Full Report
While doing some prodding on SQL Server, I came across this newness (of course this is probably old hat to many SQL2005 DBAs). Essentially I was trying to track down something in sp_addserver. The source of this stored proc [System Databases\Master\System Stored Procedures\sys.sp_addserver] showed that another stored proc called sys.sp_MSaddserver_internal was being called. For the life of me, though, I could not track down sys.sp_MSaddserver_internal. Turns out the answer is reasonably well documented [SQL Books Online]: with 2005, MSFT moved stored procs and friends into a read-only hidden db. This can be made visible by copying the physical .mdf files and attaching them. [Process reasonably documented on the interwebs if you know what to search for]
Analysis Summary
# Main Topic
Discovery of hidden/internal SQL Server stored procedures (`sys.sp_MSaddserver_internal`) referenced by user-facing procedures (`sp_addserver`) due to Microsoft moving system objects into a hidden, read-only database in SQL Server 2005 and later versions.
## Key Points
- The author investigated the execution flow of `sys.sp_addserver` (located in the Master DB) and found it calls an internal procedure: `sys.sp_MSaddserver_internal`.
- `sys.sp_MSaddserver_internal` was not immediately locatable via standard SQL Server catalogs.
- The resolution is that Microsoft moved these system stored procedures into a hidden, read-only database starting with SQL Server 2005.
- These hidden database files (.mdf) can be accessed by copying the physical files and attaching them, a process documented online.
## Threat Actors
- None mentioned. The context describes a security research/discovery activity, not exploitation by threat actors.
## TTPs
- **Information Gathering/System Enumeration:** Probing and tracing the execution flow of standard SQL Server stored procedures (`sp_addserver`).
- **Database Discovery:** Identifying the location/mechanism for system objects hidden by default (i.e., recognizing the object relocation strategy used by MSFT).
## Affected Systems
- Microsoft SQL Server (specifically noted in relation to SQL Server 2005 and later versions).
- The system stored procedures (`sp_addserver`, `sys.sp_MSaddserver_internal`) residing within the Master system database and underlying hidden system DBs.
## Mitigations
- **Awareness:** DBAs and security professionals should be aware that core system stored procedures may rely on undocumented or hidden system databases/objects, necessitating knowledge of the physical database file structure for deep analysis.
- **Access Control:** While not directly related to hiding the proc, securing access to the physical system database files (`.mdf`) remains crucial.
## Conclusion
The core finding is that Microsoft changed where system stored procedures live, moving them into hidden, read-only system databases starting in SQL Server 2005. This is a standard architectural change, but it complicates security analysis and auditing unless the analyst knows how to locate and view the relocated objects by physically attaching the database files for inspection.