The 2008 Pwnie Nominee For Best Server-Side Bug

SQL Server 2005 (CVE-2007-4560)

Discovered by: Brett Moore

Just in time for the Pwnie nominations to close, Brett Moore and Microsoft bring you the first security bulletin affecting SQL Server 2005. This vulnerability, exposed to an unprivileged SQL user, occurs when SQL Server attempts to restore a corrupt database backup. The database backup may be hosted on a remote SMB or WebDAV server, making this a remote code execution exploit that can also be triggered through a SQL injection vulnerability.

The best part is from Insomnia Security’s advisory:

SQL server appears to use its own dynamic heap management, which makes exploitation different from a standard heap overflow. Using custom heap management routines means that the standard heap protection mechanisms are not in place.

If this vulnerability wins a Pwnie, David Litchfield has promised to come up on stage and present it to Brett.
