Vigil@nce - Microsoft SQL Server: privilege elevation via RESTORE DATABASE
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, who has to CREATE DATABASE privilege, can
restore a database, in order to gain system privileges.
Severity: 1/4
Creation date: 12/04/2012
IMPACTED PRODUCTS
– Microsoft SQL Server
DESCRIPTION OF THE VULNERABILITY
The RESTORE DATABASE command is used to create a database from a
dump file. The user must have the CREATE DATABASE privilege, in
order to be allowed to use this command.
However, if the dump contains special SQL queries, they are
injected in the database, and run with privileges of the system
administrator. Technical details are unknown.
A local attacker, who has to CREATE DATABASE privilege, can
therefore restore a database, in order to gain system privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN