NetSPI Imformation Security Consulting
NetSPI Blog

Posts Tagged ‘Database Hacking’

When Databases Attack – Finding Data on SQL Servers

| Monday, November 14th, 2011

Introduction
A few weeks ago I presented a webinar called “When Databases Attack”. It covered some SQL Server database configuration issues that are commonly overlooked and targeted by attackers. For those who are interested it can be viewed HERE. This is a response to some requests for script examples. In this blog I’ll provide a few scripts for finding sensitive data quickly in SQL Server. In the future I’ll provide scripts for other attacks as well.

Finding Sensitive Data
There are a lot of great tools available for finding data quickly on a SQL Server. Some are commercial and some are open source. Most of them can be useful when gathering evidence during PCI penetration tests or when simply trying to determine if sensitive data exists in your database. In this section I’m going to cover how to find and sample data from SQL Servers using my TSQL script, and the Metasploit module based on the script.

TSQL Script – FindDataByKeyword.sql
This script will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the script and take a sample of the data. For more information please refer to the comments in the script.

Important Note: This script does not require SYSADMIN privileges, and will only return results for databases that the user has access to.

  1. Download the “finddatabykeyword.sql” TSQL script from:
    https://github.com/nullbind/Metasploit-Modules/blob/master/finddatabykeyword.sql.
  2. Sign into an existing SQL Server using Management Studio.
  3. Open the “finddatabykeyword.sql” TSQL script. Next, set the “@SAMPLE_COUNT” variable to the number of rows that you would like to sample. If “@SAMPLE_COUNT” is set to 1, then the query will also return the total number of rows for each of the affected columns that contain data.
  4. Then, modify the @KEYWORDS variable to set words to search for. Each keyword should be separated by the “|” character.
  5. Execute the “finddatabykeyword.sql” TSQL script to sample data from columns that match defined keywords.

Find Data by Keyword

Metasploit Module – mssql_findandsampledata.rb

This is my first Metasploit auxiliary module. I recently wrote it with a little help from humble-desser and DarkOperator. The module is essentially a Measploit wrapper for my original TSQL script. Currently, this script will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the keywords option. If column names are found that match the defined keywords and data is present in the associated tables, the script will select a sample of the records from each of the affected tables. The sample size is determined by the samplesize option.

Before I provide an overview of how the module works, I would also like to thank Digininja. His original Interesting Data Finder module (http://www.digininja.org/blog/finding_interesting_db_data.php) was my starting point for this script. Although, I didn’t use much of his IDF module, I did borrow his method for auto sizing columns. So Thanks! I think it’s a good time to mention that I haven’t submitted this to the Metasploit code base yet, because I would like to finish a few additional options. So enjoy the sneak peak! Hopefully some one finds it useful. Below is an overview of how to use the Metasploit module:

  1. Download and install the Metasploit Framework. It can be downloaded from:
    http://metasploit.com
  2. Download the “mssql_findandsampledata.rb” module from:
    https://github.com/nullbind/Metasploit-Modules/blob/master/mssql_findandsampledata.rb
  3. Copy the “mssql_findandsampledata.rb” file into Metasploit. Below are the locations it should be copied to for Metaploit Framework and Pro:

        Metasploit Framework –Windows (Free Version):
        C:\framework\msf3\modules\auxiliary\admin\mssql\

        Metasploit Pro – Windows (Commercial Version)
        C:\metasploit\apps\pro\msf3\modules\auxiliary\admin\mssql\

  4. Open a Metasploit console. Important Note: The pro version of Metasploit is not required.
    1-open-metasploit-console
  5. Select the “mssql_findandsampledata.rb” auxiliary by typing: “use auxiliary/admin/mssql/mssql_FindandSampleData”
    2-select-module-and-show-options
  6. Set the required configuration parameters as illustrated below. Please note that enabling file output is not required. Also, IP ranges and cider notation can be set via RHOSTS.
    3-set-module-options
  7. Type “show options” to confirm you’ve entered your information correctly.
    4-show-set-options
  8. Type “exploit” to enumerate data from the remote SQL Server and write it to a file. If it fails confirm that the IP address, port, username, and password are correct.
    5-typ-exploit-to-gather-data-from-server
  9. Open file in excel for easy viewing and sorting.
    6-review-csv-in-excel


