exploit the possibilities

Red-Gate SQL Monitor Authentication Bypass

Red-Gate SQL Monitor Authentication Bypass
Posted Aug 10, 2017
Authored by Paul Taylor

Red-Gate SQL Monitor versions prior to 3.10 and 4.2 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2015-9098
SHA-256 | 5e3f0df68ea641671280b1467e481962702b174de3dc96ca797c169e68c6861c

Red-Gate SQL Monitor Authentication Bypass

Change Mirror Download
# Exploit Title: Red-Gate SQL Monitor authentication bypass
# Version: Redgate SQL Monitor before 3.10 and 4.x before 4.2
# Date: 2017-08-10
# Red-Gate made a security announcement and publicly released the fixed version more than two years before this exploit was published
# Vendor Advisory: http://www.red-gate.com/products/dba/sql-monitor/entrypage/security-vulnerability
# Software Link: ftp://support.red-gate.com/patches/SqlMonitorWeb/09Apr2015/SQLMonitorWeb.exe
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Tested on: SQLMonitor 4.1.2.404, SQLMonitor 4.1.0.2226
# CVE: CVE-2015-9098

1. Description

A remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these machines using an account with SQL admin privileges, then code execution on the operating system can result in full system compromise (if Microsoft SQL Server is running with local administrator privileges).

2. Proof of Concept

Fingerprint the Red-Gate SQL monitor version on the target machine, by examining the web page source code on the log in page. E.g. "/static/4.1.0.2226/Content/RedGate.Response.css" implies version 4.1.0.2226.

Download and install the corresponding version of SQL monitor on a test VM. Microsoft SQL Express can be used to get base monitor to work properly, and test out the functionality. Connect the SQL monitor and base monitor together on your test VM machine and log in.

Then browse to "Configuration / Base Monitor connection" and update the Base Monitor computer details to a different Base Monitor IP address and Port number (on the target or victim machine). Click "Change connection". Now you will be connecting to the target Base Monitor without authentication, but with full privileges.

Use Configuration / Custom-metrics / Create, and then provide a Metric name and Description, and enter a T-SQL query. If Base Monitor is running with SQL admin rights, and MS SQL is running with Windows administrator rights, then the following will work:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE with override;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE with override;
EXEC xp_cmdshell 'net user testuser MyLongPassword_1 /add'
EXEC xp_cmdshell 'net localgroup administrators testuser /add'

Select a SQL server instance (or all instances), and then select "Specify databases" and type: master
Click "Test metric collection."
In the popup dialog, ensure the desired instances are ticked, and then click "Test metric collection".

This will execute your SQL query with the rights of the Base Monitor SQL user, and any xp_cmdshell with the rights of the service account in use by MSSQL.

The return value will contain an error, because the result is not an integer, but you should be able to see some of the xp_cmdshell command response in the error, e.g. "Unable to convert.... The command completed successfully"

3. Solution:

Update to latest version of Red-Gate SQL monitor
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close