Microsoft Security Advisory: Vulnerability in SQL Server could allow remote code execution

Article translations Article translations
Article ID: 961040 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

Microsoft has released a security advisory about a vulnerability in Microsoft SQL Server that could allow remote code execution. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/961040.mspx
This article includes a VB script that you can use to apply a workaround to all running instances of SQL Server on a local computer.

EXAMPLE OF A VB SCRIPT THAT YOU CAN USE TO APPLY THE WORKAROUND

You can use this VB script to deny Execute permission to the Public role on the sp_replwritetovarbin extended stored procedure on all affected versions of SQL Server that are running on the local computer.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Copy this code to a text file, save the file using a .vbs file name extension, and then run the script file using CScript.exe. The script iterates through the running instances of SQL Server on the local computer and applies the workaround on the affected versions. You must be a member of the sysadmin role on each instance of SQL Server to apply the workaround. If you do not have a Windows account that is a member of the sysadmin role on all affected servers that are running SQL Server, you may have to run this script from multiple accounts. On Windows Server 2008 and on Windows Vista, if you are using a Windows administrator account that is a member of the sysadmin role, you must run this script from an “elevated” command prompt.
'*************************************************************************************
'Description: This script iterates through all the running instances of SQL Server 
'            and denies execute permission on sp_replwritetovarbin to public on all
'            the affected versions.
'            THIS IS PROVIDED AS A WORKAROUND AND SHOULD NOT BE USED IN THE EVENT THAT 
'            A SECURITY UPDATE IS PROVIDED AND INSTALLED.
'*************************************************************************************

OPTION EXPLICIT
ON ERROR RESUME NEXT

' Constant values
CONST EXIT_SUCCESS       = 0
CONST EXIT_FAILURE       = 1
CONST EXIT_NOINSTANCES   = -1
CONST DEFAULTNAMESPACE   = "root\default"
CONST STDREGPROV         = "stdregprov"
CONST HKEY_LOCAL_MACHINE = &H80000002
CONST REG_MULTI_SZ       = 7
CONST REG_SZ             = 1
CONST adCmdText          = 1


Call VBMain()

Function VBMain()
    Err.Clear
    ON ERROR RESUME NEXT
		
    Dim sInstances(), strInstance, i, TotalCount
    VBMain = EXIT_SUCCESS
    If GetInstances(sInstances, TotalCount) = FALSE Then
        WScript.Quit EXIT_FAILURE
    End If

    If IsEmptyNull(sInstances) Then 
        WScript.Echo "INFO: No instances are present."
        VBMain = EXIT_NOINSTANCES
        Exit Function
    End If

    For i = 0 To TotalCount-1
        strInstance = sInstances(i,0)
        GetFullInstance strInstance, sInstances(i,1)
        If ApplyFix(sInstances(i,0), strInstance) = FALSE Then
            WScript.Echo "ERROR: Could not apply the workaround on " + sInstances(i,0) + "." + vbCRLF
            VBMain = EXIT_FAILURE
        End If
    Next
	
    WScript.Echo "INFO: Completed processing all the running SQL instances."
End Function

Function GetInstances(ByRef sInstances, ByRef TotalCount)
    Err.Clear
    ON ERROR RESUME NEXT
		
    Dim sInstances1, sInstances2, i
    Dim instCount1, instCount2
    GetInstances = FALSE

    If NOT GetRegValue ("", HKEY_LOCAL_MACHINE, "Software\Microsoft\Microsoft SQL Server", "InstalledInstances", sInstances1, REG_MULTI_SZ, TRUE) Then
        WScript.Echo "ERROR:Failed to read SQL instances installed on the machine."
        Exit Function
    End If

    sInstances2 = NULL
    If IsOs64Bit() = TRUE Then
        If NOT GetRegValue ("", HKEY_LOCAL_MACHINE, "Software\Microsoft\Microsoft SQL Server", "InstalledInstances", sInstances2, REG_MULTI_SZ, FALSE) Then
            WScript.Echo "ERROR:Failed to read SQL instances installed on the machine."
            Exit Function
        End If
    End If

