NetSPI Imformation Security Consulting
NetSPI Blog

Posts Tagged ‘penetration testing’

When Databases Attack: SQL Server Express Privilege Inheritance Issue

| Thursday, September 29th, 2011

SQL Server Express is commonly used by database hobbyists, application developers, and small application vendors to manage their application data. By default, it supports a lot of great options that make it a very practical solution to many business problems. However, it also comes configured with a not so great setting that could allow domain users to gain unauthorized access to SQL Server Express instances. In this blog I’ll cover what the issue is, how to attack it, and how to fix it.


How it works
Through privilege inheritance, all domain users have access to default SQL Server Express instances that have remote listeners enabled. This is mainly possible because the local Windows “BUILTIN\Users” group is assigned “connect” privileges during the default installation. Below is a summary of how this configuration allows users to gain unauthorized access to databases.

  1. By default, the “NT AUTHORITY\Authenticated Users” built-in security principal includes all users that have been “authenticated locally by a trusted domain controller.”. That includes all domain user and machine accounts.
  2. By default, the “NT AUTHORITY\Authenticated Users” built-in security principal is added as a member of the local “Users” group in Windows. This can be verified by issuing the following command from a Windows console:

    NET LOCALGROUP USERS
  3. By default, SQL Server Express 2005 and 2008 create a login for the local “BUILTIN\Users” group that provides users with connection privileges. This can be verified by issuing the following query in any default SQL Server Express instance:

    SELECT * FROM sys.server_principals WHERE name = ‘BUILTIN\Users’;
  4. As a result, all user and machine accounts on the same domain as the SQL Server Express instance also inherently have connect permissions to the SQL Server Express instance if a TCP listener has been enabled. Below is a basic example of how to issue a query to one of the affected SQL servers from a Windows console:

    SQLCMD -E -S “AffectedServer1\SQLEXPRESS” -Q “SELECT @@Version”

At a minimum, this default configuration provides an internal attacker with initial access to SQL Server Express instances. That “foot in the door” could potentially be leveraged to gain access to other database servers, systems, and network resources. During penetration tests, this type of issue often leads to exposure of sensitive data, and system access.

How to attack it
Below I’ve outlined one method for accessing SQL Server Express instances as a domain user. Keep in mind that there are a number of ways to accomplish the same thing. For example, it could be run through the “xp_cmdshell” extended stored procedure in order to run with the privileges of the SQL Server service account (which is the domain machine account if configured with “nt authority\system”).  

Note:  You may have to disable/modify your local firewall to ensure that SQLCMD can process the UDP responses from the SQL Servers on the network.

  1. Log into a Windows system with domain credentials.
  2. Install SQL Server Express.
  3. Open up a command prompt.
  4. Enumerate SQL Server instances that you have access to on the domain with the command below.

    FOR /F “” %a in (‘SQLCMD -L’) do SQLCMD -E -S %a -Q “SELECT ‘Vulnerable: ‘+@@SERVERNAME” | FIND /I “Vulnerable:” >> dbservers.txt
  5. Now you have a list of vulnerable SQL Servers that you can issue arbitrary queries to with SQLCMD or SQL Server Management Studio. If you’re a penetration tester, you can also start escalating privileges and gaining unauthorized access to data.

At some point in the near future I’ll also release a TSQL script that will output the list into a pretty table. If you’re interested in similar attacks, I wrote a blog called “When Databases Attack: Hacking with OSQL” that you might like.

How to fix it
Remove the “BUILTIN\Users” login from SQL Server express instances to prevent evil doers from accessing your data.

Conclusions
From what I understand, Microsoft only made this a configuration default in express editions to help make SQL Server easier to deal with on Windows systems with User Access Control (UAC) enabled. So if you’re running any other edition you shouldn’t have to worry about anything unless someone manually added a login for BUILTIN\Users. With that, I have a few words of advice. First, never trust default configurations. Second, always leverage best practice hardening guides to help lock down new systems and applications. Third, don’t forget to configure accounts and securables with least privilege.

Good hunting.

References

  • http://technet.microsoft.com/en-us/library/bb457115.aspx
  • http://msdn.microsoft.com/en-us/library/ms143401(v=sql.90).aspx
  • http://msdn.microsoft.com/en-us/library/ms143684.aspx
  • http://msdn.microsoft.com/en-us/library/bb326612.aspx
Permalink | Email the Author | No Comments

Tags: , , ,

The value of multi-layer / comprehensive pen testing

| Wednesday, July 20th, 2011

For the past five years it seems like almost everything in information security has focused on application security and, for the NetSPI consulting practices, our application security business (app pen testing, code review, etc.) has significantly increased.  In that time, we have seen areas like network and systems vulnerability assessments change due to the commoditization of those services. Qualys, nCircle, and Rapid7 have all created a less expensive way to do a fairly simple scan of networks and systems that provide some level of comfort that networks and systems are secure.

Today it’s pretty common to hear people say “we’ve got the network covered; now we’re really interested in pursuing our application security.” In 2006 I remember Charlie Johnson, head of the consulting practice at Symantec, talking about apps being the only thing that mattered and that he was thinking of committing the Symantec consulting team to secure application development. He may have just been thinking out loud, but securing applications has become the focus of many IT security groups almost to the exclusion of focusing on risk to the organization.

Don’t get me wrong, application security is a huge problem and it will remain a problem for many years. However, there are many other areas of risk (perhaps greater risk) that cannot be ignored. At the technical level, system security for off-the-shelf software is a persistent problem. Organizations still struggle to patch quickly and there are often systems with exceptions to the patching process that weaken an organization’s domain and system security. While patching is still an issue, the biggest vulnerabilities are found within network and system configurations. In most (90-95%) of our pen tests we find weak configurations that lead to the complete compromise of an environment. In addition, in many organizations, database groups are silo’d off and don’t get the security attention that they need. Because of this, we find an excessive level of insecure configurations, embedded passwords, and inappropriate trust relationships that can lead to compromise.

With all of these technical vulnerabilities, it’s amazing that an even wider security hole can be found within the physical operations, business process, and personnel at organizations. This is still usually the easiest way to break into an organization. Often it’s combined with technical exploits, but social engineering provides an almost failsafe way to get information and access within technology environments.

I don’t think we should reduce our focus on application security – there’s a lot to do there and it will take many years to secure this aspect of IT within organizations. However, I think it’s incredibly important not to lose sight of what constitutes risk. If you really want to understand and reduce IT related risk, you’ve got to look comprehensively at risk within all aspects of your IT environment – process, physical, network, systems, database, and applications. Because while you may not be looking at these things, it’s certain that at some point, someone looking for the easiest way in will be looking at exploiting these weaknesses.

Permalink | Email the Author | No Comments

Tags: , , ,

When Databases Attack: Hacking with the OSQL Utility

| Tuesday, July 19th, 2011

The OSQL Utility is a command-line client for SQL Server that has shipped with every version since SQL Server 2000 was released. Many database administrators like it because it’s lightweight, makes scheduling TSQL jobs easy, and can be used for batch processing. Many hackers like it because it provides them with the ability to connect to local and remote database servers without having to provide credentials. This blog will provide some examples that illustrate how the OSQL utility can be used to gain unauthorized access to systems, databases, and sensitive information.

A Little History
All relevant versions of SQL Server have shipped with a command-line SQL Server client. The native command-line clients installed in past versions include: iSQL.exe, OSQL.exe, and SQLCMD.exe. Each utility Microsoft releases has more functionality than the last, but the important thing to note for this discussion is that the basic syntax has remained the same. That includes the –E “trusted connection” switch that will be important later on in this blog. Below I’ve provided a table that outlines which utilities ship with each version of SQL Server.

SQL Server Version

Command-line Utilities

Trusted Connections

SQL Server 7 (and Prior)

iSQL.exe

Yes

SQL Server 2000

iSQL.exe, OSQL.exe

Yes

SQL Server 2005

OSQL.exe, SQLCMD.exe

Yes

SQL Server 2008

OSQL.exe, SQLCMD.exe

Yes

Future versions

SQLCMD.exe

Yes

IMPORTANT NOTE: I focus on OSQL, because it’s installed on most production SQL servers today. However, after version 2008 R2 it will no longer be included in default installations. So, if you find yourself without OSQL, look to the other options.

Finding SQL Servers
Let’s start out by finding some SQL Servers on the network. It’s pretty hard to attack something if you don’t know where it is. There are a number of tools and methods for enumerating SQL Servers, but today I’m going to focus on finding them with native OSQL functionality. Very simply, local and network SQL Servers can be listed by executing the command below:

C:\>osql -L

The command sends a UDP request across the broadcast network and any SQL Server listening will respond. The resulting output will be a list of SQL servers on the broadcast network. So, with one switch, you can turn your database client into a database scanner.
Also, the server list can be directed into a file with the following command:

C:\>osql -L > sql_servers.txt

IMPORTANT NOTE: In older versions of SQL server, OSQL may have to be executed directly from the installation directory. Also, Microsoft warns that “Due to the nature of broadcasting on networks, OSQL may not receive a timely response from all servers. Therefore the list of servers returned may vary for each invocation of this option.” You may want to run the command a few times to ensure you get the full list.

Trusted Connections
Normally when a user queries an SQL Server with OSQL, they provide a username and password to authenticate. As a result, many administrators end up placing sensitive usernames and passwords in their scripts. Depending on the configuration, local, domain, and SQL Server accounts could be exposed. Trusted connections provide database users with the option to query SQL Servers without having to supply their credentials. When the trusted connections option is selected, the OSQL client attempts to authenticate to the database server using the current user context. In a way, this option increases security, because it keeps passwords out of scripts and in some cases can be used to enforce least privilege. However, there are some negatives aspects to having a “Trusted Connection” option: mainly the “Trusted” part.

Executing Queries with a Trusted Connection
Let’s take a look at how a database administrator might use this tool to check the version of a remote server. -E Uses a trusted connection for authentication (no credentials are required). I’ve also listed additional switches below:

  • -S Specifies the local or remote server (IP, hostname or hostname\instance)
  • -Q Runs a query and immediately exists
  • -h Indicates number of headers for the output
  • -s Indicates separating character for the output
  • -w Sets the width for the output

The example below will query the SQL Server at 192.168.100.110 for its version.

C:\>osql -E -S 192.168.100.110 -Q “select @@version” -h 1 -s “,” -w 500

Based on this example, it’s obvious that trusted connections are a handy tool for a database administrator. The problem starts to occur when an unauthorized user gets access to the database administrator’s machine or the database administrator decides they want more access to the system. Below are a few additional command line examples for connecting to remote databases using OSQL or SQLCMD.

Connect to a remote database using an IP address:

C:\>SQLCMD –E –S 192.168.100.110 –Q “select @@version”

Connect to a remote database using the instance name:

C:\>SQLCMD –E –S DBSERVER1\BankAppDB –Q “select @@version”

Connect to a remote database using a non standard port:

C:\>SQLCMD –E –S tcp:DBSERVER1,8000 –Q “select @@version”

Executing System Commands with a Trusted Connection
Attackers aren’t the only threat. Both attackers and database administrators can leverage this next trick to escalate their privileges. Using the OSQL utility and the xp_cmdshell extended stored procedure, DBAs and hackers can execute commands with the privileges of the SQL Server service account. Usually I find the SQL Server service account running as SYSTEM, a domain account, or an almighty Domain Admin account.

For those of you who are not as familiar – if we obtain SYSTEM privileges, we have more power than the local administrator account and, if we obtain Domain Admin, we can control most (if not all) of the devices on the network. How does this magic happen? Well, let’s take a look.

In the first example, I will execute the “whoami” command to return the name of the account I’m currently using. In the example below I am running as the “DBAdmin“domain user.

C:\>whoami
demo\dbaadmin

In the second example, I will run the same command using OSQL, a “trusted connection”, and xp_cmdshell. This time, the command returns “nt authority\system”. That means I can run any command as SYSTEM without being a part of any local or domain groups.

C:\>osql -E -S 192.168.100.110 -Q “xp_cmdshell ‘whoami’”
output
———————————————————————————————————————————-
nt authority\system

NULL

(2 rows affected)

If the database user running the command has been assigned the “sysadmin” fixed server role (most DBAs have), then the command above can be executed to determine what user the SQL Server is running as. If not, then escalation may be required.

IMPORTANT NOTE: The command above did not require any credentials and our actions most likely have not been logged. Also, sometimes the SQL Server service is not configured with a local Administrator, SYSTEM, or Domain Admin account. When that is, the case I usually find that it is configured with a shared service account. That can be almost as good.

Leveraging Shared Service Accounts and Trusted Connections
“Shared service account” is a term that describes one account that is used to run many services. The account can be a local or domain Windows account. In this case, we are referring to one account running the SQL Server service on many servers. Server administrators often use this approach because it makes managing database service accounts a whole lot easier. In enterprise environments, it can actually reduce the number of required service accounts by hundreds. However, managing accounts this way does come with some risk.

Configuring SQL Servers with a shared service account usually creates a trust relationship between every database server using the account. This happens because of privilege inheritance. In the OSQL command example below, the database admin is able to access a database that the account does not have privileges to. The inheritance happens as follows:

  1. The database admin (sysadmin) is able to execute a local command on SQL Server 1 with the SQL Server service account’s privileges using the OSQL utility, a “trusted connection, and the xp_cmdshell extended store procedure.
    (SYSADMIN on Server 1 = Service Account Privileges on Server 1)
  2. In versions of SQL server prior to 2008, the SQL Server service account is automatically placed in the local administrators group. That means the shared service account can authenticate to any SQL Server using it.
    (Service Account Privileges on Server 1 = Administrator Privileges on Server 2)
  3. In versions of SQL server prior to 2008, the local administrators group is assigned the sysadmin fixed server role. As a result, the shared service account has the privileges to run queries and local commands on Server 2. Through inheritance, so does the sysadmin from Server 1. (Administrator Privileges on Server 2 = SYADMIN on Server 2)

IMPORTANT NOTE: Despite of the fact that SQL Server 2008 ships with more secure configurations, administrators often change them back to the 2005 default settings.

Below is my crazy privilege inheritance abstract that shows the privilege flow starting from an SQL injection attack vector. Hopefully it helps to illustrate the process.

Crazy Privilege Inheritance Abstract

Crazy Privilege Inheritance Abstract

The real world attack would use a process like the one below. The database admin could first verify that their account can execute commands with the shared account’s privileges with the command below:

C:\>osql -E -S 192.168.100.110 -Q “xp_cmdshell ‘whoami’”
output
———————————————————————————————————————————-
DEMO\Shared
NULL

(2 rows affected)

Next, the database admin can enumerate SQL Server targets with the command below:
C:\>osql -L
Servers:
DB1
HVA
LVA (192.168.100.110)

Then, the database admin can issue commands on the remote SQL Server targets that use the DEMO\Shared account. 

IMPORTANT NOTE: In this example, the database admin is using the interactive mode to issue queries to the servers.

Using Shared Service Account to Gain Unauthorized Access

Using Shared Service Account to Gain Unauthorized Access

Batch Attacks
Let’s automate some of this. We can use simple Windows batch scripts and our OSQL tool to run queries across the accessible databases on the broadcast network. Below is a simple command-line example that will write the hostname and SQL Server version to “accessible_servers.txt” for each server that the database administrator has access to.

