3 Replies Latest reply on Apr 3, 2012 3:31 AM by JoeBidgood

    SQL Query For Manually Adding New Global Admin Account

    jwestad

McAfee Support said it was possible but refused to release the code. So I wanted to share this simple query for whoever needs it. Please note this is not a vulnerability because you need access to the SQL DB first.

      INSERT INTO dbo.OrionUsers (Name, AuthURI, Admin, Disabled, Visible, Interacctive, Removable)
      VALUES ('NEWUSER', 'auth:pwd?pwd=NEWPWD, 'True', 'False', 'True', 'True', 'True')

        • 1. Re: SQL Query For Manually Adding New Global Admin Account
          JoeBidgood

          Hi...


          A couple of points:


          1) As it stands, this won't work - "Interactive" only has one C, AuthURI needs to contain a password hash rather than a plaintext password, and it also needs to be terminated with a '.

          An easier method is to create an account with a known username/password pair on another ePO server and then extract the name and authuri values.


          2) There's no vulnerability as long as the account information you're using is known only to yourself. If you were using a name/authuri from an external source, then you could introduce a vulnerability if you did not immediately change the password, or remove the account once you've used it to reset the password for whichever account requires it.


          HTH -


          Joe

          • 2. Re: SQL Query For Manually Adding New Global Admin Account
            jwestad

            Hey Joe,


            Nice catch, and I appreciate your insight! As you can see, the site was giving me issues.


            The part I disagree with is your note on the AuthURI needing to contain a password hash. I have tested this on a few boxes and 2 of the 3 did take the password entered here. We noticed that it was converted to a hash upon initial login. If you are using a domain user and have issues with the 'auth:pwd?pwd=NEWPWD' then 'auth:ntlm?domain=DOMAIN.COM&user=DomainUser' will work perfectly.


            Additionally, from a vulnerability aspect, we have also tested gaining access to certain versions of SQL Server 2005 and early 2008 with mixed results of success. End event is, if someone from the outside can run an exploit gaining write access to our DB, then we are at risk of losing essential protection components that ensure they do not cause harm to our systems.


            To give you a little background on why this started: our old ePO admin left and, upon leaving, removed all user accounts from ePO and the SQL DB, so we were not able to get into anything. Even though I am an admin, if I am able to get into the SQL DB and modify these tables having only physical access to the network, then I would think many others could as well. The overall fix for the vulnerability is ensuring that your SQL DB is at the latest "supported" version.

            • 3. Re: SQL Query For Manually Adding New Global Admin Account
              JoeBidgood

              The part I disagree with is your note on the AuthURI needing to contain a password hash. I have tested this on a few boxes and 2 of the 3 did take the password entered here. We noticed that it was converted to a hash upon initial login. If you are using a domain user and have issues with the 'auth:pwd?pwd=NEWPWD' then 'auth:ntlm?domain=DOMAIN.COM&user=DomainUser' will work perfectly.


              Can I ask which ePO version you're using? I have been unable to get this to work on any of my test machines, and certainly as far as I know there is no function to hash a clear text password at first login...


              End event is, if someone from the outside can run an exploit gaining write access to our DB, then we are at risk of losing essential protection components that ensure they do not cause harm to our systems.


              This is true - if anyone has unauthorised admin access to your databases, you have a very big problem indeed.


              HTH -


              Joe
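The thread's point is that whoever can write to dbo.OrionUsers can mint a global admin, and that the defence is controlling and watching database access rather than the ePO console. The following T-SQL is an added example from a defender's side, not code from the thread or from McAfee: it puts an audit trigger on the table named in the first post so that any insert, update or delete of an ePO user row is recorded with the SQL login and client host that made it, and adds a review query for the current admin accounts. It assumes SQL Server, the column names given in the thread (Name, AuthURI, Admin, Disabled, Visible, Interactive, Removable) and nothing about their exact types; the audit table and trigger names are made up here. Only the scheme part of AuthURI (the text before the '?') is copied, so the audit table never stores a password or hash.

```sql
-- Added example, not from the thread or from McAfee.
-- Audit table for changes to ePO's user table (name and column types are assumptions).
CREATE TABLE dbo.OrionUsers_Audit (
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    ChangedAt   DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    ChangedBy   NVARCHAR(128) NOT NULL DEFAULT SUSER_SNAME(),  -- SQL login that made the change
    HostName    NVARCHAR(128) NULL     DEFAULT HOST_NAME(),    -- client host name sent by the connection
    Operation   CHAR(1)       NOT NULL,                        -- 'I' insert, 'U' update, 'D' delete
    Name        NVARCHAR(256) NULL,
    AuthScheme  NVARCHAR(64)  NULL,                            -- e.g. 'auth:pwd' or 'auth:ntlm'; never the secret
    Admin       NVARCHAR(8)   NULL
);
GO

-- Trigger on the table the first post writes to (dbo.OrionUsers and its columns come from the thread).
CREATE TRIGGER dbo.trg_OrionUsers_Audit
ON dbo.OrionUsers
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- New rows (INSERT): present in inserted, nothing in deleted.
    INSERT INTO dbo.OrionUsers_Audit (Operation, Name, AuthScheme, Admin)
    SELECT 'I', i.Name,
           LEFT(i.AuthURI, CHARINDEX('?', i.AuthURI + '?') - 1),  -- scheme only, drops '?pwd=...'
           i.Admin
    FROM inserted AS i
    WHERE NOT EXISTS (SELECT 1 FROM deleted);

    -- Changed rows (UPDATE): record the new values.
    INSERT INTO dbo.OrionUsers_Audit (Operation, Name, AuthScheme, Admin)
    SELECT 'U', i.Name,
           LEFT(i.AuthURI, CHARINDEX('?', i.AuthURI + '?') - 1),
           i.Admin
    FROM inserted AS i
    WHERE EXISTS (SELECT 1 FROM deleted);

    -- Removed rows (DELETE): the case from the thread's background story.
    INSERT INTO dbo.OrionUsers_Audit (Operation, Name, AuthScheme, Admin)
    SELECT 'D', d.Name,
           LEFT(d.AuthURI, CHARINDEX('?', d.AuthURI + '?') - 1),
           d.Admin
    FROM deleted AS d
    WHERE NOT EXISTS (SELECT 1 FROM inserted);
END;
GO

-- Review: every account currently flagged as a global admin, with its auth scheme.
SELECT Name, Admin, Disabled,
       LEFT(AuthURI, CHARINDEX('?', AuthURI + '?') - 1) AS AuthScheme
FROM dbo.OrionUsers
WHERE Admin = 'True'
ORDER BY Name;

-- Review: the most recent changes to the user table and who made them.
SELECT TOP (50) ChangedAt, ChangedBy, HostName, Operation, Name, AuthScheme, Admin
FROM dbo.OrionUsers_Audit
ORDER BY ChangedAt DESC;
```

Changes made through the ePO console normally arrive through ePO's own database login, so audit rows under any other login or from an unexpected host are the ones worth looking at. This is a tripwire, not a control: anyone with db_owner rights on the ePO database can drop the trigger or edit the audit table, which is exactly Joe's point that unauthorised admin access to the database is the real problem. Restricting SQL logins to the ePO service account and named DBAs, keeping SQL Server patched as jwestad describes, and (on SQL Server 2008 or later) using the server's built-in SQL Server Audit feature are the controls the trigger supplements.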