DTS Package SAVE AS - Possible security vulnerability?
augdaug
Grasshopper (10 reputation)

Group: General Forum Members
Points: 10 Visits: 205
I am posting this not only to point out what appears to be a security vulnerability but to hear opinions on how to resolve the issue.

The end result is this:
A developer working on physical server A can use the SAVE AS function to install a DTS package on physical server B although this developer has only connect and select rights to a single database on server B.

More detailed infrastructure overview:
1. Both physical servers are on the same domain.
2. Both servers are running only one (default) instance of SQL Server 2008.
3. Both servers use integrated Active Directory security.
4. User is not a member of any privileged group.
5. When user connects to Prod server via SSMS, as expected all rights are limited, the user cannot even view DTS packages.
6. If user builds a DTS package on the Test server and using the SAVE AS option, changes the server name to the Prod server, the package WILL BE created on the Prod server!

Thoughts?
Luis Cazares
SSCoach (16K reputation)

Group: General Forum Members
Points: 16701 Visits: 19108
It doesn't matter where the DTS is saved, because the connections aren't changed to the prod server.
What are you afraid of?


Luis C.
General Disclaimer:
Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?


How to post data/code on a forum to get the best help: Option 1 / Option 2
augdaug
Grasshopper (10 reputation)

Group: General Forum Members
Points: 10 Visits: 205
Actually, the package connections in this case had already been changed to point to production, in preparation for deployment; but to answer your question, I'm not afraid, as the ability to run the package in production is secured and I am not seeing any vulnerability at that level. My goal with this post was simply to validate through the community whether or not this issue should be considered a significant concern and, secondly, to garner advice on how to prevent it, as I'm sure my auditors are going to spot that the object creation date precedes the change request approval date and, after reading my documented explanation, they are likely to ask... What did I do in order to prevent unauthorized users from installing DTS packages to production servers in the future?
Andreas.Wolter
SSC Veteran (247 reputation)

Group: General Forum Members
Points: 247 Visits: 1056
Are you really talking about DTS?

For SSIS that user needs to be in a certain (ssis-)role, to be allowed to store packages in msdb.
No special risk there afaik

Andreas

---------------------------------------------------
MVP SQL Server
Microsoft Certified Master SQL Server 2008
Microsoft Certified Solutions Master Data Platform, SQL Server 2012
www.insidesql.org/blogs/andreaswolter
www.andreas-wolter.com
Erland Sommarskog
SSCrazy (2.1K reputation)

Group: General Forum Members
Points: 2129 Visits: 872
This is obviously a security issue, since this permits a user to replace an existing package that is scheduled to run with his own package which may do all sorts of evil things.

Now, you cannot accuse me of knowing too much about SSIS or DTS, but this much is clear: this is not a security flaw in SQL Server as such, but a problem in your environment.

Since I don't know SSIS/DTS, I don't know exactly how the connection is made, but I would guess that there is a linked server set up. It sounds as if this linked server has a login mapping so that this user maps to sa or somesuch on the prod server.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
augdaug
Grasshopper (10 reputation)

Group: General Forum Members
Points: 10 Visits: 205
Indeed, it is a DTS package; a legacy item from SQL2k that has yet to merit enough priority to migrate... maybe this issue will help to elevate that priority! ;-)
augdaug
Grasshopper (10 reputation)

Group: General Forum Members
Points: 10 Visits: 205
Thank you Erland for your input. We do use linked servers in our environment and this was something that I had not checked, but upon doing so, I found that there are no links between the production and development servers. I feel you are correct in thinking that this will likely be the result of incomplete or inaccurate passing of credentials between machines. I rechecked all rights that this user has on the production box, server and database, and all showed only a standard membership in a Public Active Directory group with only connect and read rights. I am puzzled over this. I have dug around, but can find no specific documentation about exactly what actions are being performed when the DTS Package Designer executes a save as action. All security documents that I can find refer to the required permissions to create or alter a package. Because we are now aware and alert to the issue, we are talking over potential test scenarios to try to trap the failure, but it will likely be a few weeks before we can do that kind of research. I will definitely post my findings here as discoveries are made and again, I appreciate your input.
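The thread never settles what the DTS designer's SAVE AS actually touches on the target server, nor how to audit who may do it. Legacy DTS packages live in msdb.dbo.sysdtspackages and are written through the msdb procedure sp_add_dtspackage, so the checks a defender wants are database-level checks in msdb on the production instance. The following T-SQL is an added example, not code from the thread: it lists who can reach msdb as guest, who holds EXECUTE on the DTS storage procedures (a grant to public, which includes guest, is what lets an otherwise read-only login save a package), and what packages exist with owner and creation time, which is also the evidence an auditor comparing creation dates to change approvals will ask for. The role name dts_deployers in the remediation step is assumed.

```sql
USE msdb;
GO

-- 1. Can logins with no explicit msdb user still get in? guest is enabled in
--    msdb by default, so such a login maps to guest and therefore to public.
SELECT dp.name, dp.type_desc,
       COALESCE(perm.state_desc, 'no CONNECT') AS connect_state
FROM sys.database_principals AS dp
LEFT JOIN sys.database_permissions AS perm
       ON perm.grantee_principal_id = dp.principal_id
      AND perm.class = 0                     -- class 0 = database-level permission
      AND perm.permission_name = 'CONNECT'
WHERE dp.name = 'guest';

-- 2. Who holds EXECUTE on the legacy DTS storage procedures? A GRANT to public
--    means any connected login, including guest, can save or drop packages here.
SELECT o.name AS procedure_name, pr.name AS grantee, pr.type_desc,
       perm.permission_name, perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.objects AS o
  ON o.object_id = perm.major_id AND perm.class = 1   -- class 1 = object
JOIN sys.database_principals AS pr
  ON pr.principal_id = perm.grantee_principal_id
WHERE o.name IN ('sp_add_dtspackage', 'sp_drop_dtspackage',
                 'sp_reassign_dtspackageowner', 'sp_get_dtspackage')
ORDER BY o.name, pr.name;

-- 3. Inventory for the change-control question: every stored DTS package,
--    its recorded owner and the login behind the owner SID, newest first.
SELECT p.name, p.versionid, p.createdate, p.owner,
       SUSER_SNAME(p.owner_sid) AS owner_login
FROM dbo.sysdtspackages AS p
ORDER BY p.createdate DESC;

-- 4. Remediation, to run only after step 2 confirms a grant to public: keep
--    the ability to save packages on a role used by the deployment process
--    alone (dts_deployers is an assumed name), and take it away from public.
CREATE ROLE dts_deployers;
GRANT EXECUTE ON dbo.sp_add_dtspackage TO dts_deployers;
GRANT EXECUTE ON dbo.sp_drop_dtspackage TO dts_deployers;
REVOKE EXECUTE ON dbo.sp_add_dtspackage FROM public;
REVOKE EXECUTE ON dbo.sp_drop_dtspackage FROM public;
GO
```

Re-run step 2 after the revoke to confirm that only dts_deployers and members of sysadmin (who bypass database permissions) can still save packages, and keep the output of step 3 with the change record.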