Re: MSSQL Hello bug

From: Chip Andrews <chipandrews@USA.NET>
Date: Thu, 3 Oct 2002 14:44:14 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Microsoft claims that the default for SQL Server 2000 is a domain user, NOT
LocalSystem, because the SQL 2000 setup program defaults to assigning a
domain account as the service account during the installation phase. In
practice, many people assign a high-privilege domain account that already
exists OR simply click the LocalSystem radio button to save themselves the
trouble of creating an account manually. Keep in mind that MSDE gives you
no such choices and always installs as LocalSystem unless a developer has
altered the unattended installation configuration files.
(http://support.microsoft.com/default.aspx?scid=KB;EN-US;q233312)

In addition, even if you assign a domain user account (or local account) for
the service, it is granted a nice set of privileges to support its new role:

* Access to the SQL Server files (MDFs, LDFs, logs, etc.)
* Access to the SQL Server registry entries
* The account is added to sysxlogins and becomes a member of the sysadmins
  role
* The account is granted both "Act as part of the operating system" and
  "Replace a process level token" user rights

So, as you can see, this is hardly a very crippled account, as the user can
at the very least wipe your SQL Server clean and do some nasty OS tricks
using its new user rights.

Microsoft's claim might be technically correct that the default is not
LocalSystem access (at least for SQL Server 2000), but it's a bit of a
stretch to say "it would not, under default conditions, grant the attacker
significant privileges at the operating system level".

In practice, whether you follow best practices or not, privilege levels for
the attacker remain high.

Chip Andrews
www.sqlsecurity.com
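The two points above that an administrator can actually verify on a host are which account the SQL Server service runs as and whether that account holds the "Act as part of the operating system" and "Replace a process level token" user rights. The following audit script is an added example, not code from the thread, from sqlsecurity.com or from Microsoft. It assumes it is run elevated on the SQL Server host (secedit needs administrator rights), that the default instance's service is named MSSQLSERVER (a named instance is MSSQL$<InstanceName>), and that secedit writes assigned rights under [Privilege Rights] as *SID entries, which is its documented export format.

```powershell
# Added audit script (not part of the original message). Reports the SQL Server
# service account and whether it holds the two user rights listed in the thread:
#   "Act as part of the operating system" -> SeTcbPrivilege
#   "Replace a process level token"       -> SeAssignPrimaryTokenPrivilege
# Assumption: run elevated on the SQL Server host; service name defaults to the
# default instance (MSSQLSERVER); pass -ServiceName 'MSSQL$INST' for a named one.
param([string]$ServiceName = 'MSSQLSERVER')

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }
$account = $svc.StartName
"Service $ServiceName runs as: $account"

# LocalSystem already holds these rights (and everything else), so there is
# nothing further to check: flag it and stop.
if ($account -ieq 'LocalSystem' -or $account -ieq 'NT AUTHORITY\SYSTEM') {
    "FINDING: service runs as LocalSystem; full OS-level privilege by definition."
    return
}

# Resolve the account to a SID so it can be matched against the *S-1-5-...
# entries secedit writes. The two built-in service accounts have well-known
# SIDs, so they are mapped directly instead of looked up.
$sid = switch ($account) {
    'NT AUTHORITY\LocalService'   { 'S-1-5-19'; break }
    'NT AUTHORITY\NetworkService' { 'S-1-5-20'; break }
    default {
        ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
}

# Export the effective local security policy and read the [Privilege Rights] lines.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf | Out-Null
$policy = Get-Content -Path $inf
Remove-Item $inf -ErrorAction SilentlyContinue

$rights = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
foreach ($priv in $rights.Keys) {
    # Line format: SeTcbPrivilege = *S-1-5-21-...,*S-1-5-...  (absent if unassigned)
    $line = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }
    # Match on SID, and on the account name in case the policy lists names.
    $has = ($holders -contains $sid) -or ($holders -contains $account)
    $status = if ($has) { 'FINDING' } else { 'ok' }
    "{0}: '{1}' held by {2}: {3} ({4})" -f $status, $rights[$priv], $account, $has, $priv
}
```

A FINDING on either right, or a LocalSystem result, is the condition the message describes: the account that owns the SQL Server process can do more than manage the database. The third bullet, sysadmin role membership, is checked inside the server rather than from the OS, for example with `SELECT IS_SRVROLEMEMBER('sysadmin', '<DOMAIN\account>')`, which returns 1 when the login is a member.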

----- Original Message -----
From: "Dave Aitel" <dave@IMMUNITYSEC.COM>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Thursday, October 03, 2002 12:18 PM
Subject: MSSQL Hello bug

People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.

The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges.

Dave Aitel
Immunity, Inc.

"Unchecked buffer in SQL Server 2000 authentication function
(CAN-2002-1123):

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level."