Signature Detail

DB: MS-SQL SP_START_JOB Program Execution

This signature detects attempts to use the sp_start_job command on a Microsoft SQL Server 2000 database. A successful attack can allow the attackers to execute arbitrary code.

Extended Description

Microsoft SQL Server 2000 uses an Agent which is responsible for restarting the SQL Server service, replication, and running scheduled jobs. Some of the jobs that the Agent executes have weak permissions, which could allow a user with low permissions to perform actions on the database in the context of the SQL Server Service Account when used in conjunction with the Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability (BID 5481).

Affected Products

• Microsoft data_engine_2000
• Microsoft data_engine_(msde) 1.0
• Microsoft sql_server 7.0
• Microsoft sql_server 7.0 SP1
• Microsoft sql_server 7.0 SP2
• Microsoft sql_server 7.0 SP3
• Microsoft sql_server 7.0 SP4
• Microsoft sql_server_2000 SP1
• Microsoft sql_server_2000 SP2
• Microsoft sql_server_2000

References

• BugTraq: 5483
• CVE: CVE-2002-1138
• URL: http://www.xatrix.org/article.php?s=1851
• URL: http://www.microsoft.com/technet/security/bulletin/ms02-056.mspx
• URL: http://www.microsoft.com/technet/security/bulletin/ms02-043.mspx