    If IsEmptyNull(sInstances1) AND IsEmptyNull(sInstances2) Then 
        WScript.Echo "INFO: No instances present."
        WScript.Quit EXIT_SUCCESS
    End If
        
    instCount1 = 0
    instCount2 = 0 
    TotalCount = 0
    If IsEmptyNull(sInstances1) = FALSE Then
        instCount1 = UBound(sInstances1) + 1
        TotalCount = instCount1
    End If
        
    If IsEmptyNull(sInstances2) = FALSE Then
        instCount2 = UBound(sInstances2) + 1
        TotalCount = TotalCount + instCount2
    End If

    ReDim PRESERVE sInstances(TotalCount,1)
    if instCount1 > 0 Then
        For i = 0 To UBound(sInstances1)
            sInstances(i,0) = sInstances1(i)
            sInstances(i,1) = True
        Next
    End If
    If instCount2 >0 Then
        For i = 0 To UBound(sInstances2)
            sInstances(i+instCount1,0) = sInstances2(i)
            sInstances(i+instCount1,1) = FALSE
        Next
    End If
    GetInstances = TRUE
End Function


Function ApplyFix(ByVal strInstance, ByVal strServerName)
    Err.Clear
    ON ERROR RESUME NEXT

    Dim objConn, objCmd, objCmd1, objRS, objRS1
    Dim strCommand, strConn
    Dim strBuildVersion, strProductLevel, bApplyFix

    ' Initialize return value
    ApplyFix = FALSE
    
    strConn = "Provider=sqloledb;Initial Catalog=master;Integrated Security=SSPI;Data Source=" + strServerName + ";"
    ' Error checking is intentionally left to keep the code short
    Set objConn = CreateObject("ADODB.Connection")
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd1 = CreateObject("ADODB.Command")
    
    ' Open a Connection to the master Database
    objConn.Open strConn 
    If ErrorOccurred("Error: Could not connect to " + strInstance) Then
        Set objConn = Nothing
        Exit Function
    End If

    ' Validate the version before applying the fix
    strCommand = "select SERVERPROPERTY('ProductVersion') as version, SERVERPROPERTY('productlevel') as productlevel"
    objCmd.ActiveConnection = objConn
    objCmd.CommandType = adCmdText
    objCmd.CommandText = strCommand
    	
    Set objRS = objCmd.Execute()
    If ErrorOccurred("ERROR: Could not execute """ + strCommand + """ on " + strInstance) = TRUE Then
        objConn.Close()
        Set objConn = Nothing
        ApplyFix = FALSE
        Exit Function   
    End If

    strBuildVersion = objRS("version")
    strProductLevel = UCase(objRS("productlevel"))

    bApplyFix = FALSE
    ' Apply the workaround only for SQL 2000 and SQL 2005 (RTM, SP1 and SP2) versions
    If (CInt(Mid(strBuildVersion,1,1)) = 8) Then
        bApplyFix = TRUE
    ElseIf CInt(Mid(strBuildVersion,1,1)) = 9 AND (StrComp(strProductLevel,"RTM") = 0 OR StrComp(strProductLevel,"SP1") = 0 OR StrComp(strProductLevel,"SP2") = 0) Then
        bApplyFix = TRUE
    End If 
	
    If bApplyFix = TRUE Then
        strCommand = "deny execute on sp_replwritetovarbin to public"
        objCmd1.ActiveConnection = objConn
        objCmd1.CommandType = adCmdText
        objCmd1.CommandText = strCommand
        Set objRS1 = objCmd1.Execute()
        If ErrorOccurred("ERROR: Could not execute """ + strCommand + """ on " + strInstance) = FALSE Then
            WScript.Echo "INFO: Successfully applied the workaround on " + strInstance + " (" + strBuildVersion + ")." + vbCRLF
            ApplyFix = TRUE
        End If
    Else
        WScript.Echo "INFO: Skipping collecting information for " + strInstance + " (" + strBuildVersion + ") as this instance is not vulnerable." + vbCRLF
        ApplyFix = TRUE
    End If

    objConn.Close()
    Set objConn = Nothing
    Set objCmd = Nothing
    Set objCmd1 = Nothing
    Set objRS = Nothing
    Set objRS1 = Nothing
End Function

