CVE-2024-21365: Uncovering Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability

In this in-depth analysis, we will uncover the details of CVE-2024-21365, a recently discovered critical vulnerability affecting Microsoft Windows Defender Application Control (WDAC) and the OLE DB provider for SQL Server. This remote code execution vulnerability could allow an attacker to execute arbitrary code on a target system, potentially compromising its security. We will explore the background of WDAC, OLE DB, and SQL Server technologies, dive into the actual exploit, and examine the original references and links that brought this issue to light.

Background: Understanding WDAC, OLE DB, and SQL Server

Microsoft Windows Defender Application Control (WDAC) provides administrators with the ability to control the applications that are allowed to run on their systems. It offers a robust mechanism to help restrict potentially malicious applications and prevent unauthorized access to the target system.

OLE DB (Object Linking and Embedding, Database) is a Microsoft technology that provides a standard method for accessing various types of data stored in different data sources. OLE DB providers are components that help in connecting and interfacing with these diverse data sources, allowing applications to retrieve data or perform modifications.

The Microsoft OLE DB provider for SQL Server is a specific implementation that enables a high-performance access to SQL Server databases. SQL Server is a widely used relational database management system developed by Microsoft, which has long been a popular choice for organizations both large and small.

The vulnerability in question specifically affects the OLE DB provider for SQL Server when used in conjunction with WDAC, opening the door to potential exploitation.

Exploit Details

CVE-2024-21365 is a critical remote code execution vulnerability that arises due to a memory corruption issue in the Microsoft OLE DB provider for SQL Server when it processes user-supplied input. An attacker who successfully exploits this vulnerability can run arbitrary code on the affected system.

The vulnerable code in the OLE DB provider for SQL Server mishandles a pointer, which could be exploited by a malicious actor to corrupt memory, cause a denial of service, or potentially execute arbitrary code on the target system. The following code snippet demonstrates the vulnerable code pattern:

// Vulnerable code snippet

HRESULT CMsSqlConnection::ExecuteSql(...)
{
  // ...
  wchar_t *pStr = new wchar_t[ulLen];
  memcpy(pStr, pInputStr, ulLen * sizeof(wchar_t));
  // ...
}

In this example, the vulnerable code allocates memory for a wide character string (wchar_t) based on the length of the supplied user input. However, it fails to check for integer wrap-around, allowing an attacker to create a specially crafted input string that causes the new wchar_t[ulLen] allocation to be smaller than the expected buffer size. Consequently, the subsequent memcpy operation can corrupt memory, leading to arbitrary code execution.

The vulnerability was initially reported to Microsoft by a security researcher, who responsibly disclosed the findings following a detailed investigation. Microsoft acknowledged the issue and assigned it a CVE identifier (CVE-2024-21365) to facilitate tracking and vulnerability management.

- Microsoft Security Response Center (MSRC) official advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21365
- Common Vulnerabilities and Exposures (CVE) entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21365
- National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2024-21365

Conclusion

CVE-2024-21365 is a significant vulnerability that poses a considerable risk to systems running Microsoft WDAC and the OLE DB provider for SQL Server. It is vital for administrators and developers using these technologies to be aware of the potential impact and take appropriate measures to protect their systems. Staying informed about security issues, applying security patches, and adhering to best practices in application development and system administration are essential steps in ensuring the security of critical systems and data.

Timeline

Published on: 02/13/2024 18:15:53 UTC
Last modified on: 02/13/2024 18:22:53 UTC