Black Hat Asia A trio of researchers from Palo Alto Networks has detailed vulnerabilities in the JET Engine database present on millions of Windows machines and demonstrated how they can be used to attack SQL server and Microsoft’s Internet Information Server as if attackers had the ability to execute code on the systems and said Microsoft has dismissed some of their findings as not worthy of a fix.
In a talk today at Black Hat Asia titled “Give Me a SQL Injection, I Shall PWN IIS and SQL Server”, the three explained that they’ve found the JET database engine – for years supplied as the underlying tech for Microsoft Access and still downloadable today – has many vulnerabilities. Among them is the ability to link to and query remote databases, even though the tool was not intended for such purposes.
Senior principal researcher Tao Yan, principal researcher Qi Deng and senior distinguished engineer Bo Qu demonstrated using JET to reach remote instances of SQL server, then used SQL injection to crash the database. SQL injections also took down Internet Information Server (IIS).
Tao said access to remote databases is possible thanks to what he called a “hidden” method that allows a combination of SMB and WEBDAV to make a connection. That combo also allows creation of files on IIS and SQL, through another hidden function.
“You can get at a remote system privileges with only SQL injection,” Tao said, describing the possibility of doing so as enormous given the prevalence of JET, and the fact that it remains freely available and happily runs on versions of Windows dating back decades.
The researchers said they’ve shared their work with Microsoft, but the software giant has rebuffed them on grounds that the problems identified do not cross a defined security boundary.
Tao said the three believe Microsoft will eventually patch JET and will withhold details of their work until remedies arrive, but added he has no firm indication of when Microsoft plans to deliver a fix. ®