attacker can see what your active policy is and what it entails by issuing the
following sequence of commands:
exec xp_regread 'HKEY_LOCAL_MACHINE',
'SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local',
'ActivePolicy'
This returns a policy name, for example:
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}
The attacker can then execute:
exec xp_regread 'HKEY_LOCAL_MACHINE',
'SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}',
'description'
exec xp_regread 'HKEY_LOCAL_MACHINE',
'SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}',
'ipsecData'
exec xp_regread 'HKEY_LOCAL_MACHINE',
'SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{7238523c-70fa-11d1-864c-14a300000000}',
'ipsecISAKMPReference'
These are two powerful extended procedures an attacker can use to get a
full snapshot of your Windows host and everything that is installed there.
You should either completely remove these procedures or limit their access
to privileged accounts. Providing PUBLIC role access to them is completely
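The following T-SQL is an added example and not code from the book: it shows how a DBA on SQL Server 2000 would confirm whether the PUBLIC role can execute the registry procedures just described, take that right away, and optionally unregister the procedures altogether. It assumes the SQL Server 2000 system-table layout (sysobjects and sysprotects in master) and that it is run by a member of sysadmin; the list of procedure names is a starting point that can be extended with the others the chapter flags.

```sql
-- Added example (not from the book): audit and tighten access to the
-- registry extended stored procedures on SQL Server 2000.
-- Assumes SQL Server 2000 system tables and sysadmin membership.
USE master
GO

-- 1. Which of these extended procedures can PUBLIC execute right now?
--    sysobjects.type 'X'      = extended stored procedure
--    sysprotects.uid 0        = the public role
--    sysprotects.action 224   = EXECUTE
--    sysprotects.protecttype  = 204 (GRANT WITH GRANT OPTION) or 205 (GRANT)
SELECT o.name AS extended_proc,
       CASE WHEN p.id IS NULL THEN 'no' ELSE 'yes' END AS public_can_execute
FROM sysobjects o
LEFT JOIN sysprotects p
       ON p.id = o.id
      AND p.uid = 0
      AND p.action = 224
      AND p.protecttype IN (204, 205)
WHERE o.type = 'X'
  AND o.name IN ('xp_regread', 'xp_regwrite')   -- extend with Table 7.1 entries
ORDER BY o.name
GO

-- 2. Remove PUBLIC's execute right. REVOKE drops the grant but leaves
--    sysadmin members able to use the procedures; a DENY would also block
--    logins that inherit execute through some other role, which is stricter.
REVOKE EXECUTE ON xp_regread  FROM public
REVOKE EXECUTE ON xp_regwrite FROM public
GO

-- 3. Re-run the query from step 1: public_can_execute should now read 'no'
--    for every row.

-- 4. If nothing on the instance needs registry access from T-SQL, drop the
--    registration entirely (the DLL itself stays on disk). Commented out so
--    this script is safe to run as an audit on its own.
-- EXEC sp_dropextendedproc 'xp_regread'
-- EXEC sp_dropextendedproc 'xp_regwrite'
```

Run step 1 first on every instance you own; a 'yes' in the second column is the condition the text calls unacceptable. The same query, with a longer name list, doubles as a recurring check that a later upgrade or script has not quietly re-granted the permission.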
unacceptable. If you really don't want to sleep at night, remember that there
is also an equivalent xp_regwrite extended stored procedure.
Many extended stored procedures provide access to operating system
facilities from within SQL Server in addition to xp_regread. Some of them
are extremely dangerous because they fully expose the operating system to
the SQL Server instance. All of these are in most cases an unnecessary
vulnerability, and you should remove them or limit access to them. Table 7.1
details these problematic SQL Server 2000 extended procedures.
Three more undocumented extended procedures that can be readily
used by an attacker to run arbitrary dynamic SQL without having proper
privileges are: