of the cscript.exe file from the %WINDOWS%\SysWOW64 folder to start the script. This loads the 32-bit version of the dbmslpcn.dll file that can detect WoW instances.
For more information about how to identify your
SQL Server version and edition, click the following article number to view the
article in the Microsoft Knowledge Base:
321185
(http://support.microsoft.com/kb/321185/
)
How to identify your SQL Server version and edition
The following table lists significant technical revisions to
this article. The revision number and the last review date in this article
might indicate minor editorial revisions or structural revisions to this
article that are not included in the table.
Collapse this tableExpand this table
Date
Revisions
December 31, 2008
Includes an updated script that detects SQL Server failover clustering instances.
December 30, 2008
Includes an updated script that
detects 32-bit versions of SQL Server running on 64-bit versions of
Windows.
Back to the top
