Martin Poon - Microsoft MVP blog [SQL Server] : Security

Lateral SQL injection in Oracle

Martin Poon — Mon, 28 Apr 2008 05:41:00 GMT

David Litchfield has just released a paper, showing that it is possible to do SQL injection using DATE or even NUMBER data types to exploit a PL/SQL procedure in Oracle RDBMS! The attacker can exploit a PL/SQL procedure that doesn't even take user input!

The trick is to apply an ''ALTER SESSION SET NLS_DATE_FORMAT'' command in order to change the NLS variable such that the PL/SQL compiler will accept an arbitrary SQL as a ''DATE'' (even though it is not).

=== For more information ===

~ Lateral SQL Injection: A New Class of Vulnerability in Oracle

http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Enabling xp_cmdshell in SQL Server 2005

Martin Poon — Tue, 03 Oct 2006 11:33:00 GMT

xp_cmdshell is used to spawn a Windows command shell and executes a command line process by the operating system.

In order to minimize the security risk of executing malicious code outside SQL Server 2005, xp_cmdshell is disabled by default, and the following error message will be shown when xp_cmdshell is being executed.

Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.

(*Only* when there is an absolute need to enable the xp_cmdshell option) xp_cmdshell can be enabled by either one of the following methods.

[1] Using the Surface Area Configuration tool (or using the "sac" utility for surface area configuration)

Surface Area Configuration application can be found on the SQL Server
--> Start
--> Programs
    --> Microsoft SQL Server 2005
      --> Configuration Tools
        --> SQL Server Surface Area Configuration
          --> click on Surface Area Configuration for Features
            --> SQL Sever instance /Database Engine
              --> xp_cmdshell (check the "Enable xp_cmdshell" checkbox)

[2] Running the sp_configure system stored procedure (administrative login required).

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

-- To disallow advanced options to be changed.
EXEC sp_configure 'show advanced options', 0
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO

===== For more information =====

- xp_cmdshell (Transact-SQL)
http://msdn2.microsoft.com/en-us/library/ms175046.aspx

- Surface Area Configuration for Features (xp_cmdshell) - Database Engine
http://msdn2.microsoft.com/en-us/library/ms177290.aspx

- xp_cmdshell Option
http://msdn2.microsoft.com/en-us/library/ms190693.aspx

- sac Utility
http://msdn2.microsoft.com/en-us/library/ms162800.aspx

===== Other posts that point here =====

~ xp_cmdshell

http://sql-server-performance.com/community/forums/p/25032/139207.aspx

SQL Server service pack installation may save the system administrator password in a file for SQL Server 7.0 and SQL Server 2000

Martin Poon — Mon, 18 Sep 2006 12:45:00 GMT

During the installation of SQL Server products and service packs, the password(s) of system administrator (sa) and/or SQL Server Sevices domain account may be stored as clear text or weakly encrypted readable format in the SQL Server Setup files and/or Setup.iss file. These files can be found in the following locations / files, and should be removed when the files are no longer required.

- %Windir% folder
- %Windir%\Temp folder
- Temp folder (as specified in System Control Panel --> Advanced --> Environment Variables)
- %SystemDrive%\MSSQL7\Install\or\Tools folder
- Sqlstp.log
- Sqlsp*.log
- Setup.iss
- Drive:\Program Files\Microsoft SQL Server\MSSQL\Install folder
- Drive:\Program Files\Microsoft SQL Server\MSSQL$InstanceName\Install folder
- Remsetup.ini (at %Windir%)
- remote install script (RemoteComputerName_InstanceName.iss) at %Windir% folder

Users are suggested to do the following on or after the installation of SQL Server products and service packs.
- Copy *.iss file (for unattended installation) to a security-enhanced location that is not in searchable folders.
- Use Microsoft Windows NT Security Authentication to install SQL Server products and service packs.
- Use LocalSystem account to configure the SQL Services
- After the installation of SQL Server service packs, change the SQL Server system administrator (sa) password and SQL Service domain account password.
- Use the Killpwd.exe utility to clear the setup files. Killpwd utility automates scanning for the setup files and removes the passwords from them. Killpwd can be found at http://www.microsoft.com/downloads/details.aspx?amp;amp;displaylang=en&familyid=7BDA4AE4-E287-4A6B-86E4-9AFDB3EA26C9&displaylang=en

References
- http://support.microsoft.com/kb/263968/en-us