Hopefully someone will find these scripts useful. If anyone has feedback or questions please feel free to email me. I always welcome the opportunity to improve scripts, approach, share knowledge etc. Also, next time I will be releasing a TSQL script and Metasploit module for attacking shared services accounts. In the mean time good hunting.

Permalink | Email the Author | No Comments

Tags: , ,

When Databases Attack: SQL Server Express Privilege Inheritance Issue

| Thursday, September 29th, 2011

SQL Server Express is commonly used by database hobbyists, application developers, and small application vendors to manage their application data. By default, it supports a lot of great options that make it a very practical solution to many business problems. However, it also comes configured with a not so great setting that could allow domain users to gain unauthorized access to SQL Server Express instances. In this blog I’ll cover what the issue is, how to attack it, and how to fix it.


How it works
Through privilege inheritance, all domain users have access to default SQL Server Express instances that have remote listeners enabled. This is mainly possible because the local Windows “BUILTIN\Users” group is assigned “connect” privileges during the default installation. Below is a summary of how this configuration allows users to gain unauthorized access to databases.

  1. By default, the “NT AUTHORITY\Authenticated Users” built-in security principal includes all users that have been “authenticated locally by a trusted domain controller.”. That includes all domain user and machine accounts.
  2. By default, the “NT AUTHORITY\Authenticated Users” built-in security principal is added as a member of the local “Users” group in Windows. This can be verified by issuing the following command from a Windows console:

    NET LOCALGROUP USERS
  3. By default, SQL Server Express 2005 and 2008 create a login for the local “BUILTIN\Users” group that provides users with connection privileges. This can be verified by issuing the following query in any default SQL Server Express instance:

    SELECT * FROM sys.server_principals WHERE name = ‘BUILTIN\Users’;
  4. As a result, all user and machine accounts on the same domain as the SQL Server Express instance also inherently have connect permissions to the SQL Server Express instance if a TCP listener has been enabled. Below is a basic example of how to issue a query to one of the affected SQL servers from a Windows console:

    SQLCMD -E -S “AffectedServer1\SQLEXPRESS” -Q “SELECT @@Version”

At a minimum, this default configuration provides an internal attacker with initial access to SQL Server Express instances. That “foot in the door” could potentially be leveraged to gain access to other database servers, systems, and network resources. During penetration tests, this type of issue often leads to exposure of sensitive data, and system access.

How to attack it
Below I’ve outlined one method for accessing SQL Server Express instances as a domain user. Keep in mind that there are a number of ways to accomplish the same thing. For example, it could be run through the “xp_cmdshell” extended stored procedure in order to run with the privileges of the SQL Server service account (which is the domain machine account if configured with “nt authority\system”).  

Note:  You may have to disable/modify your local firewall to ensure that SQLCMD can process the UDP responses from the SQL Servers on the network.

  1. Log into a Windows system with domain credentials.
  2. Install SQL Server Express.
  3. Open up a command prompt.
  4. Enumerate SQL Server instances that you have access to on the domain with the command below.

    FOR /F “” %a in (‘SQLCMD -L’) do SQLCMD -E -S %a -Q “SELECT ‘Vulnerable: ‘+@@SERVERNAME” | FIND /I “Vulnerable:” >> dbservers.txt
  5. Now you have a list of vulnerable SQL Servers that you can issue arbitrary queries to with SQLCMD or SQL Server Management Studio. If you’re a penetration tester, you can also start escalating privileges and gaining unauthorized access to data.

