  • Taken from Reference [2]: The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes. Propagation speed was Sapphire's novel feature: in the first minute, the infected population doubled in size every 8.5 (±1) seconds. The worm achieved its full scanning rate (over 55 million scans per second) after approximately three minutes, after which the rate of growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate unhindered. Most vulnerable machines were infected within 10 minutes of the worm's release.
  • Taken from Reference [2]. Peaked around 3 minutes in. Sapphire's spreading strategy is based on random scanning -- it selects IP addresses at random to infect, eventually finding all susceptible hosts. Random scanning worms initially spread exponentially rapidly, but the rapid infection of new hosts becomes less effective as the worm spends more effort retrying addresses that are either already infected or immune. In contrast, Sapphire's scanner was limited by each compromised machine's bandwidth to the Internet. Since the SQL Server vulnerability was exploitable using a single packet to UDP port 1434, the worm was able to send these scans without requiring a response from the potential victim. One implication of this advance is that smaller susceptible populations are now vulnerable to attack. Formerly, small populations (<20,000 machines or less on the Internet) were not viewed as particularly vulnerable to worms, as the probability of finding a susceptible machine in any given scan is quite low. However, a worm which can infect a population of 75,000 hosts in 10 minutes can similarly infect a population of 20,000 hosts in under an hour. Thus, exploits for less popular software present a viable breeding ground for new worms.
  • Hotfix installer for future releases
  • Reference [1] Threat Profiling SQL Server by David Litchfield from ngssoftware http://www.nextgenss.com/papers/tp-SQL2000.pdf: “The password is converted to a wide character format, or UNICODE, and each byte XOR'd with a constant fixed value of 0xA5. Of course, this is easy to work out because every second byte of the 'encrypted' password on the wire is 0xA5 and we know that the password is in UNICODE with every second byte being a NULL, and when any number is XOR'd with 0 (or NULL) the result is the same: 0x41 xor 0x00 = 0x41, 0xA5 xor 0x00 = 0xA5. This means that, provided one can run a network sniffer between the client and the SQL Server, it is a trivial task to capture someone's authentication details and unXOR it to get the original password back out. Once this has been done then of course access to the SQL Server can be gained. This is perhaps one of the reasons why Microsoft recommend using Windows NT/2000 based authentication as opposed to SQL logins; the latter is extremely weak.”
  • Reference [1]: “The password is converted to a wide character format, or UNICODE, and each byte XOR'd with a constant fixed value of 0xA5. Of course, this is easy to work out because every second byte of the 'encrypted' password on the wire is 0xA5 and we know that the password is in UNICODE with every second byte being a NULL, and when any number is XOR'd with 0 (or NULL) the result is the same: 0x41 xor 0x00 = 0x41, 0xA5 xor 0x00 = 0xA5.”
  • dOMNAR's SQL Server SysComments Decryptor http://www.geocities.com/d0mn4r/dSQLSRVD.html. Quote below taken from http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt: So here's how stored procedure (and view and trigger) encryption works on SQL Server 2000:
    1. Take the database's GUID (generated when the db is created), the object id (from sysobjects) and the colid (from syscomments) and concatenate them.
    2. Hash the key using SHA.
    3. Use the SHA hash as an RC4 key, generate a sequence of bytes equal in length to the stored procedure text.
    4. XOR this stream of bytes against the stored procedure text.
  • Reference [1]: “There are three (known to the author) extended stored procedures that can be abused by a Windows authenticated user to bypass access control: xp_execresultset, xp_printstatements, xp_displayparamstmt. These three procedures, exported by xprepl.dll, will allow a user to run an arbitrary query. However, what opens them up to abuse is that when the query is run it is done through a reconnection to the server. In this way SQL Server will log onto itself and run the query with its privileges. An example would be exec xp_displayparamstmt N'exec master..xp_cmdshell ''dir > c:esp-results.txt''',N'master',1. Note that this will only work if the user has been authenticated via Windows; it will not work if the user is an SQL login. To protect against this one should prevent 'public' access to these extended stored procedures. SQL Logins can still abuse extended stored procedures but they must do so by submitting a job to the SQL Agent. The 'Public' role is allowed to create and submit jobs to be executed by the SQL Agent. To do this one would use a combination of several stored procedures in the msdb database such as sp_add_job and sp_add_job_step, etc. As the SQL Agent is considerably more privileged than a simple login, often running in the security context of the local system account, it must ensure that, when a T-SQL job is submitted to it, it can't be abused. To defend against this it performs a SETUSER N'guest' WITH NORESET. This effectively drops its high level of privileges so no low privileged login can submit something like exec master..xp_cmdshell 'dir'.”
  • Whilst it might be easily noticeable that user foo is now a sysadmin, it is less likely there is any auditing on the sysxlogins table xstatus column; thus you can effectively piggyback on an NT sysadmin whilst your account remains low priv.
  • Nested groups, leavers and starters, and hundreds of servers make it hard to audit NT groups and logins for sysadmin access.
  • Reference [1]. Need sqlping.net from http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=5&tabid=7. “By sending a single byte (0x08) UDP packet to 1434 it's possible to kill the SQL Server. What starts as a simple DoS however turns into a heap overflow when you attempt to work out what's going on. When the server dies it has just called strtok(). The strtok() function looks for a given token (character) in a string and returns a pointer to the token if one is found. If the token is not found then a NULL pointer is returned. SQL Server, when it calls strtok(), is looking for a colon (:) but as there isn't one then strtok() returns NULL, but whoever coded this part of the server didn't check to see if the function had succeeded or not. They pass the pointer to atoi() but, as it's NULL, SQL crashes - the exception isn't handled. Atoi() converts a string to an integer.”
  • Show C# code in Visual Studio and the change of the 2 to an 8. Demonstrate normal sqlping first, followed by sqlping2.
  • Reference [1] Appendix A – need to compile the C++ demo code. Netcat is available on the web – search Google for it. “When SQL Server receives a packet with the first byte set to 0x04 it takes whatever comes after the 0x04, plugs it into a buffer and attempts to open a registry key using the buffer. Whilst preparing to open the registry key, however, it performs an unsafe string copy and we overflow the stack-based buffer, overwriting the saved return address on the stack. This allows a complete system compromise without ever needing to authenticate. What exacerbates this problem is the fact that this is going over UDP so, firstly, it's easy to spoof the IP address making it look like the attack came from somewhere else, or even, indeed, from a host on the "inside" - this will get around a great deal of firewalls. Secondly, if the attacker sets the UDP source port to 53, making it look like a response to a DNS query, then again this will bypass a large number of firewalls.”
  • Highly recommend the NGS Software site papers and advisories, which is where most of these exploits were sourced.

1. REALLY HACKING SQL SERVER 2000 – Less Theory – More Action – Jasper Smith

2. Agenda
  • Slammer review and Tools
  • SQL Password Sniffing
  • Decoding WITH ENCRYPTION
  • Privilege Escalation
  • UDP 1434 Exploits
  • Links to security resources
  • Questions?

3. What’s not covered
  • SQL Injection
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
  • SQL Password Cracking
    http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
    http://www.nextgenss.com/software/ngssqlcrack.html

4. First the Good News!
  • The demos are all on SP2 (8.00.534)
  • A lot of these are fixed in SP3
  • Slammer means a lot of sites are already on SP3 or the latest security hotfix
  • Slammer served as a wake-up call and focused everyone’s minds on security (if they weren’t already!!)

5. SQL Slammer (Sapphire/W32.Slammer)
  • Memory-resident worm that propagates via UDP port 1434 and exploits a vulnerability in the SQL Server Resolution Service
  • First patch available July 2002
  • Difficulty of installing security hotfixes hampered deployment (tools now available)
  • Too many exposed servers without firewalls
  • MSDE difficult to patch and identify – installed by many products

6. Spread of Slammer – First 30 mins

7. Slammer cont…
  • Because it used UDP rather than TCP it was only limited by available bandwidth
  • At Slammer’s peak, it was scanning 55 million hosts per second and doubled its numbers every 8.5 seconds [2]
  • 75,000 hosts affected in first 10 minutes [2]
  • Officially the fastest spreading worm ever

8. SQL Security Tools
  • SQL Scan
    • Scans single PC, IP range or domain
    • Can optionally stop and disable vulnerable instances
  • SQL Check
    • Scans single PC
    • Can optionally stop and disable vulnerable instances
  • SQL Critical Update
    • Scans single PC
    • Installs Slammer hotfix even if instance not at SP2
  • SMSDeploy
    • SMS install pack to deploy SQL Critical Update
  • http://www.microsoft.com/sql/downloads/securitytools.asp

9. SQL Password Sniffing
  • Password is not sent in clear text, however the “encryption” is weak and easily broken
  • Information on the algorithm is available from Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf
  • The password is converted to a wide character format (UNICODE) and each byte XOR'd with a constant fixed value of 0xA5 [1]

10. SQL Password Sniffing
  • Simply need to format the captured network trace into a varbinary string and run a small UDF to crack it
  • Easy to spot the password: every other byte is 0xA5
  • Application roles suffer the same problem
  • Let’s have a look at the UDF then a demo

11. dbo.decoder

12. PASSWORD DEMO
13. SQL Password Sniffing
  • If at all possible use NT Authentication
  • If you must use SQL Authentication then consider using SSL encryption
  • Can be enabled for specific connections or server-wide for all connections
  • IPSEC is also available on Windows 2000 and higher but considerably more effort to set up than SSL
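An added check, not part of the deck, in the spirit of slides 9, 10 and 13: it scans a raw capture for the every-second-byte-0xA5 pattern so a defender can find SQL-authenticated logins that crossed the wire without SSL. The obfuscation routine follows the XOR-0xA5 description in [1]; the sample capture, its packet header bytes, login name and password are constructed for the example.

```python
XOR_CONSTANT = 0xA5   # the fixed value each password byte is XORed with on the wire [1]
MIN_CHARS = 4         # shorter runs of (x, 0xA5) pairs are treated as coincidence


def obfuscate_password(password: str) -> bytes:
    """The wire form described in [1]: UTF-16LE ("UNICODE") text, every byte XOR 0xA5.
    Used here only to build the constructed sample capture."""
    return bytes(b ^ XOR_CONSTANT for b in password.encode("utf-16-le"))


def find_obfuscated_password_fields(capture: bytes, min_chars: int = MIN_CHARS) -> list:
    """Scan raw capture bytes for runs where every second byte is 0xA5.

    ASCII characters in UTF-16LE carry a 0x00 high byte, and 0x00 ^ 0xA5 == 0xA5,
    so an XOR-obfuscated SQL login password appears as a run of (x, 0xA5) pairs.
    Returns a list of (offset, character_count) for every run of at least min_chars.
    The password itself is deliberately not reconstructed; the finding is enough to
    show that SQL authentication went over the wire without SSL (slide 13).
    """
    hits = []
    i = 0
    while i + 1 < len(capture):
        if capture[i + 1] != XOR_CONSTANT:
            i += 1
            continue
        start = i
        while i + 1 < len(capture) and capture[i + 1] == XOR_CONSTANT:
            i += 2
        chars = (i - start) // 2
        if chars >= min_chars:
            hits.append((start, chars))
    return hits


# Constructed sample: a made-up packet header, a login name in UTF-16LE, the obfuscated
# form of a made-up password, and a short trailer. Not a real TDS capture.
SAMPLE_HEADER = bytes.fromhex("1001002f00000100")
SAMPLE_LOGIN = "sa".encode("utf-16-le")
SAMPLE_PASSWORD = "Secret42"
SAMPLE_CAPTURE = (SAMPLE_HEADER + SAMPLE_LOGIN
                  + obfuscate_password(SAMPLE_PASSWORD) + b"\x00\x00")
SAMPLE_OFFSET = len(SAMPLE_HEADER) + len(SAMPLE_LOGIN)


def describe(capture: bytes) -> list:
    """Human-readable findings for an analyst; one line per suspected password field."""
    return [f"offset {off}: {n}-character SQL login password, XOR-0xA5 only; use NT "
            f"authentication or enable SSL for this connection"
            for off, n in find_obfuscated_password_fields(capture)]
```

Non-ASCII password characters have a non-zero high byte and break the pattern, so a clean scan is evidence of absence only for ASCII passwords.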
14. Decoding WITH ENCRYPTION
  • dSQLSRVD http://www.geocities.com/d0mn4r/dSQLSRVD.html
  • Good explanation of issues with it at http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt
  • “Security” by obscurity
  • Key generation relies on Database GUID, object_id and colid from syscomments
  • ALTER statement allows us to use the same key to encrypt our own “known” text, thus the algorithm degenerates to simple XOR encryption
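Added example (neither the deck's demo nor dSQLSRVD's code) walking through the four steps quoted in the notes for slide 14 and showing why an ALTER under the same key degenerates the scheme to XOR against a known text. SHA-1, the byte layout of the GUID/object_id/colid concatenation, and the sample GUID, ids and procedure text are assumptions constructed for the example.

```python
import hashlib
import struct
import uuid


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(db_guid: uuid.UUID, object_id: int, colid: int) -> bytes:
    """Steps 1-2 of the quoted scheme: concatenate GUID, object id and colid, hash with SHA.
    SHA-1 and this particular byte layout are assumptions made for the example."""
    return hashlib.sha1(db_guid.bytes_le + struct.pack("<ii", object_id, colid)).digest()


def encrypt_text(key: bytes, text: bytes) -> bytes:
    """Steps 3-4: RC4 keystream as long as the text, XORed onto it (decrypting is the same op)."""
    return bytes(p ^ k for p, k in zip(text, rc4_keystream(key, len(text))))


def recover_with_known_text(cipher_orig: bytes, cipher_known: bytes, plain_known: bytes) -> bytes:
    """Keystream reuse: C1 ^ C2 ^ P2 == P1 wherever both texts overlap.
    Only the prefix covered by the known text comes back; bytes past it stay hidden."""
    n = min(len(cipher_orig), len(cipher_known), len(plain_known))
    return bytes(cipher_orig[i] ^ cipher_known[i] ^ plain_known[i] for i in range(n))


# Constructed sample values: a database GUID, an object id/colid pair and a procedure body.
DB_GUID = uuid.UUID("0f6b4e1a-3b2c-4d5e-8f90-1a2b3c4d5e6f")
OBJECT_ID, COLID = 1234567890, 1
ORIGINAL = b"CREATE PROCEDURE dbo.GetSecret AS SELECT 'constructed-secret' AS ApiKey"
# Known text written back with ALTER ... WITH ENCRYPTION, padded to cover the original
KNOWN = b"ALTER PROCEDURE dbo.GetSecret AS SELECT 1 " * 3


def demo() -> bytes:
    key = derive_key(DB_GUID, OBJECT_ID, COLID)   # same GUID/object_id/colid -> same key
    cipher_orig = encrypt_text(key, ORIGINAL)     # what syscomments held before the ALTER
    cipher_known = encrypt_text(key, KNOWN)       # what the ALTER stores under the reused key
    return recover_with_known_text(cipher_orig, cipher_known, KNOWN)
```

The defender's takeaway is that the keystream is fixed by GUID, object_id and colid, so WITH ENCRYPTION protects neither credentials nor logic placed in procedure text; treat it as obscurity only.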
15. DEMO WITH ENCRYPTION

16. Privilege Escalation – Jobs
  • Any login can make themselves sysadmin with 5 lines of TSQL
  • By default all logins can submit jobs
  • SQL Agent issues SETUSER N'guest' WITH NORESET when a non-sysadmin runs a job
  • Three vulnerable extended stored procedures
    • xp_execresultset
    • xp_printstatements
    • xp_displayparamstmt
  • These procedures cause a reconnection to SQL

17. Privilege Escalation – sysxlogins
  • Only possible if you are a sysadmin
  • Use sp_configure to allow updates
  • For any NT login (group or user)
  • Change xstatus from to 18 [1]
  • This will allow you to log in using SQL authentication by using the NT login name and no password
  • NT login still works as normal

18. DEMO PRIVILEGE ESCALATION

19. Privilege Escalation
  • Apply SP3 or latest security hotfix
  • Secure extended stored procedures
  • Remove guest user from msdb
  • Audit sysxlogins
  • Audit members of sysadmin (difficult)

20. UDP 1434 Exploit – SQLKill.Net
  • UDP 1434 buffer overflows made famous by Slammer but reported and fixed July 02
  • First example uses a harmless discovery tool and changes 1 character from 2 to 8
  • Heap overflow caused by the strtok() function expecting a colon (:) but not finding one and passing a NULL pointer to the atoi() function, causing an AV [1]

21. DEMO KILL SQL SERVER

22. UDP 1434 Exploit – netcat
  • Second example is more complicated
  • Use a stack overflow to call back to netcat listening on attacker PC on UDP 53
  • Network traffic looks like a malformed DNS query and DNS dynamic update
  • Gain remote shell on target server
  • Running in the SQL Server process space
  • Let’s steal a database and for fun delete it and all backups and create an empty database with the same name

23. DEMO NETCAT

24. UDP 1434 Exploit – Protection
  • SP3 or latest security hotfix
    http://www.microsoft.com/sql/downloads/2000/sp3.asp
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333
  • Firewall rules to block all UDP 1434 traffic
  • IPSEC policies blocking UDP 1434 – How to Block Specific Network Protocols and Ports by Using IPSec http://support.microsoft.com/?id=813878

25. Security Links
  • Slammer
    http://www.microsoft.com/security/slammer.asp
    http://www.caida.org/analysis/security/sapphire
    http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
    http://www.nextgenss.com/advisories/mssql-udp.txt
  • Security
    http://www.sqlsecurity.com
    http://www.nextgenss.com/research/papers.html
    http://www.securityfocus.com
    http://www.microsoft.com/sql/techinfo/administration/2000/security

26. References
  • [1] Threat Profiling SQL Server by David Litchfield http://www.nextgenss.com/papers/tp-SQL2000.pdf
  • [2] http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
