COMMAND

	SQL user priviledge escalation via stored procedures

SYSTEMS AFFECTED

	Microsoft SQL Server 2000 and 7

PROBLEM

	David Litchfield [david@ngssoftware.com] posted  an  advisory  where  he
	reveals  that  the   three   stored   procedures   :   xp_execresultset,
	xp_printstatements and xp_displayparamstmt can be used  to  escalate  an
	SQL session authenticated by Windows basic mechanism to  the  SQL  power
	users :
	

	http://www.nextgenss.com/advisories/mssql-esppu.txt

	

SOLUTION

	See:
	

	http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp