Privilege Elevation Vulnerability in Microsoft SQL Server and Microsoft Desktop Engine

Reported August 15, 2002, by Microsoft.



  • Microsoft SQL Server 2000

  • Microsoft SQL Server 7.0

  • Microsoft Desktop Engine (MSDE) 2000

  • Microsoft Desktop Engine (MSDE) 1.0



A vulnerability exists in SQL Server and MSDE that can result in an unprivileged user gaining control of a database. This vulnerability stems from weak default permissions on extended stored procedures that let the unprivileged user run these stored procedures with Administrator privileges. The affected extended stored procedures are:

  • xp_execresultset

  • xp_printstatements

  • xp_displayparamstmt


Detailed information regarding this vulnerability is available on the discoverer’s Web site.




The vendor, Microsoft, has released Security Bulletin MS02-043 (Cumulative Patch for SQL Server) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the security bulletin.


Discovered by David Litchfield of NGSSoftware.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.