BLACK HAT WINDOWS 2000 SECURITY
- BizTalk Server 2000
- Commerce Server 2000
- Application Center Server 2000
- Third-Party Apps (MSDE)
Windows Authentication Mode
- Requires user to be authenticated by Windows NT/2000
- This is the new default for SQL Server 2000
SQL Server Security Modes (cont.)
Mixed Mode
- Both SQL Server and Windows Authentication
- Lacks strong authentication controls such as password complexity, expiration, lockout, or history when using SQL Server logins
- Provided for backwards compatibility and Windows 98/Me installations Personal
Good Idea - What's the problem?
- Microsoft recommends Windows Authentication Mode
- Sounds like a no-brainer
The Problems
C2 Style Auditing
exec sp_configure 'C2 Audit Mode', 1
- Microsoft has made some great strides to improve the security of SQL Server
- Some ideas for future releases
- Fingerprinting/Discovery
- Acquiring Access
- Privilege Escalation
- Potential Pitfalls
- Custom DLL
  - Application Requirements
  - Source Disclosure
SQL Server Discovery
- Multiple instancing capabilities of SQL Server 2000 make enumeration a functional requirement
- A specially formed UDP packet directed at port 1434 will cause the SQL 2K listener service to divulge information about every instance of SQL
- Since the listener may exist on multiple machines, it is possible to send a broadcast UDP packet to port 1434 to discover all instances of SQL Server 2000 on a subnet
  - osql -L (will return a raw listing)
  - Capture returned packets
Account Acquisition (cont.)
- Sniffing (mixed or NT security mode)
  - L0phtcrack (to obtain NT account)
  - TCP 1433 traffic (non SSL)
- Connection strings (mixed mode)
  - Client registry (regedit)
  - Embedded in ASP source or client-side script (RDS)
  - Config files (global.asa, connectine, etc.)
Privilege Escalation
- xp_cmdshell -- Extended stored procedure that allows access to the operating system
- Create a backdoor account
- Trojan sp_password to capture passwords to use on operating system
- Use tftp to pull a trojan extended stored procedure
- Use this SQL Server to launch attacks against other hosts
- Sensible configuration management will help secure SQL Server itself
- Take the time to scan your networks and determine what people on the inside and the
- SQL Code Injection
- Best Practices
- .NET Beta Functionality
- The Future
- "What can I do TODAY?"
- Ability of an attacker to inject unintended SQL statements into application
- Consequences
Scope of SQL Injection
- SQL injection attacks rarely alert IDS systems, especially over SSL
- Difficult to track down all the areas of exploitation, since the only real solution is manual code review
- No amount of OS security, firewalls, or patch diligence will stop SQL injection. The solution is good coding practices
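The coding-practice point above, as an added example that is not from the slides: the string-concatenated login query the slides warn about beside its parameterised form, using Python's sqlite3 as a stand-in for SQL Server (an assumption; the user table, names and passwords are constructed).

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's login table.
    # sqlite3 is used only so the example runs offline; the pattern is the same
    # with any driver that supports parameters (ODBC/ADO against SQL Server).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pass")],
    )
    return conn


def login_concat(conn, name, pwd):
    # Vulnerable form: user input is spliced into the statement text, so a quote
    # in the input terminates the literal and the remainder is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '%s' AND pwd = '%s'" % (name, pwd)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, pwd):
    # Safe form: the statement text is fixed and the values are bound as
    # parameters, so the input is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND pwd = ?"
    return [row[0] for row in conn.execute(sql, (name, pwd))]


def concat_breaks_on_quote(conn):
    # A legitimate name containing an apostrophe is enough to break the
    # concatenated query; the parameterised one handles it correctly.
    try:
        login_concat(conn, "o'brien", "pass")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # input that changes the statement's meaning
    print("concat :", login_concat(db, hostile, hostile))  # every user
    print("param  :", login_param(db, hostile, hostile))   # []
    print("quote breaks concat:", concat_breaks_on_quote(db))
```

The same contrast applies to T-SQL built on the server side: fixed statement text with parameters (sp_executesql) rather than EXEC on a concatenated string.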
Taught by Black Hat