Black Hat Asia 2021: A new attack surface for Microsoft IIS and SQL Server

Researchers presented a new attack surface against Microsoft IIS and SQL Server at the Black Hat Asia 2021 conference.

Unit 42 presented the new attack surface on Microsoft IIS and SQL Server at Black Hat Asia 2021. In the talk, the researchers introduced a new technique for making IIS and SQL Server execute SQL queries against a remote database, reachable through SQL injection and other scenarios. An attacker can combine this technique with vulnerabilities in the Microsoft Jet database engine to attack IIS and SQL Server remotely and obtain system privileges.

Attack surface

The new attack surface discovered by the researchers stems from the remote database access supported by the Microsoft Jet database engine, including the Jet Red database engine and the Access Connectivity Engine (ACE). If an attacker abuses this feature, the server executes SQL queries against a database file that the attacker fully controls, hosted on a server the attacker controls. Once a legitimate remote database file is replaced with a forged one, executing SQL queries against it violates the preconditions and assumptions built into the Microsoft Jet/ACE code and triggers security vulnerabilities in the Jet components.

Typical attack scenarios are SQL injection and ad hoc queries. In both scenarios the attacker can make IIS or SQL Server execute arbitrary SQL queries against the forged database, and any Jet vulnerability triggered this way then affects the IIS or SQL Server process. Specifically, when a user executes a SQL query on a table, a database path can be attached to the table reference in the Jet query to point it at a remote database, as shown in Figure 1:

Figure 1. Remote database access SQL in Access and SQL server

In Microsoft Jet and ACE, the remote database file is opened by calling CreateFile inside the IIS or SQL Server process. Because the input path of the remote database is a UNC path, the file is fetched over SMB or WebDAV, as shown in Figure 2:

Figure 2. Hidden features in IIS and SQL Server

SQL injection and ad hoc queries are only two possible attack scenarios, and IIS and SQL Server are only two possible victims. Any Windows component that supports Jet and ACE may be affected, because the attack surface exists wherever a component lets a user execute arbitrary queries against a database the user controls.
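As an added illustration (not code from the talk or from Unit 42), the following Python script shows one defender-side check that follows from the description above: scanning SQL statements, for example from query logs or from an application's SQL inputs, for UNC paths that would make Jet/ACE fetch a database over SMB or WebDAV. The sample statements, the hosts and the Access-style table reference syntax are constructed for this example; a `\\host@SSL\...` or `\\host@port\...` path is reported as an explicit WebDAV reference and a plain `\\host\...` path as SMB.

```python
from __future__ import annotations

import re

# Constructed sample SQL statements (not from the talk or any real system).
# Hosts are documentation/placeholder addresses.
SAMPLE_QUERIES = [
    "SELECT id, name FROM Customers",
    r"SELECT * FROM [Orders] IN 'C:\data\orders.mdb'",
    r"SELECT * FROM [Orders] IN '\\203.0.113.7\share\orders.mdb'",
    r"SELECT * FROM [Orders] IN '\\example.invalid@SSL\DavWWWRoot\orders.accdb'",
    r"SELECT * FROM [Notes] IN '\\203.0.113.7\share\notes.txt'",
]

# File extensions used by Jet (MDB/MDE) and ACE (ACCDB/ACCDE) database files.
JET_EXTENSIONS = (".mdb", ".mde", ".accdb", ".accde")

# A UNC path is \\host\...; the Windows WebDAV redirector also accepts
# \\host@SSL\... and \\host@port\... forms, which we treat as explicit WebDAV.
UNC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9._-]+)(?P<ssl>@SSL)?(?P<port>@\d+)?\\(?P<rest>[^'\"\s]*)",
    re.IGNORECASE,
)


def find_remote_db_refs(sql: str) -> list[dict]:
    """Return every UNC path found in a SQL statement with a transport guess
    and whether the target looks like a Jet/ACE database file."""
    refs = []
    for m in UNC_RE.finditer(sql):
        explicit_webdav = m.group("ssl") is not None or m.group("port") is not None
        refs.append(
            {
                "host": m.group("host"),
                "path": m.group(0),
                # Plain \\host\share is resolved over SMB first; @SSL/@port
                # forms are only meaningful to the WebDAV redirector.
                "transport": "webdav" if explicit_webdav else "smb",
                "jet_database": m.group("rest").lower().endswith(JET_EXTENSIONS),
            }
        )
    return refs


def scan_queries(queries: list[str]) -> list[tuple[int, list[dict]]]:
    """Return (index, refs) for each statement that references a remote
    Jet/ACE database file, i.e. the pattern the talk describes."""
    flagged = []
    for i, sql in enumerate(queries):
        refs = [r for r in find_remote_db_refs(sql) if r["jet_database"]]
        if refs:
            flagged.append((i, refs))
    return flagged


if __name__ == "__main__":
    for idx, refs in scan_queries(SAMPLE_QUERIES):
        for r in refs:
            print(f"query {idx}: remote Jet/ACE database {r['path']} "
                  f"on host {r['host']} via {r['transport']}")
```

Any hit from `scan_queries` is a statement that would make the Jet/ACE engine open a database file from another machine, which is exactly the behaviour the May 2021 patch lets administrators disable; in a real deployment the check would run over the application's query log or over SQL Server's own audit output rather than over the constructed list.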

IIS and SQL Server vulnerabilities

An attacker who controls the remote database can replace the legitimate database file with a forged one. The researchers found that this replacement is the key to finding vulnerabilities in Microsoft Jet and ACE: using a fuzzing strategy, they discovered about 100 security vulnerabilities in Microsoft Jet and ACE, as shown in Figure 3. Most of them can be used against IIS and SQL Server.

Figure 3. About 100 Jet vulnerabilities

The researchers demonstrated that modifying a single byte of the database file is enough to trigger a Jet security vulnerability, as shown in Figure 4:

Figure 4. One-byte modification of the database leads to security vulnerabilities

Microsoft Patch

Microsoft assigned the CVE number CVE-2021-28455 to the vulnerability. In May 2021, Microsoft released a security patch for it, which gives users the option of disabling remote database access for the Jet and ACE components. The patch therefore does not just fix a single Jet vulnerability; it reduces the attack surface of every application that uses Jet components.

For detailed remediation steps, see:

Conclusion

IIS and SQL Server are basic components of the Microsoft ecosystem and are widely used in production systems and services. The Microsoft Jet database engine has a history of more than 20 years, and most of its components have been found to contain security vulnerabilities that are easy to exploit. The remote database access feature connects those Jet vulnerabilities with the IIS and SQL Server components: an attacker can use it to attack IIS and SQL Server and remotely obtain system privileges through SQL injection.