C:\FOR /F %i in (‘osql –L’) do osql –E –S %i –Q “selectrtrim(CONVERT(char(50),SERVERPROPERTY(‘servername’)))+‘ (‘+rtrim(CONVERT(char(20),SERVERPROPERTY(‘productversion’)))+‘)’+‘ ‘+rtrim(CONVERT(char(30),SERVERPROPERTY(‘Edition’)))+‘ ‘+rtrim(CONVERT(char(20),SERVERPROPERTY(‘ProductLevel’)))+char(10)”

The output will look something like the text below.

IMPORTANT NOTE: The login timeout errors usually indicate that the database user does not have access to the target SQL Server. It does not mean that a database service is not listening on that server.

[SQL Native Client]Named Pipes Provider: Could not open a connec-tion to SQL
Server [53].
[SQL Native Client]Login timeout expired
[SQL Native Client]An error has occurred while establishing a connection to
the server. When connecting to SQL Server 2005, this failure may be caused by
the fact that under the default settings SQL Server does not allow remote
connections.
—————————————————————-
—————————————————————-
HVA (9.00.4053.00) Express Edition SP3
(1 row affected)
—————————————————————-
LVA (9.00.4053.00) Express Edition SP3
(1 row affected)

We could, of course, automate queries to execute local commands, install software, and search for sensitive data on target servers, but I’ll save that for another day.

Wrap Up
The main lesson here is that configuring accounts with LEAST PRIVILEGE is important. Another take away should be that most of these attacks don’t generate any alerts. So, consider creating triggers on sensitive stored procedures like xp_cmdshell to generate audit trails. If you don’t feel like creating triggers manually, policy based management can be used. Policy based management has been around since SQL Server 2008, and allows DBAs to enforce detective and preventative controls on a SQL Server. The policies can be centrally managed to enforce controls across all of the 2005 and 2008 SQL Servers in your environment. I’ve provided a link below and strongly recommend DBAs take a look if they are not already familiar.

References

Permalink | Email the Author | No Comments

Tags: , , ,

Presenting at OWASP AppSec Conference

| Monday, August 16th, 2010

Antti Rantasaari and I will be delivering our presentation “Escalating Privileges through Database Trusts” at the National OWASP AppSec conference in Irvine, CA on September 10th. We are very excited to have the opportunity to share some the of the common application and database implementation weaknesses we see in the real world. During the presentation we’ll show how those weaknesses can be combined to gain unauthorized access to high value data. The presentation will cover:

- Three core issues that contribute to weak application and database configurations
- Three common attack and escalation scenarios used during penetration tests
- Five fixes to help stop the bleeding

- Time for questions and answers

For those who are interested come see us at AppSec. You can register online at the AppSec website.

See you there!

Permalink | Email the Author | No Comments

Tags: , ,

Windows Tools in BackTrack

| Wednesday, July 21st, 2010

For those of you who aren’t in the loop, BackTrack is a Live Linux distribution that ships with a large number of open source tools that can be used to assess the security of networks, systems, and applications. At this point, most IT professionals and 14 year old computer geeks are at least generally familiar with it. Despite BackTrack’s popularity, I find that very few people are aware that it actually comes with quite a few Windows tools. Most of them are pretty handy and can be easily executed using Wine.

Tools have been included for password cracking, tunneling, remote management and a number of other tasks. Some of the tools that you may already be familiar with include fgdump.exe, psexec.exe, plink.exe, and hijetter. It’s nice to have a few common tools out of the box, but for more ambitious users I definitely recommend installing your favorite Windows tools if they aren’t included.

Below is a quick example of how the Windows tool fgdump.exe can be executed with Wine in BackTrack4:


wine /pentest/windows-binaries/passwd-attack/fgdump.exe -h 192.168.1.101 -u user -p password

If for some reason you don’t already have a copy of Backtrack, go to www.backtrack-linux.or and download it. The creators of the distribution have made an ISO and VMware image available on their site that can be downloaded via FTP or torrent. And it is FREE so you have no excuse.

Resource Links

Permalink | Email the Author | No Comments

Tags: , ,

« Older Entries