Privilege Elevation Vulnerability in Microsoft SQL Server and Microsoft Desktop Engine
A vulnerability exists in SQL Server and MSDE that can result in an unprivileged user gaining control of a database.
August 15, 2002
Reported August 15, 2002, by Microsoft.
VERSIONS AFFECTED
Microsoft SQL Server 2000
Microsoft SQL Server 7.0
Microsoft Desktop Engine (MSDE) 2000
Microsoft Desktop Engine (MSDE) 1.0
DESCRIPTION
A vulnerability exists in SQL Server and MSDE that can result in an unprivileged user gaining control of a database. This vulnerability stems from weak default permissions on extended stored procedures that let the unprivileged user run these stored procedures with Administrator privileges. The affected extended stored procedures are:
xp_execresultset
xp_printstatements
xp_displayparamstmt
Detailed information regarding this vulnerability is available on the discoverer’s Website.
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-043 (Cumulative Patch for SQL Server) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the security bulletin.
CREDIT
Discovered by David Litchfield of NGSSoftware.