Bugtraq mailing list archives
Re: Microsoft Security Bulletin (MS00-048)
From: rwaymi () MICROSOFT COM (Richard Waymire)
Date: Tue, 11 Jul 2000 12:40:07 -0700
for 2) The service account for SQL Server only needs SETCB privs if you want xp_cmdshell to be callable by a non-sql server system administrator. Otherwise you can revoke this right and SQL Server will still function correctly.

for 3) Yes, the vulnerability allowed this. A basic misunderstanding between what you're saying for #3 and what I'm saying is that I'm assuming you have patched your server and then carrying the discussion forward. Clearly you are at great risk without this patch being applied.

Richard

Richard Waymire, MCT, MCSE+I, MCSD, MCDBA
SQL Server Enterprise Program Manager

-----Original Message-----
From: Mikael Olsson [mailto:mikael.olsson () enternet se]
Sent: Tuesday, July 11, 2000 12:26 PM
To: Richard Waymire
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Microsoft Security Bulletin (MS00-048)

Richard Waymire wrote:
> What bug do you see here? The only way this can work as you describe is if the site administrator screws up on several fronts:
> 1) Improper filtering of the data they pass through to SQL Server
> 2) Running SQL Server as an administrator (not necessary)
> 3) Having the web site log in to SQL Server as a system administrator (big mistake in any event)
> Only when those things happen will the "bug" you mention take place.
I definitely agree on 1) -- all input data should be properly filtered. However, about 4 out of 5 home brew ASP applications that I look at during security reviews do NOT filter their input data. Let's assume no filtering and try to limit damages.

On 2) -- the SQL Server has to run with a user that has SE_TCB privileges, no? (Or it won't be able to log on as other users). With these privileges, you can do pretty much anything, since you're allowed to poke around directly in the system's permission tables. With full local access, it becomes an easy task to install a trojan that waits for the domain administrator to log on, no? (Let's not begin this discussion and leave it at "full local access doesn't do anything to improve your ulcer")

On 3) -- I didn't see this mentioned in the advisory? The advisory only stated that the tables and SPs needed to be owned by the SA, and that the attacker "needed to be able to authenticate". I took this as the attacker could authenticate as pretty much anyone, which any web server happily does for you. Is the advisory just Plain Wrong(tm) or did I miss something?

Looking forward to your answers,
/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00  Fax: +46-(0)660-122 50  Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se  E-mail: mikael.olsson () enternet se
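Point 1) of the exchange above, form input pasted straight into a SQL statement, shown as an added example that is not part of the Bugtraq thread and not Microsoft's or EnterNet's code. Python's sqlite3 module stands in for SQL Server and ASP, and the customers table and its two rows are constructed for the demo; the input used is an ordinary surname containing an apostrophe, which is enough to show that unfiltered concatenation lets data change the statement, while a bound parameter keeps the statement text fixed.

```python
# Added example (not from the thread): "improper filtering" of input that is
# passed through to the database, with an in-memory SQLite database standing
# in for SQL Server. Table and sample rows are constructed for the demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed customers table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("Alice",), ("O'Brien",)],
    )
    conn.commit()
    return conn


def build_query_unfiltered(name: str) -> str:
    """The pattern the thread describes: form input concatenated into SQL.

    Whatever the user typed becomes part of the statement text, so quote
    characters in the input change the structure of the query.
    """
    return "SELECT id, name FROM customers WHERE name = '" + name + "'"


def lookup_unfiltered(conn: sqlite3.Connection, name: str):
    """Run the concatenated query. A name with an apostrophe already breaks
    it, which is the same mechanism that makes the pattern exploitable."""
    return conn.execute(build_query_unfiltered(name)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """The fix: the statement text is fixed and the value travels as a bound
    parameter, so the database never parses user input as SQL."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def concatenation_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query fails or returns different rows than
    the parameterized one for the same input, i.e. the input altered the SQL."""
    expected = lookup_parameterized(conn, name)
    try:
        return lookup_unfiltered(conn, name) != expected
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    for n in ["Alice", "O'Brien"]:
        print(n, "-> parameterized:", lookup_parameterized(db, n),
              "| concatenation altered the query:", concatenation_breaks(db, n))
```

The same separation of statement and data is what ADO parameter objects give an ASP page; filtering input characters is a weaker second line, since the parameterized form works regardless of what the input contains.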