APPENDIX B

Dangerous Extended Stored Procedures

The following stored procedures could allow an attacker to gain information about the server or to perform actions that could lead to the compromise of the machine. Permissions on these SQL Server stored procedures should be carefully controlled, and should not be granted to the public role. Alternatively, the procedures can be removed entirely from the database:

use master
exec sp_dropextendedproc 'xp_regread'

SQLSecurity.com provides scripts to drop and restore potentially dangerous stored procedures (Extended Stored Proc Removal and Restore Scripts at http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26). These scripts can be used when installing service packs that require extended stored procedure access.

If procedures are dropped, it is also a good idea to remove the DLL that contains them, to prevent an attacker from re-adding them with sp_addextendedproc. The functions exported by a DLL can be viewed using the dumpbin tool, which is included with Microsoft Visual Studio:

C:\Program Files\Microsoft SQL Server\MSSQL\Binn>dumpbin /exports xplog70.dll

Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation.  All rights reserved.
Dump of file xplog70.dll

File Type: DLL

  Section contains the following exports for XPLOG70.dll

    00000000 characteristics
    398D1636 time date stamp Sun Aug 06 08:39:34 2000
        0.00 version
           1 ordinal base
           8 number of functions
           8 number of names

    ordinal hint RVA      name

          1    0 00001055 __GetXpVersion
          2    1 00001073 xp_cmdshell
          3    2 00001082 xp_enumgroups
          4    3 00001037 xp_logevent
          5    4 0000108C xp_loginconfig
          6    5 00001005 xp_msver
          7    6 0000101E xp_sprintf
          8    7 00001069 xp_sscanf

  Summary

        1000 .CRT
        3000 .data
        1000 .idata
        1000 .rdata
        1000 .reloc
        1000 .rsrc
        A000 .text

Alternatively, exports can be viewed with commercial tools such as PE Explorer (http://www.heaventools.com/download.htm).
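
The following Python sketch is an added example, not part of the original appendix. It parses `dumpbin /exports` output and reports which dropped procedures could still be re-added because their DLL remains on disk; the `dropped` list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the export rows from the dumpbin listing above.
SAMPLE_DUMPBIN = """\
    ordinal hint RVA      name

          1    0 00001055 __GetXpVersion
          2    1 00001073 xp_cmdshell
          3    2 00001082 xp_enumgroups
          4    3 00001037 xp_logevent
          5    4 0000108C xp_loginconfig
          6    5 00001005 xp_msver
          7    6 0000101E xp_sprintf
          8    7 00001069 xp_sscanf

  Summary
"""

HEADER = re.compile(r"^\s*ordinal\s+hint\s+RVA\s+name\s*$")
ROW = re.compile(r"^\s*\d+\s+[0-9A-Fa-f]+\s+[0-9A-Fa-f]{8}\s+(\S+)")


def parse_exports(dumpbin_text):
    """Return the exported names listed in `dumpbin /exports` output."""
    names, in_table = [], False
    for line in dumpbin_text.splitlines():
        if HEADER.match(line):
            in_table = True
        elif in_table and line.strip() == "Summary":
            break
        elif in_table:
            m = ROW.match(line)
            if m:
                names.append(m.group(1))
    return names


def review_dll(dumpbin_text, dropped):
    """Compare a DLL's xp_ exports with the procedures already dropped.

    `dropped` is a hypothetical input: names removed with sp_dropextendedproc.
    Exports not in it are assumed to be still registered and in use.
    """
    dropped = {name.lower() for name in dropped}
    xps = [n for n in parse_exports(dumpbin_text) if n.lower().startswith("xp_")]
    re_addable = sorted(n for n in xps if n.lower() in dropped)
    still_registered = sorted(n for n in xps if n.lower() not in dropped)
    return {
        "re_addable": re_addable,              # dropped, but DLL still on disk
        "still_registered": still_registered,  # would break if DLL is removed
        "safe_to_remove": bool(xps) and not still_registered,
    }
```

A DLL is reported as safe to remove only when every `xp_` export it contains has been dropped; otherwise the `still_registered` list shows which procedures would stop working.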
