[VulnWatch] Microsoft SQL Server Webtasks privilege upgrade (#NISR17102002)

From: David Litchfield (david@ngssoftware.com)
Date: 10/17/02 

From: "David Litchfield" <david@ngssoftware.com>
To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
Date: Thu, 17 Oct 2002 14:23:54 +0100

NGSSoftware Insight Security Research Advisory

Name: Microsoft SQL Server Webtasks privilege elevation
Systems: Microsoft SQL Server 2000 and 7
Severity: High Risk
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-webtasks.txt
Date: 17th October 2002
Advisory number: #NISR17102002

Description
***********
Using a number of flaws in the webtask functionality of Microsoft SQL Server
an attacker may gain control of the database by elevating their privileges.

Details
*******
The xp_runwebtask stored procedure fails to set permissions properly when
executed and runs with the privileges of the SQL Server. xp_runwebtask can
be executed by 'PUBLIC'.

The permissions of the table that stores webtasks, namely
msdb.dbo.mswebtasks, are set loosely allowing 'PUBLIC' to INSERT, UPDATE,
DELETE and SELECT.

By updating a webtask owned by the database owner and then running it
through xp_runwebtask an attacker may elevate their privileges. In terms of
exploitation an attacker may choose to run OS commands or add themselves to
the SYSADMIN group.

Fix Information
***************
NGSSoftware alerted Microsoft to these problems on the 23rd of August.
Microsoft has released a patch that addresses these issues. For more details
please see

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
02-061.asp

A check and fix for these problems already exists in NGSSQuirreL, an
advanced SQL Server security management tool, of which more information
is available from the NGSSite: http://www.nextgenss.com/.

Relevant Pages

  • Microsoft SQL Server Webtasks privilege upgrade (#NISR17102002)
    ... Microsoft SQL Server Webtasks privilege elevation ... an attacker may gain control of the database by elevating their privileges. ... The permissions of the table that stores webtasks, ...
    (NT-Bugtraq)
  • Microsoft SQL Server Webtasks privilege upgrade (#NISR17102002)
    ... Microsoft SQL Server Webtasks privilege elevation ... an attacker may gain control of the database by elevating their privileges. ... The permissions of the table that stores webtasks, ...
    (Bugtraq)
  • CERT Advisory CA-2002-22 Multiple Vulnerabilities in Microsoft SQL Server
    ... The Microsoft SQL Server contains several serious vulnerabilities that ... These vulnerabilities are public and have ... the same privileges as the operating system. ... a compromised Microsoft SQL Server can be used to take ...
    (Cert)
  • Alert: Microsoft Security Bulletin - MS02-061
    ... Elevation of Privilege in SQL Server Web Tasks ... Microsoft SQL Server 7.0 ... Exploiting this vulnerability could allow the attacker to escalate privileges to the level of the SQL Server service account. ...
    (NT-Bugtraq)
  • RE: Sharepoint issue
    ... do you mean Microsoft SQL Server ... 833183 You receive a "Cannot connect to the configuration database" error ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
Quantcast