1 / 26

REALLY HACKING SQL SERVER 2000

REALLY HACKING SQL SERVER 2000. Less Theory – More Action Jasper Smith . Agenda. Slammer review and Tools SQL Password Sniffing Decoding WITH ENCRYPTION Privilege Escalation UDP 1434 Exploits Links to security resources Questions ?. What’s not covered.

ivanbritt
Télécharger la présentation

REALLY HACKING SQL SERVER 2000

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. REALLY HACKING SQL SERVER 2000 Less Theory – More Action Jasper Smith

  2. Agenda • Slammer review and Tools • SQL Password Sniffing • Decoding WITH ENCRYPTION • Privilege Escalation • UDP 1434 Exploits • Links to security resources • Questions ?

  3. What’s not covered • SQL Injectionhttp://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3http://www.nextgenss.com/papers/advanced_sql_injection.pdfhttp://www.nextgenss.com/papers/more_advanced_sql_injection.pdf • SQL Password Crackinghttp://www.nextgenss.com/papers/cracking-sql-passwords.pdfhttp://www.nextgenss.com/software/ngssqlcrack.html

  4. First the Good News ! • The demos are all on SP2 (8.00.534) • A lot of these are fixed in SP3 • Slammer means a lot of sites are already on SP3 or latest security hotfix • Slammer served as a wakeup call and focused everyone's minds on security (if they weren’t already !!)

  5. SQL Slammer (Sapphire/W32.Slammer) Memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in the SQL Server Resolution Service First patch available July 2002 Difficulty of installing security hotfixes hampered deployment (tools now available) Too many exposed servers without Firewalls MSDE difficult to patch and identify – installed by many products

  6. Spread of Slammer – First 30 mins

  7. Slammer cont… • Because it used UDP rather than TCP it was only limited by available bandwidth • At Slammer’s peak, it was scanning 55 million hosts per second and doubled it’s numbers every 8.5 seconds [2] • 75,000 hosts affected in first 10 minutes [2] • Officially the fastest spreading worm ever

  8. SQL Security Tools • SQL ScanScans single PC,IP range or domainCan optionally stop and disable vulnerable instances • SQL CheckScans single PCCan optionally stop and disable vulnerable instances • SQL Critical UpdateScans single PCInstalls Slammer hotfix even if instance not at SP2 • SMSDeploySMS install pack to deploy SQL Critical Update http://www.microsoft.com/sql/downloads/securitytools.asp

  9. SQL Password Sniffing • Password is not sent in clear text, howeverthe “encryption” is weak and easily broken • Information on the algorithm is available fromThreat Profiling SQL Server by David Litchfieldhttp://www.nextgenss.com/papers/tp-SQL2000.pdf • The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]

  10. SQL Password Sniffing • Simply need to format captured network trace into a varbinary string and run a small UDF to crack • Easy to spot password,every other byte is 0xA5 • Application roles suffer same problem • Let’s have a look at the UDF then a demo

  11. dbo.decoder

  12. PASSWORD DEMO

  13. SQL Password Sniffing • If at all possible use NT Authentication • If you must use SQL Authentication then consider using SSL Encryption • Can be enabled for specific connections or server wide for all connections • IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL

  14. Decoding WITH ENCRYPTION • dSQLSRVDhttp://www.geocities.com/d0mn4r/dSQLSRVD.html • Good explanation of issues with it athttp://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt • “Security” by obscurity • Key generation relies on Database GUID, object_id and colid from syscomments • ALTER statement allows us to use the same key to encrypt our own “known” text thus algorithm degenerates to simple XOR encryption

  15. DEMO WITH ENCRYPTION

  16. Privilege Escalation – Jobs • Any login can make themselves sysadmin with 5 lines of TSQL • By default all logins can submit jobs • SQL agent issues SETUSER N'guest' WITH NORESETwhen a non sysadmin runs a job • Three vulnerable extended stored procedures • xp_execresultset • xp_printstatements • xp_displayparamstmt • These procedures cause a reconnection to SQL

  17. Privilege Escalation – sysxlogins • Only possible if you are a sysadmin • Use sp_configure to allow updates • For any NT login (group or user) • Change xstatus from to 18 [1] • This will allow you to login using SQL authentication by using the NT login name and no password. • NT login still works as normal

  18. DEMO PRIVILIGE ESCALATION

  19. Privilege Escalation • Apply SP3 or latest security hotfix • Secure extended stored procedures • Remove guest user from msdb • Audit sysxlogins • Audit members of Sysadmin (difficult)

  20. UDP 1434 Exploit – SQLKill.Net • UDP 1434 Buffer Overflows made famous by Slammer but reported and fixed July 02 • First example uses a harmless discovery tool and changes 1 character from 2 to 8 • Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function causing an AV [1]

  21. DEMO KILL SQL SERVER

  22. UDP 1434 Exploit - netcat • Second example is more complicated • Use a stack overflow to call back to netcat listening on attacker pc on UDP 53 • Network traffic looks like a malformed DNS query and DNS dynamic update • Gain remote shell on target server • Running in the SQL Server process space • Let’s steal a database and for fun delete it and all backups and create an empty database with the same name

  23. DEMO NETCAT

  24. UDP 1434 Exploit - Protection • SP3 or latest security hotfixhttp://www.microsoft.com/sql/downloads/2000/sp3.asphttp://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333 • Firewall rules to block all UDP 1434 traffic • IPSEC policies blocking UDP 1434 How to Block Specific Network Protocols and Ports by Using IPSechttp://support.microsoft.com/?id=813878

  25. Security Links • Slammerhttp://www.microsoft.com/security/slammer.asphttp://www.caida.org/analysis/security/sapphirehttp://www.caida.org/outreach/papers/2003/sapphire/sapphire.htmlhttp://www.nextgenss.com/advisories/mssql-udp.txt • Securityhttp://www.sqlsecurity.comhttp://www.nextgenss.com/research/papers.htmlhttp://www.securityfocus.comhttp://www.microsoft.com/sql/techinfo/administration/2000/security

  26. References [1] Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf [2]http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

More Related