This paper discusses the feasibility of violating the access control, authentication and audit mechanisms of a running process in the Windows server operating systems. Specifically, it discusses the feasibility of totally disabling application – enforced access control in a running service, taking SQL Server 2000 as a sizeable and meaningful example. Topics relating to “runtime patching” exploits are discussed. A three-byte patch is provided that disables access control in SQL Server. Some miscellaneous SQL Server security issues are discussed.
Most real – world “exploits” provide the attacker with some form of shell; this will be a remote connection to a command – line processor running on the target host. There are a number of ways in which the attacker can communicate with the shell running on the target host; TCP is the most common method, though UDP and even ICMP shell exploits have been widely discussed.
The reason most exploits provide a shell is that the shell provides the most flexible and powerful programming environment; most of the facilities of the host can be easily accessed – the file system, various trusted network connections and so on. The attacker will typically use the shell to attempt to leverage a greater level access to the resources of the host and the target network.
This paper discusses a situation in which the attacker wishes to subvert the security mechanisms of an application environment, rather than the operating system itself. This situation is common when attacking databases, for a number of reasons, though primarily because total control of the operating system does not confer the ability to easily retrieve and manipulate information in the database.
Author: Chris Anley