At some point in the near future I’ll also release a TSQL script that will output the list into a pretty table. If you’re interested in similar attacks, I wrote a blog called “When Databases Attack: Hacking with OSQL” that you might like.

How to fix it
Remove the “BUILTIN\Users” login from SQL Server express instances to prevent evil doers from accessing your data.

Conclusions
From what I understand, Microsoft only made this a configuration default in express editions to help make SQL Server easier to deal with on Windows systems with User Access Control (UAC) enabled. So if you’re running any other edition you shouldn’t have to worry about anything unless someone manually added a login for BUILTIN\Users. With that, I have a few words of advice. First, never trust default configurations. Second, always leverage best practice hardening guides to help lock down new systems and applications. Third, don’t forget to configure accounts and securables with least privilege.

Good hunting.

References

  • http://technet.microsoft.com/en-us/library/bb457115.aspx
  • http://msdn.microsoft.com/en-us/library/ms143401(v=sql.90).aspx
  • http://msdn.microsoft.com/en-us/library/ms143684.aspx
  • http://msdn.microsoft.com/en-us/library/bb326612.aspx
Permalink | Email the Author | No Comments

Tags: , , ,

When Databases Attack: Hacking with the OSQL Utility

| Tuesday, July 19th, 2011

The OSQL Utility is a command-line client for SQL Server that has shipped with every version since SQL Server 2000 was released. Many database administrators like it because it’s lightweight, makes scheduling TSQL jobs easy, and can be used for batch processing. Many hackers like it because it provides them with the ability to connect to local and remote database servers without having to provide credentials. This blog will provide some examples that illustrate how the OSQL utility can be used to gain unauthorized access to systems, databases, and sensitive information.

A Little History
All relevant versions of SQL Server have shipped with a command-line SQL Server client. The native command-line clients installed in past versions include: iSQL.exe, OSQL.exe, and SQLCMD.exe. Each utility Microsoft releases has more functionality than the last, but the important thing to note for this discussion is that the basic syntax has remained the same. That includes the –E “trusted connection” switch that will be important later on in this blog. Below I’ve provided a table that outlines which utilities ship with each version of SQL Server.

SQL Server Version

Command-line Utilities

Trusted Connections

SQL Server 7 (and Prior)

iSQL.exe

Yes

SQL Server 2000

iSQL.exe, OSQL.exe

Yes

SQL Server 2005

OSQL.exe, SQLCMD.exe

Yes

SQL Server 2008

OSQL.exe, SQLCMD.exe

Yes

Future versions

SQLCMD.exe

Yes

IMPORTANT NOTE: I focus on OSQL, because it’s installed on most production SQL servers today. However, after version 2008 R2 it will no longer be included in default installations. So, if you find yourself without OSQL, look to the other options.

Finding SQL Servers
Let’s start out by finding some SQL Servers on the network. It’s pretty hard to attack something if you don’t know where it is. There are a number of tools and methods for enumerating SQL Servers, but today I’m going to focus on finding them with native OSQL functionality. Very simply, local and network SQL Servers can be listed by executing the command below:

C:\>osql -L

The command sends a UDP request across the broadcast network and any SQL Server listening will respond. The resulting output will be a list of SQL servers on the broadcast network. So, with one switch, you can turn your database client into a database scanner.
Also, the server list can be directed into a file with the following command:

C:\>osql -L > sql_servers.txt

IMPORTANT NOTE: In older versions of SQL server, OSQL may have to be executed directly from the installation directory. Also, Microsoft warns that “Due to the nature of broadcasting on networks, OSQL may not receive a timely response from all servers. Therefore the list of servers returned may vary for each invocation of this option.” You may want to run the command a few times to ensure you get the full list.

