Three Attack Vectors in SQL Server 2005

derek.colley
Hall of Fame (4K reputation)
Group: General Forum Members
Points: 3970 Visits: 603
Comments posted to this topic are about the item Three Attack Vectors in SQL Server 2005

---

Note to developers:
CAST(SUBSTRING(CAST(FLOOR(NULLIF(ISNULL(COALESCE(1,NULL),NULL),NULL)) AS CHAR(1)),1,1) AS INT) == 1
So why complicate your code AND MAKE MY JOB HARDER??!

Want to get the best help? Click here http://www.sqlservercentral.com/articles/Best+Practices/61537/ (Jeff Moden)
My blog: http://uksqldba.blogspot.com
Visit http://www.DerekColley.co.uk to find out more about me.

Carlo Romagnano
SSChampion (10K reputation)
Group: General Forum Members
Points: 10884 Visits: 3476
Good, very good article!
Thank you!
:-)
Abrar Ahmad_
SSCommitted (1.7K reputation)
Group: General Forum Members
Points: 1712 Visits: 1325
Good work,

But could we summarize/list the three attack vectors in bulleted form here?

Thank you

derek.colley
Hall of Fame (4K reputation)
Group: General Forum Members
Points: 3970 Visits: 603
The article is a bit wordy...


1. Attempt access using a DAC connection (-m in the startup parameters). Works if BUILTIN\Administrators is a valid server login with the default sysadmin credentials and you are a member of it.

2. Attempt access by imitating the SQL service account group(s). If you have service account groups set up for, e.g., application or Agent use, you can add yourself to these groups to hitch a ride into SQL Server, then create yourself a new credential.

3. Lift n' shift the database .mdf files from one instance to another. Doing it this way means you'll lose much proprietary info such as logins, certificates, etc., but if you're not using these features and are more concerned with data salvage, this will be your last option.

And finally, check the registry, web.config and text files on the server, since often a password will be in plaintext, particularly for modified CRM systems.

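As an added defender-side check (not code from the thread or its article), the T-SQL below audits the preconditions the first two vectors depend on and lists the data-file paths relevant to the third. It assumes a login that can read server metadata; the remediation statements are left commented out so the script only reports.

```sql
-- Added example (not from the thread): audit the preconditions behind
-- vectors 1 and 2 on SQL Server 2005 and later. Read-only as written.

-- Vector 1 precondition: BUILTIN\Administrators exists as a login and
-- holds sysadmin (the SQL Server 2005 installation default).
SELECT sp.name, sp.type_desc, sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM   sys.server_principals AS sp
WHERE  sp.name = N'BUILTIN\Administrators';

-- Vector 2 precondition: any Windows *group* login that is in sysadmin.
-- Anyone who can edit the group's membership inherits that role.
SELECT sp.name AS group_login, sp.create_date
FROM   sys.server_principals AS sp
WHERE  sp.type = 'G'                        -- 'G' = Windows group
  AND  IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- Resolve the members of a flagged group so the list can be compared
-- against the expected service accounts (needs rights to query the
-- local SAM or domain).
EXEC master..xp_logininfo @acctname = N'BUILTIN\Administrators',
                         @option   = 'members';

-- Remediation for vector 1, once a named DBA login or dedicated DBA
-- group has been granted sysadmin. Uncomment deliberately:
-- EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
-- DROP LOGIN [BUILTIN\Administrators];

-- Vector 3 precondition: where the .mdf/.ldf files live. Verify the NTFS
-- ACLs on these paths grant access only to the SQL Server service
-- account, not to Local Administrators through inheritance.
SELECT DB_NAME(database_id) AS db, physical_name
FROM   sys.master_files
ORDER  BY database_id;
```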

Hugo Kornelis
One Orange Chip (29K reputation)
Group: General Forum Members
Points: 29592 Visits: 12831
derek.colley (3/7/2012) wrote:
    3. Lift n' shift the database .mdf files from one instance to another. Doing it this way means you'll lose much proprietary info such as logins, certificates etc. but if you're not using these features and are more concerned with data salvage, this will be your last option.

For this third option, I'd like to add a word of warning. The deprecated sp_attach_single_file_db procedure, or its replacement, the FOR ATTACH_REBUILD_LOG option of the CREATE DATABASE statement, are mainly intended as a means of disaster recovery after losing a transaction log; they are not guaranteed to always work without data loss (especially if the database has not been shut down cleanly).

Obviously, when you are locked out of a server and the alternative to FOR ATTACH_REBUILD_LOG is simply losing the entire database, it is a good option to consider.


Hugo Kornelis, SQL Server MVP
Visit my SQL Server blog: http://sqlblog.com/blogs/hugo_kornelis
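Following Hugo's warning, an added example (not from the thread) of the recovery-side use of FOR ATTACH_REBUILD_LOG with the integrity check that should follow it before the salvaged copy is trusted. The file path C:\Recovered\Sales.mdf and the database name Sales_Recovered are constructed placeholders.

```sql
-- Added example (not from the thread): attach a data file whose log is
-- lost, then verify the result. Path and name are constructed placeholders.
CREATE DATABASE Sales_Recovered
    ON (FILENAME = N'C:\Recovered\Sales.mdf')
    FOR ATTACH_REBUILD_LOG;
GO
-- ATTACH_REBUILD_LOG creates a fresh log; anything that was in the old
-- log and not yet in the data file is gone, and the attach may fail
-- outright if the database was not shut down cleanly. Confirm the
-- database came online first.
SELECT name, state_desc, recovery_model_desc
FROM   sys.databases
WHERE  name = N'Sales_Recovered';
GO
-- Then check physical and logical consistency before anyone queries it.
DBCC CHECKDB (N'Sales_Recovered') WITH NO_INFOMSGS, ALL_ERRORMSGS;
GO
-- If CHECKDB reports errors, back the copy up as-is and salvage table by
-- table; do not reach for REPAIR_ALLOW_DATA_LOSS without understanding
-- what it will discard.
```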
RichB
SSCertifiable (5.1K reputation)
Group: General Forum Members
Points: 5060 Visits: 1085
While most of the article is quite sensible, and occasionally useful, I am somewhat concerned towards the end where it suddenly veers into general hacking advice... Surely the American authorities treat this type of posting as terrorism, or some equally disappearable crime?

Jeff Moden
SSC Guru (424K reputation)
Group: General Forum Members
Points: 424053 Visits: 43407
I used to take exception to these types of articles. My thought was "Are you nuts? Why would you teach the world how to hack?"

After seeing what many people do with their systems, I'm actually glad to see these types of articles now because I no longer have to prove their systems are hackable. They can prove it themselves and take the proper corrective action.

The only problem now is that the same nearly careless attitude that caused their sloppy security to begin with will likely keep them from reading such articles. :-)

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think its expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
richardd
Hall of Fame (3.4K reputation)
Group: General Forum Members
Points: 3354 Visits: 648
You could also use single-user mode from the command-line, even if BUILTIN\Administrators is not in the sysadmin role:
http://dba.stackexchange.com/a/11302



derek.colley
Hall of Fame (4K reputation)
Group: General Forum Members
Points: 3970 Visits: 603
@RichB - fair point, but there's a clear difference between a locksmith and a burglar - I definitely wear a white, not black, hat.

@Jeff Moden - Following on from above - it does prove that 2005 is hackable and I believe 2008/R2/2012 is immune from at least one of these approaches since BUILTIN\Administrators is not included as a default login at installation time. I had to implement these approaches when my employer took on a contract where the previous IT incumbent had left abruptly, not bothering to leave behind password lists, and the client didn't have these. In this case there was a legitimate reason for forced entry.


MiguelSQL
Ten Centuries (1.3K reputation)
Group: General Forum Members
Points: 1309 Visits: 1187
Hello,

Two things:
1- Restarting SQL in single-user mode (using the -m flag) will allow any person that is a member of the Windows Local Admin group to automatically be a SYSADMIN in SQL; this is valid for SQL2K5, SQL2K8 and SQL2K8R2 (haven't tested it on 2008).

2- Is the above a security gap? I don't think so, it's just a back door. Hopefully you have monitoring in place that will alert you if someone stops and restarts SQL, and auditing in place that will tell you who did such a thing.
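The monitoring MiguelSQL describes can be done from inside the instance. Below is an added example (not from the thread) of the checks a scheduled job could run: whether the instance is currently in single-user mode, when it last started, and who has connected since. It assumes the job's login holds VIEW SERVER STATE; the 60-minute window is an assumed alert threshold.

```sql
-- Added example (not from the thread): restart and single-user-mode
-- detection that works on SQL Server 2005 and later.

-- 1. Is the instance running in single-user mode (started with -m)?
--    0 is normal; 1 should page someone unless a change is scheduled.
SELECT SERVERPROPERTY('IsSingleUser') AS is_single_user;

-- 2. Instance start time. tempdb is recreated on every start, so its
--    create_date is the start time; this avoids sys.dm_os_sys_info's
--    sqlserver_start_time column, which 2005 does not have.
SELECT create_date AS instance_start_time,
       DATEDIFF(MINUTE, create_date, GETDATE()) AS minutes_since_start
FROM   sys.databases
WHERE  name = N'tempdb';

-- 3. Raise an alert if the restart happened recently (assumed 60-minute
--    threshold); an Agent job or external poller can act on this error.
IF EXISTS (SELECT 1
           FROM   sys.databases
           WHERE  name = N'tempdb'
             AND  create_date > DATEADD(MINUTE, -60, GETDATE()))
    RAISERROR('SQL Server instance restarted within the last 60 minutes', 16, 1);

-- 4. Who connected after the restart, in login order. Pair this with the
--    Windows System event log (Service Control Manager event ID 7036 for
--    service stop/start) to attribute the restart to an account.
SELECT session_id, login_name, host_name, program_name, login_time
FROM   sys.dm_exec_sessions
WHERE  is_user_process = 1
ORDER  BY login_time;
```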