Re: Microsoft SQL Server password cracking
From: Ben Hutchings (ben.hutchings@ROUNDPOINT.COM)
Date: 07/10/02
Date: Wed, 10 Jul 2002 21:22:14 +0100
From: Ben Hutchings <ben.hutchings@ROUNDPOINT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
On Wed, 10 Jul 2002, Deus, Attonbitus wrote:
<snip>
> As described in a paper by Chris Anley,
> http://www.nextgenss.com/papers/violating_database_security.pdf,
> a regular user can employ a simple binary patch to client-side apps using
> the ExectuionContext::UID function to explicitly return "UID 1" to table
> selects, thus giving any user "SA" rights to the table. If the user can
> log on, the user can get to any table.
You have misunderstood what the paper says. The patch is for the server
executable (or the in-memory image); SQL Server may have poor security but
it doesn't rely on client-side authentication! So it would be a useful
payload for a buffer overflow exploit, but it does not in itself represent
a vulnerability.
<snip>
> Even if only true SA could get the hashes,
Which still seems to be the case.
> it still allows an attacker much more information than they should be
> able to get- it is similar to pwdump2- you have to be admin on the box
> to use it, but once you get the data, you find that compromising other
> machines downrange is much easier.
Agreed.