Webinar - Attacking SQL Server CLR Assemblies
Presented by Scott Sutherland @ NetSPI
During this webinar we’ll be reviewing how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments. This is a live review of content previously covered in the blog https://blog.netspi.com/attacking-sql-server-clr-assemblies/.
What are SQL Server CLR assemblies?
They are .net DLLs that can be imported into SQL Server to extend the native functionality
All code will run under the context of the SQL Server service account by default
CLR Assemblies are supported by SQL Server 2008 to Present
Pros vs. Cons for Offensive Use Cases
- Command execution without xp_cmdshell
- Custom code can be defined
- Commands can be executed WITHOUT having to access a file on disk
- Assemblies can be created by a non-sysadmin if privileges are granted
- Requires server level configuration changes
- Requires database level configuration changes
- Doesn’t work well on SQL Server versions prior to 2008
What’s required to use CLR assemblies?
- Sysadmin privileges (usually)
- The following privilege can also work:
- CREATE ASSEMBLY
- ALTER ASSEMBLY
- DDL_ADMIN Role
Server level setting: “clr enabled” set to 1
Server level setting: “clr strict security” set to 0 (2017 and later)
- Database level setting: “is_trustworthy” is set to “1”
- (or) use the default “msdb” database
What’s the high-level process?
- Compile a .net assembly DLL
- Log into the SQL Server with the required privileges
- Configure the SQL Server to meet the minimum requirements
- Create Assembly from the file or hex decimal string
- Note: The assembly is stored in a SQL Server table
- Create Procedure that maps to CLR methods
- Run your procedure