July 9, 2003 at 8:42 am
Hi all,
Just in case you haven't noticed it yet, take a look at this one:
http://www.atstake.com/research/advisories/2003/a070803-1.txt
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 9, 2003 at 8:56 am
Yowch! Thanks for the info. Now, how do we reconcile this with the fact some folks are having issues with Win 2K SP4... it's a no-win situation.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
July 10, 2003 at 5:50 am
What security access is required for the account under which the SQL Server service runs on the server?
I am sure that many people may be using an sa account, but is this really necessary? What is the minimum security level necessary?
July 10, 2003 at 6:17 am
The problem is that this extended stored procedure, though it can be executed by public (and since guest is required in master, this means anyone who has login rights to the SQL Server), runs under the context of the account specified for the SQL Server service itself.
That means if you have SQL Server running under the context of localsystem or as a user account that has administrative rights to the system, a user is able to check for the existence of files using that user context. This means that users can basically see files they might normally be barred from.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
July 10, 2003 at 7:16 am
I guess this should accelerate any evaluations of SP4!
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 10, 2003 at 7:57 am
quote:
That means if you have SQL Server running under the context of localsystem or as a user account that has administrative rights to the system, a user is able to check for the existence of files using that user context. This means that users can basically see files they might normally be barred from.
My understanding was that the exploit goes a lot further than that. It allows anyone who can get a program running on the target (admittedly you are in trouble by then) to get that program to run in the context of the sql server account. In the example, the exploit program sets up a named pipe and waits until anything is piped into it. When this happens (in this case by executing an extended stored procedure that directs output to the pipe), the exploit program is running in the context of whatever context the system was in when the data was *sent* to the named pipe (in this case whatever account is running SQL Server).
SQL Server is used to illustrate this I guess because it's very easy to direct output to a named pipe, and the app typically runs as system. However, named pipes can be set up and connected to by any windows app - I haven't tried to reproduce the sploit, but if it's true and I've read it correctly, it is a biggy.
Going back to our discussion on disclosure, I think whoever sat on this for a YEAR, really deserves an ice white panama 🙂
I've skim read the large list of bug fixes included in SP4 -- I get the impression that some of the security fixes that are mentioned in broad terms could also be papering over similarly big holes ...
Edited by - planet115 on 07/10/2003 07:59:03 AM
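As an added example (not code from the posts above or from the @stake advisory), here is a T-SQL script for SQL Server 2000 that covers both points raised in the thread: Brian's observation that xp_fileexist is executable by public yet runs as the service account, and planet115's point that the real damage comes from the service being made to open a named pipe that a local user controls. The script audits who can run the procedure and which account the service uses, shows the call a low-privileged login can make, and then removes the public grant. Assumed: a default instance (service key MSSQLSERVER), a sysadmin running the audit, and the placeholder path and pipe name used below.

```sql
-- Added example, not from the posts or the advisory. Assumes SQL Server 2000,
-- a default instance (service key MSSQLSERVER) and a sysadmin caller.
USE master
GO

-- 1a. Who holds EXECUTE on the extended procedure? Out of the box this
--     lists a GRANT to public, which is what makes the problem reachable
--     from any login (guest is always present in master).
EXEC sp_helprotect 'xp_fileexist'
GO

-- 1b. Which Windows account does the service run as? The ObjectName
--     registry value of the service holds it. LocalSystem means every
--     xp_fileexist call runs with full access to the file system.
DECLARE @svc nvarchar(256)
EXEC master..xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SYSTEM\CurrentControlSet\Services\MSSQLSERVER',
    @value_name = 'ObjectName',
    @value      = @svc OUTPUT
SELECT @svc AS service_account
GO

-- 2. What a login in public can do before the grant is removed. The
--    result set (File Exists / File is a Directory / Parent Directory
--    Exists) is produced by the service account, not the caller, so it
--    answers for paths the caller cannot read. A path of the form
--    \\.\pipe\<name> is a named pipe: the service opens it the same way,
--    and that open is what lets a pipe server created by a local user
--    impersonate the service, as described in the thread. Both names
--    below are placeholders.
EXEC master..xp_fileexist 'C:\boot.ini'
EXEC master..xp_fileexist '\\.\pipe\placeholder_pipe'
GO

-- 3. Mitigation at the permission level: take EXECUTE away from public
--    (sysadmin can still call it). This closes one entry point only;
--    the patch and a low-privileged service account are still needed.
REVOKE EXECUTE ON xp_fileexist FROM public
GO

-- 3b. Verify from the catalog: no GRANT (protecttype 205) or
--     GRANT_W_GRANT (204) of EXECUTE (action 224) to public should remain.
SELECT o.name AS object_name,
       u.name AS grantee,
       CASE p.protecttype WHEN 204 THEN 'GRANT_W_GRANT'
                          WHEN 205 THEN 'GRANT'
                          WHEN 206 THEN 'DENY' END AS protecttype,
       p.action
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
JOIN sysusers u ON u.uid = p.uid
WHERE o.name = 'xp_fileexist' AND p.action = 224
GO
```

After the REVOKE, reconnect as a login that is only a member of public and rerun step 2: the calls should now fail with a permission error rather than return a result set. The service account cannot be changed from T-SQL; that is done in the service properties, and the point of step 1b is simply to know what you are exposing until it is.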
July 10, 2003 at 8:22 am
Ah, good point. I went and reread the @Stake advisory. xp_fileexist is just one of the easiest methods to exploit the vulnerability.
SP4 has a lot of security patches in it. Just look at the slew of advisories that flew from Microsoft yesterday.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
July 10, 2003 at 8:25 am
quote:
SP4 has a lot of security patches in it. Just look at the slew of advisories that flew from Microsoft yesterday.
I only received one. What 'newsletter' have you subscribed to?
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 10, 2003 at 8:44 am
There were 3 that came out yesterday. I'm on several different security lists. But here are two good ones:
NTBugTraq:
Microsoft Security Notification Service:
http://register.microsoft.com/regsys/pic.asp
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
July 10, 2003 at 9:06 am
Hi Brian,
quote:
There were 3 that came out yesterday. I'm on several different security lists. But here are two good ones:
I thought you meant 3 mails just from M$.
I know these lists and would like to add another good one: http://www.securityfocus.com/
Several mailing lists are available under
http://www.securityfocus.com/archive
There is also a weekly vulnerability newsletter, but I can't remember at the moment who the sender is.
Cheers,
Frank
Edited by - a5xo3z1 on 07/10/2003 09:10:30 AM
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 10, 2003 at 9:12 am
3 came from NTBugTraq. 2 of them I got from Microsoft as well.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
July 10, 2003 at 9:18 am
quote:
3 came from NTBugTraq. 2 of them I got from Microsoft as well.
Maybe you are more privileged.
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 10, 2003 at 9:45 am
I don't put a lot of trust in getting everything sent from any one source. So I sign up for multiple ones.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
July 11, 2003 at 12:08 am
quote:
I don't put a lot of trust in getting everything sent from any one source. So I sign up for multiple ones.
That's a kind of paranoid thinking I like!
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
July 11, 2003 at 12:27 pm
This recent flurry of vulnerabilities shows the validity of that sort of thinking. Got all 3 from NTBugTraq. Got 3 from several of the security newsgroups. Only got 2 from Microsoft and a couple of others. Sad, isn't it, that we have to be so distrustful nowadays.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley