You only need to be granted the bulkadmin fixed server role to execute
BULK INSERT. You do NOT need to have sysadmin to execute BULK INSERT
(yes, I have tested this several times).
So this vulnerability leads to a privilege escalation.
Regards,
Aaron
_______________________________
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-490-6022
Fax: 212-490-6456
- Protection Where It Counts -
-----Original Message-----
From: Hall, Philip [mailto:phall@spss.com]
Sent: Thursday, July 11, 2002 10:57 AM
To: bugtraq@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com;
vulnwatch@vulnwatch.org
Subject: RE: Microsoft SQL Server 2000 'BULK INSERT' Buffer Overflow
(#NISR11072002)
> To be able to use the 'BULK INSERT' query one must have the
> privileges of the database owner or dbo. Note this does not
> necessarily imply 'sa' equivalence.
In fact, you need to be a member of the sysadmin and bulkadmin fixed
server roles to be able to execute BULK INSERT, both of these have to be
explicitly set, if you're not user 'sa'
--phil
This archive was generated by hypermail 2.1.3 : Fri Jul 12 2002 - 04:53:30 CEST