You only need to be granted the bulkadmin fixed server role to execute BULK INSERT. You do NOT need to have sysadmin to execute BULK INSERT (yes, I have tested this several times). So this vulnerability leads to a privilege escalation. Regards, Aaron _______________________________ Aaron C. Newman CTO/Founder Application Security, Inc. www.appsecinc.com Phone: 212-490-6022 Fax: 212-490-6456 - Protection Where It Counts - -----Original Message----- From: Hall, Philip [mailto:phall@spss.com] Sent: Thursday, July 11, 2002 10:57 AM To: bugtraq@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com; vulnwatch@vulnwatch.org Subject: RE: Microsoft SQL Server 2000 'BULK INSERT' Buffer Overflow (#NISR11072002) > To be able to use the 'BULK INSERT' query one must have the > privileges of the database owner or dbo. Note this does not > necessarily imply 'sa' equivalence. In fact, you need to be a member of the sysadmin and bulkadmin fixed server roles to be able to execute BULK INSERT, both of these have to be explicitly set, if you're not user 'sa' --phil
