[27478] in bugtraq
Microsoft SQL Server Webtasks privilege upgrade (#NISR17102002)
daemon@ATHENA.MIT.EDU (David Litchfield)
Thu Oct 17 16:12:38 2002
Message-ID: <005c01c275e0$70ef4bd0$2501010a@HEPHAESTUS>
From: "David Litchfield" <david@ngssoftware.com>
To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>,
<vulnwatch@vulnwatch.org>
Date: Thu, 17 Oct 2002 14:23:54 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
NGSSoftware Insight Security Research Advisory
Name: Microsoft SQL Server Webtasks privilege elevation
Systems: Microsoft SQL Server 2000 and 7
Severity: High Risk
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/mssql-webtasks.txt
Date: 17th October 2002
Advisory number: #NISR17102002
Description
***********
Using a number of flaws in the webtask functionality of Microsoft SQL Server
an attacker may gain control of the database by elevating their privileges.
Details
*******
The xp_runwebtask stored procedure fails to set permissions properly when
executed and runs with the privileges of the SQL Server. xp_runwebtask can
be executed by 'PUBLIC'.
The permissions of the table that stores webtasks, namely
msdb.dbo.mswebtasks, are set loosely allowing 'PUBLIC' to INSERT, UPDATE,
DELETE and SELECT.
By updating a webtask owned by the database owner and then running it
through xp_runwebtask an attacker may elevate their privileges. In terms of
exploitation an attacker may choose to run OS commands or add themselves to
the SYSADMIN group.
Fix Information
***************
NGSSoftware alerted Microsoft to these problems on the 23rd of August.
Microsoft has released a patch that addresses these issues. For more details
please see
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
02-061.asp
A check and fix for these problems already exists in NGSSQuirreL, an
advanced SQL Server security management tool, of which more information
is available from the NGSSite: http://www.nextgenss.com/.
