AppDetective™ Update 2.5.70 - 20 August 2002
NEW CHECKS
Microsoft SQL Server (Pen Test/Security Audit)
Title: Agent Jobs Privilege Escalation
Summary: A security issue allows privilege escalation through the Agent service. By default, the public group is allowed to create jobs that the Agent runs. By crafting a malicious job that uses extended stored procedures such as xp_execresults, a non-privileged login can gain administrator privileges in the database.
Title: Extended Stored Procedure Privilege Upgrade
Summary: Three extended stored procedures can be used to escalate privileges. If a login is connected as a Windows account, these extended stored procedures allow the login to re-authenticate to the SQL Server using the privileges of the account running SQL Server.
Title: Public can create Agent jobs
Summary: A security issue allows privilege escalation through the Agent service. By default, the public group is allowed to create jobs that the Agent runs. By crafting a malicious job that uses extended stored procedures such as xp_execresults, a non-privileged login can gain administrator privileges in the database.
NEW FEATURE
Task Scheduler
Description:
Functionality added to schedule ASAP Updates.