Re: Microsoft SQL Server 2000 'BULK INSERT' Buffer Overflow (#NISR11072002)

From: Aaron C. Newman (aaron@NEWMAN-FAMILY.COM)
Date: 07/12/02 

Date:         Thu, 11 Jul 2002 22:20:46 -0400
From: "Aaron C. Newman" <aaron@NEWMAN-FAMILY.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

You only need to be granted the bulkadmin fixed server role to execute
BULK INSERT. You do NOT need to have sysadmin to execute BULK INSERT
(yes, I have tested this several times).

So this vulnerability leads to a privilege escalation.

Regards,
Aaron
_______________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-490-6022
Fax: 212-490-6456
- Protection Where It Counts -

-----Original Message-----
From: Hall, Philip [mailto:phall@spss.com]
Sent: Thursday, July 11, 2002 10:57 AM
To: bugtraq@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com;
vulnwatch@vulnwatch.org
Subject: RE: Microsoft SQL Server 2000 'BULK INSERT' Buffer Overflow
(#NISR11072002)

> To be able to use the 'BULK INSERT' query one must have the
> privileges of the database owner or dbo. Note this does not
> necessarily imply 'sa' equivalence.

In fact, you need to be a member of the sysadmin and bulkadmin fixed
server roles to be able to execute BULK INSERT, both of these have to be
explicitly set, if you're not user 'sa'

--phil

Relevant Pages