Re: Blank passwords, TsInternetUser added to Administrators
From: Curt Wilson (netw3_security@hushmail.com)
Date: 01/17/03
- Previous message: Williamson, Scott: "Bypass Traverse Checking?"
Date: 17 Jan 2003 17:26:24 -0000
From: Curt Wilson <netw3_security@hushmail.com>
To: focus-ms@securityfocus.com
In-Reply-To: <333B07CC372AC246888DBEC1D4E4168B0184F1F1@whp-ex2kmb1.whp.owhc.net>
After more analysis, it appears that the attacker cleared the password
for the TsInternetUser account and then added it to the Administrators group.
System policy disallowed blank passwords, so I'm thinking that once the
user got SYSTEM-level privs through the SQL Server exploit (UDP 1434,
publicized by David Litchfield) they used one of the net user commands to
clear the password, or did it from the GUI after they logged in via
RDP/Terminal Services. No firewall on the system or network, little
hardening, and being behind on SQL Server post-SP2 hotfixes caused the
problem in the first place.
I have performed some stack dump analysis on the SQL Server dump and have
found some data that appears to have come from the exploit published by
Litchfield. The fact that SQL Server faulted in SQLSORT.DLL, the
vulnerable DLL in question, and the partial matching of stack/processor
data has me pretty much convinced that this is what happened.
Anyone know of SQL stack dump resources on the net?
Curt Wilson
www.netw3.com
Netw3 Security
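The triage described in the post (who is in the local Administrators group, whose password was recently reset or no longer required, and whether the SQL Server Resolution Service is still listening on UDP 1434) can be scripted. The block below is an added example, not code from Curt Wilson's post or from the Netw3 site, and it uses the modern PowerShell equivalents of the net user / net localgroup commands mentioned above; the original host was a Windows 2000 / SQL Server 2000 box that would have had no PowerShell. It assumes the LocalAccounts and NetTCPIP modules (Windows 10 / Server 2016 or later); the function names, the $ExpectedAdmins baseline and the $Since cutoff are placeholders the responder fills in from their own environment.

```powershell
# Added example (not from the original post): post-compromise triage for the
# pattern described above, run on the affected Windows host.
# Assumptions: Microsoft.PowerShell.LocalAccounts and NetTCPIP modules are
# available; $ExpectedAdmins and $Since come from the responder's own baseline.

function Get-LocalAdminAnomaly {
    param(
        [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins'),  # assumed baseline
        [datetime]$Since = (Get-Date).AddDays(-30)                        # assumed triage window
    )
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # Get-LocalGroupMember reports members as "HOST\name"; keep the short name.
        $short = ($m.Name -split '\\')[-1]
        $finding = [pscustomobject]@{
            Account          = $m.Name
            Class            = $m.ObjectClass
            Source           = $m.PrincipalSource
            InBaseline       = ($ExpectedAdmins -contains $short)
            Enabled          = $null
            PasswordLastSet  = $null
            PasswordRequired = $null
            Flags            = @()
        }
        if (-not $finding.InBaseline) { $finding.Flags += 'not-in-baseline' }

        # TsInternetUser is the account named in the post; flag it by name as well.
        if ($short -ieq 'TsInternetUser') { $finding.Flags += 'tsinternetuser-in-admins' }

        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -Name $short -ErrorAction SilentlyContinue
            if ($u) {
                $finding.Enabled          = $u.Enabled
                $finding.PasswordLastSet  = $u.PasswordLastSet
                $finding.PasswordRequired = $u.PasswordRequired
                # A password reset inside the window on a non-baseline admin is the
                # "clear the password, then add to Administrators" pattern above.
                if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $Since) {
                    $finding.Flags += 'password-changed-recently'
                }
                # PasswordRequired = $false is the PASSWD_NOTREQD account flag: such an
                # account may carry an empty password regardless of the length policy.
                if (-not $u.PasswordRequired) { $finding.Flags += 'password-not-required' }
            }
        }
        $finding
    }
}

function Test-SqlResolutionServiceExposed {
    # The SQL Server Resolution Service (the UDP 1434 vector above) is a UDP listener;
    # report every process bound to that port so the responder can see it is still up.
    foreach ($ep in (Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            ProcessId    = $ep.OwningProcess
            ProcessName  = $proc.ProcessName
        }
    }
}

# Usage: list only the admins that tripped at least one flag, then check UDP 1434.
Get-LocalAdminAnomaly | Where-Object { $_.Flags.Count -gt 0 } | Format-List
Test-SqlResolutionServiceExposed
```

Run it elevated on the host being examined, not from a remote session, and compare the PasswordLastSet values against the time the SQL Server stack dump was written: a reset that falls just after the crash is the timeline the post is reconstructing. Domain members of the group show up with PrincipalSource ActiveDirectory and are only matched against the baseline by name; their password attributes would have to be read from the domain.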
- Next message: Jim Harrison (ISA): "RE: AD replication over WAN"