From: Ben Hutchings (ben.hutchings_at_ROUNDPOINT.COM)
Date: Wed Jul 10 2002 - 15:22:14 CDT

    On Wed, 10 Jul 2002, Deus, Attonbitus wrote:
    <snip>
    > As described in a paper by Chris Anley,
    > http://www.nextgenss.com/papers/violating_database_security.pdf,
    > a regular user can employ a simple binary patch to client-side apps using
    > the ExecutionContext::UID function to explicitly return "UID 1" to table
    > selects, thus giving any user "SA" rights to the table. If the user can
    > log on, the user can get to any table.

    You have misunderstood what the paper says. The patch is for the server
    executable (or the in-memory image); SQL Server may have poor security but
    it doesn't rely on client-side authentication! So it would be a useful
    payload for a buffer overflow exploit, but it does not in itself represent
    a vulnerability.

    <snip>
    > Even if only true SA could get the hashes,

    Which still seems to be the case.

    > it still allows an attacker much more information than they should be
    > able to get; it is similar to pwdump2: you have to be admin on the box
    > to use it, but once you get the data, you find that compromising other
    > machines downrange is much easier.

    Agreed.
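The reply above makes the point that the patch in the paper targets the server executable (or its in-memory image), not the client. From a defender's side, the practical control against an on-disk patch of that kind is a baseline-and-verify integrity check over the server's binaries. The following is an added example, not code from the thread or from the paper; the install layout (`Binn/sqlservr.exe`, `helper.dll`, `dropped.dll`) is a constructed fixture created in a temporary directory so the script runs offline, and the byte contents are fake. It catches modified, missing and unexpected files on disk; it does not see a patch applied only to the running process image, which needs a separate memory-integrity control.

```python
"""Baseline-and-verify integrity check for a server's executables.

Added example (not from the thread or the paper). Detects on-disk
modification of binaries such as the one the quoted paper patches.
An in-memory patch of the running process is out of scope here.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=(".exe", ".dll")) -> dict:
    """Map relative path -> SHA-256 for every executable under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a trusted manifest.

    Returns the three ways a tree can drift from its baseline plus an
    overall verdict; any drift in a server's binary directory is an
    incident to investigate, not just a warning.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed fixture: a fake install directory, baselined, then patched."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        binn = root / "Binn"          # constructed directory name
        binn.mkdir()
        server = binn / "sqlservr.exe"  # constructed file; contents are fake
        server.write_bytes(b"MZ" + b"\x00" * 64 + b"original code")
        (binn / "helper.dll").write_bytes(b"MZ" + b"lib")

        baseline = build_manifest(root)   # taken at install / patch time
        clean = verify(root, baseline)    # expected: ok, nothing listed

        # Simulate a one-byte binary patch to the server executable and a
        # dropped library, the kind of change the check is meant to surface.
        data = bytearray(server.read_bytes())
        data[-1] ^= 0xFF
        server.write_bytes(bytes(data))
        (binn / "dropped.dll").write_bytes(b"MZ")

        tampered = verify(root, baseline)  # expected: modified + unexpected
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a real deployment the manifest is produced at install or patch time, stored somewhere the server's own account cannot write, and the verify step runs from a scheduled task or agent under a different identity; a manifest that the attacker can rewrite alongside the binary proves nothing.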