COMMAND

    SQL user privilege escalation via stored procedures

SYSTEMS AFFECTED

    Microsoft SQL Server 2000 and 7

PROBLEM

    David Litchfield [david@ngssoftware.com] posted an advisory in which
    he reveals that three stored procedures, xp_execresultset,
    xp_printstatements and xp_displayparamstmt, can be used to escalate
    an SQL session authenticated by the basic Windows mechanism to the
    privileges of the SQL power users:

    http://www.nextgenss.com/advisories/mssql-esppu.txt

SOLUTION

    See:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp