A team of researchers have detailed vulnerabilities in the JET database engine.
Three researchers at Palo Alto Networks have detailed vulnerabilities in the JET database engine. They have also demonstrated how those flaws can be exploited to ultimately execute malicious code. The code payloads are delivered on systems running Microsoft’s SQL Server and Internet Information Services (IIS) web server.
At Black Hat Asia, senior principal researcher Tao Yan, principal researcher Qi Deng, and senior distinguished engineer Bo Qu explained it is possible to configure JET to access and query remote databases.
“IS and SQL Servers play very important roles in the Microsoft Ecosystem,” they said. “They have been considered unbreakable for many years, and over one decade has passed since the last severe IIS memory corruption vulnerability was disclosed.”
Disclosing a “novel attack surface” to attack IIS and SQL Servers
However, may questions have been raised. Are they unbreakable? What about having a SQL injection? Can a SQL injection in the ACCESS database only be used to view unexpected data in the database? What is the relationship between IIS/SQL Server and the ancient (~30 years old) Microsoft JET database engine from the attacker’s perspective?
“This presentation will answer all of those questions,” they said. “It discloses a novel attack surface to attack IIS and SQL Servers based on a SQL injection.”
Their presentation also discussed attack surface details and corresponding impacts in 3 classical attack scenarios in the real world: IIS+Access, IIS+SQL Server, and IIS+Webshell. It also showed 20-year old examples from dozens of vulnerabilities we found across all Windows versions released in the last two decades under this attack surface. I
The researchers said they shared their work with Microsoft. However, the tech giant waived them off, saying the problems they identified do not cross a defined security boundary.
The three researchers do believe Microsoft will eventually patch JET. They have also promised to withhold details of their findings until such remedies arrive. But the trio have no firm indication of when the Windows titan plans to deliver such a fix.