Bugtraq mailing list archives

Re: Microsoft Security Bulletin (MS00-048)


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Tue, 11 Jul 2000 21:25:41 +0200


Richard Waymire wrote:
What bug do you see here?  The only way this can work as you
describe is if the site administrator screws up on several
fronts:

1)  Improper filtering of the data they pass through to SQL Server
2)  Running SQL Server as an administrator (not necessary)
3)  Having the web site log in to SQL Server as a system
    administrator (big mistake in any event)

only when those things happen will the "bug" you mention take place.

I definitely agree on 1) -- all input data should be properly filtered.
However, about 4 out of 5 home brew ASP applications that I look at
during security reviews do NOT filter their input data. Let's assume
no filtering and try to limit damages.

On 2) -- the SQL Server has to run with a user that has SE_TCB
privileges, no? (Or it won't be able to log on as other users).
With these privileges, you can do pretty much anything, since
you're allowed to poke around directly in the system's permission
tables. With full local access, it becomes an easy task to
install a trojan that waits for the domain administrator to
log on, no? (Let's not begin this discussion and leave it at
"full local access doesn't do anything to improve your ulcer")

On 3) -- I didn't see this mentioned in the advisory? The
advisory only stated that the tables and SPs needed to be
owned by the SA, and that the attacker "needed to be
able to authenticate". I took this as the attacker could
authenticate as pretty much anyone, which any web server
happily does for you. Is the advisory just Plain Wrong(tm)
or did I miss something?

Looking forward to your answers,
/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
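As an added illustration of point 1, not part of the original post or of Microsoft's bulletin: the string-concatenated query pattern found in unfiltered ASP applications beside its parameterised replacement. sqlite3 stands in for SQL Server so the example runs offline, and the table and names are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the web application's
    back-end database (sqlite3 in place of SQL Server, for offline use)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Bob",)])
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """The home-brew pattern under discussion: user input is glued into the
    query text, so any quote in the input is parsed as SQL, not as data."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so the input cannot change the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run both versions on one input and return (vulnerable, safe) results.
    If the concatenated query no longer parses, the exception class name is
    returned in its place: proof that the input reached the SQL parser."""
    conn = make_db()
    try:
        vuln = vulnerable_lookup(conn, name)
    except sqlite3.Error as exc:
        vuln = type(exc).__name__
    return vuln, safe_lookup(conn, name)


if __name__ == "__main__":
    for value in ("Alice", "O'Brien"):
        print(repr(value), "->", compare(value))
```

A plain apostrophe in a legitimate name is enough to break the concatenated query, which is exactly the symptom that tells a reviewer the input is being interpreted as SQL; the parameterised version returns the matching row regardless.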