SQL Server Privilege Escalation via DatabaseManager-role: Newly discovered Attack Paths Explained
Read OriginalThis article details two newly discovered privilege escalation paths in SQL Server where members of the ##MS_DatabaseManager## server-role can escalate to sysadmin. The first path abused the sp_syspolicy_purge_history stored procedure and was fixed in recent updates. The second path, which Microsoft decided not to fix, relies on database lifecycle operations and indirect execution through system components. The article emphasizes that ALTER ANY DATABASE permission is sufficient for the attack. It provides practical recommendations including reviewing permissions, implementing server auditing, and adding database auditing on system databases. The findings highlight risks from indirect execution paths, overly broad permissions, and assumptions about safe capabilities.
Comments
No comments yet
Be the first to share your thoughts!
Browser Extension
Get instant access to AllDevBlogs from your browser
Top of the Week
No top articles yet