Instantly share code, notes, and snippets.

Embed
What would you like to do?
SQL Server registry hack that allows non sysadmin logins to use xp_regwrite to access senstive registry locations.
Below is a basic SQL Server registry hack that allows non sysadmin logins to use xp_regwrite to access senstive registry locations.
Scenario
--------
Give Public role members privileges to execute xp_regwrite.
GRANT EXEC ON OBJECT::master.dbo.xp_regwrite TO [Public]
Issue
-----
By default, non sysadmin logins can only use xp_regwrite on the followin registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
Write access appears to be recursive, with the exception of:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures
Solution
--------
An undocumentated registry key exists that allow admins to set a white list of registry locations that can be written
to by non sysadmin logins via xp_regwrite. Simply add the registry location you wish to white list to registry keys below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures\
Xp_regread Allowed Paths
REG_MULTI_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures\
Xp_regwrite Allowed Paths
REG_MULTI_SZ
Notes
-----
This may have some potential as a persistence method since it could be used in place of xp_cmdshell,
and execute without sysadmin privileges.
Source: https://support.microsoft.com/en-us/kb/887165
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment