Last active
February 15, 2021 10:28
-
-
Save nullbind/03af8d671621a6e1cef770bace19a49e to your computer and use it in GitHub Desktop.
SQL Server registry hack that allows non sysadmin logins to use xp_regwrite to access senstive registry locations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Below is a basic SQL Server registry hack that allows non sysadmin logins to use xp_regwrite to access senstive registry locations. | |
Scenario | |
-------- | |
Give Public role members privileges to execute xp_regwrite. | |
GRANT EXEC ON OBJECT::master.dbo.xp_regwrite TO [Public] | |
Issue | |
----- | |
By default, non sysadmin logins can only use xp_regwrite on the followin registry keys. | |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE> | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\SQLAgent$<INSTANCE> | |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication | |
Write access appears to be recursive, with the exception of: | |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures | |
Solution | |
-------- | |
An undocumentated registry key exists that allow admins to set a white list of registry locations that can be written | |
to by non sysadmin logins via xp_regwrite. Simply add the registry location you wish to white list to registry keys below. | |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures\ | |
Xp_regread Allowed Paths | |
REG_MULTI_SZ | |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures\ | |
Xp_regwrite Allowed Paths | |
REG_MULTI_SZ | |
Notes | |
----- | |
This may have some potential as a persistence method since it could be used in place of xp_cmdshell, | |
and execute without sysadmin privileges. | |
Source: https://support.microsoft.com/en-us/kb/887165 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment