Lateral SQL injection in Oracle

David Litchfield has just released a paper showing that it is possible to do SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn't even take user input!


The trick is to issue an "ALTER SESSION SET NLS_DATE_FORMAT" command to change the NLS variable so that the PL/SQL procedure ends up accepting arbitrary SQL as a "DATE" (even though it is not one).
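The following PL/SQL is an added illustration of the pattern the paper describes, not code from the paper or from Oracle: a procedure that takes no parameters but still builds dynamic SQL by concatenating SYSDATE (implicitly converted through NLS_DATE_FORMAT), beside a rewrite that binds the value instead. The `orders` table and its `order_day` column are assumed for the example.

```sql
-- Added example (assumed table ORDERS with a DATE column ORDER_DAY).

-- VULNERABLE: concatenating SYSDATE into the statement text converts the
-- DATE to a string using the session's NLS_DATE_FORMAT. Whoever runs this
-- procedure controls that setting via ALTER SESSION, so the rendered
-- "date" literal is attacker-influenced even though the procedure has no
-- parameters at all.
CREATE OR REPLACE PROCEDURE count_orders_today_vuln AS
  v_sql   VARCHAR2(4000);
  v_count PLS_INTEGER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE order_day = ''' || SYSDATE || '''';
  EXECUTE IMMEDIATE v_sql INTO v_count;
END;
/

-- HARDENED: pass the DATE as a bind variable. No text conversion takes place,
-- so NLS_DATE_FORMAT cannot change the statement that is parsed.
CREATE OR REPLACE PROCEDURE count_orders_today_safe AS
  v_count PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE order_day = :d'
    INTO v_count USING TRUNC(SYSDATE);
END;
/

-- If the value genuinely has to become text (e.g. for logging), convert it
-- with an explicit, fixed format instead of relying on the session default:
--   TO_CHAR(SYSDATE, 'YYYY-MM-DD')
```

A quick audit for the vulnerable shape is to search `ALL_SOURCE` for procedures that both use `EXECUTE IMMEDIATE` (or `DBMS_SQL`) and concatenate a DATE or NUMBER expression into the statement string.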


=== For more information ===


~ Lateral SQL Injection: A New Class of Vulnerability in Oracle


http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Enabling xp_cmdshell in SQL Server 2005

xp_cmdshell spawns a Windows command shell and passes it a command line, which is then executed by the operating system.

In order to minimize the security risk of executing malicious code outside SQL Server 2005, xp_cmdshell is disabled by default, and the following error message is shown when xp_cmdshell is executed.

Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.

(*Only* when there is an absolute need to enable the xp_cmdshell option) xp_cmdshell can be enabled by either one of the following methods.

[1] Using the Surface Area Configuration tool (or the "sac" command-line utility for surface area configuration)

The Surface Area Configuration application can be found on the SQL Server host at:
–> Start
  –> Programs
    –> Microsoft SQL Server 2005
      –> Configuration Tools
        –> SQL Server Surface Area Configuration
          –> click on Surface Area Configuration for Features
            –> SQL Server instance / Database Engine
              –> xp_cmdshell (check the "Enable xp_cmdshell" checkbox)

[2] Running the sp_configure system stored procedure (administrative login required).

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

-- To disallow advanced options to be changed (hides them again; xp_cmdshell stays enabled).
EXEC sp_configure 'show advanced options', 0
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
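As an added companion to the script above (not from the MSDN pages linked below), the following T-SQL audits whether xp_cmdshell is currently active on an instance, using the `sys.configurations` catalog view that ships with SQL Server 2005, and then shows the mirror-image sequence that turns the feature back off once it is no longer needed.

```sql
-- Added example: audit and disable xp_cmdshell (run with sysadmin rights).

-- 'value' is the configured value, 'value_in_use' the running value; the two
-- differ until RECONFIGURE has been executed.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
GO

-- Fail loudly in a scheduled check if the feature is on.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
    RAISERROR ('xp_cmdshell is enabled on this instance', 16, 1);
GO

-- Disable it again. 'show advanced options' must be 1 before sp_configure
-- will accept 'xp_cmdshell' as an option name.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Because the setting is instance-wide, run the audit against every instance on the host, not just the default one.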

===== For more information =====

– xp_cmdshell (Transact-SQL)
http://msdn2.microsoft.com/en-us/library/ms175046.aspx

– Surface Area Configuration for Features (xp_cmdshell) – Database Engine
http://msdn2.microsoft.com/en-us/library/ms177290.aspx

– xp_cmdshell Option
http://msdn2.microsoft.com/en-us/library/ms190693.aspx

– sac Utility
http://msdn2.microsoft.com/en-us/library/ms162800.aspx



SQL Server service pack installation may save the system administrator password in a file for SQL Server 7.0 and SQL Server 2000

During the installation of SQL Server products and service packs, the password(s) of the system administrator (sa) and/or the SQL Server Services domain account may be stored in clear text or in a weakly encrypted, readable format in the SQL Server Setup files and/or the Setup.iss file. These files can be found in the following locations, and should be removed when they are no longer required.

– %Windir% folder
– %Windir%\Temp folder
– Temp folder (as specified in System Control Panel –> Advanced –> Environment Variables)
– %SystemDrive%\MSSQL7\Install\or\Tools folder
– Sqlstp.log
– Sqlsp*.log
– Setup.iss
– Drive:\Program Files\Microsoft SQL Server\MSSQL\Install folder
– Drive:\Program Files\Microsoft SQL Server\MSSQL$InstanceName\Install folder
– Remsetup.ini (at %Windir%)
– remote install script (RemoteComputerName_InstanceName.iss) at %Windir% folder

Users are advised to do the following during or after the installation of SQL Server products and service packs.
– Copy the *.iss file (used for unattended installation) to a security-enhanced location that is not in a searchable folder.
– Use Microsoft Windows NT Security Authentication to install SQL Server products and service packs.
– Use the LocalSystem account to configure the SQL Server services.
– After installing SQL Server service packs, change the SQL Server system administrator (sa) password and the SQL Server service domain account password.
– Use the Killpwd.exe utility to clean the setup files. The Killpwd utility automates scanning for the setup files and removes the passwords from them. Killpwd can be found at http://www.microsoft.com/downloads/details.aspx?amp;amp;displaylang=en&familyid=7BDA4AE4-E287-4A6B-86E4-9AFDB3EA26C9&displaylang=en

References
http://support.microsoft.com/kb/263968/en-us