July 30, 2010
Network Toaster
SQL Security Forums
Note: SQLSecurity.com does not allow nor require registration due to privacy concerns for users. SQLSecurity.com is open and anonymous for all. Please report any abuse or profanity.
Subject: New Sql Server 2000 buffer overflow

Author Messages
Cesar

04/17/2002 11:05 AM
I have found a new SQL Server 2000 bo, but it's sa only. The question is: is this a security bug, or is it just a simple bug? I have been talking with a Microsoft guy and he said they will release a fix in the next service pack, and that the bug has no security implication, because it's sa only. My opinion is that every little bug that lets you do things that you are not supposed to under normal circumstances or in that specific way should be considered a security bug.
Chip Andrews

04/17/2002 4:21 PM
I believe you are correct and that Microsoft still does not "get it" when it comes to security. Just because a person has 'sa' level context in SQL Server does not mean I necessarily want to give that person operating system-level access (assuming I have disabled the command shell functionality and placed the appropriate written policies in place). What happens here is that now, once I have a rogue 'sa' or someone obtains 'sa' privs via escalation or a brute force attack, I have an OS-level intruder. In most cases that OS-level intruder will be LocalSystem privilege, so I am rooted. You could make the argument that you are rooted anyway once you have 'sa' privs on a SQL Server running as LocalSystem even without a buffer overflow - and this might be true depending on how well you have it locked down. But why give attackers another vector if you don't have to? This is simply an example of poor containment.
Chip
Cesar

04/18/2002 9:38 AM
Thanks Chip, I thought you would agree with me. BTW, the overflow is in the xp_sqlagent_param extended stored procedure; I will publish the details soon. Be careful with tests, people!! Some SQL Server functionality becomes very unstable.
Cesar Cerrudo.

Copyright 1999 by Chip Andrews