REALLY HACKING SQL SERVER 2000 Less Theory – More Action Jasper Smith.


Agenda
- Slammer review and tools
- SQL password sniffing
- Decoding WITH ENCRYPTION
- Privilege escalation
- UDP 1434 exploits
- Links to security resources
- Questions?

What's not covered
- SQL injection
- SQL password cracking

First the Good News!
- The demos are all on SP2 ( )
- A lot of these are fixed in SP3
- Slammer means a lot of sites are already on SP3 or the latest security hotfix
- Slammer served as a wake-up call and focused everyone's minds on security (if they weren't already!!)

SQL Slammer (Sapphire/W32.Slammer)
- Memory-resident worm that propagates via UDP port 1434 and exploits a vulnerability in the SQL Server Resolution Service
- First patch available July 2002
- Difficulty of installing security hotfixes hampered deployment (tools now available)
- Too many exposed servers without firewalls
- MSDE difficult to patch and identify; installed by many products

Spread of Slammer – First 30 mins

Slammer cont…
- Because it used UDP rather than TCP it was limited only by available bandwidth
- At Slammer's peak it was scanning 55 million hosts per second and doubled its numbers every 8.5 seconds [2]
- 75,000 hosts affected in the first 10 minutes [2]
- Officially the fastest spreading worm ever

SQL Security Tools
- SQL Scan: scans a single PC, IP range or domain; can optionally stop and disable vulnerable instances
- SQL Check: scans a single PC; can optionally stop and disable vulnerable instances
- SQL Critical Update: scans a single PC; installs the Slammer hotfix even if the instance is not at SP2
- SMSDeploy: SMS install pack to deploy SQL Critical Update

SQL Password Sniffing
- The password is not sent in clear text, however the "encryption" is weak and easily broken
- Information on the algorithm is available from Threat Profiling SQL Server by David Litchfield
- The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]

SQL Password Sniffing
- Simply need to format the captured network trace into a varbinary string and run a small UDF to crack it
- Easy to spot the password: every other byte is 0xA5
- Application roles suffer the same problem
- Let's have a look at the UDF, then a demo

dbo.decoder

PASSWORD DEMO

SQL Password Sniffing
- If at all possible use NT Authentication
- If you must use SQL Authentication then consider using SSL encryption
- Can be enabled for specific connections or server-wide for all connections
- IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL

Decoding WITH ENCRYPTION
- dSQLSRVD
- Good explanation of the issues with it at "Security" by obscurity
- Key generation relies on the database GUID, object_id and colid from syscomments
- An ALTER statement allows us to use the same key to encrypt our own "known" text, thus the algorithm degenerates to simple XOR encryption

DEMO WITH ENCRYPTION

Privilege Escalation – Jobs
- Any login can make themselves sysadmin with 5 lines of TSQL
- By default all logins can submit jobs
- SQL Agent issues SETUSER N'guest' WITH NORESET when a non-sysadmin runs a job
- Three vulnerable extended stored procedures: xp_execresultset, xp_printstatements, xp_displayparamstmt
- These procedures cause a reconnection to SQL

Privilege Escalation – sysxlogins
- Only possible if you are a sysadmin
- Use sp_configure to allow updates
- For any NT login (group or user) change xstatus from to 18 [1]
- This will allow you to login using SQL authentication by using the NT login name and no password
- The NT login still works as normal

DEMO PRIVILEGE ESCALATION

Privilege Escalation
- Apply SP3 or the latest security hotfix
- Secure extended stored procedures
- Remove the guest user from msdb
- Audit sysxlogins
- Audit members of sysadmin (difficult)
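The following T-SQL is an added audit-and-harden script, not code from Jasper Smith's presentation. It covers the mitigations on the password-sniffing slide (find logins and application roles that still depend on SQL authentication), the sysxlogins slide (find rows whose xstatus no longer marks them as NT logins) and the privilege-escalation countermeasures slide (check "allow updates", list sysadmin members, restrict the three extended procedures, remove guest from msdb). It targets SQL Server 2000 and is meant to be run as a sysadmin; every system object it touches (syslogins, sysxlogins, sp_configure, sp_helpsrvrolemember, sp_helprotect, sp_revokedbaccess, sp_MSforeachdb) is a standard SQL 2000 object, and the interpretation of xstatus bit 0x04 as the NT-login flag is taken from the syslogins view definition.

```sql
-- Added example (not from the presentation): SQL Server 2000 audit-and-harden
-- script for the password-sniffing and privilege-escalation slides.
-- Run as sysadmin. Review each result set before applying the REVOKE/guest steps.
USE master
GO

-- 1. SQL-authenticated logins ("If at all possible use NT Authentication").
--    isntname = 0 means the password crosses the wire with only the weak
--    0xA5 XOR obfuscation unless SSL is enforced. Sysadmins are listed first.
SELECT name, sysadmin, createdate
FROM master.dbo.syslogins
WHERE isntname = 0
ORDER BY sysadmin DESC, name
GO

-- 2. Application roles have the same weakness; list them in every database.
EXEC sp_MSforeachdb 'SELECT ''?'' AS db, name FROM [?].dbo.sysusers WHERE isapprole = 1'
GO

-- 3. Tampered sysxlogins rows (the xstatus = 18 trick). Bit 0x04 of xstatus
--    marks an NT login. A row without that bit whose name still looks like
--    DOMAIN\account, or whose password is NULL, accepts SQL authentication
--    with that name and no password.
SELECT name, xstatus,
       CASE WHEN password IS NULL THEN 'NULL' ELSE 'set' END AS pwd
FROM master.dbo.sysxlogins
WHERE (xstatus & 4) = 0
  AND (CHARINDEX('\', name) > 0 OR password IS NULL)
GO

-- 4. Direct system-table updates must be off; the sysxlogins edit needs
--    sp_configure 'allow updates' = 1. Capture sp_configure's result set.
CREATE TABLE #cfg (name nvarchar(35), minimum int, maximum int,
                   config_value int, run_value int)
INSERT INTO #cfg EXEC sp_configure 'allow updates'
IF EXISTS (SELECT * FROM #cfg WHERE run_value <> 0)
    PRINT 'WARNING: allow updates is on; run sp_configure ''allow updates'', 0 then RECONFIGURE'
DROP TABLE #cfg
GO

-- 5. Members of the sysadmin role ("Audit members of sysadmin").
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 6. The three extended procedures the job-based escalation relies on:
--    show who holds EXECUTE today, then take it away from public.
EXEC sp_helprotect 'xp_execresultset'
EXEC sp_helprotect 'xp_printstatements'
EXEC sp_helprotect 'xp_displayparamstmt'
REVOKE EXECUTE ON xp_execresultset    FROM public
REVOKE EXECUTE ON xp_printstatements  FROM public
REVOKE EXECUTE ON xp_displayparamstmt FROM public
GO

-- 7. Remove the guest user from msdb so SETUSER N'guest' has no foothold
--    there (guest cannot be removed from master or tempdb, but can from msdb).
USE msdb
IF EXISTS (SELECT * FROM sysusers WHERE name = 'guest')
    EXEC sp_revokedbaccess 'guest'
GO
```

Steps 1 to 5 only read; steps 6 and 7 change permissions, so confirm that no legitimate job or application depends on those procedures or on msdb guest access before running them on a production instance.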

UDP 1434 Exploit – SQLKill.Net
- UDP 1434 buffer overflows made famous by Slammer, but reported and fixed July 02
- First example uses a harmless discovery tool and changes 1 character from 2 to 8
- Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function, causing an AV [1]

DEMO KILL SQL SERVER

UDP 1434 Exploit - netcat
- Second example is more complicated
- Use a stack overflow to call back to netcat listening on the attacker PC on UDP 53
- Network traffic looks like a malformed DNS query and DNS dynamic update
- Gain a remote shell on the target server, running in the SQL Server process space
- Let's steal a database and, for fun, delete it and all backups and create an empty database with the same name

DEMO NETCAT

UDP 1434 Exploit - Protection
- SP3 or the latest security hotfix
- Firewall rules to block all UDP 1434 traffic
- IPSEC policies blocking UDP 1434
- How to Block Specific Network Protocols and Ports by Using IPSec
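As an added example, not from the presentation, the script below checks whether a SQL Server 2000 instance is at or beyond the SP3 build, which is the first countermeasure on the slide, and records the TCP port the instance listens on so that a firewall rule can allow only that port while UDP 1434 is blocked. It assumes the documented SP3 build number 8.00.760, that SERVERPROPERTY and PARSENAME behave as in SQL 2000, and the standard registry location of the default instance's TCP port; the required build is a variable so it can be raised to whatever hotfix build you have deployed.

```sql
-- Added example (not from the presentation): SQL Server 2000 patch-level check
-- for the "UDP 1434 Exploit - Protection" slide.
DECLARE @version  nvarchar(128)
DECLARE @level    nvarchar(128)
DECLARE @build    int
DECLARE @required int

-- SP3 ships as 8.00.760 (SP2 is 8.00.534). Raise this to the build of the
-- latest security hotfix you have deployed.
SET @required = 760
SET @version  = CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'))
SET @level    = CONVERT(nvarchar(128), SERVERPROPERTY('ProductLevel'))   -- RTM, SP1, SP2, SP3

-- PARSENAME treats the dotted version like a multi-part name; part 1 is the
-- rightmost piece, which for 8.00.nnn is the build number.
SET @build = CONVERT(int, PARSENAME(@version, 1))

IF LEFT(@version, 5) <> '8.00.'
    PRINT 'Not SQL Server 2000 (' + @version + '); this check does not apply'
ELSE IF @build >= @required
    PRINT 'OK: build ' + @version + ' (' + @level + ') is at or beyond the required build'
ELSE
    PRINT 'FAIL: build ' + @version + ' (' + @level + ') is below '
        + CONVERT(nvarchar(10), @required)
        + '; apply SP3 or the latest security hotfix, and block UDP 1434 at the firewall'

-- The resolution service answers on UDP 1434 regardless of this setting, so
-- the firewall rule should block UDP 1434 and allow only the TCP port below.
-- Assumption: default-instance registry path; named instances live under
-- Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib\Tcp.
DECLARE @port nvarchar(10)
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
     'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp',
     'TcpPort', @port OUTPUT
PRINT 'TCP port in use: ' + ISNULL(@port, '(unknown)')
```

A hotfix applied on top of SP2 keeps ProductLevel at 'SP2', which is why the comparison uses the build number rather than the service-pack label.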

Security Links
- Slammer
- Security

References
[1] Threat Profiling SQL Server by David Litchfield
[2]