REALLY HACKING SQL SERVER 2000 - PowerPoint PPT Presentation

About This Presentation
Title: REALLY HACKING SQL SERVER 2000

Description: Memory resident worm that propagates via UDP Port 1434 and exploits a ... Officially the fastest spreading worm ever. SQL Security Tools. SQL Scan ...

Slides: 27
Provided by: jas151

Transcript and Presenter's Notes


1
REALLY HACKING SQL SERVER 2000
  • Less Theory More Action
  • Jasper Smith

2
Agenda
  • Slammer review and Tools
  • SQL Password Sniffing
  • Decoding WITH ENCRYPTION
  • Privilege Escalation
  • UDP 1434 Exploits
  • Links to security resources
  • Questions ?

3
What's not covered
  • SQL Injection
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
  • SQL Password Cracking
    http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
    http://www.nextgenss.com/software/ngssqlcrack.html

4
First the Good News !
  • The demos are all on SP2 (8.00.534)
  • A lot of these are fixed in SP3
  • Slammer means a lot of sites are already on
    SP3 or latest security hotfix
  • Slammer served as a wakeup call and focused
    everyone's minds on security (if they
    weren't already !!)

5
SQL Slammer (Sapphire/W32.Slammer)
  • Memory resident worm that propagates via UDP Port
    1434 and exploits a vulnerability in the SQL
    Server Resolution Service
  • First patch available July 2002
  • Difficulty of installing security hotfixes
    hampered deployment (tools now available)
  • Too many exposed servers without Firewalls
  • MSDE difficult to patch and identify installed
    by many products

6
Spread of Slammer First 30 mins
7
Slammer (cont.)
  • Because it used UDP rather than TCP it was only
    limited by available bandwidth
  • At Slammer's peak it was scanning 55 million
    hosts per second and doubled its numbers every
    8.5 seconds [2]
  • 75,000 hosts affected in first 10 minutes [2]
  • Officially the fastest spreading worm ever

8
SQL Security Tools
  • SQL Scan: scans a single PC, IP range or domain; can
    optionally stop and disable vulnerable instances
  • SQL Check: scans a single PC; can optionally stop and
    disable vulnerable instances
  • SQL Critical Update: scans a single PC; installs the
    Slammer hotfix even if the instance is not at SP2
  • SMSDeploy: SMS install pack to deploy SQL Critical
    Update
  • http://www.microsoft.com/sql/downloads/securitytools.asp

9
SQL Password Sniffing
  • Password is not sent in clear text, however the
    encryption is weak and easily broken
  • Information on the algorithm is available from
    Threat Profiling SQL Server by David Litchfield
    http://www.nextgenss.com/papers/tp-SQL2000.pdf
  • The password is converted to a wide character
    format (UNICODE) and each byte XOR'd with a
    constant fixed value of 0xA5 [1]

10
SQL Password Sniffing
  • Simply need to format captured network trace into
    a varbinary string and run a small UDF to crack
  • Easy to spot password, every other byte is 0xA5
  • Application roles suffer same problem
  • Let's have a look at the UDF then a demo
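
The transform the two slides above describe, modelled as an added example (this is not the presenter's dbo.decoder UDF, which is T-SQL and is not reproduced on this page). It assumes the slide's description is complete, i.e. the client-side obfuscation is UTF-16LE encoding followed by a bare XOR of every byte with 0xA5. The third function is the defender's side of the "every other byte is 0xA5" observation: a heuristic a capture-analysis or IDS pipeline can use to flag SQL-authentication logins crossing the wire, which is the evidence you need to justify moving to NT authentication or SSL. All payloads are constructed.

```python
# Added example, not the presentation's code. Assumption: the obfuscation is
# exactly UTF-16LE then XOR 0xA5 per byte, as the slide states.

XOR_KEY = 0xA5


def obfuscate_password(password: str) -> bytes:
    """Client-side transform as described on the slide."""
    wide = password.encode("utf-16-le")
    return bytes(b ^ XOR_KEY for b in wide)


def deobfuscate_password(blob: bytes) -> str:
    """XOR is its own inverse: applying the key again restores the UTF-16LE text."""
    wide = bytes(b ^ XOR_KEY for b in blob)
    return wide.decode("utf-16-le")


def find_obfuscated_runs(payload: bytes, min_chars: int = 4) -> list:
    """Detection heuristic for a captured payload.

    ASCII characters encode in UTF-16LE with a 0x00 high byte, and 0x00 ^ 0xA5
    is 0xA5, so the obfuscated field has 0xA5 in every second position.
    Returns (offset, length_in_bytes) for each run of at least min_chars
    characters; alignment is discovered from the data, not assumed.
    """
    runs = []
    i = 0
    n = len(payload)
    while i + 1 < n:
        if payload[i + 1] == XOR_KEY:
            start = i
            while i + 1 < n and payload[i + 1] == XOR_KEY:
                i += 2
            length = i - start
            if length // 2 >= min_chars:
                runs.append((start, length))
        else:
            i += 1
    return runs


if __name__ == "__main__":
    # Constructed sample: a few header bytes, an obfuscated password, padding.
    sample = b"\x10\x01\x00" + obfuscate_password("s3cret!") + b"\x00\x00"
    for offset, length in find_obfuscated_runs(sample):
        field = sample[offset:offset + length]
        print(f"candidate password field at {offset}: {field.hex()} -> "
              f"{deobfuscate_password(field)!r}")
```

The current MS-TDS specification also swaps the high and low nibble of each byte before the XOR, a step the slide omits; against a real capture that swap would precede `deobfuscate_password`'s XOR. The detection heuristic is unaffected, because a 0x00 high byte is still 0x00 after a nibble swap and still becomes 0xA5 after the XOR.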

11
dbo.decoder
12
PASSWORD DEMO
13
SQL Password Sniffing
  • If at all possible use NT Authentication
  • If you must use SQL Authentication then consider
    using SSL Encryption
  • Can be enabled for specific connections or server
    wide for all connections
  • IPSEC is also available on Windows 2000 and
    higher but considerably more effort to set up
    than SSL

14
Decoding WITH ENCRYPTION
  • dSQLSRVD http://www.geocities.com/d0mn4r/dSQLSRVD.html
  • Good explanation of issues with it at
    http://www.sqlsecurity.com/uploads/sql2k_spcrypto.txt
  • Security by obscurity
  • Key generation relies on Database GUID, object_id
    and colid from syscomments
  • ALTER statement allows us to use the same key to
    encrypt our own known text, thus the algorithm
    degenerates to simple XOR encryption

15
DEMO WITH ENCRYPTION
16
Privilege Escalation Jobs
  • Any login can make themselves sysadmin with 5
    lines of TSQL
  • By default all logins can submit jobs
  • SQL agent issues SETUSER N'guest' WITH NORESET
    when a non-sysadmin runs a job
  • Three vulnerable extended stored procedures:
    xp_execresultset, xp_printstatements,
    xp_displayparamstmt
  • These procedures cause a reconnection to SQL

17
Privilege Escalation sysxlogins
  • Only possible if you are a sysadmin
  • Use sp_configure to allow updates
  • For any NT login (group or user)
  • Change xstatus from its existing value to 18 [1]
  • This will allow you to login using SQL
    authentication by using the NT login name and no
    password
  • NT login still works as normal

18
DEMO PRIVILEGE ESCALATION
19
Privilege Escalation
  • Apply SP3 or latest security hotfix
  • Secure extended stored procedures
  • Remove guest user from msdb
  • Audit sysxlogins
  • Audit members of Sysadmin (difficult)

20
UDP 1434 Exploit SQLKill.Net
  • UDP 1434 Buffer Overflows made famous by Slammer
    but reported and fixed July 2002
  • First example uses a harmless discovery tool and
    changes 1 character from 2 to 8
  • Heap overflow caused by the strtok() function
    expecting a colon (:) but not finding one and
    passing a NULL pointer to the atoi() function,
    causing an AV [1]

21
DEMO KILL SQL SERVER
22
UDP 1434 Exploit - netcat
  • Second example is more complicated
  • Use a stack overflow to call back to netcat
    listening on attacker PC on UDP 53
  • Network traffic looks like a malformed DNS query
    and DNS dynamic update
  • Gain remote shell on target server
  • Running in the SQL Server process space
  • Let's steal a database and for fun delete it and
    all backups and create an empty database with the
    same name
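
A defender's counterpart to slides 20 and 22, added here and not part of the presentation: a triage function for datagrams arriving on UDP 1434 (the SQL Server Resolution Service) that a packet-capture or IDS script can apply. It uses the public SSRP message-type byte values (0x02 broadcast discovery, 0x04 instance lookup, and 0x08, the type the slide's first exploit produces by changing the 2 to an 8) and flags the two shapes the slides describe: a 0x08 request with no colon for strtok() to find, and a 0x04 request whose body is far longer than an instance name, the Slammer-style stack-overflow pattern. The 32-byte instance-name limit is an assumption, and every datagram in SAMPLES is constructed.

```python
# Added example, not from the presentation. Message-type values follow the
# public SSRP format; INSTANCE_NAME_MAX is an assumed threshold, not a
# value from the slides. SAMPLES are constructed test datagrams.

INSTANCE_NAME_MAX = 32  # assumed upper bound for a legitimate instance name


def classify_ssrp(datagram: bytes) -> str:
    """Classify one UDP 1434 datagram.

    Returns one of: empty, discovery, lookup, lookup-overflow,
    type8, type8-missing-colon, unknown.
    """
    if not datagram:
        return "empty"
    mtype = datagram[0]
    body = datagram[1:]
    if mtype == 0x02:
        return "discovery"                       # normal one-byte broadcast
    if mtype == 0x04:
        name = body.split(b"\x00", 1)[0]          # NUL-terminated instance name
        # Slide 22 / Slammer: 0x04 followed by far more than a name
        return "lookup-overflow" if len(name) > INSTANCE_NAME_MAX else "lookup"
    if mtype == 0x08:
        # Slide 20: server strtok()s for ':'; none found -> NULL -> atoi() -> AV
        return "type8-missing-colon" if b":" not in body else "type8"
    return "unknown"


SEVERITY = {
    "lookup-overflow": "HIGH: possible UDP 1434 stack overflow (Slammer pattern)",
    "type8-missing-colon": "MEDIUM: possible UDP 1434 heap-overflow DoS (type 0x08, no ':')",
}


def alerts_for(datagrams) -> list:
    """Return (index, message) for each suspicious datagram; benign ones yield nothing."""
    out = []
    for i, d in enumerate(datagrams):
        cls = classify_ssrp(d)
        if cls in SEVERITY:
            out.append((i, SEVERITY[cls]))
    return out


SAMPLES = [
    b"\x02",                          # ordinary discovery broadcast
    b"\x04MSSQLSERVER\x00",           # ordinary instance lookup
    b"\x04" + b"\x01" * 96,           # oversized 0x04 body (constructed)
    b"\x08",                          # discovery tool byte changed 2 -> 8
    b"\x08MSSQLSERVER:1433\x00",      # 0x08 with the colon present (constructed)
]


if __name__ == "__main__":
    for idx, msg in alerts_for(SAMPLES):
        print(f"datagram {idx}: {msg}")
```

Pair this with the protection slide that follows: the alert is the detective control, while SP3 or the hotfix, a firewall rule and an IPSec filter on UDP 1434 are the preventive ones.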

23
DEMO NETCAT
24
UDP 1434 Exploit - Protection
  • SP3 or latest security hotfix
    http://www.microsoft.com/sql/downloads/2000/sp3.asp
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316333
  • Firewall rules to block all UDP 1434 traffic
  • IPSEC policies blocking UDP 1434: How to Block
    Specific Network Protocols and Ports by Using
    IPSec http://support.microsoft.com/?id=813878

25
Security Links
  • Slammer
    http://www.microsoft.com/security/slammer.asp
    http://www.caida.org/analysis/security/sapphire
    http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
    http://www.nextgenss.com/advisories/mssql-udp.txt
  • Security
    http://www.sqlsecurity.com
    http://www.nextgenss.com/research/papers.html
    http://www.securityfocus.com
    http://www.microsoft.com/sql/techinfo/administration/2000/security

26
References
  • [1] Threat Profiling SQL Server by David Litchfield
    http://www.nextgenss.com/papers/tp-SQL2000.pdf
  • [2] http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html