Re: [PEN-TEST] SQL Server blank account

[Stephen Arehart <sarehart () CELLOMICS COM>]

Seth:
        Greetings! I hope you're doing well!
        I'm no hacker, but depending on how SQL Server is installed, if the
xp_cmdshell stored procedure is available, this can be a real problem.
Consider the following queries:

osql -E -q "xp_cmdshell 'net user foo bar /add'"  /* Adds local user "foo"
with password of "bar" to local machine. */
osql -E -q "xp_cmdshell 'net user Administrators foo /add' /* puts foo in
the Administrator's group. */

At which point, the foo account can do whatever it desires.

One can attempt such a hack by examining database statements in application
code. For instance, consider the following SQL statement sent over as a post
request in a CGI script:

my $sql = "SELECT * from table where userid = $userid"; # in perl

and $userid is a parameter from a textbox on an HTML form. It's easy to fool
the cgi request by typing

user: foo; GO; xp_cmdshell 'net user foo bar /add';GO;

into the text box. At this point, $userid = "foo; GO; xp_cmdshell 'net user
foo bar /add'; GO;

The user presses the "submit" button on the form and....bingo! They now have
an account on the local machine.
This explanation is a little terse; see
http://packetstorm.securify.com/0002-exploits/rfp2k01.txt for a more
in-depth explanation - basically it amounts to fooling the database into
executing stuff it shouldn't. This is a problem for applications that don't
check their input parameters well.
        Usually SQL Server is installed under the security context of the
local admin or under the "LocalSystem" account("setuid Admin"), so the
command prompt called from the xp_cmdshell procedure runs under Admin
context (the commands above would certainly then work).
If some really smart person decided to have a domain-level account that runs
SQL Server *without* removing this stored procedure, and that account was
given admin access, it's possible through the similar procedure to add a
user to the domain and promote them to a domain admin.

Drop the xp_cmdshell from your install - you'll feel better.
Check out http://www.sqlsecurity.com for other interesting tidbits. Good
luck!

==================================
Stephen V. Arehart
Database Application Development
Software Engineering
Cellomics, Inc.
mailto: sarehart () cellomics com
http://www.cellomics.com
==================================


> -----Original Message-----
> From: Seth Georgion [mailto:sgeorgion () E-CLOSER COM]
> Sent: Tuesday, August 29, 2000 12:20 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: [PEN-TEST] SQL Server blank account
>
>
> Okay, so here is a question that we've encountered,
> internally, that seems
> to have been made more relevant by the recent Napster related
> defacements.
> Specifically, how is it that a hacker can subvert a system,
> i.e. deface web
> pages, change user accounts, on a system with a SQL
> installation and a known
> username and password. For example let's say you have a
> Windows machine with
> an IIS install and a SQL install, given an attacker with a valid,
> administrator SQL username and password how would they be able to take
> control of the server?