SA0236 : The xp_cmdshell system stored procedure used |
 |
Using the xp_cmdshell poses a security risk.
DescriptionThe issue at hand is the potential security vulnerability introduced by the use of xp_cmdshell in T-SQL code. This extended stored procedure is capable of executing system commands directly from the SQL Server environment. While this functionality may offer convenience, it also opens up significant security risks since it bypasses usual database access controls and can be exploited to run unauthorized commands on the server’s operating system.
For example:
1-- Example of risky use of xp_cmdshell 2EXEC xp_cmdshell 'dir C:';
The above query allows a user to execute operating system commands, which can escalate into misuse of the server if unauthorized users gain access. This practice contradicts SQL Server best practices for maintaining security and stability.
-
Potential for unauthorized access to server resources.
-
Risk of escalated privileges if attackers exploit the functionality.
How to fixMitigate the security risks associated with using xp_cmdshell in T-SQL code by following these steps.
Follow these steps to address the issue:
-
Review the necessity of using xp_cmdshell and explore alternative approaches to achieve the same functionality without direct shell command execution.
-
If xp_cmdshell is unavoidable, avoid building direct dependencies on xp_cmdshell within your application.
-
Configure the xp_cmdshell Proxy Account to use an unprivileged account, and ensure that the SQL Server instance’s service account has the least privileges required.
-
Instead of granting EXECUTE permissions directly on xp_cmdshell, encapsulate xp_cmdshell calls within a custom stored procedure with controlled access.
-
Avoid concatenating any user- or application-supplied string parameters to commands executed through xp_cmdshell. If string parameters must be included, escape special characters to prevent code injection, such as by adding the shell escape character (^).
For example:
1-- Example of secured xp_cmdshell use within a stored procedure 2CREATE PROCEDURE SafeProcedure AS 3BEGIN 4 EXEC xp_cmdshell 'echo HelloWorld'; 5END;
ScopeThe rule has a Batch scope and is applied only on the SQL script.
ParametersRule has no parameters.
RemarksThe rule does not need Analysis Context or SQL Connection.
Effort To FixCategoriesDesign Rules, Security Rules
Additional InformationExample Test SQL|
SQL
1xp_cmdshell 'whoami.exe' 2 3EXECUTE xp_cmdshell 'whoami.exe' ; 4 5EXEC master..xp_cmdshell 'dir *.exe' 6 7DECLARE @result int; 8EXEC @result = xp_cmdshell 'dir *.exe'; |
Analysis Results| Message | Line | Column | |
|---|---|---|---|
| 1 | SA0236 : The xp_cmdshell system stored procedure used. | 1 | 0 |
| 2 | SA0236 : The xp_cmdshell system stored procedure used. | 3 | 8 |
| 3 | SA0236 : The xp_cmdshell system stored procedure used. | 5 | 13 |
| 4 | SA0236 : The xp_cmdshell system stored procedure used. | 8 | 15 |
See Also