Signature Detail

DB: MS-SQL Stored Procedure Arbitrary File Access

This signature detects attempts to exploit a known vulnerability in Microsoft SQL Server 2000 and 7. Attackers can call one of four stored procedures (sp_add_job, sp_add_jobstep, sp_add_jobserver, sp_start_job) to create or overwrite arbitrary files on the server.

Extended Description

Microsoft SQL Server 2000 uses an Agent which is responsible for restarting the SQL Server service, replication, and running scheduled jobs. Some of the jobs that the Agent executes have weak permissions, which could allow a user with low permissions to perform actions on the database in the context of the SQL Server Service Account when used in conjunction with the Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability (BID 5481).

Affected Products

• Microsoft Data Engine 2000
• Microsoft Data Engine (MSDE) 1.0
• Microsoft SQL Server 7.0
• Microsoft SQL Server 7.0 SP1
• Microsoft SQL Server 7.0 SP2
• Microsoft SQL Server 7.0 SP3
• Microsoft SQL Server 7.0 SP4
• Microsoft SQL Server 2000 SP1
• Microsoft SQL Server 2000 SP2
• Microsoft SQL Server 2000

References

• CVE: CVE-2002-1138
• URL: http://www.microsoft.com/technet/security/Bulletin/MS02-043.mspx
• URL: http://www.nextgenss.com/advisories/mssql-esppu.txt