Data Base Attack

IN THE NAME OF GOD

Top 10 database attacks

MB Bahador

TOP 10 DATABASE ATTACKS

1. Excessive privileges2. Privilege abuse3. Unauthorized privilege elevation4. Platform vulnerabilities5. SQL injection6. Weak audit7. Denial of service8. Database protocol vulnerabilities9. Weak authentication10.Exposure of backup data

PLATFORM VULNERABILITIES

Vulnerabilities in underlying operating systems may lead to unauthorized data access.


Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service.


Slammer worm on Windows machines running MS SQL Server


Aliases: SQL Slammer, W32.SQLExp.Worm

Released: January 25, 2003, at about 5:30 a.m. (GMT)

Fastest worm in history Spread world-wide in under 10 minutes Doubled infections every 8.5 seconds 376 bytes long


Platform: Microsoft SQL Server 2000 Vulnerability: Buffer overflow Patch available for 6 months Propagation: Single UDP packet


Infected between 75,000 and 160,000 systems

Disabled SQL Server databases on infected machines

Saturated world networks with traffic Disrupted Internet connectivity world-

wide


Disrupted financial institutions Airline delays and cancellations Affected many U.S. government

and commercial websites


13,000 Bank of America ATMs stopped working

Continental Airlines flights were cancelled and delayed; ticketing system was inundated with traffic. Airport self-check-in kiosks stopped working

Activated Cisco router bugs at Internet backbones


Single UDP packet Targets port 1434 (Microsoft-SQL-Monitor) Causes buffer overflow Continuously sends itself via UDP packets to

pseudo-random IP addresses, including broadcast and multicast addresses

Does not check whether target machines exist


Reconstructs session from buffer overflow Obtains (and verifies!) Windows API

function addresses Initializes pseudo-random number

generator and socket structures Continuously generates random IP

addresses and sends UDP data-grams of itself

Reconstruct session

Get Windows API addresses

Initialize PRNG and socketSend Packets

Buffer Overflow


The Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers.(create denial of service conditions)


Also known as Lovsan, Poza, Blaster. First detected on August 11, 2003 Exploits the most widespread Windows flaw ever A vulnerability in Distributed Component Object

Model (DCOM) that handles communication using Remote Procedure Call (RPC) protocol


Affects Windows 2000 and Windows XP Two messages in the code: 1. “I just want to say LOVE YOU SAN!”” 2. “billy gates why do you make this possible? Stop

making money and fix your software!!” Infected more than 100,000 computers in 24 hours


Detected in mid-July 2003 RPC protocol allow a program to run code on a

remote machine Incorrectly handles malformed messages on

RPC port 135, 139, 445, 593 Attackers send special message to remote

host Gain local privilege, run malicious code


Vulnerability Scorecard ReportPublished: March 2011

This study leverages data from the National Vulnerability Database (NVD), the industry standard source of security vulnerability data.


Consequence Server is compromised Direct access to database files Local access through admin roles Install backdoors


Mitigation Network ACLs: Simple FW to allow access only to required services Network IPS: Traditional detection of known

vulnerabilities IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.

REFERENCE eEye Digital Security.

http://www.eeye.com/html/Research/Flash/sapphire.txt Cooperative Association for Internet Data

Analysis (CAIDA) http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

Internet Storm Center. http://isc.incidents.org/analysis.html?id=180

http://isc.incidents.org/analysis.html?id=180

http://isc.incidents.org/analysis.html?id=180

Data Base Attack

Education

Transcript of Data Base Attack