CVE-2023-36728 — SQL Server (sqllang.dll) ReadIDCRLToken Pre-Auth Integer Underflow → OOB Read DoS

Last updated: 2026-07-02
Severity: Medium/High — pre-auth remote DoS with potential info-leak
Component: sqllang.dll (Microsoft SQL Server 2022, build 2022.160.4035.4) — CFedAuthFeatureExtension::ReadIDCRLToken
Bug Class: Unsigned integer underflow bypasses a length check → out-of-bounds read (CWE-125 / CWE-119)
Prerequisite: SQL Server configured with Azure AD (Entra ID) authentication
Related: Integer Overflows, Compiler & UB Pitfalls, CVE-2024-29050 (CryptoAPI)

Vulnerability Summary

A pre-authentication out-of-bounds read in Microsoft SQL Server 2022. When SQL Server is configured for Azure AD authentication, an attacker can send a malformed TDS (Tabular Data Stream) login packet whose federated-auth token length field is 3. A len - 4 computation on that value underflows to 0xffffffff, which then slips past a signed length-validation check and reaches a memcpy_s with an oversized length — reading beyond the heap allocation. The result is a per-connection crash (DoS) with potential heap information disclosure.


Affected Code Path

TDS login (pre-auth) → CFedAuthFeatureExtension::ReadIDCRLToken(this, a2 /*buf*/, a3 /*len*/)
    v10 = *a3 - 4;                         // *a3 == 3  →  v10 = 0xffffffff
    if (v10 >= (int)len1 + 0x40) {         // signed compare: check bypassed
        memcpy_s(*((void**)this + 7), len1, v8, len1);   // OOB read
    }

Key function: CFedAuthFeatureExtension::ReadIDCRLToken in sqllang.dll.


Root Cause Analysis

ReadIDCRLToken accepts a user-controlled buffer (a2) and length (a3) from the TDS feature-extension data with no lower-bound validation. The code computes v10 = *a3 - 4. When *a3 == 3, the unsigned subtraction wraps to 0xffffffff. The subsequent bounds check if (v10 >= (int)len1 + 0x40) compares this as a signed integer, so the wrapped value passes and the code proceeds into a memcpy_s sized from adjacent fields — reading past the intended buffer. This is the same “small value − constant → huge value” arithmetic-underflow class seen in many parser bugs; see Integer Overflows.
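The pattern above, modelled in C as an added example (not sqllang.dll code): the vulnerable check beside a hardened one that validates the lower bound before subtracting, guards the addition, and ties the declared length to the bytes actually received. Names such as token_len, copy_len and TOKEN_HDR are assumptions; EXT_HDR is the 0x40 constant from the decompilation quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TOKEN_HDR 4u    /* bytes subtracted before the body (assumed layout) */
#define EXT_HDR   0x40  /* constant from the page's decompiled check */

/* Vulnerable pattern: token_len - 4 wraps to 0xffffffff for token_len < 4,
 * and the int operand is converted to unsigned for the compare, so the
 * wrapped value satisfies the check for any copy_len. 1 = copy allowed. */
static int vuln_check(uint32_t token_len, uint32_t copy_len) {
    uint32_t remaining = token_len - TOKEN_HDR;
    return remaining >= (int)copy_len + EXT_HDR;
}

/* Hardened check: reject short tokens before subtracting, guard the addition
 * against wrap, and require the declared length to fit the received bytes. */
static int safe_check(uint32_t token_len, uint32_t copy_len, size_t received) {
    if (token_len < TOKEN_HDR || token_len > received) return 0;
    uint32_t remaining = token_len - TOKEN_HDR;
    if (copy_len > UINT32_MAX - EXT_HDR) return 0;
    return remaining >= copy_len + EXT_HDR;
}

/* Copy copy_len body bytes only when safe_check passes; the check guarantees
 * TOKEN_HDR + EXT_HDR + copy_len <= token_len <= received, so the read stays
 * inside the buffer. Returns bytes copied, 0 when the extension is rejected. */
static size_t read_token(const uint8_t *ext, size_t received, uint32_t token_len,
                         uint32_t copy_len, uint8_t *out, size_t out_len) {
    if (!safe_check(token_len, copy_len, received) || copy_len > out_len) return 0;
    memcpy(out, ext + TOKEN_HDR + EXT_HDR, copy_len);
    return copy_len;
}

static uint8_t sample_ext[100];  /* constructed: 100 bytes received */
static uint8_t out_buf[16];

int main(void) {
    printf("vuln_check(3, 16) -> %d  (wrapped length passes: OOB read)\n",
           vuln_check(3, 16));
    printf("safe_check(3, 16) -> %d  (rejected)\n", safe_check(3, 16, 3));
    printf("read_token(valid) -> %zu bytes\n",
           read_token(sample_ext, sizeof sample_ext, 100, 16, out_buf, sizeof out_buf));
    return 0;
}
```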


Impact

  • Thread termination: the offending connection thread crashes; the service itself stays up initially.
  • Cascading failure: repeated exploitation accumulates thread failures until legitimate clients — even a local SSMS — can no longer connect, and the SQL Server Configuration Manager cannot restart the service.
  • Information disclosure: the over-read can leak adjacent heap contents when combined with additional techniques.

Exploitation Notes

Requirements: SQL Server 2022 with Azure AD integration enabled, and a crafted TDS packet carrying a federated-auth feature extension whose length field equals 3. The PoC intercepts the SSL/TLS login handshake with GDB to inject the malformed payload during negotiation. Exploitable before credentials are validated.

Affected versions: SQL Server 2022 confirmed on sqllang.dll 2022.160.4035.4; likely other 2022 builds with a vulnerable sqllang.dll.


References