
mssql-esppu.txt

Posted Aug 16, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Advisory - Microsoft SQL Server 2000 and 7's helper service allows an attacker to submit jobs to the SQL Agent to be executed with elevated privileges. Proof of concept SQL code included. This vulnerability is discussed in MS02-042.

tags | proof of concept
SHA-256 | 9bf0a97cb7b8ed59e9098bf029a62f468d0bfbd94895eae5891363aff1545a15

NGSSoftware Insight Security Research Advisory

Name: Extended Stored Procedure Privilege Upgrade
Systems: Microsoft SQL Server 2000 and 7
Severity: High Risk
Category: Privilege Escalation
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-esppu.txt
Date: 15th August 2002
Advisory number: #NISR15002002A


Description
***********
Microsoft SQL Server 2000 and 7 extends functionality by using extended
stored procedures. Three particular extended stored procedures contain a
vulnerability that allows a low privileged user to run arbitrary SQL queries
in the context of the account running SQL Server.

Details
*******
SQL Server supports two forms of authentication. The first is where a user
uses an SQL login and password to authenticate and the second is through
Windows Authentication. Any user authenticated by Windows can "upgrade"
their privileges to that of the account running the SQL Server by using one
of three extended stored procedures. These stored procedures allow a user to
run an arbitrary SQL query. By exploiting this problem a low privileged user
will be able to run any stored procedure, extended or otherwise, and select
from, update or insert into any table in any database. That is, by exploiting
these holes an attacker can fully compromise the database server and its
data. Whilst an SQL Login user cannot directly exploit this vulnerability,
they can do so indirectly by submitting a job to the SQL Agent. As the
SQL Agent authenticates to the SQL Server and runs in the context of a Windows
account, these vulnerabilities can be exploited. Please see NGSSoftware alert
NISR15002002A (http://www.ngssoftware.com/advisories/mssql-esppu.txt) for
more details.

Fix Information
***************
NGSSoftware informed Microsoft of these issues in July. Microsoft has
produced a patch that resolves these issues. Please see

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp

for more details.

For those SQL Server database administrators who are not able to patch
immediately, NGSSoftware recommends that they remove public access to the
following extended stored procedures. This will prevent low privileged users
from accessing them.

xp_execresultset
xp_printstatements
xp_displayparamstmt
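
The workaround above expressed as T-SQL, as an added example that is not part of the NGSSoftware advisory: it audits existing EXECUTE grants on the three procedures, revokes them from public, and confirms the result. It assumes the procedures are registered in master under dbo and uses the SQL Server 7/2000 system tables sysprotects, sysobjects and sysusers.

```sql
-- Added example (not from the advisory). Assumption: the three extended
-- stored procedures are registered in master and owned by dbo.
USE master
GO

-- 1. Audit: list every principal that currently holds EXECUTE on the procedures.
--    sysprotects.action 224 = EXECUTE; protecttype 204 and 205 are grant entries.
SELECT o.name AS procedure_name,
       u.name AS grantee,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
       END    AS permission_state
FROM   sysprotects p
       JOIN sysobjects o ON o.id  = p.id
       JOIN sysusers   u ON u.uid = p.uid
WHERE  o.name IN ('xp_execresultset', 'xp_printstatements', 'xp_displayparamstmt')
  AND  p.action = 224
  AND  p.protecttype IN (204, 205)
ORDER  BY o.name, u.name
GO

-- 2. Workaround named in the advisory: remove public access.
REVOKE EXECUTE ON dbo.xp_execresultset    FROM public
REVOKE EXECUTE ON dbo.xp_printstatements  FROM public
REVOKE EXECUTE ON dbo.xp_displayparamstmt FROM public
GO

-- 3. Verify: no grant entry for public may remain on any of the three.
IF EXISTS (SELECT 1
           FROM   sysprotects p
                  JOIN sysobjects o ON o.id  = p.id
                  JOIN sysusers   u ON u.uid = p.uid
           WHERE  o.name IN ('xp_execresultset', 'xp_printstatements',
                             'xp_displayparamstmt')
             AND  u.name = 'public'
             AND  p.action = 224
             AND  p.protecttype IN (204, 205))
    PRINT 'public still holds EXECUTE on at least one procedure'
ELSE
    PRINT 'public EXECUTE removed from all three procedures'
GO
```

Revoking from public leaves explicit grants to other users or roles in place, so rerun the step 1 query afterwards and review any remaining grantees.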

A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner; more information is available from the
NGSSite, http://www.ngssoftware.com/.





