[26143] in bugtraq
RE: Microsoft SQL Server 2000 'BULK INSERT' Buffer Overflow (#NISR11072002)
daemon@ATHENA.MIT.EDU (Aaron C. Newman)
Fri Jul 12 00:08:27 2002
From: "Aaron C. Newman" <aaron@newman-family.com>
To: "'Hall, Philip'" <phall@spss.com>, <bugtraq@securityfocus.com>,
<ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
Date: Thu, 11 Jul 2002 22:20:46 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <0AB647D29447FA4C818A8EE43B1F4FA30ABB91@hqemail1.spss.com>
Message-Id: <20020712021118.C6F7D73FF6@sparky.appsecinc.com>
You only need to be granted the bulkadmin fixed server role to execute
BULK INSERT. You do NOT need to have sysadmin to execute BULK INSERT
(yes, I have tested this several times).
So this vulnerability leads to a privilege escalation.
Regards,
Aaron
_______________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-490-6022
Fax: 212-490-6456
- Protection Where It Counts -
-----Original Message-----
From: Hall, Philip [mailto:phall@spss.com]
Sent: Thursday, July 11, 2002 10:57 AM
To: bugtraq@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com;
vulnwatch@vulnwatch.org
Subject: RE: Microsoft SQL Server 2000 'BULK INSERT' Buffer Overflow
(#NISR11072002)
> To be able to use the 'BULK INSERT' query one must have the
> privileges of the database owner or dbo. Note this does not
> necessarily imply 'sa' equivalence.
In fact, you need to be a member of the sysadmin and bulkadmin fixed
server roles to be able to execute BULK INSERT, both of these have to be
explicitly set, if you're not user 'sa'
--phil
