Microsoft SQL Server Webtasks privilege elevation

NGSSoftware Insight Security Research Advisory

Name: Microsoft SQL Server Webtasks privilege elevation

Systems: Microsoft SQL Server 2000 and 7

Severity: High Risk

Vendor URL: http://www.microsoft.com/

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/mssql-webtasks.txt

Date: 17th October 2002

Advisory number: #NISR17102002

Description

***********

Using a number of flaws in the webtask functionality of Microsoft SQL Server

an attacker may gain control of the database by elevating their privileges.

Details

*******

The xp_runwebtask stored procedure fails to set permissions properly when

executed and runs with the privileges of the SQL Server. xp_runwebtask can

be executed by ‘PUBLIC’.

The permissions of the table that stores webtasks, namely

msdb.dbo.mswebtasks, are set loosely allowing ‘PUBLIC’ to INSERT, UPDATE,

DELETE and SELECT.

By updating a webtask owned by the database owner and then running it

through xp_runwebtask an attacker may elevate their privileges. In terms of

exploitation an attacker may choose to run OS commands or add themselves to

the SYSADMIN group.

Fix Information

***************

NGSSoftware alerted Microsoft to these problems on the 23rd of August.

Microsoft has released a patch that addresses these issues. For more details

please see

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS

02-061.asp

A check and fix for these problems already exists in NGSSQUirreL, an

advanced SQL Server security management tool, of which more information

is available from the NGSSite: http://www.nextgenss.com/.