From: Curt Wilson (netw3_security_at_hushmail.com)
Date: Fri Jan 17 2003 - 11:26:24 CST
In-Reply-To: <333B07CC372AC246888DBEC1D4E4168B0184F1F1 whp-ex2kmb1.whp.owhc.net>
After more analysis, it appears that the attacker cleared the password
for the TsInternetUser account and then added it to the Administrators group.
System policy disallowed blank passwords, so I'm thinking that once the
user got system level privs through the SQL Server exploit (UDP 1434
publicized by David Litchfield) they used one of the net user commands to
clear the password, or did it from the GUI after they logged in via
RDP/term services. No firewall on the system or network, little
hardening, and being behind on SQL Server post SP2 hotfixes caused the
problem in the first place.
Have performed some stack dump analysis on the SQL server dump, have
found some data that appears to have come from the exploit published by
Litchfield. The fact that the SQL Server faulted on SQLSORT.DLL, the
vulnerable DLL in question, and the partial matching of stack/processor
data has me pretty much convinced that this is what happened.
Anyone know of SQL stack dump resources on the net?
Curt Wilson
www.netw3.com
Netw3 Security
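The sequence described in the post (a service account's password being reset and the account then being added to Administrators, with the changes made from a SYSTEM-level process rather than by an interactive admin) is exactly the kind of pattern a security-log review can pick out. The script below is an added example, not code from the post or from Netw3; it correlates Windows 2000/2003 security audit events 628 (user account password set) and 636 (member added to a security-enabled local group) over a small, constructed log in a simplified `timestamp|event_id|key=value;...` form. The domain name ACME, the caller names and the timestamps are made up for the example.

```python
"""Correlate a password reset with a subsequent add to Administrators.

Added example (not from the original post). Event IDs are the Windows
2000/2003 security audit IDs; the log lines and the ACME domain are constructed.
"""
from datetime import datetime, timedelta

EVT_PASSWORD_SET = 628      # "User Account password set" (reset, old password not needed)
EVT_LOCAL_GROUP_ADD = 636   # "Security Enabled Local Group Member Added"
PRIVILEGED_GROUPS = {"administrators"}

# Constructed sample log, one event per line: "timestamp|event_id|key=value;..."
SAMPLE_LOG = """\
2003-01-14 09:00:12|636|Group=BUILTIN\\Administrators;Member=ACME\\jdoe;Caller=ACME\\helpdesk
2003-01-15 02:09:58|529|Target=TsInternetUser;Caller=-
2003-01-15 02:10:41|628|Target=TsInternetUser;Caller=NT AUTHORITY\\SYSTEM
2003-01-15 02:11:03|636|Group=BUILTIN\\Administrators;Member=ACME\\TsInternetUser;Caller=NT AUTHORITY\\SYSTEM
"""


def parse_event(line):
    """Turn one simplified log line into a dict with 'time', 'id' and lower-cased field keys."""
    ts, eid, fields = line.rstrip("\n").split("|", 2)
    ev = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": int(eid)}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")
        ev[key.strip().lower()] = value.strip()
    return ev


def short_name(account):
    """Strip the DOMAIN\\ or BUILTIN\\ prefix and lower-case: 'ACME\\TsInternetUser' -> 'tsinternetuser'."""
    return account.rsplit("\\", 1)[-1].lower()


def find_suspicious(log_text, window=timedelta(minutes=30)):
    """Return findings for adds to a privileged local group that are preceded by a
    password reset on the same account within `window`, or that were made by SYSTEM."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])
    findings = []
    for ev in events:
        if ev["id"] != EVT_LOCAL_GROUP_ADD:
            continue
        if short_name(ev.get("group", "")) not in PRIVILEGED_GROUPS:
            continue
        member = short_name(ev.get("member", ""))
        reasons = []
        # (a) a password reset on the same account shortly before the group add
        for prior in events:
            if (prior["id"] == EVT_PASSWORD_SET
                    and short_name(prior.get("target", "")) == member
                    and timedelta(0) <= ev["time"] - prior["time"] <= window):
                reasons.append("password reset %s before group add" % (ev["time"] - prior["time"]))
        # (b) the change was made by SYSTEM, i.e. by a process, not by an interactive admin
        if short_name(ev.get("caller", "")) == "system":
            reasons.append("change made by SYSTEM")
        if reasons:
            findings.append({"account": member, "time": ev["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print("%s %s: %s" % (f["time"], f["account"], "; ".join(f["reasons"])))
```

On the constructed log only the TsInternetUser add is reported: the jdoe add was done by a named helpdesk account with no preceding reset, which is what routine administration looks like. On Vista and later the corresponding event IDs are 4724 (password reset attempt) and 4732 (member added to a security-enabled local group); the correlation logic is the same.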