What are the security risks of using cmdexec?

Time: 2022-08-23 05:01:14

We are in the process of migrating from SQL 2000 to SQL 2005. We have hundreds of DTS packages, that the development team is reluctant to redevelop using SSIS.

When migrating these packages to SSIS, I am faced with a problem - many of these packages read from Excel files.

Given that my production Box is 64 bit, I am forced to use CmdExec sub-system to call the 32 bit runtime to execute these packages.

My question here is : What are the security risks involved with using CmdExec subsystem to schedule these SSIS packages as SQL agent jobs?

Thanks, Raj

3 answers

#1


Whatever account is running the job will potentially have access to run commands from the command line - so you need to think about how it will be running and what permissions the account will have.

For example, if a user could create a job that would run under the context of your sqlagent and your sql agent was overprivileged (rights to change security), she could grant herself elevated privs or hurt your machine.
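The point above is that a CmdExec step runs in whatever Windows context the step is given, which by default is the SQL Server Agent service account. The following T-SQL is an added example, not code from the answer: it lists every CmdExec step and the context it runs under, then moves such steps onto a SQL Agent proxy backed by a low-privilege Windows account. The account `DOMAIN\ssis_runner`, the login `DOMAIN\ssis_developers`, the job name `Load_Excel_Extract` and the password placeholder are all assumptions for illustration.

```sql
-- Added example, not from the original answer. Requires SQL Server 2005 or later
-- (proxies and credentials were introduced in 2005). All names below are placeholders.

-- 1. Which jobs have CmdExec steps, and under which security context do they run?
--    A NULL proxy_id means the step runs as the SQL Server Agent service account.
SELECT  j.name                          AS job_name,
        s.step_id,
        s.step_name,
        s.subsystem,
        s.command,
        COALESCE(p.name, '(SQL Agent service account)') AS run_as,
        SUSER_SNAME(j.owner_sid)        AS job_owner
FROM    msdb.dbo.sysjobs        AS j
JOIN    msdb.dbo.sysjobsteps    AS s ON s.job_id   = j.job_id
LEFT JOIN msdb.dbo.sysproxies   AS p ON p.proxy_id = s.proxy_id
WHERE   s.subsystem = N'CmdExec'
ORDER BY j.name, s.step_id;

-- 2. Store the low-privilege Windows account as a credential and wrap it in an
--    Agent proxy that is allowed to be used for the CmdExec subsystem only.
CREATE CREDENTIAL ssis_runner_cred
    WITH IDENTITY = N'DOMAIN\ssis_runner', SECRET = N'<password>';   -- placeholder

EXEC msdb.dbo.sp_add_proxy
     @proxy_name      = N'ssis_cmdexec_proxy',
     @credential_name = N'ssis_runner_cred',
     @enabled         = 1;

EXEC msdb.dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'ssis_cmdexec_proxy',
     @subsystem_name = N'CmdExec';

-- 3. Only the logins that are allowed to author these jobs may select the proxy,
--    so a non-sysadmin job owner cannot pick a more privileged context.
EXEC msdb.dbo.sp_grant_login_to_proxy
     @login_name = N'DOMAIN\ssis_developers',
     @proxy_name = N'ssis_cmdexec_proxy';

-- 4. Re-point an existing CmdExec step at the proxy instead of the service account.
EXEC msdb.dbo.sp_update_jobstep
     @job_name   = N'Load_Excel_Extract',
     @step_id    = 1,
     @proxy_name = N'ssis_cmdexec_proxy';
```

Run the first query again afterwards and the `run_as` column for the step should show `ssis_cmdexec_proxy`. The Windows account behind the credential only needs rights to read the Excel files and to execute the 32-bit runtime; it should not be a local administrator or a member of the SQL Server sysadmin role.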

#2


SQL 2008 introduced a switch for DTExec that allows you to run the packages in 32 bit mode using the native SQL Agent task for SSIS. On the execution tab of the job step properties there is a check box for 32 bit, which translates to the "/X86" switch when looking at the command line view.

If you are stuck using SQL 2005 then the CMDEXEC option is the only one I know of.
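As an added example (not from the answer), here are the two job step definitions the answer contrasts, expressed in T-SQL rather than through the job step dialog: the SQL 2008 native SSIS step carrying the `/X86` switch, and the SQL 2005 CmdExec step that has to call the 32-bit `DTExec.exe` directly. The job and package name `Load_Excel_Extract`, the proxy names and the server name are assumptions; the 32-bit DTExec path shown is the default SQL Server 2005 install location on 64-bit Windows.

```sql
-- Added example, not from the original answer. Names are placeholders.

-- SQL Server 2008 and later: native SSIS subsystem step. Ticking "Use 32 bit runtime"
-- on the Execution options tab is what puts /X86 into the stored command.
EXEC msdb.dbo.sp_add_jobstep
     @job_name   = N'Load_Excel_Extract',
     @step_name  = N'Run package (32-bit runtime)',
     @subsystem  = N'SSIS',
     @command    = N'/SQL "\Load_Excel_Extract" /SERVER "(local)" /X86 /CHECKPOINTING OFF /REPORTING E',
     @proxy_name = N'ssis_proxy';          -- proxy granted to the SSIS subsystem

-- SQL Server 2005: the SSIS subsystem has no /X86 option, so the 32-bit dtexec is
-- invoked from a CmdExec step. The whole command string is an arbitrary OS command
-- executed in the step's security context, which is the exposure the question asks about.
EXEC msdb.dbo.sp_add_jobstep
     @job_name   = N'Load_Excel_Extract',
     @step_name  = N'Run package via 32-bit DTExec',
     @subsystem  = N'CmdExec',
     @command    = N'"C:\Program Files (x86)\Microsoft SQL Server\90\DTS\Binn\DTExec.exe" /SQL "\Load_Excel_Extract" /SERVER "(local)" /CHECKPOINTING OFF /REPORTING E',
     @proxy_name = N'ssis_cmdexec_proxy';  -- proxy granted to the CmdExec subsystem
```

The practical difference is who can edit the command: with the SSIS subsystem the step can only ever launch dtexec with package arguments, whereas with CmdExec anyone allowed to modify the job can replace the command with any executable, so the proxy and the job-ownership permissions in msdb carry the whole security boundary.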

#3


xp_cmdshell is the biggest security risk in SQL Server because it allows a compromised SQL Server box to elevate the attack to the host operating system itself, and from there to the entire network.

The typical vector of attack is web site HTTP form -> SQL injection -> xp_cmdshell -> take over SQL hosting machine -> take over domain. If xp_cmdshell is shut down then the attacker has to find other means to elevate its attack from SQL to the host.

Other scenarios exist, like insider users using it to elevate privileges, or using the cmdshell for other purposes, e.g. stealing a database. All are based on the fact that xp_cmdshell allows arbitrary commands to be executed on the host, and in some cases the commands executed also inherit the SQL Server service account privileges.

There are other commands and extended procedures that can be used by an attacker if xp_cmdshell is blocked, but they are far less known. Using the xp_cmdshell vector is in every SQL injection cheat sheet and forum discussion, so it is known by everyone and their grandma.
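The answer above describes the SQL injection to xp_cmdshell to host takeover chain. The following T-SQL is an added example, not code from the answer: it checks whether xp_cmdshell is currently enabled, lists any explicit grants that extend host command execution beyond sysadmin, disables the procedure, and shows the proxy-account fallback for the case where it must stay on. The account `DOMAIN\cmdshell_runner` and its password are placeholders.

```sql
-- Added example, not from the original answer. Run in the master database
-- as a sysadmin on SQL Server 2005 or later.

-- 1. Is xp_cmdshell live right now? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = N'xp_cmdshell';

-- 2. Who may call it? Only sysadmin by default; every explicit EXECUTE grant on the
--    procedure hands host command execution to that principal (and to any web login
--    mapped to it). Expect an empty result on a clean instance.
SELECT  dp.name            AS grantee,
        dp.type_desc       AS grantee_type,
        pe.permission_name,
        pe.state_desc
FROM    master.sys.database_permissions AS pe
JOIN    master.sys.database_principals  AS dp
        ON dp.principal_id = pe.grantee_principal_id
WHERE   pe.major_id = OBJECT_ID(N'master.sys.xp_cmdshell');

-- 3. Close the vector. Disabled is the default on 2005 and later; this resets it.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

-- 4. If a job genuinely needs xp_cmdshell, non-sysadmin callers can be forced onto a
--    low-privilege Windows account instead of the SQL Server service account.
--    Sysadmin callers still run as the service account, so this limits the blast
--    radius for ordinary logins only. Shown commented out; names are placeholders.
-- EXEC sp_xp_cmdshell_proxy_account N'DOMAIN\cmdshell_runner', N'<password>';
```

One caveat a practitioner should keep in mind: disabling xp_cmdshell only stops an attacker whose injected login is not sysadmin. A sysadmin-level login can re-run the `sp_configure` call in step 3 with the value 1, so the control that actually breaks the chain described above is connecting the web application as a login with no sysadmin role and no `ALTER SETTINGS` permission, with xp_cmdshell disabled on top.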
