CVE CyberSecurity Database News

CVE-2023-36402 - Inside Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution – Full Deep Dive

Poster -

---

The 2023 vulnerability tracked as CVE-2023-36402 caught the attention of security experts because of its critical implications for anyone running SQL Server or apps that use Microsoft’s OLE DB provider. In this article, we break down what happened, how it works, and most importantly — what you can do to stay safe. We'll look at code snippets, reference the original advisories, and walk through potential exploit details, with simple terms for everyone.

What is CVE-2023-36402?

CVE-2023-36402 is a remote code execution vulnerability in the Microsoft WDAC (Windows Data Access Components, also known as MDAC) OLE DB provider for SQL Server. If exploited, attackers can execute arbitrary code on the affected machine. This means an attacker might gain control with the privileges of the application that uses the OLE DB provider, such as a web server or app backend.

Microsoft’s advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36402

Technical Details: How It Happens

The root cause appears to be improper validation of user-supplied input by the OLE DB provider. If an attacker manages to feed specially crafted data to an application that’s using the SQL Server OLE DB provider, the untrusted input could end up as malicious code executed with the application’s privileges.

The entry point is typically untrusted SQL commands sent through applications using OLE DB, particularly if the app fails to sanitize input correctly.

Suppose you have a C# app connecting to SQL Server using OLE DB

using System.Data.OleDb;

// BAD CODE!
string userInput = GetUserInput(); // comes from web query or user form
string connString = "Provider=SQLOLEDB;Data Source=localhost;Initial Catalog=TestDB;User ID=sa;Password=secret";
OleDbConnection conn = new OleDbConnection(connString);

string sql = $"SELECT * FROM Users WHERE Username = '{userInput}'"; // DANGER!
OleDbCommand command = new OleDbCommand(sql, conn);

conn.Open();
var reader = command.ExecuteReader();
...
conn.Close();

*If userInput is attacker-controlled and the OLE DB provider has CVE-2023-36402 unpatched, this could lead to code execution on the host.*

Proof-of-Concept Exploit (Education Only!)

Security researchers demonstrated the RCE via specially crafted payloads. Here’s the hypothetical workflow:

Attacker sends malicious parameter to the vulnerable app (such as via a web form).

2. OLE DB provider interprets input in a way that ultimately calls lower-level functions without proper checks.
3. Malicious input triggers code execution, such as writing files or running commands with the privilege of the application.

> WARNING: Do NOT exploit real systems without permission — this is for defensive awareness only.

Example Exploit Snippet

A common exploit for similar vulnerabilities might include attempting to stack SQL statements, escape existing queries, or call dangerous system procedures (like xp_cmdshell).

'; exec xp_cmdshell('calc.exe'); --

If userInput is injected with the above, and the OLE DB provider and SQL Server are poorly configured, this opens the door for arbitrary system command execution ("calc.exe" is a harmless demo).

Why OLE DB Increases the Risk

The OLE DB provider acts as a bridge between your code and SQL Server. Vulnerabilities here surface in any code using the provider, which often has high privileges. This means the weakest link in your app logic, when chained with this vulnerability, can lead to full server compromise.

Affected Software

- Windows Data Access Components (WDAC/MDAC) OLE DB Provider for SQL Server, as shipped in Windows and Office

Used by various programming languages & platforms (C#, VB, ASP, classic ASP, etc.)

Microsoft Fix:
Patched in regular June 2023 Patch Tuesday release.
See the official update:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36402

How to Stay Safe

1. Patch ASAP
Apply Microsoft’s June 2023 critical security update. It addresses the vulnerable component directly.

2. Disable OLE DB Provider if Unused
If your app doesn’t use OLE DB, remove or disable it via Windows features.

3. Principle of Least Privilege
Run apps and SQL Server with the lowest privileges necessary. Never use sa or administrator accounts for app connections.

4. Strict Input Validation
Always sanitize user input, especially SQL statements. Use parameterized queries instead of string concatenation.

Example Secure Code

string sql = "SELECT * FROM Users WHERE Username = ?";
OleDbCommand command = new OleDbCommand(sql, conn);
command.Parameters.AddWithValue("@Username", userInput);

5. Monitor for Strange Behavior
Audit connection logs and system events for anomalies, such as failed logins or odd commands.

Key References

- Microsoft CVE-2023-36402 Advisory
- NIST NVD Record
- Microsoft Data Access Components

Final Thoughts

CVE-2023-36402 is a wake-up call for everyone using Microsoft’s OLE DB provider for SQL Server: these core components are a critical attack surface. With patching, secure coding, and a well-configured environment, you can avoid the dangerous consequences of this RCE bug.

*Patching is not just IT’s job — it’s everyone’s job.*

Timeline

Published on: 11/14/2023 18:15:41 UTC
Last modified on: 11/20/2023 19:54:50 UTC