Microsoft issued an advisory late Monday warning of publicly available code that could be used to target an unpatched vulnerability in SQL Server.
In its advisory, the software giant warned of an authenticated remote code execution vulnerability in an MS SQL extended stored procedure. The flaw is caused by an invalid parameter check, which opens a hole for an attack.
"All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability," Microsoft said. "In addition, Web applications with a SQL Server back-end database are at risk if a SQL injection vulnerability exists."
An attacker can exploit the flaw remotely as an authenticated user on the system, said Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC). However, attackers could exploit the vulnerability as an unauthenticated user if they compromise a Web server via SQL injection, Sisk said.
The critical vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000 and WMSDE) and Windows Internal Database (WYukon).
"We are aware that exploit code has been published on the Internet, however, we are not aware of any attacks attempting to use the reported vulnerability," Sisk said on the MSRC blog.
As a workaround, Microsoft is advising customers to deny access to the sp_replwritetovarbin stored procedure. Microsoft said denying access to the affected stored procedure will have no impact for the majority of its customers.
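One way to apply and check the workaround described above, as an added example that is not taken from the article or from Microsoft's advisory. It assumes a sysadmin session, the SQL Server 2005 catalog views (sys.database_permissions is not available on SQL Server 2000), and that the public role is the grantee to deny.

```sql
-- Added example: apply and verify the sp_replwritetovarbin workaround.
-- Assumptions: SQL Server 2005 catalog views, run by a sysadmin.
USE master;
GO

-- 1. Record the existing permission entries on the procedure so the
--    change can be reviewed (and reverted) later.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1   -- object-level permission
  AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin');
GO

-- 2. Deny EXECUTE to the public role (assumed grantee). A DENY takes
--    precedence over any GRANT the caller inherits; members of the
--    sysadmin role bypass permission checks and are not restricted.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify that the DENY is recorded; raise an error if it is not,
--    so a deployment script or scheduled audit fails loudly.
IF EXISTS (
    SELECT 1
    FROM sys.database_permissions
    WHERE class = 1
      AND major_id = OBJECT_ID(N'sp_replwritetovarbin')
      AND grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public')
      AND type = 'EX'    -- EXECUTE
      AND state = 'D'    -- DENY
)
    PRINT 'sp_replwritetovarbin: EXECUTE is denied to public';
ELSE
    RAISERROR('sp_replwritetovarbin: DENY to public is not in effect', 16, 1);
GO
```

Step 3 can be rerun on its own after patching or server rebuilds to confirm the restriction is still in place.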
Bernhard Mueller, a security consultant with SEC Consult, discovered the flaw earlier this month. He issued a T-SQL script to test for the vulnerability. In his advisory, Mueller said he received an email from Microsoft in September explaining that a fix for the vulnerability had been completed. So far, Microsoft has not ruled out an out-of-cycle patch release.
"By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location," Mueller said in his advisory.