REALLY HACKING SQL SERVER 2000
Less Theory – More Action
Jasper Smith
Agenda
Slammer review and Tools
SQL Password Sniffing
Decoding WITH ENCRYPTION
Privilege Escalation
UDP 1434 Exploits
Links to security resources
Questions ?
What’s not covered
SQL Injection
http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
SQL Password Cracking
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
http://www.nextgenss.com/software/ngssqlcrack.html
First the Good News !
The demos are all on SP2 (8.00.534)
A lot of these are fixed in SP3
Slammer means a lot of sites are already on SP3 or latest security hotfix
Slammer served as a wakeup call and focused everyone's minds on security (if they weren’t already !!)
SQL Slammer (Sapphire/W32.Slammer)
Memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in the SQL Server Resolution Service
First patch available July 2002
Difficulty of installing security hotfixes hampered deployment (tools now available)
Too many exposed servers without Firewalls
MSDE difficult to patch and identify – installed by many products
Spread of Slammer – First 30 mins
Slammer cont…
Because it used UDP rather than TCP it was only limited by available bandwidth
At Slammer’s peak, it was scanning 55 million hosts per second and doubled its numbers every 8.5 seconds [2]
75,000 hosts affected in first 10 minutes [2]
Officially the fastest spreading worm ever
SQL Security Tools
SQL Scan
Scans single PC, IP range or domain
Can optionally stop and disable vulnerable instances
SQL Check
Scans single PC
Can optionally stop and disable vulnerable instances
SQL Critical Update
Scans single PC
Installs Slammer hotfix even if instance not at SP2
SMS Deploy
SMS install pack to deploy SQL Critical Update
http://www.microsoft.com/sql/downloads/securitytools.asp
SQL Password Sniffing
Password is not sent in clear text, however the “encryption” is weak and easily broken
Information on the algorithm is available from Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf
The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]
SQL Password Sniffing
Simply need to format captured network trace into a varbinary string and run a small UDF to crack
Easy to spot password, every other byte is 0xA5
Application roles suffer same problem
Let’s have a look at the UDF then a demo
dbo.decoder
PASSWORD DEMO
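The deck's point that the obfuscated password stands out because every second byte is 0xA5 is easy to turn into a check for a trace review. The following is an added example, not the dbo.decoder UDF and not code from the deck: it walks a captured byte string looking for runs of (x, 0xA5) byte pairs, which is what UCS-2 ASCII text looks like after the XOR the deck describes, and reports where such a field sits. It does not recover the password; locating the field is enough to find clients still using SQL authentication without SSL so they can be moved to NT authentication. The sample "captures" are constructed stand-ins, not real TDS traffic, and the run-length threshold is a tuning value chosen here.

```python
"""Spot SQL-authentication logins in captured TDS traffic by the 0xA5 pattern the deck
describes. Added example; sample data is constructed, not a real trace."""
from typing import List, Tuple

XOR_KEY = 0xA5
MIN_PASSWORD_CHARS = 4   # tuning value for this example: shorter runs are treated as noise


def obfuscate_per_deck(password: str) -> bytes:
    """Build a sample field the way the deck describes the scheme (UCS-2, then XOR 0xA5)."""
    return bytes(b ^ XOR_KEY for b in password.encode("utf-16-le"))


def find_obfuscated_runs(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, char_count) for each maximal run of byte pairs (x, 0xA5), x != 0xA5.

    Plain UCS-2 text (user name, host name) has 0x00 as every second byte, so it is not
    matched; only the XOR'd password field shows the 0xA5 pattern.
    """
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(data)
    while i + 1 < n:
        if data[i] != XOR_KEY and data[i + 1] == XOR_KEY:
            j = i
            while j + 1 < n and data[j] != XOR_KEY and data[j + 1] == XOR_KEY:
                j += 2
            chars = (j - i) // 2
            if chars >= MIN_PASSWORD_CHARS:
                runs.append((i, chars))
            i = j
        else:
            i += 1
    return runs


# Constructed stand-in for a captured TDS login: 4 header bytes, the user name "sa" as
# plain UCS-2, then the obfuscated password, then padding. Not a real trace.
SAMPLE_SQL_AUTH = (b"\x10\x01\x00\x5e" + "sa".encode("utf-16-le")
                   + obfuscate_per_deck("Summer2003") + b"\x00" * 4)

# Constructed stand-in for an NT-authentication login: no SQL password field at all.
SAMPLE_NT_AUTH = b"\x10\x01\x00\x20" + "DOMAIN\\svc_sql".encode("utf-16-le") + b"\x00" * 4


def audit(capture: bytes) -> str:
    """One-line verdict suitable for a log review."""
    runs = find_obfuscated_runs(capture)
    if not runs:
        return "no SQL-authentication password field seen"
    return "; ".join(f"SQL auth password field at offset {off}, {n} chars" for off, n in runs)


if __name__ == "__main__":
    print(audit(SAMPLE_SQL_AUTH))
    print(audit(SAMPLE_NT_AUTH))
```

Run against a real capture, feed the UDP/TCP payload bytes of each client-to-server login packet to audit(); any hit is a connection that should be on NT authentication or at least on an SSL-encrypted connection, as the next slide recommends.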
SQL Password Sniffing
If at all possible use NT Authentication
If you must use SQL Authentication then consider using SSL Encryption
Can be enabled for specific connections or server wide for all connections
IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL
Decoding WITH ENCRYPTION
dSQLSRVD
http://www.geocities.com/d0mn4r/dSQLSRVD.html
Good explanation of issues with it at
http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt
“Security” by obscurity
Key generation relies on Database GUID, object_id and colid from syscomments
ALTER statement allows us to use the same key to encrypt our own “known” text, thus the algorithm degenerates to simple XOR encryption
DEMO WITH ENCRYPTION
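The reason the deck calls WITH ENCRYPTION obscurity is a general one: a keystream that depends only on fixed identifiers is reused every time the object is altered, and XOR with a reused keystream is broken by a single known plaintext. The following added example (not from the deck and not dSQLSRVD) shows that collapse with a toy stream cipher. The keystream derivation (SHA-256 in counter mode over a constructed GUID/object_id/colid tuple) is an assumption standing in for whatever SQL Server actually does, and the procedure text is made up; the algebra C1 xor C2 xor P2 = P1 is what the deck's "degenerates to simple XOR" means.

```python
"""Key reuse turns XOR 'encryption' into obscurity. Added example with a toy keystream;
the derivation is assumed for illustration, not SQL Server's real one."""
import hashlib
import itertools


def keystream(db_guid: str, object_id: int, colid: int, length: int) -> bytes:
    """Toy keystream from the identifier tuple (assumed derivation, illustration only)."""
    seed = f"{db_guid}:{object_id}:{colid}".encode()
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(text: bytes, db_guid: str, object_id: int, colid: int) -> bytes:
    """XOR with the keystream; the key depends only on the identifiers, never on a nonce."""
    return xor_bytes(text, keystream(db_guid, object_id, colid, len(text)))


def recover_from_known_text(target_ct: bytes, known_ct: bytes, known_pt: bytes) -> bytes:
    """Two ciphertexts under one key: C1 ^ C2 ^ P2 = P1 over the common prefix."""
    n = min(len(target_ct), len(known_ct), len(known_pt))
    recovered_keystream = xor_bytes(known_ct[:n], known_pt[:n])
    return xor_bytes(target_ct[:n], recovered_keystream)


# Constructed identifiers standing in for the deck's (Database GUID, object_id, colid).
DB_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
OBJECT_ID, COLID = 1977058079, 1

ORIGINAL_BODY = b"CREATE PROC dbo.secret AS SELECT card_no FROM dbo.cards"
KNOWN_BODY = b"A" * len(ORIGINAL_BODY)     # text of our choosing, same length


def demo() -> bytes:
    """Encrypt the original, 'ALTER' with known text under the same key, recover the original."""
    ct_original = encrypt(ORIGINAL_BODY, DB_GUID, OBJECT_ID, COLID)
    ct_known = encrypt(KNOWN_BODY, DB_GUID, OBJECT_ID, COLID)   # same identifiers, same key
    return recover_from_known_text(ct_original, ct_known, KNOWN_BODY)


if __name__ == "__main__":
    print(demo().decode())
```

Changing any of the three identifiers changes the keystream, which is why the scheme looks keyed; what it lacks is a per-encryption random value, so the defensive lesson is that WITH ENCRYPTION hides source from casual browsing only and must not be relied on to protect secrets embedded in procedure text.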
Privilege Escalation – Jobs
Any login can make themselves sysadmin with 5 lines of TSQL
By default all logins can submit jobs
SQL agent issues SETUSER N'guest' WITH NORESET when a non-sysadmin runs a job
Three vulnerable extended stored procedures
• xp_execresultset
• xp_printstatements
• xp_displayparamstmt
These procedures cause a reconnection to SQL
Privilege Escalation – sysxlogins
Only possible if you are a sysadmin
Use sp_configure to allow updates
For any NT login (group or user)
Change xstatus from to 18 [1]
This will allow you to login using SQL authentication by using the NT login name and no password.
NT login still works as normal
DEMO PRIVILEGE ESCALATION
Privilege Escalation
Apply SP3 or latest security hotfix
Secure extended stored procedures
Remove guest user from msdb
Audit sysxlogins
Audit members of Sysadmin (difficult)
UDP 1434 Exploit – SQLKill.Net
UDP 1434 Buffer Overflows made famous by Slammer but reported and fixed July 02
First example uses a harmless discovery tool and changes 1 character from 2 to 8
Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function, causing an access violation (AV) [1]
DEMO KILL SQL SERVER
UDP 1434 Exploit - netcat
Second example is more complicated
Use a stack overflow to call back to netcat listening on attacker pc on UDP 53
Network traffic looks like a malformed DNS query and DNS dynamic update
Gain remote shell on target server running in the SQL Server process space
Let’s steal a database and for fun delete it and all backups and create an empty database with the same name
DEMO NETCAT
UDP 1434 Exploit - Protection
SP3 or latest security hotfix
http://www.microsoft.com/sql/downloads/2000/sp3.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333
Firewall rules to block all UDP 1434 traffic
IPSEC policies blocking UDP 1434
How to Block Specific Network Protocols and Ports by Using IPSec
http://support.microsoft.com/?id=813878
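Blocking UDP 1434 at the firewall is the fix; where the port must stay reachable, or while checking that the block actually holds, it helps to be able to tell normal Resolution Service discovery from the malformed requests the two exploit slides describe. The following added example (not from the deck) classifies UDP/1434 request payloads for a sensor or firewall-log review: a single-byte type 0x02 or 0x03 enumeration is normal, a type 0x08 request with no colon is the deck's strtok()/atoi() access-violation shape, and an over-long instance name in a type 0x04 request is the stack-overflow shape. The 0x04 message type is taken from the NGSSoftware advisory linked above rather than from the deck, and the length threshold is a tuning value chosen here, not a protocol constant. All sample datagrams are constructed.

```python
"""Classify UDP/1434 (SQL Server Resolution Service) request payloads. Added example;
sample datagrams are constructed, not captured traffic."""
from typing import List, NamedTuple

MAX_INSTANCE_NAME = 32   # tuning value for this example; real instance names are short


class Verdict(NamedTuple):
    kind: str    # "benign", "suspicious" or "unknown"
    reason: str


def classify_ssrp(payload: bytes) -> Verdict:
    """Judge one UDP/1434 request payload (the bytes after the UDP header)."""
    if not payload:
        return Verdict("suspicious", "empty datagram")
    msg_type, body = payload[0], payload[1:]
    if msg_type in (0x02, 0x03):                       # broadcast / unicast "list instances"
        if body:
            return Verdict("suspicious", f"type 0x{msg_type:02x} with {len(body)} unexpected body bytes")
        return Verdict("benign", "instance enumeration request")
    if msg_type == 0x04:                               # "where is instance <name>" (per advisory)
        name = body.split(b"\x00", 1)[0]
        if len(name) > MAX_INSTANCE_NAME:
            return Verdict("suspicious", f"type 0x04 instance name is {len(name)} bytes (stack overflow shape)")
        return Verdict("benign", f"lookup for instance {name.decode('ascii', 'replace')!r}")
    if msg_type == 0x08:                               # the deck's first example
        field = body.split(b"\x00", 1)[0]
        if b":" not in field:
            return Verdict("suspicious", "type 0x08 without ':' (strtok/atoi NULL pointer shape)")
        return Verdict("benign", "well-formed type 0x08 request")
    return Verdict("unknown", f"unrecognised type 0x{msg_type:02x}")


def triage(datagrams: List[bytes]) -> List[str]:
    """Return one log line per datagram that is not benign."""
    lines = []
    for idx, d in enumerate(datagrams):
        v = classify_ssrp(d)
        if v.kind != "benign":
            lines.append(f"datagram {idx}: {v.kind}: {v.reason}")
    return lines


# Constructed samples, not captured traffic.
SAMPLES = [
    b"\x02",                                   # normal broadcast discovery
    b"\x04MSSQLSERVER\x00",                    # normal instance lookup
    b"\x08MSSQLSERVER:1433\x00",               # well-formed type 0x08
    b"\x08",                                   # the deck's one-character change, 2 -> 8, no ':'
    b"\x04" + b"A" * 300 + b"\x00",            # over-long instance name
    b"\x10",                                   # unrecognised type
]

if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```

Any "suspicious" line from an external source is a sign the UDP 1434 block is not in place; any such line from an internal source is a host worth looking at, since Slammer-style propagation comes from already-infected machines inside the perimeter.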
Security Links
Slammer
http://www.microsoft.com/security/slammer.asp
http://www.caida.org/analysis/security/sapphire
http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
http://www.nextgenss.com/advisories/mssql-udp.txt
Security
http://www.sqlsecurity.com
http://www.nextgenss.com/research/papers.html
http://www.securityfocus.com
http://www.microsoft.com/sql/techinfo/administration/2000/security
References
[1] Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf
[2] http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html