Microsoft SQL Server 'sp_replwritetovarbin' Remote Memory Corruption
[Summary]
Microsoft SQL Server is prone to a remote memory-corruption vulnerability because it fails to properly handle user-supplied input.
Specifically, the issue occurs when the server handles the 'sp_replwritetovarbin' extended stored procedure call. By supplying several uninitialised variables as parameters to the call, an attacker can write to a controlled memory location. Reportedly, this can be used to achieve code execution on certain unspecified versions of the Windows operating system.
Authenticated attackers can exploit this issue to execute arbitrary code and completely compromise affected computers. Failed attacks will likely cause denial-of-service conditions.
Note that in the default configuration, any authenticated user can access the 'sp_replwritetovarbin' procedure. Proof of concept and exploit code are publicly available.
[Solution/Workaround]
Microsoft recommends denying access to the vulnerable stored procedure. See the referenced vendor advisory for more information.
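One way to apply and then verify this workaround, shown as an added example that is not part of the original advisory text. It assumes SQL Server 2005, where the sys.database_permissions catalog view is available and the procedure resolves under the sys schema in master. On SQL Server 2000 only the DENY statement applies as written.

```sql
-- Added example: deny EXECUTE on sp_replwritetovarbin and confirm the result.
-- Assumption: SQL Server 2005 catalog views; run as a member of sysadmin.
USE master;

-- 1. Before the change: list every permission entry recorded for the
--    procedure, so the original state is captured for rollback.
SELECT USER_NAME(p.grantee_principal_id) AS grantee,
       p.permission_name,
       p.state_desc
FROM   sys.database_permissions AS p
WHERE  p.class = 1   -- object or column level permission
  AND  p.major_id = OBJECT_ID(N'sys.sp_replwritetovarbin');

-- 2. The workaround: the default configuration lets any authenticated
--    user call the procedure through the public role, so deny it there.
DENY EXECUTE ON sp_replwritetovarbin TO public;

-- 3. After the change: fail loudly unless an explicit DENY for public
--    is now present (state 'D' = DENY).
IF EXISTS (
    SELECT 1
    FROM   sys.database_permissions AS p
    WHERE  p.class = 1
      AND  p.major_id = OBJECT_ID(N'sys.sp_replwritetovarbin')
      AND  p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public')
      AND  p.permission_name = N'EXECUTE'
      AND  p.state = 'D'
)
    PRINT 'OK: EXECUTE on sp_replwritetovarbin is denied to public.';
ELSE
    RAISERROR('EXECUTE on sp_replwritetovarbin is NOT denied to public.', 16, 1);

-- 4. Any GRANT rows still listed for other principals are overridden by
--    the DENY on public; review them so they can be cleaned up as well.
SELECT USER_NAME(p.grantee_principal_id) AS grantee, p.state_desc
FROM   sys.database_permissions AS p
WHERE  p.class = 1
  AND  p.major_id = OBJECT_ID(N'sys.sp_replwritetovarbin')
  AND  p.state IN ('G', 'W');   -- GRANT, GRANT WITH GRANT OPTION
```

Members of the sysadmin fixed server role bypass permission checks, so the DENY does not restrict them.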
[Affected System]
Microsoft SQL Server 2000
Microsoft SQL Server 2005
[Reference]
http://www.microsoft.com/technet/security/advisory/961040.mspx