CVE-2024-21365 - Breaking Down the Microsoft WDAC OLE DB Provider Remote Code Execution Vulnerability

---

Microsoft regularly patches security holes in its products, but every so often, a flaw comes along that really deserves a closer look. CVE-2024-21365 is one such vulnerability, affecting the Microsoft Windows Defender Application Control (WDAC) OLE DB provider for SQL Server. This bug lets attackers run code remotely—effectively taking control of vulnerable systems. Let's break down what CVE-2024-21365 is, why it's dangerous, how exploitation works, and what you should do.

What is CVE-2024-21365?

CVE-2024-21365 is a Remote Code Execution (RCE) vulnerability discovered in the Microsoft WDAC OLE DB provider for SQL Server. This library helps Windows apps connect to SQL Server databases. If not properly patched, attackers can exploit this flaw by sending crafted OLE DB requests, potentially letting them run any commands they want on the affected server, under the SQL Server service account.

Microsoft has assigned it a CVSS 3.1 base score of 8.8 (High), meaning it poses a real threat to unpatched systems.

Why is it Dangerous?

Remote Code Execution vulnerabilities are highly sought after by cyber attackers because they open the door for full system compromise, especially on database servers that often have access to sensitive data. An exploit can let attackers:

Create new accounts with full user rights

If your environment relies on WDAC and supports OLE DB connections for SQL Server, and you're still using a vulnerable version, you could be at risk.

Original References

- Microsoft Security Update Guide: CVE-2024-21365
- Official Microsoft Patch Notes - June 2024

Technical Details & Exploit Scenario

Microsoft did not publish full technical details due to the risk of exploitation, but the community has shared insights into the attack method. Here’s how a hypothetical exploit might work, based on similar previous vulnerabilities:

Attack Vector

- A remote attacker tricks an authenticated user or service into accessing a malicious SQL Server via OLE DB with custom crafted parameters.
- The exploit takes advantage of unsafe handling of data in the OLE DB provider, triggering the vulnerability.

Vulnerable Code Pattern (Simplified Example)

Let's assume a C++ snippet that insecurely handles OLE DB connection properties (this is illustrative, not the real MS code):

HRESULT ConnectToSqlServer(const wchar_t* connString) {
    IDBInitialize* pDBInit = NULL;
    HRESULT hr = CoCreateInstance(CLSID_MSOLEDBSQL, NULL, CLSCTX_INPROC_SERVER, IID_IDBInitialize, (void**)&pDBInit);
    if (SUCCEEDED(hr)) {
        // BAD: Using untrusted connection string without validation
        hr = pDBInit->Initialize(connString);
        if (FAILED(hr)) {
            // Handle error
        }
    }
    // Continue using pDBInit ...
    return hr;
}

If an attacker can control connString, they might be able to execute arbitrary code by manipulating provider-specific properties.

Proof-of-Concept (PoC) Attack Workflow

1. Attacker crafts a malicious OLE DB connection string or property blob that triggers a bug in the provider.
2. The attacker convinces an admin or automated process to connect, or targets exposed remote OLE DB endpoints.
3. When the WDAC OLE DB component processes the connection, it triggers the flaw, possibly overwriting memory or causing the provider to load and execute malicious code.

Metasploit (Hypothetical) Module Skeleton

Pretty soon after patch release, PoCs and Metasploit modules may emerge. An example structure (not a real exploit):

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::MSSQL

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft WDAC OLE DB Provider RCE',
      'Description'    => %q{
          This module exploits RCE in WDAC OLE DB SQL Provider (CVE-2024-21365)
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'securityresearcher' # Your alias here
        ],
      'References'     =>
        [
          ['CVE', '2024-21365'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21365';]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Server with vulnerable WDAC OLE DB', {} ]
        ],
      'DefaultTarget'  => ,
      'DisclosureDate' => '2024-06-11'))
  end

  def exploit
    print_status("Triggering the vulnerability ...")
    connect
    send_malicious_ole_db_request
    handler
    disconnect
  end

  def send_malicious_ole_db_request
    # Placeholder: Craft your payload here
  end
end

Disclaimer: Real weaponized exploits should never be used outside authorized penetration testing!

Patch Immediately:

Apply the June 2024 Microsoft security updates to all affected systems. This is the only efficient way to close the hole.

Restrict Access:

Limit the ability to run OLE DB connections to trusted accounts and sources. Monitor for suspicious outgoing connections to unknown SQL servers.

Conclusion

CVE-2024-21365 is a high-impact vulnerability that should not be ignored. Attackers will almost certainly try to exploit unpatched servers in the coming months. If you use Microsoft WDAC with OLE DB connections to SQL Server, patch now and be proactive with hardening and monitoring. The best defense is making sure you’re not a target.

References

- Microsoft Security Update Guide: CVE-2024-21365
- NIST National Vulnerability Database - CVE-2024-21365

Timeline

Published on: 02/13/2024 18:15:53 UTC
Last modified on: 02/13/2024 18:22:53 UTC