MS15-058: Vulnerabilities in SQL Server could allow remote code execution

Press Release (Hall of Fame)
Group: General Forum Members
Points: 3860 Visits: 0
Comments posted to this topic are about the item MS15-058: Vulnerabilities in SQL Server could allow remote code execution
Megistal (SSCrazy Eights)
Group: General Forum Members
Points: 8075 Visits: 2666
For curiosity and prevention, what does the "specially crafted" (as MS says it) query look like? I often see SQL instances not patched (not under my control / jurisdiction), so having an idea of what it looks like could help to identify weird behavior, or at least to know what to look for.

Thx
Iwas Bornready (SSC Guru)
Group: General Forum Members
Points: 69006 Visits: 886
Thanks for the heads up.
Steve Jones (SSC Guru)
Group: Administrators
Points: 632362 Visits: 21351
Megistal (7/15/2015)
For curiosity and prevention, what does the "specially crafted" (as MS says it) query look like? I often see SQL instances not patched (not under my control / jurisdiction), so having an idea of what it looks like could help to identify weird behavior, or at least to know what to look for.

Thx


I have not seen this. I suspect it's a query with some hex in it, though the KB mentions a call to a virtual function. They typically don't publish the query as people might run it on their instances (or others).

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Megistal (SSCrazy Eights)
Group: General Forum Members
Points: 8075 Visits: 2666
I have not seen this. I suspect it's a query with some hex in it, though the KB mentions a call to a virtual function. They typically don't publish the query as people might run it on their instances (or others).


Still, going deeper, I now know that it is related to two things:

One comes from Transactional replication
and the other one (exploit) comes from database name, schema name and data within it.

I feel safer knowing this than just a "virtual call". I know better what to be aware of.

- The first one is not always on, and most of the time it's scripted or set up by a DBA
- The second is not very easy to cover / hide

For both of them, a DBA could easily exploit those two vulnerabilities, but at the base, a DBA often has all the rights in SQL Server (and often on the box for perfmon and the like too), so it would be pointless for them to do such attacks, other than preventing non-DBAs from doing it.


The other question I have in mind is: in what circumstances did that person find this vulnerability?
Steve Jones (SSC Guru)
Group: Administrators
Points: 632362 Visits: 21351
Megistal (7/15/2015)

The other question I have in mind is: in what circumstances did that person find this vulnerability?


I'm not sure what you mean? Do you mean how was this reported?

This is a patch for an issue Microsoft has released and acknowledged. How could it occur? If anyone has access to a SQL Server, including SQL Injection through an application, and they submit a query.

That means anyone who can access your SQL Server could potentially exploit this.

Patch your server.

Megistal (SSCrazy Eights)
Group: General Forum Members
Points: 8075 Visits: 2666
I'm not sure what you mean? Do you mean how was this reported?


No.

The first time it was discovered, if not by someone who deliberately searches for issues (QA, hackers and the like), it was within a valid, well-intentioned business case which was under development.

One of the vulnerabilities includes names and data. Before this vulnerability was known, what justified those (probably weird) names for databases and schemas?

We will never know; just wondering, based on the name assumption, how one would go in that direction and fall into the issue.
the other mike.stuart (SSC-Enthusiastic)
Group: General Forum Members
Points: 130 Visits: 107
So, I anticipate the following happening:

Me: Hey boss, Microsoft has released a security patch. Steve Jones recommends we should patch all of our servers.
Boss: LOL

As a SQL professional, I get it when Microsoft says "hey everyone, heads up!!", and I don't need a whole lot of supporting data. Boss-man, however, is going to have a lot of questions, and I need to be able to explain what the nature of the risk is, and if we even need to be concerned.

I've read through the descriptions provided by Microsoft and it doesn't give a whole lot of details on what exactly is being fixed:

"This update resolves vulnerabilities in Microsoft SQL Server that could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address. This leads to a function call to uninitialized memory."

Huh???

I need ammo to justify taking the time and resources away from all my other work and patching our servers.

Can anyone elaborate further on this?

Thanks,


Mike
Steve Jones (SSC Guru)
Group: Administrators
Points: 632362 Visits: 21351
It's as vulnerable as before. How likely is an attack?

Depends on your level of SQL Injection vulnerability as well as how many people (outside of employees) can send a custom query through to the instance.

I think in many cases, it's not a big deal. If you have potential issues, then you'll want to patch sooner.

Summer90 (One Orange Chip)
Group: General Forum Members
Points: 29627 Visits: 4284
It is getting quite confusing which patches to apply to each different version and CU version of SQL Server. We have so many versions, and at different releases, here.

I don't know if I agree with putting other fixes into a security patch. I guess that can be debated until the end of time though.
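For the situation Summer90 and Megistal describe (many instances, on several branches, some not under your control), the first defensive step is knowing which builds you are actually running. The script below is an added example, not from the thread or from Microsoft. It takes the `ProductVersion` strings a DBA would collect with `SELECT SERVERPROPERTY('ProductVersion')` from each instance, groups them by branch (major.minor), and compares each against the minimum fixed build for that branch. The inventory and the threshold table are constructed placeholders; the real fixed build numbers for MS15-058 must be taken from Microsoft's bulletin and KB article for your branch before the output means anything.

```python
"""Added example: triage a fleet of SQL Server instances by ProductVersion
against a per-branch minimum fixed build. All data below is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# PLACEHOLDER thresholds keyed by branch "major.minor" (11.0 = SQL 2012,
# 12.0 = SQL 2014). These are NOT the MS15-058 builds; replace them with the
# fixed build for each branch from the bulletin/KB.
PLACEHOLDER_THRESHOLDS: Dict[str, str] = {
    "11.0": "11.0.5000.0",
    "12.0": "12.0.4000.0",
}

# Constructed inventory: (instance name, SERVERPROPERTY('ProductVersion')).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("SQLPROD01", "11.0.3000.0"),
    ("SQLPROD02", "11.0.6000.0"),
    ("SQLDEV01", "12.0.2000.8"),
    ("SQLLEGACY", "9.0.5000.0"),
]


def parse_version(text: str) -> Version:
    """Turn 'major.minor.build.revision' into a tuple that compares numerically.
    A string compare would rank '11.0.3000.0' above '11.0.12000.0', so we refuse
    anything that is not four integer fields rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ProductVersion format: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def branch_of(version: Version) -> str:
    """Branch key used to pick the threshold, e.g. '11.0'."""
    return f"{version[0]}.{version[1]}"


def classify(version_text: str, thresholds: Dict[str, str]) -> str:
    """Return 'ok', 'needs-update', or 'unknown-branch' for one instance.
    A branch with no threshold is reported separately rather than silently
    passed: an out-of-support release is a finding, not a non-result."""
    version = parse_version(version_text)
    branch = branch_of(version)
    if branch not in thresholds:
        return "unknown-branch"
    return "ok" if version >= parse_version(thresholds[branch]) else "needs-update"


def triage(inventory: List[Tuple[str, str]],
           thresholds: Dict[str, str]) -> Dict[str, List[str]]:
    """Group instance names by their classification, preserving inventory order."""
    report: Dict[str, List[str]] = defaultdict(list)
    for instance, version_text in inventory:
        report[classify(version_text, thresholds)].append(instance)
    return dict(report)


if __name__ == "__main__":
    for status, instances in triage(SAMPLE_INVENTORY, PLACEHOLDER_THRESHOLDS).items():
        print(f"{status:>14}: {', '.join(instances)}")
```

Feeding this with real output from your instances (one `SERVERPROPERTY('ProductVersion')` per server) and the bulletin's fixed builds gives the per-branch list that answers the "which patch goes where" question, and the `unknown-branch` bucket surfaces the instances nobody has a patch for at all.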