The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez. It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network. The indictment doesn't give any details of the technique that was used to leverage the SQL Injection vulnerability to install the malware. I have my theories. Here are some potential ideas:
- xp_cmdshell was enabled and allowed the attackers to execute the commands of their choice on the server
- web content was served from the database and it was changed to allow executable file uploads to the web server and then execution on the web server
- there was sensitive data stored in tables in the database that allowed the attackers access to machines they could execute code on.
I would be interested in other ways people know of to leverage a SQL injection vulnerability to execute code. Once an attacker has the tiniest foothold through a perimeter it can often be leveraged to compromise an entire organization. That is why public facing web applications are critical to secure. They are on the front-line perimeter of your organization and demand the same care you would put into locking down your firewall, mail server, or VPN. Thinking that attackers who find a web vulnerability will only be able to manipulate web transactions deprioritizes the risk inappropriately. Sometimes a web vulnerability gives them the whole enchilada.
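To make the root cause concrete, here is an added example (not from the indictment or the original post) showing the weak pattern that creates a SQL injection vulnerability next to the parameterized form that closes it. It uses Python's standard-library sqlite3 module with a constructed in-memory `customers` table; the table name, columns, sample rows and the `lookup_*`/`compare` helper names are all assumptions made for the illustration. The same input is run through both lookups so the difference in what the database sees is visible.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "customers" table standing in for
# the kind of back-end a public-facing web application queries.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-XXXX-XXXX-1111"),
    ("bob", "bob@example.com", "5500-XXXX-XXXX-0004"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak pattern: user input is spliced into the query text, so the
    database parses whatever the input contains as part of the SQL."""
    query = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the query text is fixed and the input is bound as a
    parameter, so the database only ever treats it as a string value."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run one input through both lookups and report how many rows each
    returns; a mismatch means the input was interpreted as SQL."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, username)),
            "parameterized_rows": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same in both; an input containing quote
    # characters and an OR clause returns every row from the weak version
    # and nothing from the parameterized one.
    for name in ("alice", "' OR '1'='1"):
        print(repr(name), compare(name))
```

The point for a reviewer or auditor is that the fix is structural, not a matter of filtering characters: any query built by string formatting from request data should be rewritten with bound parameters, and a code search for f-strings or `+` concatenation feeding `execute()` is a quick way to find candidates.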