NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Secunia Advisories> 2003-q3

[sec-adv] SQL Server Named Pipe Privilege Escalation Vulnerability

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Fri Jul 11 2003 - 03:49:24 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
SQL Server Named Pipe Privilege Escalation Vulnerability

READ ONLINE:
http://www.secunia.com/advisories/9229/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
Microsoft SQL Server 7
Microsoft SQL Server 2000

DESCRIPTION:
A vulnerability has been identified in SQL Server, which can be
exploited by malicious, local users to escalate their privileges on a
vulnerable system.

The vulnerability is caused due to a general error in the
"CreateFile" API and an attack vector exists in SQL Server making it
possible to gain the privileges of the SQL Server. This can be
exploited by specifying the UNC name of a named pipe instead of a
file as an argument to the "xp_fileexist" extended stored procedure.

An example is included in the original advisory.

SOLUTION:
Generally, only trusted administrators should be allowed access to a
server. Furthermore, services should be run with as few privileges as
possible.

Microsoft has fixed this issue in Windows 2000 Service Pack 4 by
introducing a new user right:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp

REPORTED BY / CREDITS:
Andreas Junestam (stake)

ORIGINAL ADVISORY:
http://www.atstake.com/research/advisories/2003/a070803-1.txt

OTHER REFERENCES:
Microsoft knowledge base article about the new user right:
http://support.microsoft.com/default.aspx?scid=kb;[LN];821546

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]