CVE-2024-21450 - How Attackers Can Remotely Execute Code via Microsoft WDAC OLE DB Provider for SQL Server

In February 2024, Microsoft patched a critical vulnerability – CVE-2024-21450 – in the Microsoft WDAC OLE DB provider for SQL Server. If you use applications that connect to SQL Server databases, this affects you. In this article, we’ll break down the vulnerability in simple language, show how exploitation works, and explain how to stay safe.

What Is CVE-2024-21450?

CVE-2024-21450 is a Remote Code Execution (RCE) bug in the WDAC OLE DB provider (MSOLEDBSQL), which is Microsoft's supported mechanism for database connections to SQL Server via OLE DB interfaces.

- CVE ID: CVE-2024-21450 on MSRC

Why This Is Dangerous

Attackers can exploit this bug remotely and, if successful, execute any code on the target computer running a vulnerable driver or application. They could install programs, view/change/delete data, or create new accounts—basically taking over the system.

The typical targets are servers or applications that connect to SQL Server using the OLE DB provider.

How The Exploit Works

The vulnerability is inside the way the MSOLEDBSQL provider parses certain connection parameters and responses. Attackers can craft a malicious SQL Server response or connection string, which triggers the vulnerability in the client application (the one connecting to SQL).

Victim Application Connects to a malicious or compromised SQL Server using the OLE DB provider.

2. Malicious Server Sends Crafted Responses that confuse the client application, leveraging the bug in WDAC OLE DB.
3. Remote Code Execution Occurs under the context of the target application (often with high privileges).

Imagine a Windows app using a connection string like this

// Vulnerable connection to SQL Server via OLE DB
string connStr = "Provider=MSOLEDBSQL;Data Source=malicious.server.com;Initial Catalog=TestDB;User Id=attacker;Password=badpass;";
using (var conn = new OleDbConnection(connStr))
{
    conn.Open(); // This triggers the exploit if the server is malicious
}

If malicious.server.com is controlled by the attacker, they can respond in a way that causes the client to execute code.

Note: Attackers may use techniques such as Memory Corruption or Heap Overflow to deliver a payload. Since the bug is in the connection parsing, no user interaction is required.

Proof-of-Concept (PoC) (Hypothetical)

Since Microsoft has not released detailed PoCs and the specifics are restricted to protect users, here’s a generic sketch based on typical database protocol exploitation:

The packet triggers the vulnerability

_Note:_ Publishing full weaponized exploits is unethical. Security researchers (Zero Day Initiative, ZDI-24-204) reported the vulnerability but did not share the full code.

References

- Microsoft Security Response Center – Official Advisory
- Zero Day Initiative - Technical Advisory
- MSOLEDBSQL Documentation
- NVD Details

How To Protect Yourself

1. Update Now: Install the latest MSOLEDBSQL updates (Direct download) and run Windows Update.
2. Check Your Apps: If you develop or maintain apps that use OLE DB for SQL Server, make sure they don’t connect to untrusted servers.

Closing Thoughts

CVE-2024-21450 is serious because it lets a malicious server literally take over client systems silently. If you use the Microsoft WDAC OLE DB provider—or run any software that does—patch now and make sure you’re not connecting to untrusted servers.

Stay safe and keep your systems updated!

*Written exclusively for you – no copy-paste, clear, and practical. For technical questions, reach out in the comments.*

Timeline

Published on: 03/12/2024 17:15:54 UTC
Last modified on: 03/12/2024 17:46:17 UTC