Posts

Microsoft Security Bulletin Coverage (Feb 13, 2009)

During the first two months of 2009 Microsoft published five security bulletins. MS09-001, MS09-003 and MS09-004 address server-side vulnerabilities, while MS09-002 and MS09-005 address client-side vulnerabilities. The SonicWALL UTM team has analyzed each bulletin and released IPS signatures that detect and prevent attacks leveraging these vulnerabilities. Below is a summary of the bulletins and the corresponding SonicWALL signatures.

MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution

  • IPS Sid 5357 — NETBIOS MS SMB TRANS Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4834
  • IPS Sid 5358 — NETBIOS MS SMB OPEN2 Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4835

MS09-002 Cumulative Security Update for Internet Explorer

  • IPS Sid 5379 — WEB-CLIENT MS IE Cloned Object Memory Corruption Attempt (MS09-002)
    CVE-2009-0075
  • IPS Sid 5387 — WEB-CLIENT MS IE CSS Processing Memory Corruption PoC (MS09-002)
    CVE-2009-0076

MS09-003 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution

  • IPS Sid 5383 — DOS MS Exchange System Attendant DoS
    CVE-2009-0099
  • IPS Sid 5385 — SMTP MS Exchange TNEF Integer Underflow PoC (MS09-003)
    CVE-2009-0098

MS09-004 Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

  • IPS Sid 1286 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
    CVE-2008-5416
  • IPS Sid 1292 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
    CVE-2008-5416
  • IPS Sid 1358 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode-SMB)
    CVE-2008-5416
  • IPS Sid 1360 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII-SMB)
    CVE-2008-5416

MS09-005 Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution

  • IPS Sid 5384 — MISC MS Visio Object ID Table Memory Corruption PoC (MS09-005)
    CVE-2009-0097
  • IPS Sid 5386 — MISC MS Visio Invalid Tag Handling Memory Corruption PoC (MS09-005)
    CVE-2009-0096
  • IPS Sid 5389 — MS Visio VSD File Icon Bits Memory Corruption PoC (MS09-005)
    CVE-2009-0096

Besides enabling prevention for these signatures, customers are advised to run Windows Update and apply the latest patches from Microsoft; the IPS signatures are a compensating control, and patching remains the actual fix.

SQL Server Stored Procedure Overflow (Jan 02, 2009)

Microsoft SQL Server is a relational database management system that uses Transact-SQL (T-SQL) for querying and modifying data and for managing databases. SQL Server ships with a wide range of stored procedures; a stored procedure is a group of T-SQL statements compiled into a single execution plan. One such procedure is sp_replwritetovarbin, which can be invoked with the EXEC statement:

EXEC master.dbo.sp_replwritetovarbin

A buffer overflow vulnerability exists in Microsoft SQL Server. The flaw is a boundary error in the implementation of the sp_replwritetovarbin stored procedure: the procedure does not verify that the supplied output varbinary buffer is large enough for the data it copies into it. By passing an undersized varbinary object as the output buffer parameter, and/or an overly long string argument, an authenticated user can trigger the overflow. Successful exploitation could allow arbitrary code execution in the security context of the SQL Server service process. Authentication is the only barrier: as Microsoft's advisory notes, the procedure can also be reached through a SQL injection flaw in an application that connects to the server with its own credentials, so an otherwise unauthenticated attacker may still be able to invoke it.

The vulnerability has been assigned CVE-2008-5416 and is described in Microsoft Security Advisory 961040.

Since sp_replwritetovarbin is proprietary to Microsoft and its interface is not published, it is believed to be rarely used for legitimate purposes. Microsoft's advisory accordingly lists denying EXECUTE permission on the procedure to public (in the master database) as a workaround until the patch is applied.

SonicWALL has released the following IPS signatures that detect and prevent invocation of the sp_replwritetovarbin stored procedure:

  • 1286 SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
  • 1292 SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
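As an added illustration (not SonicWALL's signature code), the following Python shows why the signature list carries separate Unicode and ASCII variants: a TDS 7.x client sends SQL Batch and RPC text as UCS-2LE, so a single-byte pattern never matches it, while legacy TDS 4.2 clients send single-byte text. The parser assumes the standard 8-byte TDS packet header (type, status, big-endian length, SPID, packet id, window); the sample packets are constructed here and carry only the procedure name, not an exploit payload. The SMB variants listed in the February post presumably cover the same text carried over named pipes and are not parsed here.

```python
"""Encoding-aware detection of sp_replwritetovarbin invocations in TDS traffic.

Added example, not SonicWALL signature code. TDS header layout and sample
packets are constructed for this illustration.
"""
import re
import struct
from typing import List, Tuple

PROC_NAME = "sp_replwritetovarbin"

# T-SQL identifiers are case-insensitive, so a signature must be too.
ASCII_PATTERN = re.compile(re.escape(PROC_NAME).encode("ascii"), re.IGNORECASE)

# re.IGNORECASE cannot fold case across the interleaved NUL bytes of UCS-2LE,
# so build an explicit per-character alternation of lower/upper code units.
UNICODE_PATTERN = re.compile(
    b"".join(
        b"(?:" + c.lower().encode("utf-16-le") + b"|" + c.upper().encode("utf-16-le") + b")"
        if c.isalpha()
        else re.escape(c.encode("utf-16-le"))
        for c in PROC_NAME
    )
)

TDS_SQL_BATCH = 0x01   # packet type carrying ad hoc T-SQL text
TDS_RPC = 0x03         # packet type carrying a procedure call by name
TDS_HEADER_LEN = 8


def tds_payload(packet: bytes) -> Tuple[int, bytes]:
    """Split one TDS packet into (type, payload), validating the length field."""
    if len(packet) < TDS_HEADER_LEN:
        raise ValueError("short TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("TDS length field does not match packet size")
    return ptype, packet[TDS_HEADER_LEN:]


def detect(packet: bytes) -> List[str]:
    """Return the encodings in which the procedure name appears in the packet."""
    ptype, payload = tds_payload(packet)
    hits: List[str] = []
    if ptype in (TDS_SQL_BATCH, TDS_RPC):
        if UNICODE_PATTERN.search(payload):
            hits.append("Unicode")
        if ASCII_PATTERN.search(payload):
            hits.append("ASCII")
    return hits


def build_tds_batch(sql: str, encoding: str) -> bytes:
    """Wrap query text in a minimal TDS SQL Batch packet (constructed test input)."""
    body = sql.encode(encoding)
    header = struct.pack(">BBHHBB", TDS_SQL_BATCH, 0x01, TDS_HEADER_LEN + len(body), 0, 1, 0)
    return header + body


# Constructed samples: a TDS 7.x client (UCS-2LE), a legacy single-byte client,
# and benign traffic. Mixed case in the first exercises case folding.
SAMPLES = {
    "tds7_unicode": build_tds_batch("EXEC master.dbo.SP_ReplWriteToVarbin @p1, @p2", "utf-16-le"),
    "tds42_ascii": build_tds_batch("exec master..sp_replwritetovarbin @p1", "latin-1"),
    "benign": build_tds_batch("SELECT name FROM sys.objects", "utf-16-le"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {detect(pkt) or 'no match'}")
```

The two patterns are deliberately independent: neither matches the other's encoding, which is exactly why a single ASCII signature would miss every modern client and a single Unicode signature would miss legacy ones.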