Private Function GetRegValue (ByVal strMachineName, ByVal hMainKey, ByVal strPath, ByVal strValueName, ByRef strValue, ByVal iValueType, ByVal b32bit)
    Err.Clear
    ON ERROR RESUME NEXT
	
    Dim objLocator, objServices, objRegistry, objCtx
    Dim sMultiStrings, lRc
    GetRegValue = TRUE

    'Connect to WMI and get an object to STDREGPROV class.
    Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    If b32bit = TRUE Then
        objCtx.Add "__ProviderArchitecture", 32
    Else
        objCtx.Add "__ProviderArchitecture", 64
    End If
    objCtx.Add "__RequiredArchitecture", TRUE
    set objLocator = createobject("wbemscripting.swbemlocator")
    set objServices = objLocator.connectserver(strMachineName,DEFAULTNAMESPACE, "", "",,,,objCtx)
    set objRegistry = objServices.get(STDREGPROV)
    If ErrorOccurred ("ERROR: Could not connect to WMI namespace " + DEFAULTNAMESPACE) Then
        GetRegValue = FALSE
        Exit Function
    End If 

    lRc = 0
    Select Case iValueType
        ' We only care about REG_MULTI_SZ
        Case REG_MULTI_SZ
            strValue = ""
            lRC = objRegistry.GetMultiStringValue(hMainKey, strPath, strValueName, sMultiStrings)
            strValue = sMultiStrings
        Case REG_SZ
            strValue = ""
            lRC = objRegistry.GetStringValue(hMainKey, strPath, strValueName, strValue)
        Case Else
            GetRegValue = FALSE
    End Select

    If lRc = 2 Or lRc = 3 Then
        GetRegValue = TRUE
        strValue = ""
    ElseIf Err.Number OR lRc <> 0 Then
        GetRegValue = FALSE
    End If
    
    Set objLocator = Nothing
    Set objServices = Nothing
    Set objRegistry = Nothing
End Function

Function IsEmptyNull(sCheck)
    IsEmptyNull = FALSE
    If IsObject(sCheck) Then Exit Function
    If IsArray(sCheck) Then Exit Function
    If VarType(sCheck) = vbEmpty Then IsEmptyNull = TRUE : Exit Function
    If VarType(sCheck) = vbNull Then IsEmptyNull = TRUE : Exit Function
    If sCheck = "" Then IsEmptyNull = TRUE
End Function

Private Function ErrorOccurred (ByVal strIn)
    If Err.Number <> 0 Then
        WScript.Echo strIn
        WScript.Echo "ERROR: 0x" & Err.Number & " - " & Err.Description
        Err.Clear
        ErrorOccurred = TRUE
    Else
        ErrorOccurred = FALSE
    End If
End Function

Function IsOs64Bit()
    Err.Clear
    ON ERROR RESUME NEXT
    
    Dim objProc
    Set objProc = GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'")
    If objProc.Architecture = 0 Then
        IsOs64Bit = FALSE
    Else
        IsOs64Bit = TRUE
    End If
End Function

Function GetFullInstance (ByRef strInstanceName, ByVal b32bit)
    Err.Clear
    ON ERROR RESUME NEXT 

    Dim objServices, objClusters, objCluster
    Dim strMacName, isEmpty
    Dim strKey, strInstID
    
    GetFullInstance = TRUE
    
    If strComp(UCase(strInstanceName), "MICROSOFT##SSEE", 1) = 0 Then
        strInstanceName = "np:\\.\pipe\mssql$microsoft##ssee\sql\query"
        Exit Function
    End if

    strMacName = ""
    Set objServices = GetObject("winmgmts:root\cimv2")

    ' Query Cluster service
    Set objClusters = objServices.ExecQuery ("select * from win32_service where Name='ClusSvc' AND Started = TRUE")
    isEmpty = TRUE
    If Err.Number = 0 Then
        For each objCluster in objClusters
            isEmpty = FALSE
        Next
    End If