Trusted Connections
Normally when a user queries an SQL Server with OSQL, they provide a username and password to authenticate. As a result, many administrators end up placing sensitive usernames and passwords in their scripts. Depending on the configuration, local, domain, and SQL Server accounts could be exposed. Trusted connections provide database users with the option to query SQL Servers without having to supply their credentials. When the trusted connections option is selected, the OSQL client attempts to authenticate to the database server using the current user context. In a way, this option increases security, because it keeps passwords out of scripts and in some cases can be used to enforce least privilege. However, there are some negatives aspects to having a “Trusted Connection” option: mainly the “Trusted” part.

Executing Queries with a Trusted Connection
Let’s take a look at how a database administrator might use this tool to check the version of a remote server. -E Uses a trusted connection for authentication (no credentials are required). I’ve also listed additional switches below:

  • -S Specifies the local or remote server (IP, hostname or hostname\instance)
  • -Q Runs a query and immediately exists
  • -h Indicates number of headers for the output
  • -s Indicates separating character for the output
  • -w Sets the width for the output

The example below will query the SQL Server at 192.168.100.110 for its version.

C:\>osql -E -S 192.168.100.110 -Q “select @@version” -h 1 -s “,” -w 500

Based on this example, it’s obvious that trusted connections are a handy tool for a database administrator. The problem starts to occur when an unauthorized user gets access to the database administrator’s machine or the database administrator decides they want more access to the system. Below are a few additional command line examples for connecting to remote databases using OSQL or SQLCMD.

Connect to a remote database using an IP address:

C:\>SQLCMD –E –S 192.168.100.110 –Q “select @@version”

Connect to a remote database using the instance name:

C:\>SQLCMD –E –S DBSERVER1\BankAppDB –Q “select @@version”

Connect to a remote database using a non standard port:

C:\>SQLCMD –E –S tcp:DBSERVER1,8000 –Q “select @@version”

Executing System Commands with a Trusted Connection
Attackers aren’t the only threat. Both attackers and database administrators can leverage this next trick to escalate their privileges. Using the OSQL utility and the xp_cmdshell extended stored procedure, DBAs and hackers can execute commands with the privileges of the SQL Server service account. Usually I find the SQL Server service account running as SYSTEM, a domain account, or an almighty Domain Admin account.

For those of you who are not as familiar – if we obtain SYSTEM privileges, we have more power than the local administrator account and, if we obtain Domain Admin, we can control most (if not all) of the devices on the network. How does this magic happen? Well, let’s take a look.

In the first example, I will execute the “whoami” command to return the name of the account I’m currently using. In the example below I am running as the “DBAdmin“domain user.

C:\>whoami
demo\dbaadmin

In the second example, I will run the same command using OSQL, a “trusted connection”, and xp_cmdshell. This time, the command returns “nt authority\system”. That means I can run any command as SYSTEM without being a part of any local or domain groups.

C:\>osql -E -S 192.168.100.110 -Q “xp_cmdshell ‘whoami’”
output
———————————————————————————————————————————-
nt authority\system

NULL

(2 rows affected)

If the database user running the command has been assigned the “sysadmin” fixed server role (most DBAs have), then the command above can be executed to determine what user the SQL Server is running as. If not, then escalation may be required.

IMPORTANT NOTE: The command above did not require any credentials and our actions most likely have not been logged. Also, sometimes the SQL Server service is not configured with a local Administrator, SYSTEM, or Domain Admin account. When that is, the case I usually find that it is configured with a shared service account. That can be almost as good.

Leveraging Shared Service Accounts and Trusted Connections
“Shared service account” is a term that describes one account that is used to run many services. The account can be a local or domain Windows account. In this case, we are referring to one account running the SQL Server service on many servers. Server administrators often use this approach because it makes managing database service accounts a whole lot easier. In enterprise environments, it can actually reduce the number of required service accounts by hundreds. However, managing accounts this way does come with some risk.

Configuring SQL Servers with a shared service account usually creates a trust relationship between every database server using the account. This happens because of privilege inheritance. In the OSQL command example below, the database admin is able to access a database that the account does not have privileges to. The inheritance happens as follows:

  1. The database admin (sysadmin) is able to execute a local command on SQL Server 1 with the SQL Server service account’s privileges using the OSQL utility, a “trusted connection, and the xp_cmdshell extended store procedure.
    (SYSADMIN on Server 1 = Service Account Privileges on Server 1)
  2. In versions of SQL server prior to 2008, the SQL Server service account is automatically placed in the local administrators group. That means the shared service account can authenticate to any SQL Server using it.
    (Service Account Privileges on Server 1 = Administrator Privileges on Server 2)
  3. In versions of SQL server prior to 2008, the local administrators group is assigned the sysadmin fixed server role. As a result, the shared service account has the privileges to run queries and local commands on Server 2. Through inheritance, so does the sysadmin from Server 1. (Administrator Privileges on Server 2 = SYADMIN on Server 2)

IMPORTANT NOTE: Despite of the fact that SQL Server 2008 ships with more secure configurations, administrators often change them back to the 2005 default settings.

Below is my crazy privilege inheritance abstract that shows the privilege flow starting from an SQL injection attack vector. Hopefully it helps to illustrate the process.

Crazy Privilege Inheritance Abstract

Crazy Privilege Inheritance Abstract

The real world attack would use a process like the one below. The database admin could first verify that their account can execute commands with the shared account’s privileges with the command below:

C:\>osql -E -S 192.168.100.110 -Q “xp_cmdshell ‘whoami’”
output
———————————————————————————————————————————-
DEMO\Shared
NULL

(2 rows affected)

Next, the database admin can enumerate SQL Server targets with the command below:
C:\>osql -L
Servers:
DB1
HVA
LVA (192.168.100.110)

Then, the database admin can issue commands on the remote SQL Server targets that use the DEMO\Shared account. 

IMPORTANT NOTE: In this example, the database admin is using the interactive mode to issue queries to the servers.

Using Shared Service Account to Gain Unauthorized Access

Using Shared Service Account to Gain Unauthorized Access

Batch Attacks
Let’s automate some of this. We can use simple Windows batch scripts and our OSQL tool to run queries across the accessible databases on the broadcast network. Below is a simple command-line example that will write the hostname and SQL Server version to “accessible_servers.txt” for each server that the database administrator has access to.

C:\FOR /F %i in (‘osql –L’) do osql –E –S %i –Q “selectrtrim(CONVERT(char(50),SERVERPROPERTY(‘servername’)))+‘ (‘+rtrim(CONVERT(char(20),SERVERPROPERTY(‘productversion’)))+‘)’+‘ ‘+rtrim(CONVERT(char(30),SERVERPROPERTY(‘Edition’)))+‘ ‘+rtrim(CONVERT(char(20),SERVERPROPERTY(‘ProductLevel’)))+char(10)”

The output will look something like the text below.

IMPORTANT NOTE: The login timeout errors usually indicate that the database user does not have access to the target SQL Server. It does not mean that a database service is not listening on that server.

[SQL Native Client]Named Pipes Provider: Could not open a connec-tion to SQL
Server [53].
[SQL Native Client]Login timeout expired
[SQL Native Client]An error has occurred while establishing a connection to
the server. When connecting to SQL Server 2005, this failure may be caused by
the fact that under the default settings SQL Server does not allow remote
connections.
—————————————————————-
—————————————————————-
HVA (9.00.4053.00) Express Edition SP3
(1 row affected)
—————————————————————-
LVA (9.00.4053.00) Express Edition SP3
(1 row affected)

We could, of course, automate queries to execute local commands, install software, and search for sensitive data on target servers, but I’ll save that for another day.

Wrap Up
The main lesson here is that configuring accounts with LEAST PRIVILEGE is important. Another take away should be that most of these attacks don’t generate any alerts. So, consider creating triggers on sensitive stored procedures like xp_cmdshell to generate audit trails. If you don’t feel like creating triggers manually, policy based management can be used. Policy based management has been around since SQL Server 2008, and allows DBAs to enforce detective and preventative controls on a SQL Server. The policies can be centrally managed to enforce controls across all of the 2005 and 2008 SQL Servers in your environment. I’ve provided a link below and strongly recommend DBAs take a look if they are not already familiar.

