Three Attack Vectors in SQL Server 2005

derek.colley (SSCrazy)
Comments posted to this topic are about the item Three Attack Vectors in SQL Server 2005

---

Note to developers:
CAST(SUBSTRING(CAST(FLOOR(NULLIF(ISNULL(COALESCE(1,NULL),NULL),NULL)) AS CHAR(1)),1,1) AS INT) == 1
So why complicate your code AND MAKE MY JOB HARDER??!

Want to get the best help? Click here http://www.sqlservercentral.com/articles/Best+Practices/61537/ (Jeff Moden)
My blog: http://uksqldba.blogspot.com
Visit http://www.DerekColley.co.uk to find out more about me.

Carlo Romagnano (SSCertifiable)
Good, very good article!
Thank you!
:-)

I run on tuttopodismo
Abrar Ahmad_ (SSC Eights!)
Good work,

But could we summarize/list the three attack vectors in bulleted form here?

Thank you

derek.colley (SSCrazy)
The article is a bit wordy...


1. Attempt access using DAC connection. (-m in the startup parameters). Works if BUILTIN\Administrators is a valid server login with the default sysadmin credentials and you are a member of it.

2. Attempt access by imitating the SQL service account group(s). If you have service account groups set up for e.g. application or Agent use, you can add yourself to these groups to hitch a ride into SQL Server then create yourself a new credential.

3. Lift n' shift the database .mdf files from one instance to another. Doing it this way means you'll lose much proprietary info such as logins, certificates etc. but if you're not using these features and are more concerned with data salvage, this will be your last option.

And finally, check the registry, web.config, text files on the server since often a password will be in plaintext. Particularly for modified CRM systems.


Hugo Kornelis (SSCoach)
derek.colley (3/7/2012):
3. Lift n' shift the database .mdf files from one instance to another. Doing it this way means you'll lose much proprietary info such as logins, certificates etc. but if you're not using these features and are more concerned with data salvage, this will be your last option.

For this third option, I'd like to add a word of warning. The deprecated sp_attach_single_file_db procedure, or its replacement, the FOR ATTACH_REBUILD_LOG option of the CREATE DATABASE statement, are mainly intended as a means of disaster recovery after losing a transaction log; they are not guaranteed to always work without data loss (especially if the database has not been shut down cleanly).

Obviously, when you are locked out of a server and the alternative to FOR ATTACH_REBUILD_LOG is simply losing the entire database, it is a good option to consider.


Hugo Kornelis, SQL Server MVP
Visit my SQL Server blog: http://sqlblog.com/blogs/hugo_kornelis
RichB (Hall of Fame)
While most of the article is quite sensible, and occasionally useful, I am somewhat concerned towards the end where it suddenly veers into general hacking advice... Surely the American authorities treat this type of posting as terrorism, or some equally disappearable crime?




Jeff Moden (SSC Guru)
I used to take exception to these types of articles. My thought was "Are you nuts? Why would you teach the world how to hack?"

After seeing what many people do with their systems, I'm actually glad to see these types of articles now because I no longer have to prove their systems are hackable. They can prove it themselves and take the proper corrective action.

The only problem now is that the same nearly careless attitude that caused their sloppy security to begin with will likely keep them from reading such articles. :-)

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
richardd (Hall of Fame)
You could also use single-user mode from the command-line, even if BUILTIN\Administrators is not in the sysadmin role:
http://dba.stackexchange.com/a/11302



derek.colley (SSCrazy)
@RichB - fair point, but there's a clear difference between a locksmith and a burglar - I definitely wear a white, not black, hat.

@Jeff Moden - Following on from above - it does prove that 2005 is hackable and I believe 2008/R2/2012 is immune from at least one of these approaches since BUILTIN\Administrators is not included as a default login at installation time. I had to implement these approaches when my employer took on a contract where the previous IT incumbent had left abruptly, not bothering to leave behind password lists, and the client didn't have these. In this case there was a legitimate reason for forced entry.


MiguelSQL (Say Hey Kid)
Hello,

Two things:
1- Restarting SQL in single-user mode (using the -m flag) will allow any person that is a member of the Windows Local Admin group to automatically be a SYSADMIN in SQL. This is valid for SQL2K5, SQL2K8 and SQL2K8R2 (haven't tested it on 2008).

2- Is the above a security gap? I don't think so, it's just a back door. Hopefully you have monitoring in place that will alert you if someone stops and restarts SQL, and auditing in place that will tell you who did such a thing.
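The thread names the exposures (BUILTIN\Administrators left in sysadmin, a single-user/-m restart letting local Windows admins in, Windows group logins that carry sysadmin, and MiguelSQL's point that the real control is monitoring and auditing of restarts and role changes) but shows no way to check for them. The T-SQL below is an added example, not code from the article or from anyone in this thread; it is a review script to run as sysadmin on your own instance. The catalog views, SERVERPROPERTY, sp_dropsrvrolemember and DROP LOGIN exist on SQL Server 2005; sys.dm_server_registry and sys.dm_server_services need 2008 R2 SP1 or later and SQL Server Audit needs 2008 or later (marked in comments). The audit object names and the error-log search text are assumptions of this example.

```sql
-- Added example (not from the thread): defender-side checks for the paths
-- discussed above. Run as sysadmin during a security review.

-- 1. Does BUILTIN\Administrators still exist as a login, and is it enabled?
--    (2005 setup created it with sysadmin; 2008 and later do not.)
SELECT name, type_desc, is_disabled, create_date
FROM   sys.server_principals
WHERE  name = N'BUILTIN\Administrators';

-- 2. Every Windows group that is a member of sysadmin. Each row is a
--    "hitch a ride" path: whoever administers that group in Windows can add
--    an account to it and inherit sysadmin with no SQL-side change at all.
SELECT m.name AS group_login, m.is_disabled
FROM   sys.server_role_members AS srm
JOIN   sys.server_principals  AS r ON r.principal_id = srm.role_principal_id
JOIN   sys.server_principals  AS m ON m.principal_id = srm.member_principal_id
WHERE  r.name = N'sysadmin'
  AND  m.type = 'G';          -- 'G' = Windows group

-- 3. Is the instance running in single-user mode right now? 1 means it was
--    started with -m, the state in which local Windows admins connect as sysadmin.
SELECT SERVERPROPERTY('IsSingleUser') AS is_single_user;

-- 4. (2008 R2 SP1+) Has -m or -f been left in the persisted start-up
--    parameters, so the next restart silently comes up single-user?
--    value_data is sql_variant, hence the CAST before LIKE.
SELECT value_name, value_data
FROM   sys.dm_server_registry
WHERE  registry_key LIKE N'%\MSSQLServer\Parameters'
  AND  (CAST(value_data AS nvarchar(4000)) LIKE N'-m%'
        OR CAST(value_data AS nvarchar(4000)) LIKE N'-f%');

-- 5. Look for single-user start-ups in the current and previous error log.
--    xp_readerrorlog is undocumented: (log number, 1 = SQL log, search text).
--    The search text assumes the usual start-up warning wording (assumption).
EXEC master.dbo.xp_readerrorlog 0, 1, N'single user mode';
EXEC master.dbo.xp_readerrorlog 1, 1, N'single user mode';

-- 6. (2008 R2 SP1+) Which accounts run the services? Compare with check 2:
--    a service-account group that is also in sysadmin is the "imitate the
--    service account group" path from the list above.
SELECT servicename, service_account, startup_type_desc
FROM   sys.dm_server_services;

-- 7. (2008+) Write every server role membership change, server principal
--    change and service state change to the Windows Application log, so a
--    stop/restart into single-user mode or a new sysadmin reaches monitoring.
--    "sysadmin_watch" / "sysadmin_watch_spec" are names chosen for this example.
CREATE SERVER AUDIT sysadmin_watch TO APPLICATION_LOG
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT sysadmin_watch WITH (STATE = ON);
CREATE SERVER AUDIT SPECIFICATION sysadmin_watch_spec
FOR SERVER AUDIT sysadmin_watch
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_STATE_CHANGE_GROUP)
WITH (STATE = ON);

-- 8. Remediation on 2005 (left commented out): first create and test a named,
--    non-group sysadmin login, then remove the group-based one.
-- EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
-- DROP LOGIN [BUILTIN\Administrators];
```

Checks 1 to 3 answer derek.colley's first vector directly; check 2 together with check 6 answers the second (a service-account group in sysadmin is exactly the group an attacker would need to join); checks 4, 5 and 7 give the restart visibility MiguelSQL describes. Run step 8 only once a tested, dedicated administrative login exists, since removing the group login on an instance with no other sysadmin recreates the lock-out the article is about.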