
eEye Digital Security

The endpoint to vulnerability starts here.


CVE-2008-5416

Last post 02-05-2009 1:58 PM by nomuus. 13 replies.
  • 12-25-2008 6:55 PM

    CVE-2008-5416

    I am getting a high risk vulnerability for CVE-2008-5416, namely "Microsoft SQL contains a vulnerability in the sp_replwritetovarbin extended stored procedure..." during a vulnerability assessment on my Windows XP laptop. On a similarly configured desktop I don't see this.  What is the cause for this and what could be the difference between the two?  I do not run MS SQL Server on either.  Thanks.

  • 12-25-2008 9:34 PM In reply to

    Re: CVE-2008-5416

     Are both your Windows XP the same (i.e. Professional or Home)? 

  • 12-29-2008 6:25 PM In reply to

    Re: CVE-2008-5416

    vkundakci:

    I am getting a high risk vulnerability for CVE-2008-5416, namely "Microsoft SQL contains a vulnerability in the sp_replwritetovarbin extended stored procedure..." during a vulnerability assessment on my Windows XP laptop. On a similarly configured desktop I don't see this.  What is the cause for this and what could be the difference between the two?  I do not run MS SQL Server on either.  Thanks.

    This is a zero-day vulnerability that will only flag on your system if SQL Server is installed on your system. Since it is being exploited in the wild and Microsoft is still investigating the vulnerability, the audit is only checking general characteristics of an SQL Server installation.  The audit will be updated once Microsoft releases a patch for this vulnerability and further details are disclosed on exactly which versions of SQL Server are affected.

    Per Microsoft Security Advisory (http://www.microsoft.com/technet/security/advisory/961040.mspx):

    Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

     

    Please take a look at the Suggested Actions in the referenced MS Security Advisory.

    eEye Preview Service offers an in-depth analysis of emerging zero-day threats, including CVE-2008-5416. For more information visit http://www.eeye.com/html/services/preview/index.html

  • 12-29-2008 9:13 PM In reply to

    Re: CVE-2008-5416

    Both Professional, XP SP3; one is a desktop Dell GX, the other a Vaio laptop.  The Vaio is displaying the vulnerability.

    I want to know what files or status triggers this vulnerability in Blink Personal so that I can track it down.  Neither machine has SQL Server installed.  One of the articles talks about WYukon (Windows Internal Database).  I don't know what it is, but that's the only non-SQL Server component listed in the article that seems to have this malaise in XP, possibly.

  • 01-02-2009 1:46 PM In reply to

    Re: CVE-2008-5416

    I have read all the articles by Microsoft, Secunia, etc.  I do not have SQL server running on my system.  Is there anything else that will trigger this vulnerability, possibly as a false positive?  What is Blink finding to report this problem?  Is it a file?  A registry entry?

    nomuus:

    vkundakci:

    I am getting a high risk vulnerability for CVE-2008-5416, namely "Microsoft SQL contains a vulnerability in the sp_replwritetovarbin extended stored procedure..." during a vulnerability assessment on my Windows XP laptop. On a similarly configured desktop I don't see this.  What is the cause for this and what could be the difference between the two?  I do not run MS SQL Server on either.  Thanks.

    This is a zero-day vulnerability that will only flag on your system if SQL Server is installed on your system. Since it is being exploited in the wild and Microsoft is still investigating the vulnerability, the audit is only checking general characteristics of an SQL Server installation.  The audit will be updated once Microsoft releases a patch for this vulnerability and further details are disclosed on exactly which versions of SQL Server are affected.

    Per Microsoft Security Advisory (http://www.microsoft.com/technet/security/advisory/961040.mspx):

    Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

     

    Please take a look at the Suggested Actions in the referenced MS Security Advisory.

    eEye Preview Service offers an in-depth analysis of emerging zero-day threats, including CVE-2008-5416. For more information visit http://www.eeye.com/html/services/preview/index.html

  • 01-02-2009 3:12 PM In reply to

    Re: CVE-2008-5416

    vkundakci:
    Is it a file?  A registry entry?

    It can be anything, ranging from a particular "vulnerable" file (a .dll file, executable, etc.) that is used in all Windows-based systems to a component that Windows XP has in common too.  In this case, I am guessing, it is probably something dealing with either:

    1. Windows Server Update Services (WSUS): http://technet.microsoft.com/en-us/wsus/default.aspx

    2. Windows SharePoint Services: http://technet.microsoft.com/en-us/windowsserver/sharepoint/bb848085.aspx

    Note: This has some connections and dealings with Windows ASP.NET-based components (these do exist in Windows XP).

    Both of these are a part of the Windows Internal Database:  http://en.wikipedia.org/wiki/Windows_Internal_Database

    It can be quite confusing at times, but makes sense after you look into it some.

  • 01-02-2009 5:02 PM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 155

    Re: CVE-2008-5416

    Can you please try opening regedit.exe, then see if either of the following keys exists?

    **Caution: Do not modify the registry unless you know exactly what you're changing and why.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server

  • 01-02-2009 5:33 PM In reply to

    Re: CVE-2008-5416

    They both exist. Here's what they are:

    MSSQLServer

        Client

            SuperSocketNetLib

                LastConnect

                VIA

     

    Microsoft SQL Server

        MICROSOFTBCM

            HotFixes

                0818

            SQLServerAgent

     

     

    I also noticed that there is a \Program Files\Microsoft SQL Server directory.  I have a suspicion it was installed by a SQLHotfix dated 4/2006 in my \Windows directory.  That date was before I got my new laptop.  I deleted it from my \Program Files.  It did not make a difference to Blink.

    Thanks.  /V

    bpatten:

    Can you please try opening regedit.exe, then see if either of the following keys exists?

    **Caution: Do not modify the registry unless you know exactly what you're changing and why.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server

  • 01-02-2009 6:01 PM In reply to

    Re: CVE-2008-5416

    Aren't these both applicable to Windows Server only?  I am running a poor old XP system.

    By the way, this vulnerability started showing up only recently.  I am thinking that the eEye guys just coded the test for it.  What are they testing?

  • 01-02-2009 8:10 PM In reply to

    Re: CVE-2008-5416

    Thanks for the lead regarding these registry entries...  I found out that my laptop came with software called VAIO Entertainment Platform which apparently includes a copy of MS SQL Server.  Supposedly, removing the former is supposed to get rid of the SQL Server.  Well, it does not.  So I renamed \Program Files\Microsoft SQL Server\, which I had done before without any results, AND renamed the two registry keys HKLM\Software\MSSQLServer and Microsoft SQL Server.  Vulnerability gone!  Thanks all.  /V

  • 01-21-2009 11:29 PM In reply to

    Re: CVE-2008-5416

    vkundakci:

    Thanks for the lead regarding these registry entries...  I found out that my laptop came with software called VAIO Entertainment Platform which apparently includes a copy of MS SQL Server.  Supposedly, removing the former is supposed to get rid of the SQL Server.  Well, it does not.  So I renamed \Program Files\Microsoft SQL Server\, which I had done before without any results, AND renamed the two registry keys HKLM\Software\MSSQLServer and Microsoft SQL Server.  Vulnerability gone!  Thanks all.  /V

    You have it installed, so renaming some files is not necessarily going to stop it from being instantiated, meaning the vulnerability isn't really resolved.  There should be an uninstaller located within the SQL Server directory or an Uninstall entry in Add/Remove Programs, and though the VAIO app may have included it, it's possible that it couldn't be removed because it was running /or/ some other program was using it.  (It can be really difficult tracking down dependencies!)  The real truth is that you should research exactly how to remove the vulnerable application, rather than doing a registry hack to exclude it from scans (which will cause other issues with future scans -- such as false negatives).  If you really want to exclude the audit, choose the "Exclude this audit" feature in Blink.

  • 02-03-2009 7:53 PM In reply to

    Re: CVE-2008-5416

    I had renamed the directories and files to originalnames.delete.me.  So were the registry keys.  They have been deleted once I determined that there were no side effects of renaming them. By the way, there were no uninstall files nor any uninstall entry in Add/Remove Programs. My original confusion was the result of the fact that I did not even know SQL Server was installed. And getting rid of the server directory from Program Files alone did not fix the vulnerability warning from Blink.  I was hoping to find out what Blink was looking for to determine what to clean up.  It turned out to be the two registry keys that I deleted.  Thanks.

  • 02-04-2009 11:29 PM In reply to

    • Ziad
    • Top 75 Contributor
    • Joined on 01-20-2009
    • Posts 12

    Re: CVE-2008-5416

    There are many vertical apps, as well as crapware, that install MS SQL Server Express.  Some do it well, allowing you to see and uninstall MS SQL Server Express from Add/Remove Programs, and others hide it to prevent having their implementation disabled.

    http://www.microsoft.com/Sqlserver/2005/en/us/express.aspx

    You can look in the \Program Files\Microsoft SQL Server\ folder you found for SQL Server Management Studio, Surface Area Configuration, Configuration Manager, or sqlcmd.exe, which would help you determine which application brought MS SQL to your computer, resolve conflicts between instances, and uninstall part or all of the software.  Microsoft is, as always, deprecating one or the other of its DB admin tools and moving functionality between them, so it takes a little poking around.

    I know you have solved the problem, but this is for others who may be wondering how/why MS SQL ever got into their machines.....

     

    vkundakci:

    Thanks for the lead regarding these registry entries...  I found out that my laptop came with software called VAIO Entertainment Platform which apparently includes a copy of MS SQL Server.  Supposedly, removing the former is supposed to get rid of the SQL Server.  Well, it does not.  So I renamed \Program Files\Microsoft SQL Server\, which I had done before without any results, AND renamed the two registry keys HKLM\Software\MSSQLServer and Microsoft SQL Server.  Vulnerability gone!  Thanks all.  /V

     
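    The following script is an added example, not code from eEye, Blink, or anyone in this thread. It gathers in one read-only pass the indicators discussed above: the two registry keys bpatten asked about, the \Program Files\Microsoft SQL Server\ directory and the admin tools Ziad mentions, plus the Add/Remove Programs entries and services that nomuus says a rename does not clean up. The tool file names in $adminTools are assumptions; adjust them for your SQL Server version.

```powershell
# Added example (not from the thread, eEye or Microsoft): read-only inventory of
# the SQL Server indicators discussed in this thread. Run as an administrator.

# Registry keys bpatten asked about (what a presence check would key on)
$presenceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer',
    'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
)
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$sqlDir       = Join-Path $env:ProgramFiles 'Microsoft SQL Server'
# Admin tools Ziad mentions; these file names are assumptions for SQL 2005-era installs
$adminTools   = @('sqlcmd.exe', 'SqlWb.exe', 'SqlSAC.exe')

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Indicator, [bool]$Present) {
    [void]$findings.Add((New-Object PSObject -Property @{ Indicator = $Indicator; Present = $Present }))
}

# 1. Presence keys: a scanner may flag on these even with no running instance
foreach ($key in $presenceKeys) { Add-Finding "Registry: $key" (Test-Path $key) }

# 2. Add/Remove Programs: if an entry exists, uninstall from there rather than deleting keys
Get-ChildItem $uninstallKey -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName -like '*SQL Server*' } |
    ForEach-Object { Add-Finding "Uninstall entry: $($_.DisplayName)" $true }

# 3. Install directory and the admin tools that help identify which app brought SQL in
Add-Finding "Directory: $sqlDir" (Test-Path $sqlDir)
if (Test-Path $sqlDir) {
    foreach ($tool in $adminTools) {
        $hit = Get-ChildItem $sqlDir -Recurse -Filter $tool -ErrorAction SilentlyContinue |
               Select-Object -First 1
        Add-Finding "Tool: $tool" ([bool]$hit)
    }
}

# 4. Services: a renamed directory does not unregister an instance or its agent
Get-Service | Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -like 'SQLAgent*' } |
    ForEach-Object { Add-Finding "Service: $($_.Name) ($($_.Status))" $true }

$findings | Select-Object Indicator, Present | Format-Table -AutoSize
```

    A host where only the two registry keys and the directory show Present, with no uninstall entry and no service, matches the situation in this thread; a Present service or uninstall entry means a real instance is registered and should be removed through its uninstaller, not by renaming.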

  • 02-05-2009 1:58 PM In reply to

    Re: CVE-2008-5416

    FYI - Looks like we'll be seeing a patch next week!

    Microsoft Security Bulletin Advance Notification for February 2009

    Microsoft SQL Server - Important - Remote Code Execution

    http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx

    UPDATE:

    The zero-day Retina check for this vulnerability has since been deleted and replaced with checks that audit for the patches listed in Microsoft Security Bulletin MS09-004.

    Please visit Microsoft's website to obtain updates...
    http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

© 1995 - 2009 eEye Incorporated