Really hacking sql server 2000
1 / 26

REALLY HACKING SQL SERVER 2000 - PowerPoint PPT Presentation

  • Updated On :

REALLY HACKING SQL SERVER 2000. Less Theory – More Action Jasper Smith . Agenda. Slammer review and Tools SQL Password Sniffing Decoding WITH ENCRYPTION Privilege Escalation UDP 1434 Exploits Links to security resources Questions ?. What’s not covered.

Related searches for REALLY HACKING SQL SERVER 2000

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'REALLY HACKING SQL SERVER 2000' - ivanbritt

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Really hacking sql server 2000 l.jpg


Less Theory – More Action

Jasper Smith

Agenda l.jpg

  • Slammer review and Tools

  • SQL Password Sniffing


  • Privilege Escalation

  • UDP 1434 Exploits

  • Links to security resources

  • Questions ?

What s not covered l.jpg
What’s not covered

  • SQL Injection

  • SQL Password Cracking

First the good news l.jpg
First the Good News !

  • The demos are all on SP2 (8.00.534)

  • A lot of these are fixed in SP3

  • Slammer means a lot of sites are already on SP3 or latest security hotfix

  • Slammer served as a wakeup call and focused everyone's minds on security (if they weren’t already !!)

Sql slammer sapphire w32 slammer l.jpg
SQL Slammer (Sapphire/W32.Slammer)

Memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in the SQL Server Resolution Service

First patch available July 2002

Difficulty of installing security hotfixes hampered deployment (tools now available)

Too many exposed servers without Firewalls

MSDE difficult to patch and identify – installed by many products

Slammer cont l.jpg
Slammer cont…

  • Because it used UDP rather than TCP it was only limited by available bandwidth

  • At Slammer’s peak, it was scanning 55 million hosts per second and doubled it’s numbers every 8.5 seconds [2]

  • 75,000 hosts affected in first 10 minutes [2]

  • Officially the fastest spreading worm ever

Sql security tools l.jpg
SQL Security Tools

  • SQL ScanScans single PC,IP range or domainCan optionally stop and disable vulnerable instances

  • SQL CheckScans single PCCan optionally stop and disable vulnerable instances

  • SQL Critical UpdateScans single PCInstalls Slammer hotfix even if instance not at SP2

  • SMSDeploySMS install pack to deploy SQL Critical Update

Sql password sniffing l.jpg
SQL Password Sniffing

  • Password is not sent in clear text, howeverthe “encryption” is weak and easily broken

  • Information on the algorithm is available fromThreat Profiling SQL Server by David Litchfield

  • The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]

Sql password sniffing10 l.jpg
SQL Password Sniffing

  • Simply need to format captured network trace into a varbinary string and run a small UDF to crack

  • Easy to spot password,every other byte is 0xA5

  • Application roles suffer same problem

  • Let’s have a look at the UDF then a demo

Sql password sniffing13 l.jpg
SQL Password Sniffing

  • If at all possible use NT Authentication

  • If you must use SQL Authentication then consider using SSL Encryption

  • Can be enabled for specific connections or server wide for all connections

  • IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL

Decoding with encryption l.jpg


  • Good explanation of issues with it at

  • “Security” by obscurity

  • Key generation relies on Database GUID, object_id and colid from syscomments

  • ALTER statement allows us to use the same key to encrypt our own “known” text thus algorithm degenerates to simple XOR encryption

Privilege escalation jobs l.jpg
Privilege Escalation – Jobs

  • Any login can make themselves sysadmin with 5 lines of TSQL

  • By default all logins can submit jobs

  • SQL agent issues SETUSER N'guest' WITH NORESETwhen a non sysadmin runs a job

  • Three vulnerable extended stored procedures

    • xp_execresultset

    • xp_printstatements

    • xp_displayparamstmt

  • These procedures cause a reconnection to SQL

Privilege escalation sysxlogins l.jpg
Privilege Escalation – sysxlogins

  • Only possible if you are a sysadmin

  • Use sp_configure to allow updates

  • For any NT login (group or user)

  • Change xstatus from to 18 [1]

  • This will allow you to login using SQL authentication by using the NT login name and no password.

  • NT login still works as normal

Privilege escalation l.jpg
Privilege Escalation

  • Apply SP3 or latest security hotfix

  • Secure extended stored procedures

  • Remove guest user from msdb

  • Audit sysxlogins

  • Audit members of Sysadmin (difficult)

Udp 1434 exploit sqlkill net l.jpg
UDP 1434 Exploit – SQLKill.Net

  • UDP 1434 Buffer Overflows made famous by Slammer but reported and fixed July 02

  • First example uses a harmless discovery tool and changes 1 character from 2 to 8

  • Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function causing an AV [1]

Udp 1434 exploit netcat l.jpg
UDP 1434 Exploit - netcat

  • Second example is more complicated

  • Use a stack overflow to call back to netcat listening on attacker pc on UDP 53

  • Network traffic looks like a malformed DNS query and DNS dynamic update

  • Gain remote shell on target server

  • Running in the SQL Server process space

  • Let’s steal a database and for fun delete it and all backups and create an empty database with the same name

Udp 1434 exploit protection l.jpg
UDP 1434 Exploit - Protection

  • SP3 or latest security hotfix;en-us;Q316333

  • Firewall rules to block all UDP 1434 traffic

  • IPSEC policies blocking UDP 1434 How to Block Specific Network Protocols and Ports by Using IPSec

Security links l.jpg
Security Links

  • Slammer

  • Securityhttp://www.sqlsecurity.com

References l.jpg

[1] Threat Profiling SQL Server by David Litchfield