    Set objServices = Nothing
    Set objClusters = Nothing

    If isEmpty = TRUE Then
        strInstanceName = BuildInstanceName (".", strInstanceName)
        Exit Function
    End If
    
    ' If we reach here that means the machine is a clustered node.
    ' So lets query registry to determine whether the SQL instance is clustered or not.
    ' For SQL 2000 query the following value
    ' HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceName>\Cluster
    ' ClusterName
    strKey = "SOFTWARE\Microsoft\Microsoft SQL Server\" + strInstanceName + "\Cluster"
    GetRegValue "", HKEY_LOCAL_MACHINE, strKey, "ClusterName", strMacName, REG_SZ, b32bit

    If StrComp(strMacName, "") <> 0 Then
        strInstanceName = BuildInstanceName (strMacName, strInstanceName)
        Exit Function
    End If

    strKey = "SOFTWARE\Microsoft\" + strInstanceName + "\Cluster"
    GetRegValue "", HKEY_LOCAL_MACHINE, strKey, "ClusterName", strMacName, REG_SZ, b32bit

    If StrComp(strMacName, "") <> 0 Then
        strInstanceName = BuildInstanceName (strMacName, strInstanceName)
        Exit Function
    End If

    ' Lets try querying the registry value for 2005/2008 instances
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
    ' RegValue = InstanceName
    strInstID = ""
    strKey = "SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
    GetRegValue "", HKEY_LOCAL_MACHINE, strKey, strInstanceName, strInstID, REG_SZ, b32bit
    
    If StrComp(strInstID, "") = 0 Then
        ' If this key doesnt exist, then return back as a SQL 2000 local instance
        strInstanceName = BuildInstanceName (".", strInstanceName)
        Exit Function
    End If

    strKey = "SOFTWARE\Microsoft\Microsoft SQL Server\" + strInstID + "\Cluster"
    GetRegValue "", HKEY_LOCAL_MACHINE, strKey, "ClusterName", strMacName, REG_SZ, b32bit
    
    If StrComp(strMacName, "") = 0 Then
        strMacName = "."
    End If

    strInstanceName = BuildInstanceName (strMacName, strInstanceName)
End Function

Function BuildInstanceName (ByVal strMachineName, ByVal strInstanceName)
    Dim strPrefix
    
    strPrefix = ""
    If StrComp(strMachineName, ".") = 0 Then
        strPrefix = "lpc:"
    End If
    
    If strComp(UCase(strInstanceName), "MSSQLSERVER", 1) = 0 Then
        BuildInstanceName = strPrefix + strMachineName
    Else
        BuildInstanceName = strPrefix + strMachineName + "\" + strInstanceName
    End if
End Function
For more information about CScript.exe, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb490887.aspx
Note We recommend that you not use this script if a security update has been provided and you have installed it.

KNOWN ISSUES THAT MAY OCCUR WHEN YOU RUN THIS SCRIPT

Issue 1

When you run the script, you receive the following error message:
ERROR: Could not execute "deny execute on sp_replwritetovarbin to public" on <instancename>
ERROR: 0x-2147217900 - Cannot find the object 'sp_replwritetovarbin', because it does not exist or you do not have permission.
ERROR: Could not apply the workaround on <instancename>.

Cause 1

You receive this error message if you do not have the permissions that are required to apply the change. This error message indicates that you were able to successfully log in to the instance "<instancename>."

This error message typically occurs in SQL Server Express in which the "Built-In\Users" group has a login to the database by default. However, this group is not a member of the sysadmin role.

This error message may also occur if you dropped the sp_replwritetovarbin procedure. This was the recommendation from a third-party report. We do not recommend dropping the stored procedure. Instead, we recommend that you apply this resolution.

Resolution 1

Make sure that the account that you connect with is a member of the sysadmin role on that instance of the database. If the account is not a member, either add the user that you are connecting as to the sysadmin role, or use another user account. For SQL Server 2005 and earlier, the "Built-in\Administrators" group is a member of the sysadmin role by default. When you run this script on Windows Vista or on Windows Server 2008, make sure that you run it from an “elevated” command prompt.

