[NT] Microsoft SQL Server Extended Stored Procedure Privilege Escalation Vulnerabilities

From: support@securiteam.com
Date: 08/19/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 19 Aug 2002 11:00:24 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Microsoft SQL Server Extended Stored Procedure Privilege Escalation Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Microsoft SQL Server 2000 and 7 extend their functionality through extended
stored procedures. Three particular extended stored procedures contain a
vulnerability that allows a low privileged user to run arbitrary SQL
queries in the context of the account running SQL Server.

DETAILS

Vulnerable systems:
 * Microsoft SQL Server 2000
 * Microsoft SQL Server 7

SQL Server supports two forms of authentication. The first is where a user
uses an SQL login and password to authenticate, and the second is Windows
Authentication. Any user authenticated by Windows can "upgrade" their
privileges to those of the account running SQL Server by using one of
three extended stored procedures. These stored procedures allow a user to
run an arbitrary SQL query. By exploiting this problem a low privileged
user is able to run any stored procedure, extended or otherwise, and
select from, update, or insert into any table in any database. That is, by
exploiting these holes an attacker can fully compromise the database
server and its data. Whilst an SQL Login user cannot directly exploit this
vulnerability, they can do so indirectly by submitting a job to the SQL
Agent. Because the SQL Agent authenticates to SQL Server and runs in the
context of a Windows account, the job it executes can exploit these
vulnerabilities.

Fix Information:
NGSSoftware informed Microsoft of these issues in July. Microsoft has
produced a patch that resolves these issues. For more details, please see
"Cumulative Patch for SQL Server":
 <http://www.securiteam.com/windowsntfocus/5FP0F0A7PM.html>

For those SQL Server database administrators who are not able to patch
immediately, NGSSoftware recommend that they remove public access to the
following extended stored procedures. This will prevent low privileged
users from accessing them:

 * xp_execresultset
 * xp_printstatements
 * xp_displayparamstmt
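The workaround described above, as an added Transact-SQL example that is not
part of the NGSSoftware advisory or of Microsoft's patch guidance. It assumes
the three procedures live in the master database (where extended stored
procedures are registered) and that the person running it is a member of the
sysadmin role; it uses the standard sp_helprotect procedure to show the
permission state before and after the REVOKE.

```sql
-- Added example, not from the advisory: remove the public EXECUTE right on
-- the three extended stored procedures named above, as an interim
-- workaround until the cumulative patch is applied.
-- Extended stored procedures are registered in master, so work there.
USE master
GO

-- Before: list who currently holds permissions on each procedure.
-- A row with Grantee = 'public' and Action = 'Execute' is the exposure
-- that lets any authenticated login call the procedure.
EXEC sp_helprotect 'xp_execresultset'
EXEC sp_helprotect 'xp_printstatements'
EXEC sp_helprotect 'xp_displayparamstmt'
GO

-- Remove the public EXECUTE grant. The procedures themselves remain
-- registered; members of the sysadmin role are not subject to the
-- permission check and are therefore unaffected.
REVOKE EXECUTE ON xp_execresultset FROM public
REVOKE EXECUTE ON xp_printstatements FROM public
REVOKE EXECUTE ON xp_displayparamstmt FROM public
GO

-- After: re-run the check; the 'public' / 'Execute' rows should be gone.
EXEC sp_helprotect 'xp_execresultset'
EXEC sp_helprotect 'xp_printstatements'
EXEC sp_helprotect 'xp_displayparamstmt'
GO
```

Note that this only removes the grant to public; if an application login was
given EXECUTE on one of these procedures individually, sp_helprotect will show
that grantee separately and it must be revoked by name. The REVOKE is
reversible and does not replace the patch, which is the only change that
closes the flaw inside the procedures themselves.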

ADDITIONAL INFORMATION

The original advisory can be found at:
 <http://www.ngssoftware.com/advisories/mssql-esppu.txt>

The information has been provided by David Litchfield
<mailto:david@ngssoftware.com>.
