CVE-2024-30006: Remote Code Execution Vulnerability in Microsoft WDAC OLE DB Provider for SQL Server

Microsoft Windows Defender Application Control (WDAC) is a vital security feature that assists in protecting Windows 10 and Windows Server. WDAC allows administrators to control which drivers and applications are allowed to run on their systems. To manage and store the application policies, Microsoft's OLE DB provider for SQL Server is used.

A critical vulnerability identified as "CVE-2024-30006" has been discovered to affect the Microsoft WDAC OLE DB provider for SQL Server. The vulnerability enables remote code execution on affected systems through a specially crafted request. This article provides the essential details of this vulnerability, specific code snippets that exploit the vulnerability, and links to original references.

Vulnerability Overview

CVE-2024-30006 is a remote code execution vulnerability that exists when the OLE DB provider for SQL Server incorrectly processes user input. If exploited, an attacker could execute arbitrary code in the context of the current user. This means that the attacker could gain the same privileges as the current user, modify or delete data, or create new accounts with elevated privileges.

Exploit Details

To exploit this vulnerability, an attacker would either need to convince the target user to visit a malicious website that embeds a specially crafted request or host a malicious website that incorporates this request. The attacker could also use man-in-the-middle attacks or compromised websites to inject the malicious request.

The following code snippet demonstrates the exploit

// Set up the connection string
let connectionString = "Provider='SQLOLEDB'; "
                      + "Server='[server_name]'; "
                      + "Database='[database_name]'; "
                      + "User Id='[user_name]'; "
                      + "Password='[password]'; "
                      + "OLE DB Services=-2; ";
 
// Set up a connection object
let connection = new ActiveXObject("ADODB.Connection");
 
// Open the connection
connection.Open(connectionString);

// Execute the malicious SQL request
let queryString = "EXEC some_injected_code;";  // This is where the attacker inserts the malicious code.
let command = new ActiveXObject("ADODB.Command");
command.ActiveConnection = connection;
command.CommandText = queryString;
command.Execute();

// Close the connection
connection.Close();

An attacker could use obfuscation and other techniques to conceal the injection attempt. Unfortunately, it could lead to data breaches, unauthorized access to sensitive information, or complete system compromise, if successful.

Remediation and Mitigation

Microsoft has published a security patch to address the vulnerability - users are urged to apply the patch immediately to avoid potential exploitation. You can find the patch and more details in the Microsoft Security Response Center (MSRC) bulletin.

Enable comprehensive logging and monitoring to detect potential malicious activity timely.

3. Train users to recognize and report phishing attacks and other social engineering tactics used to deliver malware.

References

- Microsoft Security Response Center: https://msrc.microsoft.com/
- COMMON VULNERABILITIES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30006
- Windows Defender Application Control: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

Conclusion

CVE-2024-30006 is a dangerous remote code execution vulnerability that poses a significant risk to users of the Microsoft WDAC OLE DB provider for SQL Server. Organizations should prioritize patching this high-severity vulnerability and educate users on best practices to avoid potential exploitation. Also, implementing proper security controls and monitoring is vital for early detection and mitigation of the potential impact of this and other similar vulnerabilities.

Timeline

Published on: 05/14/2024 17:16:35 UTC
Last modified on: 06/19/2024 20:58:25 UTC