SQLServer 2012 Performance Dashboard security risk

  • Question

  • When you install "Microsoft® SQL Server® 2012 SP1 Performance Dashboard Reports" from the SQL Server 2012 SP1 Feature Pack, for example in a startup script with the following command, it leaves an ELEVATED notepad.exe running in the SYSTEM security context with a readme open! Any standard user can use it to start further elevated processes.

    "%SystemRoot%\System32\msiexec.exe" /i "SQLServer2012_PerformanceDashboard.msi" /Quiet /passive /norestart /l* "%Temp%\SQLServer2012_PerformanceDashboard.log.txt"

    http://go.microsoft.com/fwlink/?LinkID=268168
    http://www.microsoft.com/en-us/download/details.aspx?id=29063
    http://www.microsoft.com/en-us/download/details.aspx?id=35580

    Epic

    Tuesday, March 19, 2013 1:52 PM

All replies

  • Hi Epic,

    Based on my test, the readme.txt is opened automatically after the SQL Server 2012 Performance Dashboard is installed successfully, no matter whether we install it silently from the command line or install it manually. The readme.txt guides us on how to use the Performance Dashboard. If you like, you can go ahead and remove this txt file from the following folder:
    C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Performance Dashboard

    Regarding the "SAPBINOTEPAD = notepad.exe" entry within the Performance Dashboard installation log file, it is a common entry during the installation of a .MSI file.

    Hope this helps.

    Regards,
    Mike Yin
    TechNet Community Support

    Friday, March 22, 2013 10:30 AM
  • Hello Mike,

    How does your answer help us mitigate the security risk I have explained?

    I may have to repeat:

    The Setup leaves an ELEVATED notepad.exe in the SYSTEM security context with a readme open! Any standard user can use it to start further elevated processes. This is an "elevation of privileges" problem.

    Cheers,

    Epic F.

    Friday, March 22, 2013 3:43 PM
  • Maybe I'm missing something here, but if I understand this correctly, you start the Setup, whereupon it requests admin privileges and you have to confirm the UAC prompt. When Setup is completed, there is a Notepad window running with admin permission.

    I can't see how a standard user could take benefit of this. If a standard user were to run the setup, setup would probably find that permissions are lacking. The only way the standard user could take benefit of the elevated Notepad window is if you leave the computer without locking the keyboard. Then again, in that case someone could just find notepad.exe and right-click it and select Run As Administrator.

    What possibly could be a risk is that if you don't see the Notepad window, or just let it sit there, some malware could communicate with it and make it do bad things.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Friday, March 22, 2013 10:29 PM
  • Hello Erland,

    Indeed, you missed something - the use case that was described in the first sentence of the original post: deployment via startup script.

    It probably also occurs with Group Policy Software management.

    1.) Package is installed in a startup script

    2.) Standard user logs on

    3.) Standard user sees the open notepad with the readme

    4.) Standard user uses the File --> Open dialog to browse to System32 and launch cmd.exe (or anything else like powershell, gpedit...)

    5.) Standard user has an elevated shell / whatever

    Regarding "malware could communicate with...": although it is running on the same desktop, as of Windows 6.0 the situation is: "The OS does include some protective measures to keep the obvious and unnecessary avenues of communication blocked, but it would be impossible and undesirable to block them all. Therefore, Microsoft does not consider breaches of that nonexistent security boundary to be security breaches."

    Saturday, March 23, 2013 7:45 AM
  • Even if you remove the readme file notepad will still be started...
    Saturday, March 23, 2013 7:51 AM
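One way to close the window of exposure that Epic describes in the startup-script scenario, as an added example that is not code from the thread or from Microsoft: wrap the msiexec command from the original post so that any notepad.exe the installer leaves behind is logged and terminated before a user can log on. The MSI path is an assumption; the readme folder is the one Mike Yin names.

```powershell
# Added example (not from the thread): startup-script wrapper around the install command
# from the original post. It records the notepad.exe instances that exist beforehand, runs
# the installer, then terminates any notepad.exe that appeared during the install window.
$Msi       = 'C:\Deploy\SQLServer2012_PerformanceDashboard.msi'  # assumed deployment path
$LogFile   = "$env:Temp\SQLServer2012_PerformanceDashboard.log.txt"
$ReadmeDir = 'C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Performance Dashboard'

# Snapshot of notepad.exe PIDs before setup, so only instances spawned by setup are touched.
$before = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'notepad.exe'" |
            Select-Object -ExpandProperty ProcessId)

$setup = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
    -ArgumentList @('/i', "`"$Msi`"", '/quiet', '/passive', '/norestart', '/l*', "`"$LogFile`"") `
    -Wait -PassThru
Write-Output "msiexec exit code: $($setup.ExitCode)"

# The readme is opened at the very end of setup; allow it a moment to start.
Start-Sleep -Seconds 5

$leftover = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'notepad.exe'" |
              Where-Object { $before -notcontains $_.ProcessId })

foreach ($p in $leftover) {
    # Record who the process runs as and which file it opened, for the deployment log.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $who   = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    $fromReadme = $p.CommandLine -like "*$ReadmeDir*"
    Write-Output ("Terminating notepad.exe PID {0} (owner {1}, session {2}, readme={3}): {4}" -f
        $p.ProcessId, $who, $p.SessionId, $fromReadme, $p.CommandLine)
    Stop-Process -Id $p.ProcessId -Force
}
if ($leftover.Count -eq 0) { Write-Output 'No notepad.exe left behind by setup.' }
```

Run it in the same SYSTEM context as the original startup script; the log lines make it easy to confirm in the deployment log whether the elevated editor was actually spawned on a given machine.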