References

Permalink | Email the Author | No Comments

Tags: , , ,

When Databases Attack: Secure360

| Monday, June 6th, 2011

Antti and I presented our revised version of “When Databases Attack” at the Secure360 conference in Minneapolis a few weeks ago. We included some new SQL script examples based on some feedback from the BSides Minneapolis crowd. Thanks everyone who provided feedback! Go BSides! Feel free to download it HERE if your interested. Hopefully it provides some examples that people can actually use in their environments. We are also working on a database worm that communicates with a bot controller that leverages a number of the trust relationships we cover in “When Databases Attack”. We have included a few screen shots of the front end in the new slide deck. We also submitted it as a presentation for DEF CON 19 so wish us luck!

Permalink | Email the Author | No Comments

Tags: ,

When Databases Attack: Entry Points

| Wednesday, January 26th, 2011

Secure database configurations are important. However, many database administrators fail to lock down accounts that are used by trusted services. As a result, trusted services can often be used as entry points into database servers. Over time attackers have become very efficient at identifying those entry points, gaining access to confidential information, and pretty much being evil. This blog covers MS SQL Server entry points that can potentially be used to execute arbitrary queries via trusted database accounts.

Threats
Never discount the insider threat. Even if the administrator isn’t the culprit, their account can be impersonated and their password can be stolen. Also, insider attacks typically don’t trigger alerts in the same way that brute force attacks do because all of the actions appear to be legitimate from the system’s perspective. That makes enforcing the least privilege on accounts and objects even more important. Below I’ve listed a few accounts types that usually have more privileges than they really should. You may want to keep an eye on them.

  1. Application Database Accounts
    Database accounts used by applications typically have more privileges than they need to perform their function. In my experience I’ve found that most database accounts used by applications are assigned sysadmin privileges or actually use the SA account. As a result, every developer with access to the account can execute arbitrary queries and system commands on the database server. Application accounts should really only be assigned the access they require on the associated application database.
  2. Database Administrator Accounts
    Of course it makes sense to give database administrators access to manage their own databases. However, nine times out of ten they are able to elevate their privileges and access other databases and systems through inherited SQL Server service account permissions. So only give DBA access when it’s needed, set strong passwords, and audit administrative account activity.
  3. Server Administrator Accounts
    Similar to database administrators, local server administrators usually have more power than they realize due to inherited permissions. In SQL Server versions prior to 2008, the local Windows administrators group is assigned the sysadmin role by default. As a result, every local administrator is inherently also a database administrator. The lesson here is: Don’t assign the local administrators group sysadmin database privileges.
  4. Database Service Accounts
    In most environments SQL Server service accounts are part of the local administrators group. As a result, service accounts usually have sysadmin database privileges just like any other local administrator account. Shared SQL Server service accounts are another very common problem/practice in large environments because they make managing accounts easier. However, the reality is that the shared service accounts compound the issue by opening unwanted lines of trust between all of the database servers. When using shared service accounts, anyone who can administer one database server can also access data on every other server using the shared service account. Local commands and queries can be executed as the SQL Server service account by executing the OSQL command with the “-E” switch via the xp_cmdshell extended stored procedure. Contrary to what your parents may have taught you, when it comes to SQL Server service accounts, it’s not nice to share.

Entry Points
Below is a list of potential entry points into MS SQL Servers. Generally speaking, a database entry point is anywhere a user or application interfaces with a database. The idea is simple enough, and I think that most IT professionals understand it. What they don’t always understand is what those entry points are, or they forget that any interface used legitimately can also potentially be used by an attacker. The list below is intended to shed a little light into both areas. Most of the entry points can also be used to access other data management systems like Oracle and MySQL. However, I haven’t supplied any details for those platforms.

