Bugtraq mailing list archives
Re: Microsoft Security Bulletin (MS00-048)
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Tue, 11 Jul 2000 21:25:41 +0200
Richard Waymire wrote:
> What bug do you see here? The only way this can work as you describe is if the site administrator screws up on several fronts:
>
> 1) Improper filtering of the data they pass through to SQL Server
> 2) Running SQL Server as an administrator (not necessary)
> 3) Having the web site log in to SQL Server as a system administrator (big mistake in any event)
>
> Only when those things happen will the "bug" you mention take place.
I definitely agree on 1) -- all input data should be properly filtered. However, about 4 out of 5 home brew ASP applications that I look at during security reviews do NOT filter their input data. Let's assume no filtering and try to limit damages.

On 2) -- the SQL Server has to run with a user that has SE_TCB privileges, no? (Or it won't be able to log on as other users). With these privileges, you can do pretty much anything, since you're allowed to poke around directly in the system's permission tables. With full local access, it becomes an easy task to install a trojan that waits for the domain administrator to log on, no? (Let's not begin this discussion and leave it at "full local access doesn't do anything to improve your ulcer")

On 3) -- I didn't see this mentioned in the advisory? The advisory only stated that the tables and SPs needed to be owned by the SA, and that the attacker "needed to be able to authenticate". I took this as the attacker could authenticate as pretty much anyone, which any web server happily does for you.

Is the advisory just Plain Wrong(tm) or did I miss something?

Looking forward to your answers,
/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se