Privilege-Elevation Vulnerability in SQL Server Web Tasks

David Litchfield of Next Generation Security Software discovered a vulnerability that lets users with PUBLIC permissions execute the xp_runwebtask extended system stored procedure and perform inserts, deletes, and updates on the Web tasks table.

ITPro Today

October 23, 2002


David Litchfield of Next Generation Security Software discovered a vulnerability that lets users with PUBLIC permissions execute the xp_runwebtask extended system stored procedure and perform inserts, deletes, and updates on the Web tasks table, as reported by Ken Pfeil on the Security Administrator Web site (http://www.secadministrator.com/articles/index.cfm?articleid=27033). Attackers can elevate their privileges by updating a database owner's Web task and executing the task through the stored procedure. Attackers could then, for example, run OS commands or add themselves to the SYSADMIN group. The vulnerability affects SQL Server 2000 and 7.0, Microsoft Desktop Engine (MSDE) 2000, and Microsoft Data Engine 1.0. Microsoft has released Security Bulletin MS02-061 (Elevation of Privilege in SQL Server Web Tasks) and recommends that affected users apply the cumulative patch mentioned in the bulletin. For complete information, go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp, and for details of the vulnerability discovery, go to http://www.nextgenss.com/advisories/mssql-webtasks.txt.
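The root of the issue described above is that the PUBLIC role holds rights it should not have on two objects: execute on xp_runwebtask and data-modification rights on the Web tasks table. The T-SQL below is an added audit example for SQL Server 2000 / 7.0, not code from the article, the bulletin, or the NGSSoftware advisory. It lists who holds permissions on those objects so an administrator can confirm whether a server is exposed before and after patching. The table name msdb.dbo.mswebtasks is assumed from the SQL Server 2000 system catalog; the article only calls it the "Web tasks table".

```sql
-- Added audit example (not from the article): list permissions on the two
-- objects named in MS02-061 and show any rows held by PUBLIC (uid 0).
USE master;
GO
-- Who may execute the extended stored procedure? The advisory says PUBLIC can.
EXEC sp_helprotect @name = 'xp_runwebtask';
GO

USE msdb;
GO
-- The "Web tasks table" is assumed to be msdb.dbo.mswebtasks.
EXEC sp_helprotect @name = 'mswebtasks';
GO

-- Same information straight from the catalog, filtered to the PUBLIC role.
-- action codes: 193 SELECT, 195 INSERT, 196 DELETE, 197 UPDATE, 224 EXECUTE
-- protecttype: 204 GRANT WITH GRANT OPTION, 205 GRANT, 206 DENY
SELECT  o.name                          AS object_name,
        USER_NAME(p.uid)                AS grantee,
        CASE p.action
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            ELSE CAST(p.action AS varchar(8))
        END                             AS permission,
        CASE p.protecttype
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
            ELSE CAST(p.protecttype AS varchar(8))
        END                             AS state
FROM    sysprotects p
JOIN    sysobjects  o ON o.id = p.id
WHERE   o.name = 'mswebtasks'
  AND   p.uid  = 0;            -- uid 0 is the PUBLIC role
GO
```

Any GRANT rows for public on INSERT, UPDATE or DELETE against mswebtasks, or EXECUTE on xp_runwebtask, mean unprivileged logins can alter a database owner's task and run it, which is the elevation path the article describes. The fix the article recommends is the cumulative patch in MS02-061; rerun the audit after patching to confirm the grants are gone rather than assuming the patch took effect.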
