NGSSoftware Insight Security Research Advisory Name: sp_MSSetServerPropertiesn and sp_MSsetalertinfo Systems: Microsoft SQL Server 2000 Severity: Low Risk Category: Configuration Vendor URL: http://www.microsoft.com/ Author: David Litchfield (davidat_private) Advisory URL: http://www.ngssoftware.com/advisories/mssql-sp_MSSetServerProperties.txt Date: 3rd September 2002 Advisory number: #NISR03092002A Details ******* sp_MSSetServerProperties is a stored procedure for internal use. sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL Server starts up automatically or manually and as the 'public' role can execute this stored procedure, by default, it means that low privileged users can modify this. This is a low risk issue. It does not allow an attacker to compromise the server or data but may be used in conjunction with another attack. For example an attacker may not want SQL Server to restart on server reboot if they set a shell listening on TCP port 1433. The sp_MSsetalertinfo stored procedure can be execute by the public role and allows low privileged users to modify alert information such as the e-mail address where alerts should be sent to. Fix Information *************** NGSSoftware alerted Microsoft to these problems on the 22nd of August. SQL Server administrators are advised to disallow the 'public' role from executing these stored procedure using the following Transact SQL. use master go drop execute on [sp_MSSetServerProperties] to [public] go drop execute on [sp_MSsetalertinfo] to [public] go A check and fix for these problems have been added to NGSSQUirreL, an SQL Server security management tool, of which more information is available from the NGSSite: http://www.nextgenss.com/.
This archive was generated by hypermail 2b30 : Mon Sep 02 2002 - 13:37:15 PDT