Microsoft SQL Server Stored procedures [sp_MSSetServerPropertiesn and sp_MSsetalertinfo] (#NISR03092002A)

From: NGSSoftware Insight Security Research (nisr@NEXTGENSS.COM)
Date: 09/02/02


Date:         Mon, 2 Sep 2002 20:07:33 +0100
From: NGSSoftware Insight Security Research <nisr@NEXTGENSS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NGSSoftware Insight Security Research Advisory

Name: sp_MSSetServerPropertiesn and sp_MSsetalertinfo
Systems: Microsoft SQL Server 2000
Severity: Low Risk
Category: Configuration
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL:
http://www.ngssoftware.com/advisories/mssql-sp_MSSetServerProperties.txt
Date: 3rd September 2002
Advisory number: #NISR03092002A

Details
*******
sp_MSSetServerProperties is a stored procedure for internal use.
sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL
Server starts up automatically or manually and as the 'public' role can
execute this stored procedure, by default, it means that low privileged
users can modify this. This is a low risk issue. It does not allow an
attacker to compromise the server or data but may be used in conjunction
with another attack. For example an attacker may not want SQL Server to
restart on server reboot if they set a shell listening on TCP port 1433.

The sp_MSsetalertinfo stored procedure can be execute by the public role and
allows low privileged users to modify alert information such as the e-mail
address where alerts should be sent to.

Fix Information
***************
NGSSoftware alerted Microsoft to these problems on the 22nd of August. SQL
Server administrators are advised to disallow the 'public' role from
executing these stored procedure using the following Transact SQL.

use master
go
drop execute on [sp_MSSetServerProperties] to [public]
go
drop execute on [sp_MSsetalertinfo] to [public]
go

A check and fix for these problems have been added to NGSSQUirreL, an SQL
Server security management tool, of which more information is available from
the NGSSite: http://www.nextgenss.com/.



Relevant Pages

  • Microsoft SQL Server Stored procedures [sp_MSSetServerPropertiesn and sp_MSsetalertinfo] (#NISR03092
    ... sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL ... Server starts up automatically or manually and as the 'public' role can ... execute this stored procedure, by default, it means that low privileged ... This is a low risk issue. ...
    (Bugtraq)
  • [VulnWatch] Microsoft SQL Server Stored procedures [sp_MSSetServerPropertiesn and sp_MSsetalertinfo]
    ... sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL ... Server starts up automatically or manually and as the 'public' role can ... execute this stored procedure, by default, it means that low privileged ... This is a low risk issue. ...
    (VulnWatch)
  • Re: Stored procedure/trigger and scripts
    ... SQL Server has permissions to execute xp_cmdshell. ... Please read up on xp_cmdshell within Books Online (within the SQL Server program group). ... >> client to change their password they have to call the "Client Relations" ...
    (microsoft.public.sqlserver.programming)
  • Re: Problem with bulk load security.
    ... The only user that didn't have the bulkadmin roll was the ID that SQL ... Did you to EXECUTE AS USER or EXECUTE ... Links for SQL Server Books Online: ... DDL Triggers with Server Scope and logon triggers ...
    (microsoft.public.sqlserver.security)
  • Re: DTS package not executing from within a webservice
    ... method on the Server A which has a web method, Am trying to execute a DTS ... created a wrapper and using the methods of the DTS.dll ... Not associated with a trusted SQL ... Server connection. ...
    (microsoft.public.dotnet.framework.aspnet.webservices)