NGSSoftware Insight Security Research Advisory

Name: sp_MSSetServerPropertiesn and sp_MSsetalertinfo
Systems: Microsoft SQL Server 2000
Severity: Low Risk
Category: Configuration
Vendor URL: http://www.microsoft.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL:
http://www.ngssoftware.com/advisorie...Properties.txt
Date: 3rd September 2002
Advisory number: #NISR03092002A


Details
*******
sp_MSSetServerProperties is a stored procedure for internal use.
sp_MSSetServerProperties calls xp_instance_regwrite to change whether SQL
Server starts up automatically or manually and as the 'public' role can
execute this stored procedure, by default, it means that low privileged
users can modify this. This is a low risk issue. It does not allow an
attacker to compromise the server or data but may be used in conjunction
with another attack. For example an attacker may not want SQL Server to
restart on server reboot if they set a shell listening on TCP port 1433.

The sp_MSsetalertinfo stored procedure can be execute by the public role and
allows low privileged users to modify alert information such as the e-mail
address where alerts should be sent to.


Fix Information
***************
NGSSoftware alerted Microsoft to these problems on the 22nd of August. SQL
Server administrators are advised to disallow the 'public' role from
executing these stored procedure using the following Transact SQL.

use master
go
drop execute on [sp_MSSetServerProperties] to [public]
go
drop execute on [sp_MSsetalertinfo] to [public]
go

A check and fix for these problems have been added to NGSSQUirreL, an SQL
Server security management tool, of which more information is available from
the NGSSite: http://www.nextgenss.com/.