CVE-2024-28945 is a critical Remote Code Execution (RCE) vulnerability found in the Microsoft OLE DB Driver for SQL Server. As of June 2024, this bug enables attackers to execute arbitrary code on target Windows systems if they successfully trick a user or service into opening a specially-crafted connection or file. This vulnerability poses a major security risk, especially for servers or applications that manage sensitive data, because it can lead to full system compromise.
Affected Versions:
Severity: Critical (CVSS 9.8)
For Microsoft’s official advisory, see:
Microsoft Security Update Guide - CVE-2024-28945
How The Vulnerability Works
The root cause lies in improper parsing of server responses or malformed data by the OLE DB driver. If an attacker can control a SQL Server or set up a fake one, they can return malicious payloads that the OLE DB client mishandles, triggering code execution.
Common Exploitation Scenarios
- Malicious SQL Servers: The attacker tricks a target application to connect to a rogue SQL Server that responds with malicious data.
- Man-in-the-Middle Attacks: An attacker intercepts or relays data between client and SQL server, injecting code via protocol fields expected by the OLE DB driver.
Attacker Prepares Malicious SQL Server:
Set up an SQL server that returns abnormal or specifically crafted protocol packets when clients connect.
Victim Connects Using OLE DB Driver:
The victim application or user connects to the attacker's malicious server using a typical connection string.
OLE DB Driver Processes Malformed Packet:
The vulnerable driver parses the malicious content. Due to the bug, this leads to execution of embedded code under the current process' privileges.
Code Example: Vulnerable Connection
using System.Data.OleDb;
string connStr = "Provider=MSOLEDBSQL;Data Source=attacker-server.example.com;Initial Catalog=TestDB;User Id=sa;Password=P@ssword;";
using (OleDbConnection conn = new OleDbConnection(connStr))
{
conn.Open(); // Opening this connection could trigger the vulnerability!
// Further DB actions...
}
Warning: Connecting to untrusted SQL Servers with the OLE DB SQL driver *could be dangerous.*
How Attackers Can Craft a Malicious SQL Server
Attackers might set up an open-source SQL server clone or use packet crafting tools (like Impacket or Metasploit) to send malformed protocol responses.
A simple demo using Python socket server (for simulation only!)
import socket
# Malicious response that exploits vulnerability (pseudocode / for demo ONLY)
malicious_payload = b'\x04\x01\x00...'
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(('...', 1433)) # SQL Server default port
server.listen(1)
print("Fake SQL Server is waiting for connections...")
conn, addr = server.accept()
print(f"Connection from {addr}")
conn.sendall(malicious_payload)
conn.close()
Note: Real payloads require detailed knowledge of the buggy code path.
Real-World Impact
- Compromised Applications: Any app using OLE DB to connect to untrusted or user-supplied database servers can be hijacked.
- Lateral Movement: If an attacker gets an initial foothold, they can use this bug for privilege escalation or to deploy ransomware.
- Cloud & On-Premise: Both cloud deployments and on-premise Windows servers are impacted if unpatched.
Microsoft released a fixed OLE DB Driver. Download the latest version at:
Microsoft OLE DB Driver for SQL Server Downloads
Further Reading and References
- Microsoft Security Advisory - CVE-2024-28945
- CERT/CC Note _(if published)_
- Impacket (SQL protocol tools)
- MSOLEDBSQL Driver Docs
- Official Patch Download Page
TL;DR
CVE-2024-28945 is a critical bug in the Microsoft OLE DB Driver for SQL Server that lets attackers run remote code if they can control the SQL Server you connect to.
Patch your OLE DB drivers, and never trust unknown SQL Servers!
Stay safe, stay updated—and always check your connection strings!
Timeline
Published on: 04/09/2024 17:15:57 UTC
Last modified on: 04/10/2024 13:24:00 UTC