Category Archives: 2556

Lateral SQL injection in Oracle

David Litchfield has just released a paper showing that it is possible to perform SQL injection through DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that does not even take user input!


The trick is to run an "ALTER SESSION SET NLS_DATE_FORMAT" command to change the NLS date format so that, when the procedure converts a DATE value to a string and builds dynamic SQL from it, arbitrary SQL text is accepted as a "DATE" (even though it is not).
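To make the coding pattern concrete, here is an added PL/SQL example (not code from Litchfield's paper or from this post; the procedure names are made up) showing the unsafe concatenation of a DATE into dynamic SQL next to two hardened forms. The point is that a procedure with no caller-supplied parameter still takes input indirectly through the session's NLS_DATE_FORMAT, which any user can change with ALTER SESSION; a bind variable or an explicit format mask removes that dependence.

```sql
-- Added example, not from the paper or the post. Procedure names are invented.

-- Unsafe pattern: a DATE is concatenated straight into the SQL text.
-- The string produced by the implicit DATE-to-VARCHAR2 conversion depends on
-- the session's NLS_DATE_FORMAT, so the statement text is session-controlled
-- even though the procedure takes no parameters.
CREATE OR REPLACE PROCEDURE date_concat_unsafe AS
  v_stmt  VARCHAR2(400);
  v_count NUMBER;
BEGIN
  v_stmt := 'SELECT COUNT(*) FROM all_objects WHERE created = '''
            || SYSDATE || '''';
  EXECUTE IMMEDIATE v_stmt INTO v_count;
  DBMS_OUTPUT.PUT_LINE('objects created now: ' || v_count);
END;
/

-- Hardened (preferred): pass the DATE as a bind variable. The value never
-- becomes part of the SQL text, so NLS_DATE_FORMAT cannot influence it.
CREATE OR REPLACE PROCEDURE date_bind_safe AS
  v_now   DATE := SYSDATE;
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM all_objects WHERE created = :dt'
    INTO v_count USING v_now;
  DBMS_OUTPUT.PUT_LINE('objects created now: ' || v_count);
END;
/

-- Hardened (when concatenation is unavoidable): an explicit format mask on
-- both sides. TO_CHAR with a fixed mask yields only digits, dashes, spaces
-- and colons, so no quote character can come from the session setting.
CREATE OR REPLACE PROCEDURE date_format_safe AS
  v_stmt  VARCHAR2(400);
  v_count NUMBER;
BEGIN
  v_stmt := 'SELECT COUNT(*) FROM all_objects WHERE created = TO_DATE('''
            || TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS')
            || ''', ''YYYY-MM-DD HH24:MI:SS'')';
  EXECUTE IMMEDIATE v_stmt INTO v_count;
  DBMS_OUTPUT.PUT_LINE('objects created now: ' || v_count);
END;
/
```

When reviewing PL/SQL for this class of bug, search for EXECUTE IMMEDIATE, DBMS_SQL.PARSE and OPEN ... FOR statements whose text is built with the concatenation operator, and treat every DATE or NUMBER that is concatenated (not bound) as untrusted, regardless of where it came from.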


=== For more information ===


~ Lateral SQL Injection: A New Class of Vulnerability in Oracle


http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Enabling xp_cmdshell in SQL Server 2005

xp_cmdshell spawns a Windows command shell and passes a command string to the operating system for execution.


In order to minimize the security risk of executing malicious code outside SQL Server 2005, xp_cmdshell is disabled by default, and the following error message is shown when xp_cmdshell is executed.


Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.


xp_cmdshell can be enabled (*only* when there is an absolute need for it) by either of the following methods.


[1] Using the Surface Area Configuration tool (or the "sac" command-line utility for surface area configuration)


The Surface Area Configuration application can be found on the SQL Server host at:
Start
  -> Programs
    -> Microsoft SQL Server 2005
      -> Configuration Tools
        -> SQL Server Surface Area Configuration
          -> click on Surface Area Configuration for Features
            -> SQL Server instance / Database Engine
              -> xp_cmdshell (check the "Enable xp_cmdshell" checkbox)


[2] Running the sp_configure system stored procedure (administrative login required).


-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO


-- To disallow advanced options from being changed again.
EXEC sp_configure 'show advanced options', 0
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
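Enabling is only half the job: the option should be verified and turned back off once the task that required it is done. The following T-SQL is an added example (not from the original post) that audits the xp_cmdshell setting together with a few other surface-area options through the sys.configurations catalog view, and then reverses the enabling sequence above.

```sql
-- Added example, not from the original post.
-- sys.configurations exposes every sp_configure option. 'value' is the
-- configured value and 'value_in_use' the running value; the two differ
-- until RECONFIGURE has been executed. Both columns are sql_variant, hence
-- the explicit casts.
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'ENABLED' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries',
               'clr enabled',
               'remote access')
ORDER BY name;

-- Disable xp_cmdshell again after a one-off use: the mirror image of the
-- enabling sequence, followed by a check that the running value is 0.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

SELECT name, CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Every sp_configure change is also written to the SQL Server error log as a "Configuration option 'xp_cmdshell' changed from 0 to 1" line, so that log is the place to alert on unexpected enabling of the option on instances where it should stay off.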



===== For more information =====


- xp_cmdshell (Transact-SQL)
http://msdn2.microsoft.com/en-us/library/ms175046.aspx


- Surface Area Configuration for Features (xp_cmdshell) – Database Engine
http://msdn2.microsoft.com/en-us/library/ms177290.aspx


- xp_cmdshell Option
http://msdn2.microsoft.com/en-us/library/ms190693.aspx


- sac Utility
http://msdn2.microsoft.com/en-us/library/ms162800.aspx



SQL Server service pack installation may save the system administrator password in a file for SQL Server 7.0 and SQL Server 2000

During the installation of SQL Server products and service packs, the password(s) of the system administrator (sa) and/or the SQL Server Services domain account may be stored in clear text or in a weakly encrypted, readable format in the SQL Server Setup files and/or the Setup.iss file. These files can be found in the following locations, and should be removed when they are no longer required.

- %Windir% folder
- %Windir%\Temp folder
- Temp folder (as specified in System Control Panel –> Advanced –> Environment Variables)
- %SystemDrive%\MSSQL7\Install or %SystemDrive%\MSSQL7\Tools folder
- Sqlstp.log
- Sqlsp*.log
- Setup.iss
- Drive:\Program Files\Microsoft SQL Server\MSSQL\Install folder
- Drive:\Program Files\Microsoft SQL Server\MSSQL$InstanceName\Install folder
- Remsetup.ini (at %Windir%)
- remote install script (RemoteComputerName_InstanceName.iss) at %Windir% folder

Users are advised to do the following on or after the installation of SQL Server products and service packs.
- Copy the *.iss file (for unattended installation) to a security-enhanced location that is not in searchable folders.
- Use Microsoft Windows NT Security Authentication to install SQL Server products and service packs.
- Use the LocalSystem account to configure the SQL Services.
- After the installation of SQL Server service packs, change the SQL Server system administrator (sa) password and the SQL Service domain account password.
- Use the Killpwd.exe utility to clear the setup files. The Killpwd utility automates scanning for the setup files and removes the passwords from them. Killpwd can be found at http://www.microsoft.com/downloads/details.aspx?familyid=7BDA4AE4-E287-4A6B-86E4-9AFDB3EA26C9&displaylang=en

References
- http://support.microsoft.com/kb/263968/en-us