NGSSoftware Insight Security Research Advisory

Name: Extended Stored Procedure Privilege Upgrade
Systems: Microsoft SQL Server 2000 and 7
Severity: High Risk
Category: Privilege Escalation
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-esppu.txt
Date: 15th August 2002
Advisory number: #NISR15002002A

Description
***********

Microsoft SQL Server 2000 and 7 extend their functionality by using extended stored procedures. Three particular extended stored procedures contain a vulnerability that allows a low privileged user to run arbitrary SQL queries in the context of the account running SQL Server.

Details
*******

SQL Server supports two forms of authentication. The first is where a user uses an SQL login and password to authenticate, and the second is through Windows Authentication. Any user authenticated by Windows can "upgrade" their privileges to those of the account running the SQL Server by using one of three extended stored procedures. These stored procedures allow a user to run an arbitrary SQL query. By exploiting this problem a low privileged user will be able to run any stored procedure, extended or otherwise, and select from, update or insert into any table in any database. That is, by exploiting these holes an attacker can fully compromise the database server and its data.

Whilst an SQL Login user cannot directly exploit this vulnerability, they can do so indirectly by submitting a job to the SQL Agent. As the SQL Agent authenticates to the SQL Server and runs in the context of a Windows account, these vulnerabilities can be exploited.

Please see NGSSoftware alert NISR15002002A (http://www.ngssoftware.com/advisories/mssql-esppu.txt) for more details.

Fix Information
***************

NGSSoftware informed Microsoft of these issues in July. Microsoft has produced a patch that resolves these issues. Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp for more details.

For those SQL Server database administrators who are not able to patch immediately, NGSSoftware recommend that they remove public access to these stored procedures. This will prevent low privileged users from accessing these extended stored procedures:

xp_execresultset
xp_printstatements
xp_displayparamstmt

A check for this vulnerability has been added to Typhon II, NGSSoftware's vulnerability assessment scanner, of which more information is available from the NGSSite, http://www.ngssoftware.com/.
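The workaround above can be applied and verified with the Transact-SQL below. This is an added example, not part of the NGSSoftware advisory or of any Microsoft documentation; it assumes you are connected as a member of the sysadmin role and that the three extended stored procedures are registered in the master database (where SQL Server 2000 and 7 keep extended stored procedures). It uses the standard sp_helprotect procedure to list the permissions held on each object before and after the public EXECUTE permission is revoked.

```sql
-- Added example (not from the advisory): withdraw public access to the three
-- extended stored procedures named in the advisory, and verify the change.
-- Assumes a sysadmin connection; extended stored procedures live in master.
USE master
GO

-- Before: list every principal that holds a permission on each procedure.
-- A row with Grantee = 'public' and Action = 'Execute' is the exposure.
EXEC sp_helprotect 'xp_execresultset'
EXEC sp_helprotect 'xp_printstatements'
EXEC sp_helprotect 'xp_displayparamstmt'
GO

-- Withdraw the EXECUTE permission that the public role holds by default.
REVOKE EXECUTE ON xp_execresultset FROM public
REVOKE EXECUTE ON xp_printstatements FROM public
REVOKE EXECUTE ON xp_displayparamstmt FROM public
GO

-- After: re-run the listing; no 'public' / 'Execute' rows should remain.
EXEC sp_helprotect 'xp_execresultset'
EXEC sp_helprotect 'xp_printstatements'
EXEC sp_helprotect 'xp_displayparamstmt'
GO
```

Two caveats when relying on this instead of the patch: members of the sysadmin role are unaffected by the REVOKE and can still call the procedures, and any permission granted to another role or user on these procedures (which sp_helprotect would show as a separate row) must be revoked as well, since only the public grant is removed here. Re-run the sp_helprotect listing after applying service packs or reinstalling, because a reinstall of the extended stored procedures can restore the default public grant.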