really hacking sql server 2000

REALLY HACKING SQL SERVER 2000

Less Theory – More Action

Jasper Smith

Agenda

Slammer review and ToolsSQL Password SniffingDecoding WITH ENCRYPTIONPrivilege EscalationUDP 1434 Exploits Links to security resourcesQuestions ?

What’s not covered

SQL Injection

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3

http://www.nextgenss.com/papers/advanced_sql_injection.pdf

http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

SQL Password Cracking

http://www.nextgenss.com/papers/cracking-sql-passwords.pdf

http://www.nextgenss.com/software/ngssqlcrack.html

First the Good News !

The demos are all on SP2 (8.00.534)

A lot of these are fixed in SP3

Slammer means a lot of sites are already on SP3 or latest security hotfix

Slammer served as a wakeup call and focused everyone's minds on security (if they weren’t already !!)

SQL Slammer (Sapphire/W32.Slammer)

Memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in the SQL Server Resolution Service

First patch available July 2002

Difficulty of installing security hotfixes hampered deployment (tools now available)

Too many exposed servers without Firewalls

MSDE difficult to patch and identify – installed by many products

Spread of Slammer – First 30 mins

Slammer cont…

Because it used UDP rather than TCP it was only limited by available bandwidth

At Slammer’s peak, it was scanning 55 million hosts per second and doubled it’s numbers every 8.5 seconds [2]

75,000 hosts affected in first 10 minutes [2]

Officially the fastest spreading worm ever

SQL Security Tools SQL Scan

Scans single PC,IP range or domainCan optionally stop and disable vulnerable instances

SQL CheckScans single PCCan optionally stop and disable vulnerable instances

SQL Critical UpdateScans single PCInstalls Slammer hotfix even if instance not at SP2

SMSDeploySMS install pack to deploy SQL Critical Update

http://www.microsoft.com/sql/downloads/securitytools.asp

SQL Password Sniffing

Password is not sent in clear text, howeverthe “encryption” is weak and easily broken

Information on the algorithm is available fromThreat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf

The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]

SQL Password Sniffing

Simply need to format captured network trace into a varbinary string and run a small UDF to crack

Easy to spot password,every other byte is 0xA5

Application roles suffer same problem

Let’s have a look at the UDF then a demo

dbo.decoder

PASSWORD DEMO

SQL Password Sniffing

If at all possible use NT AuthenticationIf you must use SQL Authentication then

consider using SSL EncryptionCan be enabled for specific connections or

server wide for all connectionsIPSEC is also available on Windows 2000

and higher but considerably more effort to set up than SSL

Decoding WITH ENCRYPTIONdSQLSRVD

http://www.geocities.com/d0mn4r/dSQLSRVD.htmlGood explanation of issues with it at

http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt

“Security” by obscurityKey generation relies on Database GUID,

object_id and colid from syscommentsALTER statement allows us to use the

same key to encrypt our own “known” text thus algorithm degenerates to simple XOR encryption

DEMO WITH ENCRYPTION

Privilege Escalation – Jobs Any login can make themselves sysadmin with 5

lines of TSQL By default all logins can submit jobs SQL agent issues

SETUSER N'guest' WITH NORESETwhen a non sysadmin runs a job

Three vulnerable extended stored procedures• xp_execresultset• xp_printstatements• xp_displayparamstmt

These procedures cause a reconnection to SQL

Privilege Escalation – sysxlogins

Only possible if you are a sysadminUse sp_configure to allow updatesFor any NT login (group or user)Change xstatus from to 18 [1]

This will allow you to login using SQL authentication by using the NT login name and no password.

NT login still works as normal

DEMO PRIVILIGE ESCALATION

Privilege EscalationApply SP3 or latest security hotfix

Secure extended stored procedures

Remove guest user from msdb

Audit sysxlogins

Audit members of Sysadmin (difficult)

UDP 1434 Exploit – SQLKill.Net

UDP 1434 Buffer Overflows made famous by Slammer but reported and fixed July 02

First example uses a harmless discovery tool and changes 1 character from 2 to 8

Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function causing an AV [1]

DEMO KILL SQL SERVER

UDP 1434 Exploit - netcat

Second example is more complicatedUse a stack overflow to call back to netcat

listening on attacker pc on UDP 53Network traffic looks like a malformed

DNS query and DNS dynamic updateGain remote shell on target server Running in the SQL Server process spaceLet’s steal a database and for fun delete it

and all backups and create an empty database with the same name

DEMO NETCAT

UDP 1434 Exploit - Protection

SP3 or latest security hotfix

http://www.microsoft.com/sql/downloads/2000/sp3.asphttp://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333

Firewall rules to block all UDP 1434 traffic

IPSEC policies blocking UDP 1434

How to Block Specific Network Protocols and Ports by Using IPSechttp://support.microsoft.com/?id=813878

Security LinksSlammer

http://www.microsoft.com/security/slammer.asphttp://www.caida.org/analysis/security/sapphirehttp://www.caida.org/outreach/papers/2003/sapphire/sapphire.htmlhttp://www.nextgenss.com/advisories/mssql-udp.txt

Security

http://www.sqlsecurity.comhttp://www.nextgenss.com/research/papers.htmlhttp://www.securityfocus.comhttp://www.microsoft.com/sql/techinfo/administration/2000/security

References

[1] Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf

[2] http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html