Bugtraq mailing list archives
Re: Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B)
From: "Chip Andrews" <chip () sqlsecurity com>
Date: Mon, 26 Aug 2002 15:26:30 -0400
I'm not sure how you can categorize this as "human error" since the default SQL Server installation includes the 'guest' user in master, msdb, and tempdb databases. This gives all logins, no matter how lowly, access to those databases and objects inside that have permissions granted to the 'public' role. I think you'll find MS has been most gracious with those permissions. That, and the aforementioned buffer overflows, are the crux of the problem.

Chip Andrews
www.sqlsecurity.com

----- Original Message -----
From: "Brent Glover" <brent.glover () team telstraclear co nz>
To: <bugtraq () securityfocus com>
Sent: Sunday, August 25, 2002 5:01 PM
Subject: Re: Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B)
In-Reply-To: <015601c244d2$fa6f8a30$2500a8c0@HEPHAESTUS>

IMHO - This is more a human error driven feature than a high risk vulnerability. Whilst what David says is true - the assumption has been made that a login has access to the "msdb" database by default - this assumption is incorrect. The only way this vulnerability can be exploited is if a DBA (mad of course ;-)) has given access for a login account to the "msdb" database.

Brent Glover
Database specialist
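
An audit query for the two conditions discussed in this message (whether 'guest' is enabled in msdb, and what the 'public' role has been granted there), added here as an example and not part of the original thread. It assumes the catalog views of SQL Server 2005 and later, which postdate this post; change the USE statement to repeat the check for master and tempdb.

```sql
-- Added audit example (T-SQL); assumes SQL Server 2005+ catalog views.
USE msdb;

-- 1. Is 'guest' enabled in this database?
--    The guest user is usable only while it holds a granted CONNECT permission.
SELECT dp.name            AS principal_name,
       pe.permission_name,
       pe.state_desc      -- GRANT means any login without its own user maps to guest
FROM sys.database_principals  AS dp
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = dp.principal_id
WHERE dp.name = N'guest'
  AND pe.class = 0                        -- database-level permission
  AND pe.permission_name = N'CONNECT';

-- 2. What does every database user, guest included, inherit through 'public'?
--    Lists object-level grants (tables, views, stored procedures) made to the role.
SELECT s.name             AS schema_name,
       o.name             AS object_name,
       o.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp
  ON dp.principal_id = pe.grantee_principal_id
JOIN sys.all_objects          AS o
  ON o.object_id = pe.major_id
JOIN sys.schemas              AS s
  ON s.schema_id = o.schema_id
WHERE dp.name = N'public'
  AND pe.class = 1                        -- object or column permission
  AND pe.state IN ('G', 'W')              -- GRANT, or GRANT WITH GRANT OPTION
ORDER BY o.type_desc, s.name, o.name, pe.permission_name;
```

A GRANT row from the first query combined with EXECUTE rows from the second means a login with no explicit user in the database can still run those procedures.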
Current thread:
- Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B) David Litchfield (Aug 16)
- <Possible follow-ups>
- Re: Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B) Brent Glover (Aug 26)
- Re: Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B) David Litchfield (Aug 26)
- Re: Microsoft SQL Server Agent Jobs Vulnerabilities (#NISR15002002B) Chip Andrews (Aug 27)