CVE-2024-43519 - Numeric Truncation Error

Severity

88%

Complexity

27%

Confidentiality

98%

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVSS 3.1 Base Score 8.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Demo Examples

Numeric Truncation Error

CWE-197

This example, while not exploitable, shows the possible mangling of values associated with truncation errors:


               
printf("Int MAXINT: %d\nShort MAXINT: %d\n", intPrimitive, shortPrimitive);

The above code, when compiled and run on certain systems, returns the following output:


               
Short MAXINT: -1

This problem may be exploitable when the truncated value is used as an array index, which can happen implicitly when 64-bit values are used as indexes, as they are truncated to 32 bits.

Numeric Truncation Error

CWE-197

In the following Java example, the method updateSalesForProduct is part of a business application class that updates the sales information for a particular product. The method receives as arguments the product ID and the integer amount sold. The product ID is used to retrieve the total product count from an inventory object which returns the count as an integer. Before calling the method of the sales object to update the sales count the integer values are converted to The primitive type short since the method requires short type for the method arguments.


               
...// update sales database for number of product sold with product ID

                     
sales.updateSalesCount(productID, count, sold);// get the total number of products in inventory database// convert integer values to short, the method for the// sales object requires the parameters to be of type short// update sales database for product

However, a numeric truncation error can occur if the integer values are higher than the maximum value allowed for the primitive type short. This can cause unexpected results or loss or corruption of data. In this case the sales database may be corrupted with incorrect data. Explicit casting from a from a larger size primitive type to a smaller size primitive type should be prevented. The following example an if statement is added to validate that the integer values less than the maximum value for the primitive type short before the explicit cast and the call to the sales method.


               
...// update sales database for number of product sold with product ID

                     
}// get the total number of products in inventory database// make sure that integer numbers are not greater than// maximum value for type short before converting

                           
sales.updateSalesCount(productID, count, sold);// convert integer values to short, the method for the// sales object requires the parameters to be of type short// update sales database for product
// throw exception or perform other processing
...

Overview

Type

Microsoft Windows Server

First reported 4 months ago

2024-10-08 18:15:00

Last updated 4 months ago

2024-10-17 18:53:00

Affected Software

Microsoft Windows Server 2012

Microsoft Windows Server 2016

Microsoft Windows Server 2019

References

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.