[NT] Elevation of Privilege in SQL Server Web Tasks
From: support@securiteam.com
To: list@securiteam.com
Date: 17 Oct 2002 03:11:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Elevation of Privilege in SQL Server Web Tasks
------------------------------------------------------------------------
SUMMARY
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, and
Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE) 2000. In
addition, it eliminates a newly discovered vulnerability.
SQL Server 7.0 and 2000 provide stored procedures, which are collections of
Transact-SQL statements stored under a name and processed as a group. One
stored procedure, an extended stored procedure and weak permissions on a
table combine to allow a low-privileged user to run, delete, insert or
update web tasks.
An attacker who is able to authenticate to a SQL server could delete,
insert or update all the web tasks created by other users. In addition,
the attacker could run already created web tasks in the context of the
creator of the web task. This typically runs in the context of the SQL
Server Agent service account.
DETAILS
Affected Software:
* Microsoft SQL Server 7.0
* Microsoft Data Engine (MSDE) 1.0
* Microsoft SQL Server 2000
* Microsoft Desktop Engine (MSDE) 2000
Mitigating factors:
* It is necessary to be an authenticated user of the SQL Server.
* Exploiting this vulnerability could allow the attacker to escalate
privileges to the level of the SQL Server service account. By default, the
service runs with the privileges of a domain user, rather than with system
privileges.
* Web tasks have to exist in the first place.
Patch availability:
Download locations for this patch
* Microsoft SQL Server 7.0:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q327068&sd=tech
* Microsoft SQL Server 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333&sd=tech
What's the scope of the vulnerability?
This is an elevation of privilege vulnerability that occurs in a
Microsoft-provided stored procedure, one extended stored procedure and
weak permissions on a table. It is possible for an attacker to execute a
SQL Server stored procedure that would run web tasks. Since anyone who
could authenticate to the SQL Server could run this stored procedure, it
is possible for an attacker to run previously stored web tasks in the
context of the person who created them, thereby potentially elevating his
or her privileges. Normally, only SQL Server administrators or database
operators should be able to run stored procedures.
An attacker would first have to be able to authenticate to the SQL Server,
and even then the attacker could not create new web tasks. Also, the
database to which the attacker is authenticating must support the use of
web tasks.
What is a stored procedure?
A stored procedure is a precompiled collection of Transact-SQL statements
stored under a name and processed as a group. SQL Server supplies stored
procedures for managing SQL Server and displaying information about
databases and users. SQL Server-supplied stored procedures are called
system stored procedures.
When a developer creates an application with SQL Server, the Transact-SQL
programming language is the primary programming interface between the
developer's applications and the SQL Server database. There are two
methods available for storing and executing the programs when using the
Transact-SQL programs. You can store the programs locally and create
applications that send the commands to SQL Server and process the results,
or a developer can store the programs as stored procedures in SQL Server
and create applications that execute the stored procedures and process the
results.
Stored procedures in SQL Server are similar to procedures in other
programming languages in that they can:
* Accept input parameters and return multiple values in the form of
output parameters to the calling procedure or batch.
* Contain programming statements that perform operations in the database,
including calling other procedures.
* Return a status value to a calling procedure or batch to indicate
success or failure (and the reason for failure).
What are SQL Server extended stored procedures?
Extended stored procedures provide the ability for database designers and
administrators to create their own customized external routines in a
programming language such as C or C#. For all intents and purposes,
extended stored procedures appear to users as normal stored procedures and
are executed in the same way. Database queries can pass data to extended
stored procedures which can return results and return status. For
instance, among the standard extended stored procedures included with SQL
Server are ones that provide e-mail functions. For example:
* xp_startmail, which starts a SQL Mail client session, and
* xp_sendmail, which sends an e-mail or page.
What is a web task?
A web task is a task that produces an HTML document containing data
returned by executed queries. In other words, a web developer might create
an ASP page which needs data from a SQL Server. The ASP page would send a
web request to the SQL Server to create an http file containing queried
data that the ASP page can later pick up.
What do web tasks and stored procedures have to do with one another?
Web tasks are created through a system stored procedure.
What causes the vulnerability?
There is a flaw in the stored procedure to run web tasks where it is
possible for a low privileged user to run that stored procedure. In
addition, there are weak permissions on the web tasks table that together
with the stored procedure could allow an attacker to run, delete or update
a web task.
What's wrong with the stored procedure to run web tasks?
There is a flaw in the way SQL Server handles permissions.
What could this vulnerability enable an attacker to do?
An attacker could seek to exploit this vulnerability by logging in to a
SQL Server and then run the stored procedure for web tasks. An attacker
might first query for web tasks and then use the stored procedure to run
them. It is also possible for the attacker to delete, update or insert new
web tasks in order to escalate privileges.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by logging in to a
SQL server and then running the stored procedure. The attacker may query
for web tasks first and then use the stored procedure to run them, or
delete or update the web tasks or insert new ones in order to potentially
escalate privileges.
What does the patch do?
The patch eliminates the vulnerability by putting proper permissions on
the stored procedure for running web tasks. The patch also locks down
permissions on the table that stores information about web tasks.
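The following T-SQL is an added example, not part of the advisory or of Microsoft's patch: it lets an administrator audit who holds rights on the two objects the patch description refers to and remove broad grants as an interim measure while the patch is scheduled. It assumes the SQL Server 2000 names for those objects, sp_runwebtask in master and msdb.dbo.MSwebtasks, which the bulletin itself does not spell out.

```sql
-- Added example (not the vendor fix). Assumed object names:
--   master..sp_runwebtask   : the procedure that runs a stored web task
--   msdb.dbo.MSwebtasks     : the table holding web task definitions
USE master;
GO
-- 1. Who may execute the web-task runner? A 'public' grantee in the output
--    is the condition described in this bulletin (any authenticated login).
EXEC sp_helprotect @name = 'sp_runwebtask';
GO
USE msdb;
GO
-- 2. Who may read or change the web task table? Again look for 'public'
--    holding SELECT/INSERT/UPDATE/DELETE.
EXEC sp_helprotect @name = 'MSwebtasks';
GO
-- 3. Mitigating factor check: web tasks have to exist in the first place.
--    An empty result set means there is nothing for the flaw to run.
SELECT * FROM dbo.MSwebtasks;
GO
-- 4. Interim hardening until the cumulative patch is applied: withdraw the
--    broad grants so only sysadmin / explicitly granted accounts can use
--    the runner or touch the table. Re-run steps 1-2 afterwards to confirm.
USE master;
GO
REVOKE EXECUTE ON sp_runwebtask FROM public;
GO
USE msdb;
GO
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.MSwebtasks FROM public;
GO
```

The REVOKE statements only remove rights that were explicitly granted to public; applications that legitimately run web tasks under a non-sysadmin login will need a targeted GRANT to that login afterwards.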
ADDITIONAL INFORMATION
The information has been provided by Microsoft.