Privilege Elevation Vulnerability in Microsoft SQL Server and Microsoft Desktop Engine

A vulnerability exists in SQL Server and MSDE that can result in an unprivileged user gaining control of a database.

Ken Pfeil

August 15, 2002


Reported August 15, 2002, by Microsoft.

VERSIONS AFFECTED

 

  • Microsoft SQL Server 2000

  • Microsoft SQL Server 7.0

  • Microsoft Desktop Engine (MSDE) 2000

  • Microsoft Desktop Engine (MSDE) 1.0

 

DESCRIPTION

A vulnerability exists in SQL Server and MSDE that can result in an unprivileged user gaining control of a database. This vulnerability stems from weak default permissions on extended stored procedures that let the unprivileged user run these stored procedures with Administrator privileges. The affected extended stored procedures are:

  • xp_execresultset

  • xp_printstatements

  • xp_displayparamstmt

 

Detailed information regarding this vulnerability is available on the discoverer’s Website.
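An added audit query, not part of the original advisory or of Microsoft's bulletin: it lists which database users hold EXECUTE on the three procedures named above and flags a grant to public. It assumes the SQL Server 7.0/2000 system tables `sysobjects` and `sysprotects` and that the procedures reside in `master`.

```sql
-- Added example: audit EXECUTE grants on the procedures named in the advisory.
-- Assumes SQL Server 7.0/2000 system tables; run from a sysadmin session.
USE master

-- Working list of the three affected procedure names.
CREATE TABLE #affected (name sysname NOT NULL)
INSERT INTO #affected (name) VALUES ('xp_execresultset')
INSERT INTO #affected (name) VALUES ('xp_printstatements')
INSERT INTO #affected (name) VALUES ('xp_displayparamstmt')

SELECT
    a.name AS procedure_name,
    -- A missing object means there is nothing to grant on this instance.
    CASE WHEN o.id IS NULL THEN 'not present' ELSE 'present' END AS status,
    USER_NAME(p.uid) AS grantee,
    CASE p.protecttype
        WHEN 204 THEN 'GRANT WITH GRANT OPTION'
        WHEN 205 THEN 'GRANT'
    END AS grant_type,
    -- public covers every user of the database, privileged or not.
    CASE WHEN USER_NAME(p.uid) = 'public'
         THEN 'REVIEW: public holds EXECUTE'
         ELSE ''
    END AS finding
FROM #affected a
LEFT JOIN dbo.sysobjects o
       ON o.name = a.name
      AND o.xtype IN ('X', 'P')          -- extended or regular stored procedure
LEFT JOIN dbo.sysprotects p
       ON p.id = o.id
      AND p.action = 224                 -- 224 = EXECUTE
      AND p.protecttype IN (204, 205)    -- granted permissions only
ORDER BY a.name, grantee

DROP TABLE #affected
```

A row with a NULL grantee means the procedure exists but no explicit EXECUTE grant is recorded for it.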

 

VENDOR RESPONSE

 

The vendor, Microsoft, has released Security Bulletin MS02-043 (Cumulative Patch for SQL Server) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the security bulletin.

 

CREDIT
Discovered by David Litchfield of NGSSoftware.
