
REALLY HACKING SQL SERVER 2000 Less Theory – More Action Jasper Smith.




1 REALLY HACKING SQL SERVER 2000 Less Theory – More Action Jasper Smith

2 Agenda
- Slammer review and tools
- SQL password sniffing
- Decoding WITH ENCRYPTION
- Privilege escalation
- UDP 1434 exploits
- Links to security resources
- Questions?

3 What's not covered
- SQL Injection
  http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
  http://www.nextgenss.com/papers/advanced_sql_injection.pdf
  http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
- SQL Password Cracking
  http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
  http://www.nextgenss.com/software/ngssqlcrack.html

4 First the Good News!
- The demos are all on SP2 (8.00.534)
- A lot of these are fixed in SP3
- Slammer means a lot of sites are already on SP3 or the latest security hotfix
- Slammer served as a wakeup call and focused everyone's minds on security (if they weren't already!)

5 SQL Slammer (Sapphire/W32.Slammer)
- Memory-resident worm that propagates via UDP port 1434 and exploits a vulnerability in the SQL Server Resolution Service
- First patch available July 2002
- Difficulty of installing security hotfixes hampered deployment (tools now available)
- Too many exposed servers without firewalls
- MSDE difficult to patch and identify – installed by many products

6 Spread of Slammer – First 30 mins

7 Slammer cont…
- Because it used UDP rather than TCP it was limited only by available bandwidth
- At Slammer's peak it was scanning 55 million hosts per second and doubled its numbers every 8.5 seconds [2]
- 75,000 hosts affected in the first 10 minutes [2]
- Officially the fastest spreading worm ever

8 SQL Security Tools
- SQL Scan: scans a single PC, IP range or domain; can optionally stop and disable vulnerable instances
- SQL Check: scans a single PC; can optionally stop and disable vulnerable instances
- SQL Critical Update: scans a single PC; installs the Slammer hotfix even if the instance is not at SP2
- SMSDeploy: SMS install pack to deploy SQL Critical Update
http://www.microsoft.com/sql/downloads/securitytools.asp

9 SQL Password Sniffing
- The password is not sent in clear text, however the "encryption" is weak and easily broken
- Information on the algorithm is available from Threat Profiling SQL Server by David Litchfield: http://www.nextgenss.com/papers/tp-SQL2000.pdf
- The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]

10 SQL Password Sniffing
- Simply need to format the captured network trace into a varbinary string and run a small UDF to crack it
- Easy to spot the password: every other byte is 0xA5
- Application roles suffer the same problem
- Let's have a look at the UDF, then a demo

11 dbo.decoder
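The transcript does not include the dbo.decoder UDF from this slide. As an added example, not the speaker's code, here is the same decode in Python together with the "every other byte is 0xA5" telltale from the previous slide written as a check; it assumes that, beyond the XOR the slide names, the TDS 7 login record also swaps the two nibbles of each byte before the XOR (as MS-TDS documents for LOGIN7).

```python
# Added example, not the talk's dbo.decoder UDF: the TDS 7 login password
# obfuscation, forward and inverse, plus the "every other byte is 0xA5" check.
# Assumption: besides the XOR with 0xA5 named on the slide, the TDS 7 login
# record first swaps the high and low nibble of every byte (MS-TDS LOGIN7).

def _swap_nibbles(b: int) -> int:
    return ((b & 0x0F) << 4) | (b >> 4)

def obfuscate(password: str) -> bytes:
    """Encode a password the way the client puts it on the wire."""
    wide = password.encode("utf-16-le")          # the wide-character (UNICODE) form
    return bytes(_swap_nibbles(b) ^ 0xA5 for b in wide)

def deobfuscate(blob: bytes) -> str:
    """Invert obfuscate(). No secret is involved, only a fixed constant,
    which is why a captured login record is as good as the plaintext."""
    wide = bytes(_swap_nibbles(b ^ 0xA5) for b in blob)
    return wide.decode("utf-16-le")

def looks_like_tds_password(blob: bytes) -> bool:
    """Telltale from the slide: for an ASCII password the high byte of every
    UTF-16 code unit is 0x00, which encodes to 0xA5, so every odd byte is 0xA5."""
    return len(blob) >= 2 and len(blob) % 2 == 0 and all(b == 0xA5 for b in blob[1::2])

# Constructed sample standing in for the password field of a captured login packet.
CAPTURED = obfuscate("P@ssw0rd")     # constructed, not a real capture

if __name__ == "__main__":
    print(CAPTURED.hex())
    print(looks_like_tds_password(CAPTURED), deobfuscate(CAPTURED))
```

The check is a heuristic for ASCII passwords only; non-ASCII characters still round-trip through deobfuscate() but do not produce the 0xA5 pattern.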

12 PASSWORD DEMO

13 SQL Password Sniffing
- If at all possible use NT Authentication
- If you must use SQL Authentication then consider using SSL encryption
- Can be enabled for specific connections or server-wide for all connections
- IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL

14 Decoding WITH ENCRYPTION
- dSQLSRVD: http://www.geocities.com/d0mn4r/dSQLSRVD.html
- Good explanation of the issues with it at http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt
- "Security" by obscurity
- Key generation relies on the database GUID, object_id and colid from syscomments
- An ALTER statement allows us to use the same key to encrypt our own "known" text, thus the algorithm degenerates to simple XOR encryption
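To make the "degenerates to simple XOR" point concrete, here is an added toy model (not the speaker's code and not SQL Server's real key derivation): a syscomments stand-in whose keystream is fixed by (database GUID, object_id, colid), so re-encrypting known text via ALTER exposes the keystream and with it the original text. The keystream() function, the Syscomments class and the sample GUID are constructed for the example.

```python
# Added example, not from the talk: why reusing the WITH ENCRYPTION key across
# an ALTER reduces the scheme to a known-plaintext XOR. The real SQL Server 2000
# key derivation is NOT modelled; keystream() only has the property the slide
# relies on, namely that (db_guid, object_id, colid) fully determines the key.
import hashlib

def keystream(db_guid: str, object_id: int, colid: int, length: int) -> bytes:
    seed = f"{db_guid}:{object_id}:{colid}".encode()
    out = bytearray()
    block = 0
    while len(out) < length:                       # stand-in expander, not RC4/SQL's
        out += hashlib.sha1(seed + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Syscomments:
    """Toy syscomments: one ctext blob per (object_id, colid)."""
    def __init__(self, db_guid: str):
        self.db_guid = db_guid
        self.ctext = {}

    def store_with_encryption(self, object_id: int, colid: int, text: str) -> None:
        # CREATE and ALTER ... WITH ENCRYPTION both land here with the same
        # object_id and colid, so the same keystream is reused for the new text.
        body = text.encode("utf-16-le")
        ks = keystream(self.db_guid, object_id, colid, len(body))
        self.ctext[(object_id, colid)] = xor(body, ks)

def recover_original(sc: Syscomments, object_id: int, colid: int, known_text: str) -> str:
    """Known-plaintext recovery as the slide describes it. Needs ALTER rights on
    the object; read the original ctext first, because the ALTER overwrites it."""
    original_ctext = sc.ctext[(object_id, colid)]
    sc.store_with_encryption(object_id, colid, known_text)   # the ALTER step
    known_body = known_text.encode("utf-16-le")
    ks = xor(sc.ctext[(object_id, colid)], known_body)       # C2 XOR P2 = keystream
    if len(ks) < len(original_ctext):
        raise ValueError("known text must be at least as long as the original")
    return xor(original_ctext, ks[:len(original_ctext)]).decode("utf-16-le")

# Constructed sample: a procedure body someone hoped WITH ENCRYPTION would hide.
SAMPLE_GUID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real GUID
SECRET = "CREATE PROC dbo.pay AS SELECT salary FROM dbo.staff"
```

The lesson for defenders is in the last two functions: nothing secret enters the key, so WITH ENCRYPTION hides source only from people who cannot ALTER the object.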

15 DEMO WITH ENCRYPTION

16 Privilege Escalation – Jobs
- Any login can make themselves sysadmin with 5 lines of TSQL
- By default all logins can submit jobs
- SQL Agent issues SETUSER N'guest' WITH NORESET when a non-sysadmin runs a job
- Three vulnerable extended stored procedures: xp_execresultset, xp_printstatements, xp_displayparamstmt
- These procedures cause a reconnection to SQL

17 Privilege Escalation – sysxlogins
- Only possible if you are a sysadmin
- Use sp_configure to allow updates
- For any NT login (group or user), change xstatus from to 18 [1]
- This will allow you to log in using SQL authentication by using the NT login name and no password
- The NT login still works as normal

18 DEMO PRIVILEGE ESCALATION

19 Privilege Escalation
- Apply SP3 or the latest security hotfix
- Secure extended stored procedures
- Remove the guest user from msdb
- Audit sysxlogins
- Audit members of sysadmin (difficult)

20 UDP 1434 Exploit – SQLKill.Net
- UDP 1434 buffer overflows made famous by Slammer but reported and fixed July 02
- First example uses a harmless discovery tool and changes 1 character from 2 to 8
- Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function, causing an AV [1]

21 DEMO KILL SQL SERVER

22 UDP 1434 Exploit – netcat
- Second example is more complicated
- Use a stack overflow to call back to netcat listening on the attacker PC on UDP 53
- Network traffic looks like a malformed DNS query and DNS dynamic update
- Gain a remote shell on the target server
- Running in the SQL Server process space
- Let's steal a database and, for fun, delete it and all backups and create an empty database with the same name

23 DEMO NETCAT

24 UDP 1434 Exploit – Protection
- SP3 or the latest security hotfix
  http://www.microsoft.com/sql/downloads/2000/sp3.asp
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333
- Firewall rules to block all UDP 1434 traffic
- IPSEC policies blocking UDP 1434: How to Block Specific Network Protocols and Ports by Using IPSec, http://support.microsoft.com/?id=813878

25 Security Links
- Slammer
  http://www.microsoft.com/security/slammer.asp
  http://www.caida.org/analysis/security/sapphire
  http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
  http://www.nextgenss.com/advisories/mssql-udp.txt
- Security
  http://www.sqlsecurity.com
  http://www.nextgenss.com/research/papers.html
  http://www.securityfocus.com
  http://www.microsoft.com/sql/techinfo/administration/2000/security

26 References
[1] Threat Profiling SQL Server by David Litchfield, http://www.nextgenss.com/papers/tp-SQL2000.pdf
[2] http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