Issue 2

If you run this script in SQL Server 2005, you receive the following error message:
Error: Could not connect to <instancename>
ERROR: 0x-2147217843 - Login failed for user '<user>'.
ERROR: Could not apply the workaround on <instancename>.

Cause 2

You receive this error message if you were not able to connect to the instance "<instancename>" even though this instance exists.

This error message typically occurs when you connect to Windows Internal Database or to Microsoft SQL Server 2000 Desktop Edition (Windows) instances. Typically, no user accounts have logins to these databases.

Resolution 2

Make sure that the account that you use to run the script has a login on the database that is a member of the sysadmin role.

We do not recommend that you add individual users to Windows Internal Database and to Microsoft SQL Server 2000 Desktop Edition (Windows) databases. If you do this, the users that you add may interfere with the ordinary operation of these databases. In this case, make sure that you connect from an account that is a member of the sysadmin role. The "Built-in\Administrators" group in Windows is typically a member of the sysadmin role by default in SQL Server 2005 and in earlier versions. When you run this script on Windows Vista or on Windows Server 2008, make sure that you run it from an "elevated" command prompt.

Issue 3

You may notice an instance of a database named MICROSOFT##SSEE. However, you did not install this database.

Cause 3

This database is the Windows Internal Database, also known as "SQL Server Embedded Edition," or sometimes known as "Windows Internal Database" or "Microsoft SQL Server 2000 Desktop Edition (Windows)." It is installed with some products from Microsoft, including SharePoint Services.

Resolution 3

The workaround script is designed to function with the Windows Internal Database. No action is necessary on your part.

Some applications do not remove the Windows Internal Database when they are uninstalled. For more information about how to remove the Windows Internal Database, click the following article number to view the article in the Microsoft Knowledge Base:
920277 Windows Internal Database is not listed in the Add or Remove Programs tool and is not removed when you remove Windows SharePoint Services 3.0 from the computer

Issue 4

When you run the script, you receive the following error message:
Error: Could not connect to .\<instancename>
ERROR: 0x-2147467259 - [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied

Cause 4

You receive this error message if the following conditions are true:
  • You have a 32-bit version of SQL Server 2000 installed on an x64-bit operating system.
  • You have a 64-bit version of SQL Server 2005 or of SQL Server 2008 installed on the computer.
This error message occurs when the script uses the 64-bit version of the dbmslpcn.dll file. This version cannot communicate with the WoW instances of SQL Server 2000.

Resolution 4

Use the 32-bit version of the cscript.exe file from the %WINDOWS%\SysWOW64 folder to start the script. This loads the 32-bit version of the dbmslpcn.dll file that can detect WoW instances.

REFERENCES

For more information about how to identify your SQL Server version and edition, click the following article number to view the article in the Microsoft Knowledge Base:
321185 How to identify your SQL Server version and edition

MORE INFORMATION

The following table lists significant technical revisions to this article. The revision number and the last review date in this article might indicate minor editorial revisions or structural revisions to this article that are not included in the table.
Collapse this tableExpand this table
DateRevisions
December 31, 2008Includes an updated script that detects SQL Server failover clustering instances.
December 30, 2008Includes an updated script that detects 32-bit versions of SQL Server running on 64-bit versions of Windows.

Properties

Article ID: 961040 - Last Review: September 30, 2011 - Revision: 4.0
APPLIES TO
  • Windows Internal Database
  • Microsoft SQL Server 2005 Service Pack 2, when used with:
    • Microsoft SQL Server 2005 Standard Edition
    • Microsoft SQL Server 2005 Enterprise Edition
    • Microsoft SQL Server 2005 Express Edition
    • Microsoft SQL Server 2005 Express Edition with Advanced Services
    • Microsoft SQL Server 2005 Enterprise X64 Edition
    • Microsoft SQL Server 2005 Standard X64 Edition
    • Microsoft SQL Server 2005 Enterprise Edition for Itanium-based Systems
  • Microsoft SQL Server 2000 Desktop Engine (Windows)
Keywords: 
kbfix kbbug kbsecvulnerability kbsecbulletin kbsecurity KB961040

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com