Microsoft SQL Server Stored procedures [sp_MSSetServerPropertiesn and sp_MSsetalertinfo] (#NISR03092002A)From: NGSSoftware Insight Security Research (nisr@NEXTGENSS.COM)
Date: Mon, 2 Sep 2002 20:07:33 +0100 From: NGSSoftware Insight Security Research <nisr@NEXTGENSS.COM> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
NGSSoftware Insight Security Research Advisory
Name: sp_MSSetServerPropertiesn and sp_MSsetalertinfo
Systems: Microsoft SQL Server 2000
Severity: Low Risk
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (firstname.lastname@example.org)
Date: 3rd September 2002
Advisory number: #NISR03092002A
sp_MSSetServerProperties is a stored procedure for internal use.
sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL
Server starts up automatically or manually and as the 'public' role can
execute this stored procedure, by default, it means that low privileged
users can modify this. This is a low risk issue. It does not allow an
attacker to compromise the server or data but may be used in conjunction
with another attack. For example an attacker may not want SQL Server to
restart on server reboot if they set a shell listening on TCP port 1433.
The sp_MSsetalertinfo stored procedure can be execute by the public role and
allows low privileged users to modify alert information such as the e-mail
address where alerts should be sent to.
NGSSoftware alerted Microsoft to these problems on the 22nd of August. SQL
Server administrators are advised to disallow the 'public' role from
executing these stored procedure using the following Transact SQL.
drop execute on [sp_MSSetServerProperties] to [public]
drop execute on [sp_MSsetalertinfo] to [public]
A check and fix for these problems have been added to NGSSQUirreL, an SQL
Server security management tool, of which more information is available from
the NGSSite: http://www.nextgenss.com/.