Re: Microsoft SQL Server Stored procedures [sp_MSSetServerProperties and sp_MSsetalertinfo] (#NISR03092002A)

From: Karsten Højgaard (KHojgaard@DK.SNT.COM)
Date: 09/04/02


Date:         Wed, 4 Sep 2002 16:15:45 +0200
From: Karsten Højgaard <KHojgaard@DK.SNT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NGSSoftware Insight Security Research said:

> [..] It does not allow an
> attacker to compromise the server or data but may be used in conjunction
> with another attack. For example an attacker may not want SQL Server to
> restart on server reboot if they set a shell listening on TCP port 1433.

There are easier ways to access the port than actually halting the process.

An application can normally listen on either a specific interface, or all
interfaces (the normal approach). A little known fact is that a process that
binds to a specific IP silently overrides processes listening on all IPs and
the same port(s).

This can be tested by getting netcat for windows at
http://www.atstake.com/research/tools/#network_utilities, and instructing it
to listen on your public ip, e.g. on port 80, while you run IIS or PWS.

Note that IIS is still running, and not returning errors, while actual
connects to the machine's public IP are in fact handled by netcat.

> [..]

Karsten Højgaard
System engineer
SNT Denmark
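The netcat test above is the manual way to see whether a wildcard listener can be shadowed by a specific-address bind. The following Python script is an added example (it is not part of Karsten's post and not an NGSSoftware or Microsoft tool) that turns the same idea into a self-check a server owner can run against their own listener: it opens a listening socket the defensive way, then tries a second bind on the same port from a probe socket that sets SO_REUSEADDR. On Windows the listener requests SO_EXCLUSIVEADDRUSE, the socket option Microsoft provides specifically to stop another socket from taking over the port; on Linux and other platforms that option does not exist, and the kernel already refuses a conflicting bind against a listening socket, so the check passes there by default. The hostnames and ephemeral port are chosen by the script itself.

```python
import socket


def open_listener(host: str, port: int = 0) -> socket.socket:
    """Open a listening TCP socket, holding the port exclusively where the OS
    offers that control.

    SO_EXCLUSIVEADDRUSE is a Windows-only option; on other platforms it is
    absent from the socket module and the default bind rules already refuse a
    second, overlapping bind against a listening socket.  port=0 asks the OS
    for a free ephemeral port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    exclusive = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)  # None outside Windows
    if exclusive is not None:
        sock.setsockopt(socket.SOL_SOCKET, exclusive, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def can_bind_same_port(host: str, port: int) -> bool:
    """Try to bind a second socket to host:port and report whether it worked.

    The probe sets SO_REUSEADDR, which is the option a second process would
    use when hoping to share or shadow an already-bound port.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind((host, port))
        return True
    except OSError:
        # EADDRINUSE (WSAEADDRINUSE on Windows): the port is held exclusively
        return False
    finally:
        probe.close()


def port_is_held_exclusively(listen_host: str, probe_host: str) -> bool:
    """Open a listener on listen_host, then check that a specific-address bind
    from probe_host on the same port is refused.

    listen_host="0.0.0.0" with probe_host="127.0.0.1" reproduces the
    wildcard-versus-specific-address case from the post; True means the
    listener is safe from being shadowed on that address.
    """
    server = open_listener(listen_host)
    port = server.getsockname()[1]
    try:
        return not can_bind_same_port(probe_host, port)
    finally:
        server.close()


if __name__ == "__main__":
    for listen_host, probe_host in (("0.0.0.0", "127.0.0.1"),
                                    ("127.0.0.1", "127.0.0.1")):
        held = port_is_held_exclusively(listen_host, probe_host)
        print(f"listener on {listen_host}, probe on {probe_host}: "
              f"{'exclusive' if held else 'CAN BE SHADOWED'}")
```

Run it on the host that serves the port in question; a result of "CAN BE SHADOWED" for the wildcard case means a local process with a specific-address bind could receive the connections instead of the intended service, and the fix is to bind with SO_EXCLUSIVEADDRUSE (or to bind the service to its specific address rather than the wildcard).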