REALLY HACKING SQL SERVER 2000 - PowerPoint PPT Presentation


REALLY HACKING SQL SERVER 2000

Less Theory – More Action

Jasper Smith



Agenda

  • Slammer review and Tools

  • SQL Password Sniffing

  • Decoding WITH ENCRYPTION

  • Privilege Escalation

  • UDP 1434 Exploits

  • Links to security resources

  • Questions ?



What’s not covered

  • SQL Injection
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

  • SQL Password Cracking
    http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
    http://www.nextgenss.com/software/ngssqlcrack.html



First the Good News !

  • The demos are all on SP2 (8.00.534)

  • A lot of these are fixed in SP3

  • Slammer means a lot of sites are already on SP3 or latest security hotfix

  • Slammer served as a wakeup call and focused everyone's minds on security (if they weren’t already !!)



SQL Slammer (Sapphire/W32.Slammer)

Memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in the SQL Server Resolution Service

First patch available July 2002

Difficulty of installing security hotfixes hampered deployment (tools now available)

Too many exposed servers without Firewalls

MSDE difficult to patch and identify – installed by many products



Spread of Slammer – First 30 mins



Slammer cont…

  • Because it used UDP rather than TCP, it was limited only by available bandwidth

  • At Slammer’s peak, it was scanning 55 million hosts per second and doubled its numbers every 8.5 seconds [2]

  • 75,000 hosts affected in first 10 minutes [2]

  • Officially the fastest spreading worm ever



SQL Security Tools

  • SQL Scan
    • Scans single PC, IP range or domain
    • Can optionally stop and disable vulnerable instances

  • SQL Check
    • Scans single PC
    • Can optionally stop and disable vulnerable instances

  • SQL Critical Update
    • Scans single PC
    • Installs Slammer hotfix even if instance not at SP2

  • SMSDeploy
    • SMS install pack to deploy SQL Critical Update

    http://www.microsoft.com/sql/downloads/securitytools.asp



SQL Password Sniffing

  • Password is not sent in clear text, however the “encryption” is weak and easily broken

  • Information on the algorithm is available from Threat Profiling SQL Server by David Litchfield
    http://www.nextgenss.com/papers/tp-SQL2000.pdf

  • The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]



SQL Password Sniffing

  • Simply need to format the captured network trace into a varbinary string and run a small UDF to crack it

  • Easy to spot the password: every other byte is 0xA5

  • Application roles suffer same problem

  • Let’s have a look at the UDF then a demo
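As an added example (not the presentation's dbo.decoder, whose code is not reproduced on this page), here is the defender's counterpart to the "every other byte is 0xA5" check above: a SQL Server 2000 scalar UDF that scans a login packet captured from a monitoring span, supplied as varbinary, and returns where the obfuscated password field starts. Its purpose is to confirm which applications still send SQL-authentication passwords without SSL, so they can be moved to NT authentication or an encrypted connection. The function name, parameter names and the sample trace are assumptions and constructed values, not taken from the slides. It checks both byte alignments, since the field can begin at either offset parity in a capture; a password containing non-ASCII characters would not show the pattern, because the high byte of its UTF-16 code units is not 0x00.

```sql
-- Added example (not the presentation's dbo.decoder): a SQL Server 2000
-- scalar UDF that looks for the wire signature of an obfuscated
-- SQL-authentication password in a captured login packet. The password is
-- sent as UTF-16LE XORed with 0xA5, so for ASCII characters every second
-- byte is 0xA5. The function returns the 1-based offset at which a run of
-- at least @min_len bytes with that shape begins, or 0 if there is none.
-- Function and parameter names are assumptions; the trace in the usage call
-- at the bottom is constructed, not a real capture.
CREATE FUNCTION dbo.fn_find_a5_run
(
    @trace   varbinary(8000),   -- captured packet bytes
    @min_len int                -- minimum run length in bytes, e.g. 8
)
RETURNS int
AS
BEGIN
    DECLARE @len int, @i int
    -- one counter per byte-offset parity, because the password field can
    -- start at an odd or an even offset within the capture
    DECLARE @run_even int, @run_odd int, @start_even int, @start_odd int
    SELECT @len = DATALENGTH(@trace), @i = 1,
           @run_even = 0, @run_odd = 0, @start_even = 0, @start_odd = 0

    WHILE @i <= @len
    BEGIN
        IF SUBSTRING(@trace, @i, 1) = 0xA5
        BEGIN
            IF @i % 2 = 0
            BEGIN
                -- the low byte of the character precedes its 0xA5 high byte
                IF @run_even = 0 SET @start_even = @i - 1
                SET @run_even = @run_even + 1
                IF @run_even * 2 >= @min_len RETURN @start_even
            END
            ELSE
            BEGIN
                IF @run_odd = 0 SET @start_odd = CASE WHEN @i > 1 THEN @i - 1 ELSE 1 END
                SET @run_odd = @run_odd + 1
                IF @run_odd * 2 >= @min_len RETURN @start_odd
            END
        END
        ELSE IF @i % 2 = 0
            SET @run_even = 0
        ELSE
            SET @run_odd = 0
        SET @i = @i + 1
    END
    RETURN 0
END
GO

-- Constructed sample: two leading bytes, four UTF-16LE characters whose high
-- bytes are 0xA5 (low bytes arbitrary), then two trailing bytes.
SELECT dbo.fn_find_a5_run(0x010211A522A533A544A50304, 8) AS password_offset
```

For the constructed trace the call returns 3, the offset of the first low byte of the four-character run. Fed with the TDS login packet of a real capture, a non-zero result is the evidence that a SQL-authentication password crossed the network with only the 0xA5 obfuscation protecting it.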



dbo.decoder



PASSWORD DEMO



SQL Password Sniffing

  • If at all possible use NT Authentication

  • If you must use SQL Authentication then consider using SSL Encryption

  • Can be enabled for specific connections or server wide for all connections

  • IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL



Decoding WITH ENCRYPTION

  • dSQLSRVD
    http://www.geocities.com/d0mn4r/dSQLSRVD.html

  • Good explanation of issues with it at
    http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt

  • “Security” by obscurity

  • Key generation relies on Database GUID, object_id and colid from syscomments

  • An ALTER statement allows us to encrypt our own “known” text with the same key, so the algorithm degenerates to simple XOR encryption



DEMO WITH ENCRYPTION



Privilege Escalation – Jobs

  • Any login can make themselves sysadmin with 5 lines of TSQL

  • By default all logins can submit jobs

  • SQL Agent issues SETUSER N'guest' WITH NORESET when a non-sysadmin runs a job

  • Three vulnerable extended stored procedures

    • xp_execresultset

    • xp_printstatements

    • xp_displayparamstmt

  • These procedures cause a reconnection to SQL



Privilege Escalation – sysxlogins

  • Only possible if you are a sysadmin

  • Use sp_configure to allow updates

  • For any NT login (group or user)

  • Change xstatus from to 18 [1]

  • This will allow you to log in using SQL authentication with the NT login name and no password.

  • NT login still works as normal


DEMO PRIVILEGE ESCALATION



Privilege Escalation

  • Apply SP3 or latest security hotfix

  • Secure extended stored procedures

  • Remove guest user from msdb

  • Audit sysxlogins

  • Audit members of Sysadmin (difficult)
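The following audit script is an added example, not the presentation's demo code. It checks a SQL Server 2000 instance for the conditions the job-based and sysxlogins escalations above depend on, and reports on each of the mitigations listed: the 'allow updates' setting, the sysadmin population and any login whose sysxlogins row looks edited, the guest user in msdb, execute rights on the three extended stored procedures, jobs owned by non-sysadmin logins or calling those procedures, and the sysadmin membership list. It assumes the SQL Server 2000 system tables (master..sysxlogins, master..sysprotects, msdb..sysjobs, msdb..sysjobsteps, msdb..sysusers) and the xstatus bit layout exposed by the syslogins view, where bit 4 marks a Windows (NT) login and bit 16 marks a sysadmin; the column aliases are mine.

```sql
-- Added audit script (not part of the presentation or its demos). Assumes the
-- SQL Server 2000 system tables and the xstatus bits used by the syslogins
-- view: 4 = Windows (NT) login, 16 = member of sysadmin. Run as sysadmin.
USE master
GO

-- 1. 'allow updates' should be 0 outside of maintenance: sysxlogins cannot
--    be edited directly while it is off.
EXEC sp_configure 'allow updates'

-- 2. Every login holding sysadmin, with the two fields the sysxlogins edit
--    changes. An entry with the NT bit clear and no password hash is either
--    a blank-password SQL login or a tampered NT login; both are findings.
SELECT  name,
        xstatus,
        nt_login = CASE WHEN xstatus & 4 = 4 THEN 'yes' ELSE 'no' END,
        pwd_hash = CASE WHEN password IS NULL THEN 'NULL' ELSE 'set' END
FROM    master..sysxlogins
WHERE   srvid IS NULL                 -- local logins only, as syslogins does
  AND   xstatus & 16 = 16
ORDER BY name

-- 3. Logins treated as SQL-authenticated (NT bit clear) whose name still
--    has the DOMAIN\name shape: the footprint of "change xstatus to 18".
SELECT  name, xstatus
FROM    master..sysxlogins
WHERE   srvid IS NULL
  AND   xstatus & 4 = 0
  AND   name LIKE '%\%'

-- 4. guest in msdb. While it has access, SQL Agent runs the job steps of
--    non-sysadmin owners under it (SETUSER N'guest' WITH NORESET).
SELECT  name, hasdbaccess
FROM    msdb..sysusers
WHERE   name = 'guest'
-- Remediation from the slide, left commented because it breaks jobs owned
-- by non-sysadmin logins; review the output of query 6 first:
-- EXEC msdb..sp_revokedbaccess 'guest'

-- 5. Who may execute the three extended stored procedures used by the
--    job-based escalation. In sysprotects, action 224 = EXECUTE and
--    protecttype 205 = GRANT, 206 = DENY. A GRANT to public is the finding.
SELECT  xp      = o.name,
        grantee = u.name,
        perm    = CASE p.protecttype WHEN 205 THEN 'GRANT'
                                     WHEN 206 THEN 'DENY'
                                     ELSE 'GRANT WITH GRANT' END
FROM    master..sysprotects p
JOIN    master..sysobjects  o ON o.id  = p.id
JOIN    master..sysusers    u ON u.uid = p.uid
WHERE   p.action = 224
  AND   o.name IN ('xp_execresultset', 'xp_printstatements', 'xp_displayparamstmt')
-- Remediation, one statement per procedure:
-- REVOKE EXECUTE ON xp_execresultset FROM public

-- 6. Jobs owned by logins that are not sysadmin (these are the ones that
--    run as guest), and any job step that calls one of the three procedures.
SELECT  job     = j.name,
        owner   = SUSER_SNAME(j.owner_sid),
        enabled = j.enabled
FROM    msdb..sysjobs j
LEFT JOIN master..sysxlogins l ON l.sid = j.owner_sid AND l.srvid IS NULL
WHERE   l.sid IS NULL OR l.xstatus & 16 = 0

SELECT  job = j.name, s.step_id, s.step_name, s.command
FROM    msdb..sysjobsteps s
JOIN    msdb..sysjobs j ON j.job_id = s.job_id
WHERE   s.command LIKE '%xp_execresultset%'
   OR   s.command LIKE '%xp_printstatements%'
   OR   s.command LIKE '%xp_displayparamstmt%'

-- 7. Members of sysadmin, for the periodic review the slide calls difficult.
EXEC sp_helpsrvrolemember 'sysadmin'
```

Queries 2 and 3 are the part worth scheduling: the sysxlogins edit leaves no trace in the SQL Server error log, so comparing their output against a saved baseline is the practical way to notice a login that became sysadmin without going through sp_addsrvrolemember.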



UDP 1434 Exploit – SQLKill.Net

  • UDP 1434 Buffer Overflows made famous by Slammer but reported and fixed July 02

  • First example uses a harmless discovery tool and changes 1 character from 2 to 8

  • Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function, causing an access violation (AV) [1]



DEMO KILL SQL SERVER



UDP 1434 Exploit - netcat

  • Second example is more complicated

  • Use a stack overflow to call back to netcat listening on the attacker’s PC on UDP 53

  • Network traffic looks like a malformed DNS query and DNS dynamic update

  • Gain remote shell on target server

  • Running in the SQL Server process space

  • Let’s steal a database and for fun delete it and all backups and create an empty database with the same name



DEMO NETCAT



UDP 1434 Exploit - Protection

  • SP3 or latest security hotfix
    http://www.microsoft.com/sql/downloads/2000/sp3.asp
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333

  • Firewall rules to block all UDP 1434 traffic

  • IPSEC policies blocking UDP 1434
    How to Block Specific Network Protocols and Ports by Using IPSec
    http://support.microsoft.com/?id=813878



Security Links

  • Slammer
    http://www.microsoft.com/security/slammer.asp
    http://www.caida.org/analysis/security/sapphire
    http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
    http://www.nextgenss.com/advisories/mssql-udp.txt

  • Security
    http://www.sqlsecurity.com
    http://www.nextgenss.com/research/papers.html
    http://www.securityfocus.com
    http://www.microsoft.com/sql/techinfo/administration/2000/security



References

[1] Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf

[2] http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

