SQL Server Stored Procedure Overflow (Jan 02, 2009)

Microsoft SQL Server is a relational database management system. It uses Transact-SQL (T-SQL) for querying and modifying data and for managing databases. SQL Server ships with a wide range of stored procedures. A stored procedure is a group of Transact-SQL statements compiled into a single execution plan. One such stored procedure is sp_replwritetovarbin. It can be invoked with an EXEC statement:

EXEC master.dbo.sp_replwritetovarbin

There is a buffer overflow vulnerability in Microsoft SQL Server. Specifically, the flaw is due to a boundary error in the implementation of the sp_replwritetovarbin stored procedure. The vulnerable procedure does not check whether the supplied output varbinary buffer is large enough for the copy operation it performs. By supplying an undersized varbinary object as the output buffer parameter, and/or an overly large string argument, to the sp_replwritetovarbin stored procedure, an authenticated user can trigger the buffer overflow. Successful exploitation could lead to arbitrary code execution in the context of the vulnerable SQL Server process.

The vulnerability has been assigned CVE-2008-5416 and is tracked by Microsoft as KB961040.

Since the procedure, sp_replwritetovarbin, is proprietary to Microsoft and its interface is not published, it is believed that the procedure is rarely used for legitimate purposes.

SonicWALL has released the following IPS signatures, which detect and block invocation of the sp_replwritetovarbin stored procedure. The signatures that address this vulnerability are:

  • 1286 SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
  • 1292 SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
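The two signatures above differ only in how the procedure name is encoded on the wire: a T-SQL batch carried inside a TDS packet is normally UTF-16LE ("Unicode"), while the name can also appear as plain ASCII. The following Python snippet is an added illustration of that same two-encoding check, written for this page; it is not SonicWALL's signature logic, and the sample batches it scans are constructed here. It matches the procedure name case-insensitively in both forms and reports the encoding, byte offset, and the advisory's signature ID for each hit.

```python
import re
from typing import List, Tuple

# Procedure name that both IPS signatures in the advisory look for.
PROC_NAME = "sp_replwritetovarbin"

# Signature IDs quoted in the advisory, keyed by the on-wire encoding each covers.
SIGNATURE_IDS = {"ascii": 1292, "utf-16le": 1286}


def _utf16le_pattern(name: str) -> re.Pattern:
    """Build a case-insensitive bytes regex for `name` encoded as UTF-16LE,
    i.e. each ASCII character followed by a NUL byte, which is how a T-SQL
    batch is carried inside a TDS packet."""
    parts = []
    for ch in name:
        if ch.isalpha():
            # Match either case of the letter, then the NUL high byte.
            parts.append(b"[" + ch.upper().encode() + ch.lower().encode() + b"]\x00")
        else:
            parts.append(re.escape(ch.encode()) + b"\x00")
    return re.compile(b"".join(parts))


# One pattern per encoding; ASCII and UTF-16LE forms never match each other
# because the NUL bytes are present in exactly one of them.
_PATTERNS = {
    "ascii": re.compile(re.escape(PROC_NAME.encode()), re.IGNORECASE),
    "utf-16le": _utf16le_pattern(PROC_NAME),
}


def find_invocations(payload: bytes) -> List[Tuple[str, int, int]]:
    """Return (encoding, byte_offset, signature_id) for every occurrence of
    the procedure name in `payload`, sorted by offset. An empty list means
    neither encoding of the name is present."""
    hits = []
    for encoding, pattern in _PATTERNS.items():
        for m in pattern.finditer(payload):
            hits.append((encoding, m.start(), SIGNATURE_IDS[encoding]))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample batches (not captured traffic): one ASCII invocation,
# one UTF-16LE invocation with mixed case, and a benign catalog query that
# only contains a prefix of the name and must not trigger.
SAMPLE_BATCHES = {
    "ascii_exec": b"EXEC master.dbo.sp_replwritetovarbin",
    "unicode_exec": "exec master..SP_ReplWriteToVarbin".encode("utf-16-le"),
    "benign_lookup": (
        "SELECT name FROM sys.procedures WHERE name LIKE 'sp_repl%'"
    ).encode("utf-16-le"),
}

if __name__ == "__main__":
    for label, batch in SAMPLE_BATCHES.items():
        print(label, find_invocations(batch))
```

Because the advisory notes that legitimate use of this procedure is rare, alerting on any occurrence of the name, regardless of arguments, is a reasonable policy; the offset lets an analyst pull the surrounding batch text for review.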