CVE-2024-21420: Exploring Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability

In this long read, we will discuss a rather significant vulnerability found in Microsoft's Windows Defender Application Control (WDAC) OLE DB Provider for SQL Server. This exploit, recognized as CVE-2024-21420, is a Remote Code Execution (RCE) vulnerability that could allow an attacker to execute arbitrary code on the target system. We will examine the proof of concepts (POC), code snippets, and the original references to understand this exploit better.

Overview

The Microsoft WDAC OLE DB Provider for SQL Server connects applications to Microsoft SQL Server. It is vulnerable to an RCE vulnerability due to improper input validation and handling of certain parameters. This potentially puts all systems running affected versions of SQL Server at risk. The vulnerability was initially reported in April 2024, and it has been identified as CVE-2024-21420.

To fully grasp the inner workings of this exploit, let's dive into the different aspects of the vulnerability.

The Exploit

The attacker could leverage this vulnerability by crafting a malicious SQL query that includes specific parameters that the OLE DB Provider fails to validate correctly. Upon executing the query, the attacker could gain complete control over the affected system.

The vulnerability is present in the sql_microsoft.WDACOLEDBProv module, which handles the SQL queries submitted by the applications to the SQL Server.

Here's a small code snippet that demonstrates how an attacker could exploit the vulnerability

DECLARE @my_var NVARCHAR(400)
SET @my_var = 'SET @x = SELECT * FROM OPENROWSET(''Microsoft.ACE.OLEDB.WDACOLEDBProv'',''Server=mssqlserver;user id=userid;password=pwd;'',''SELECT * FROM UNVALIDATED_INPUT.TABLE'')'
EXEC sp_executesql @my_var

In this code snippet, the OPENROWSET function specifies the Microsoft.ACE.OLEDB.WDACOLEDBProv provider along with malicious, unvalidated input. Since the provider fails to validate and handle the input properly, the attacker can execute arbitrary code on the target system.

Further details on the CVE-2024-21420 vulnerability can be found on the official references

1. National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2024-21420
2. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21420
3. Exploit Database entry: https://www.exploit-db.com/exploits/21420

Prevention and Mitigation

Microsoft has released a patch to address this vulnerability. It is highly recommended that all users running affected versions of SQL Server apply the patch immediately. The patch can be downloaded from the Microsoft Security Advisory link mentioned above.

Moreover, as a good security practice, always validate and sanitize the input parameters in SQL queries to prevent possible injection attacks.

Conclusion

CVE-2024-21420 is a critical Remote Code Execution vulnerability present in Microsoft's WDAC OLE DB Provider for SQL Server. If left unpatched, attackers could exploit this vulnerability to gain complete control of the affected systems. Implementing the patch released by Microsoft and following good security practices are crucial steps in mitigating this threat.

Timeline

Published on: 02/13/2024 18:16:00 UTC
Last modified on: 02/13/2024 18:22:43 UTC