TUCoPS :: Web :: Apps :: web5655.htm

SQL server
23th Aug 2002 [SBWID-5655]
COMMAND

	
		SQL Server arbitrary command execution via distyributor
	
	

SYSTEMS AFFECTED

	
		Microsoft SQL Server 2000 SP 2
	
	

PROBLEM

	
		In David Litchfield [david@ngssoftware.com] advisory [#NISR22002002A] :
		

		http://www.ngssoftware.com/advisories/mssql-sp_MScopyscriptfile.txt

		

		

		--snipp--
		

		If a Microsoft SQL Server is configured as  a  distributor,  so  it  can
		replicate data between servers, a low privileged and malicious user  may
		execute the 'sp_MScopyscript'  stored  procedure  and  insert  arbitrary
		commands which will be run in the security context  of  the  SQL  Server
		account. If the SQL Server is running as  LocalSytem  then  this  attack
		will invariably fail. The reasons behind this is due to the  fact  that,
		before the user supplied commands are executed, the server  must  create
		a directory over a network  share  on  the  distributor.  As  the  Local
		System account has no pivileges on the  network,  the  stored  procedure
		will fail at this point. If the server is running in the  context  of  a
		domain user then the  "make  directory"  command  should  work  provided
		replication has been setup properly. Once this command has executed  the
		stored procedure then inserts the user  supplied  @scriptfile  parameter
		into a command: from the text of sp_MScopyscript
		

		select @cmd = N'copy "' + @scriptfile + N'" "' + @directory + N'"'

		exec @retcode = master..xp_cmdshell @cmd, NO_OUTPUT

		

		By supplying a malformed  @scriptfile  parameter  an  attacker  can  run
		arbitrary commands:
		

		use master

		declare @cmd nvarchar(4000)

		exec sp_MScopyscriptfile N'c:\autoexec.bat" c:\cp.txt&echo hello >

		c:\ccc.bbb & echo "hello',@cmd OUTPUT

		print @cmd

		

		The above query will copy the autoexec.bat file to cp.txt but also  echo
		hello to a file called ccc.bbb.
		

		If the server is running with Administrator privileges an attacker  will
		be able to insert pretty much any command. For example the could  create
		a Windows NT user and add it to the administrators group.
		

		--snapp--
	
	

SOLUTION

	
		 Patch

		 =====

		

		http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp

		 

		 Workaround

		 ==========

		

		NGSSoftware recommend that you at least prevent the 'public'  role  from
		running this stored procedure. You can do this by running the  following
		query from Query Analyzer:
		

		REVOKE EXECUTE ON [dbo].[sp_MScopyscriptfile] FROM [public] CASCADE

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH