Give Me a SQL Injection, I Shall PWN IIS and SQL Server

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 11:20 a.m. (40 minutes).

IIS and SQL Server play very important roles in the Microsoft ecosystem. They have been considered unbreakable for many years, and over a decade has passed since the last severe IIS memory corruption vulnerability was disclosed. Are they unbreakable? What about having a SQL injection? Can a SQL injection in an Access database only be used to view unexpected data in the database? What is the relationship between IIS/SQL Server and the ancient (~30 years old) Microsoft JET database engine from the attacker's perspective?

This presentation will answer all of those questions. It discloses a novel attack surface for attacking IIS and SQL Server starting from a SQL injection. This attack surface opens a new world for attackers, giving them a chance to get RCE (Remote Code Execution) with "NT AUTHORITY\SYSTEM" privilege from a mere SQL injection on the latest Windows systems. It discusses the attack surface details and corresponding impacts in 3 classic real-world attack scenarios: IIS+Access, IIS+SQL Server, and IIS+Webshell. It also shows 20-year-old examples drawn from dozens of vulnerabilities we found under this attack surface across all Windows versions released in the last two decades. In addition, it covers how to defend against and mitigate this attack surface, especially for systems that are no longer supported by Microsoft.

Presenters:

  • Tao Yan - Senior Principal Researcher, Palo Alto Networks
    Tao Yan (@Ga1ois) is a senior principal researcher at Palo Alto Networks. His interests include bug finding, exploits, mitigation bypass, sandbox escape, and privilege escalation on various applications and modules including browsers, Flash, RDP, COM, etc. He has also been involved with exploits, APTs, malware detection, and defense. Tao was listed as the #7 researcher in 2016 and the #4 researcher in 2017 by MSRC. In addition, he has spoken at several security conferences including CanSecWest, POC, HITCON, Recon, and BlueHat.
  • Qi Deng - Senior Security Researcher, Palo Alto Networks
    Qi Deng (@ev1lkow) is a senior security researcher at Palo Alto Networks. His research interests include web security, network security and system security.
  • Bo Qu - Senior Distinguished Engineer, Palo Alto Networks
    Dr. Bo Qu is a Sr. Distinguished Engineer at Palo Alto Networks. His skills include vulnerability research and coverage, bug hunting, reverse engineering, binary diff, exploitability research and analysis, and vulnerability reproducing and coverage. He also conducts research on iOS, Android, and other mobile OS security.