  1. Database Listener
    By default, SQL Servers listen on port 1433. In most cases they are configured to allow connections from anywhere on the network. As a result attackers can attempt to use exploits and weak passwords to gain unauthorized access. Based on my experience, there is at least one SQL Server account configured with a weak password. There are a number of tools to help identify such accounts. I like to use the SQLPing3 scanner. It does a good job of identifying SQL Servers and weak account passwords with the right word list. It also does a good job of finding SQL Servers on non-default ports along with all of the associated instance information. If you’re not a fan of SQLPing3, pretty much any vulnerability scanner will find the default database credentials for a SQL Server on the default port. The general idea for this bullet is to patch regularly and set strong passwords for all database accounts. If you’re using SQL Server 2005 or later I suggest inheriting the local or domain account policies to help enforce strong passwords.
  2. ODBC
    Open Database Connectivity (ODBC) is a middle layer of software that helps facilitate communication between applications and database servers. If an ODBC connection is already configured, it can be used to execute arbitrary queries against the database server through applications that use it. Examples include but are not limited to, Access, Excel, and Word. Additionally, some configurations allow attackers to extract usernames and passwords from ODBC configuration files. For example, Cain & Able has a nice ODBC password extractor for SQL Server 2005. If the password is recovered, attackers can connect directly to the SQL Server using SQL Server Management Studio.
  3. Client-Server Applications
    I think a lot of developers are under the impression that if a client application’s GUI doesn’t give users the option to execute arbitrary database queries then it’s not possible. Unfortunately that is far from the truth. Many applications can be decompiled with tools like .NET Reflector and the Boomerang Decompiler. Once decompiled the connection strings are often accessible in clear text. In some case the connections strings can even be accessed with a hex editor prior to being decompiled. Also, tools like Echo Mirage can be used to intercept and modify network traffic between the application and the server. Users and attackers can actually conduct thick application SQL injection by modifying the database queries in the TCP payload. If you’re interested, Mike Anderson wrote a brief blog on the subject which is available at http://www.netspi.com/blog/2010/05/04/echo-mirage-piercing-the-veil-of-thick-application-security/. The take away here should be to obfuscate or encrypt your code, and encrypt all application communication with the server.
  4. Web Applications
    Web applications present a number potential entry points. My goal today is not to provide a comprehensive list, but I will include some examples. If an attacker can access clear text connection strings in source code or configuration files such as the web.config, then the attacker can user them to connect to the backend database. Vulnerabilities that provide read access to such files vary from application to application, but the result is the same. If you are using clear text connection strings, consider encrypting them or using integrated authentication. SQL injection is another big one, which I’m sure doesn’t come as a shock to anyone. In many cases SQL injection can be used to bypass firewalls and execute arbitrary queries on the backend database. For SQL injection use common sense and best practice coding methods. I would spend more time on solutions for SQL injection, but there are volumes on the subject available online. Finally, some web applications actually support the functionality to build SQL queries on the fly. Technically it doesn’t qualify as SQL injection, but it definitely has the same result. The fix? Don’t do that. :)
  5. Web Services
    There are surprising amounts of web services running applications behind the scenes out there. I’ve seen quite of few used by both web applications and client-server applications. SOAP, REST, and RPC web services all still seem to be pretty popular right now. Overall, SOAP web services seem to be used more by web applications, and REST/RPC web services seem to be used more by client-server applications. Regardless of the web service type, I’ve seen many of the same issues that affect traditional web applications causing security holes that provide attackers with arbitrary query access.

While assessing the security of your database servers make sure to consider more than the local database configuration. While the local database configuration needs to be secure, connections from trusted services can also be used as entry points by attackers. Make sure to lock down accounts from those trusted services or you may be unwittingly providing full database access to internal and external attackers.

– Boo evil

Reference Links

Permalink | Email the Author | No Comments

Tags: , ,

« Older Entries