NGSSoftware Insight Security Research Advisory Name: Microsoft SQL Server Webtasks privilege elevation Systems: Microsoft SQL Server 2000 and 7 Severity: High Risk Vendor URL: http://www.microsoft.com/ Author: David Litchfield (davidat_private) Advisory URL: http://www.ngssoftware.com/advisories/mssql-webtasks.txt Date: 17th October 2002 Advisory number: #NISR17102002 Description *********** Using a number of flaws in the webtask functionality of Microsoft SQL Server an attacker may gain control of the database by elevating their privileges. Details ******* The xp_runwebtask stored procedure fails to set permissions properly when executed and runs with the privileges of the SQL Server. xp_runwebtask can be executed by 'PUBLIC'. The permissions of the table that stores webtasks, namely msdb.dbo.mswebtasks, are set loosely allowing 'PUBLIC' to INSERT, UPDATE, DELETE and SELECT. By updating a webtask owned by the database owner and then running it through xp_runwebtask an attacker may elevate their privileges. In terms of exploitation an attacker may choose to run OS commands or add themselves to the SYSADMIN group. Fix Information *************** NGSSoftware alerted Microsoft to these problems on the 23rd of August. Microsoft has released a patch that addresses these issues. For more details please see http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS 02-061.asp A check and fix for these problems already exists in NGSSQuirreL, an advanced SQL Server security management tool, of which more information is available from the NGSSite: http://www.nextgenss.com/.
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 13:10:57 PDT