Another quick follow-up point to yesterday’s security presentation at TechEd: Marcus Marray showed a SQL injection exploit (based on the Hacme Bank demo, the XP_CMDSHELL stored procedure, and Sec-1 injector.pl) which results in a remote shell.
What surprised me is that the tool the attack script uses to assemble the shell (as in, translate it to machine code) – debug.exe – is in fact present on my XP SP2 machine. It got me thinking – is that tool present by default on Windows Server 2003 machines, as well as on Vista and Longhorn Server? Since I’m currently traveling and don’t have access to those images, I’ll have to check on that.
When I’ve read in the past about locking down Linux machines, one piece of common advice is essentially this: don’t make a hacker’s job easier by leaving a compiler installed on your hardened server. A quick search on the net suggests there may be some best-practice docs out there covering debug.exe on Windows, but nothing obvious turns up.
On the other hand, if an attacker gets far enough that the only thing blocking him is the minor inconvenience of uploading some compiler/assembler/interpreter, then perhaps it’s already too late.