
Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability

Microsoft has reported a vulnerability in SQL Server. According to the report, the vulnerability may be exploited by malicious database users to elevate privileges.

Web Tasks create HTML files containing queried data. They are invoked with a stored procedure. By default, the privileges required to execute the stored procedure are minimal. This poses a threat, as unprivileged SQL users may run the procedure and invoke Web Tasks, which may result in elevated privileges.

In addition, the table that stores Web Tasks has weak permission settings. Malicious users may also be able to modify, delete or create Web Tasks, further compounding the threat.
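
To check a server for both conditions described above, the following T-SQL lists every permission recorded on web task objects. It is an added example, not part of the original advisory or Microsoft's report. It assumes the SQL Server 7.0/2000 catalog tables (`sysprotects`, `sysobjects`, `sysusers`) and that the web task procedures live in `master` and the task table in `msdb`, with `webtask` in their names; the page itself does not name these objects.

```sql
-- Added audit example: who holds which permission on web task objects.
-- Assumptions (not stated on the page): SQL Server 7.0/2000 catalogs;
-- web task procedures in master, task table in msdb, names contain 'webtask'.
SELECT 'master' AS db,
       o.name   AS object_name,
       o.xtype  AS object_type,          -- P = procedure, X = extended proc, U = table
       u.name   AS grantee,
       CASE p.action                     -- sysprotects action codes
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            ELSE CAST(p.action AS varchar(10))
       END      AS permission,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END      AS state
FROM   master.dbo.sysprotects p
JOIN   master.dbo.sysobjects  o ON o.id  = p.id
JOIN   master.dbo.sysusers    u ON u.uid = p.uid
WHERE  o.name LIKE '%webtask%'
UNION ALL
SELECT 'msdb',
       o.name,
       o.xtype,
       u.name,
       CASE p.action
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            ELSE CAST(p.action AS varchar(10))
       END,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END
FROM   msdb.dbo.sysprotects p
JOIN   msdb.dbo.sysobjects  o ON o.id  = p.id
JOIN   msdb.dbo.sysusers    u ON u.uid = p.uid
WHERE  o.name LIKE '%webtask%'
ORDER  BY db, object_name, grantee;
```

Rows showing `EXECUTE` on a procedure, or `INSERT`, `UPDATE` or `DELETE` on the task table, granted to `public` or another low-privilege principal correspond to the weak defaults the advisory describes.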







 

Copyright 2008, SecurityFocus