NGSSoftware Insight Security Research Advisory

Name: sp_MSSetServerPropertiesn and sp_MSsetalertinfo
Systems: Microsoft SQL Server 2000
Severity: Low Risk
Category: Configuration
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-sp_MSSetServerProperties.txt
Date: 3rd September 2002
Advisory number: #NISR03092002


Details
*******
sp_MSSetServerProperties is a stored procedure for internal use. sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL Server starts up automatically or manually and as the 'public' role can execute this stored procedure, by default, it means that low privileged users can modify this. This is a low risk issue. It does not allow an attacker to compromise the server or data but may be used in conjunction with another attack. For example an attacker may not want SQL Server to restart on server reboot if they set a shell listening on TCP port 1433.

The sp_MSsetalertinfo stored procedure can be execute by the public role and allows low privileged users to modify alert information such as the e-mail address where alerts should be sent to. 


Fix Information
***************
NGSSoftware alerted Microsoft to these problems on the 22nd of August. SQL Server administrators are advised to disallow the 'public' role from executing these stored procedure using the following Transact SQL.


use master
go
revoke execute on [sp_MSSetServerProperties] to [public]
go
revoke execute on [sp_MSsetalertinfo] to [public]
go


A check and fix for these problems have been added to NGSSQUirreL, an SQL Server security management tool, of which more information is available from the NGSSite: http://www.nextgenss.com/.