Post on 18-Nov-2014
IN THE NAME OF GOD
Top 10 database attacks
MB Bahador
TOP 10 DATABASE ATTACKS
1. Excessive privileges
2. Privilege abuse
3. Unauthorized privilege elevation
4. Platform vulnerabilities
5. SQL injection
6. Weak audit
7. Denial of service
8. Database protocol vulnerabilities
9. Weak authentication
10. Exposure of backup data
PLATFORM VULNERABILITIES
Vulnerabilities in underlying operating systems may lead to unauthorized data access.
Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service.
Slammer worm on Windows machines running MS SQL Server
Aliases: SQL Slammer, W32.SQLExp.Worm
Released: January 25, 2003, at about 5:30 a.m. (GMT)
Fastest worm in history
Spread world-wide in under 10 minutes
Doubled infections every 8.5 seconds
376 bytes long
Platform: Microsoft SQL Server 2000
Vulnerability: Buffer overflow
Patch available for 6 months
Propagation: Single UDP packet
Infected between 75,000 and 160,000 systems
Disabled SQL Server databases on infected machines
Saturated world networks with traffic
Disrupted Internet connectivity world-wide
Disrupted financial institutions
Airline delays and cancellations
Affected many U.S. government and commercial websites
13,000 Bank of America ATMs stopped working
Continental Airlines flights were cancelled and delayed; ticketing system was inundated with traffic.
Airport self-check-in kiosks stopped working
Activated Cisco router bugs at Internet backbones
Single UDP packet
Targets port 1434 (Microsoft-SQL-Monitor)
Causes buffer overflow
Continuously sends itself via UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses
Does not check whether target machines exist
Reconstructs session from buffer overflow
Obtains (and verifies!) Windows API function addresses
Initializes pseudo-random number generator and socket structures
Continuously generates random IP addresses and sends UDP datagrams of itself
[Diagram: Buffer overflow; Reconstruct session; Get Windows API addresses; Initialize PRNG and socket; Send packets]
The Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers (create denial-of-service conditions).
Also known as Lovsan, Poza, Blaster.
First detected on August 11, 2003
Exploits the most widespread Windows flaw ever
A vulnerability in Distributed Component Object Model (DCOM) that handles communication using Remote Procedure Call (RPC) protocol
Affects Windows 2000 and Windows XP
Two messages in the code:
1. “I just want to say LOVE YOU SAN!”
2. “billy gates why do you make this possible? Stop making money and fix your software!!”
Infected more than 100,000 computers in 24 hours
Detected in mid-July 2003
RPC protocol allows a program to run code on a remote machine
Incorrectly handles malformed messages on RPC ports 135, 139, 445, 593
Attackers send special message to remote host
Gain local privilege, run malicious code
Vulnerability Scorecard Report
Published: March 2011
This study leverages data from the National Vulnerability Database (NVD), the industry standard source of security vulnerability data.
Consequence
Server is compromised
Direct access to database files
Local access through admin roles
Install backdoors
Mitigation
Network ACLs: Simple firewall to allow access only to required services
Network IPS: Traditional detection of known vulnerabilities
IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.
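The two mitigations above, applied to the Slammer traffic pattern from the earlier slides, as an added example that is not part of the original slides. The flow-record format, all addresses, the fan-out threshold, TCP 1433 as the only required service, and treating the 376-byte worm length as the UDP payload size are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict

SLAMMER_PORT = 1434   # UDP port named in the slides (Microsoft-SQL-Monitor)
SLAMMER_LEN = 376     # worm length from the slides, assumed here to be the UDP payload size
FANOUT = 5            # assumed threshold: distinct targets before a source counts as scanning
DB_SERVER = "10.0.1.10"       # assumed database server address
REQUIRED = {("tcp", 1433)}    # assumed: the only service clients need from that server
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed flow records: src dst proto dport payload_bytes
SAMPLE_FLOWS = """\
10.0.2.15 10.0.1.10 tcp 1433 512
203.0.113.50 10.0.1.10 udp 1434 376
10.0.5.20 198.51.100.7 udp 1434 376
10.0.5.20 192.0.2.44 udp 1434 376
10.0.5.20 224.0.0.9 udp 1434 376
10.0.5.20 255.255.255.255 udp 1434 376
10.0.5.20 203.0.113.9 udp 1434 376
10.0.5.20 198.51.100.201 udp 1434 376
10.0.3.8 10.0.1.10 udp 1434 1
"""

def parse(text):
    """Yield (src, dst, proto, dport, size) tuples from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport, size = line.split()
            yield src, ipaddress.ip_address(dst), proto.lower(), int(dport), int(size)

def acl_denied(text):
    """Network ACL view: flows to the DB server that a 'required services only' rule drops."""
    return [(src, proto, dport) for src, dst, proto, dport, _ in parse(text)
            if str(dst) == DB_SERVER and (proto, dport) not in REQUIRED]

def slammer_like_sources(text, fanout=FANOUT):
    """IPS view: 376-byte UDP/1434 senders that fan out or hit multicast/broadcast."""
    targets, odd = defaultdict(set), defaultdict(int)
    for src, dst, proto, dport, size in parse(text):
        if (proto, dport, size) == ("udp", SLAMMER_PORT, SLAMMER_LEN):
            targets[src].add(dst)
            odd[src] += dst.is_multicast or dst == BROADCAST
    return {src: (len(dsts), odd[src]) for src, dsts in targets.items()
            if len(dsts) >= fanout or odd[src]}

if __name__ == "__main__":
    print("ACL would drop:", acl_denied(SAMPLE_FLOWS))
    print("Slammer-like sources:", slammer_like_sources(SAMPLE_FLOWS))
```

The single inbound packet from 203.0.113.50 does not trip the fan-out heuristic but is dropped by the ACL, while the internal host 10.0.5.20 is caught only by the behavioural check, which is why the slides list both controls.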