Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: Stephen Arehart <sarehart () CELLOMICS COM>
Date: Tue, 29 Aug 2000 14:19:22 -0400
Seth: Greetings! I hope you're doing well! I'm no hacker, but depending on how SQL Server is installed, if the xp_cmdshell stored procedure is available, this can be a real problem. Consider the following queries: osql -E -q "xp_cmdshell 'net user foo bar /add'" /* Adds local user "foo" with password of "bar" to local machine. */ osql -E -q "xp_cmdshell 'net user Administrators foo /add' /* puts foo in the Administrator's group. */ At which point, the foo account can do whatever it desires. One can attempt such a hack by examining database statements in application code. For instance, consider the following SQL statement sent over as a post request in a CGI script: my $sql = "SELECT * from table where userid = $userid"; # in perl and $userid is a parameter from a textbox on an HTML form. It's easy to fool the cgi request by typing user: foo; GO; xp_cmdshell 'net user foo bar /add';GO; into the text box. At this point, $userid = "foo; GO; xp_cmdshell 'net user foo bar /add'; GO; The user presses the "submit" button on the form and....bingo! They now have an account on the local machine. This explanation is a little terse; see http://packetstorm.securify.com/0002-exploits/rfp2k01.txt for a more in-depth explanation - basically it amounts to fooling the database into executing stuff it shouldn't. This is a problem for applications that don't check their input parameters well. Usually SQL Server is installed under the security context of the local admin or under the "LocalSystem" account("setuid Admin"), so the command prompt called from the xp_cmdshell procedure runs under Admin context (the commands above would certainly then work). If some really smart person decided to have a domain-level account that runs SQL Server *without* removing this stored procedure, and that account was given admin access, it's possible through the similar procedure to add a user to the domain and promote them to a domain admin. Drop the xp_cmdshell from your install - you'll feel better. Check out http://www.sqlsecurity.com for other interesting tidbits. Good luck! ================================== Stephen V. Arehart Database Application Development Software Engineering Cellomics, Inc. mailto: sarehart () cellomics com http://www.cellomics.com ==================================
-----Original Message----- From: Seth Georgion [mailto:sgeorgion () E-CLOSER COM] Sent: Tuesday, August 29, 2000 12:20 PM To: PEN-TEST () SECURITYFOCUS COM Subject: [PEN-TEST] SQL Server blank account Okay, so here is a question that we've encountered, internally, that seems to have been made more relevant by the recent Napster related defacements. Specifically, how is it that a hacker can subvert a system, i.e. deface web pages, change user accounts, on a system with a SQL installation and a known username and password. For example let's say you have a Windows machine with an IIS install and a SQL install, given an attacker with a valid, administrator SQL username and password how would they be able to take control of the server?
Current thread:
- Re: [PEN-TEST] SQL Server blank account Curphey, Mark (ISS Atlanta) (Aug 29)
- <Possible follow-ups>
- Re: [PEN-TEST] SQL Server blank account Forrest Rae (Aug 29)
- Re: [PEN-TEST] SQL Server blank account Stephen Arehart (Aug 29)
- [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] stacking SQL requests Nicolas Gregoire (Aug 30)
- Re: [PEN-TEST] stacking SQL requests M. Burnett (Aug 30)
- [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] SQL Server blank account Andrew Lawton (Aug 29)
- Re: [PEN-TEST] SQL Server blank account Alexander Sarras (SEA) (Aug 30)