Finding DOS Attacks

SQL-UDP

The Slammer worm made use of this SQL-UDP bug. The NGS advisory on it can be found at www.nextgenss.com/advisories/mssql-udp.txt.

In the course of a consultancy engagement for a client, NGS was asked by the client to look at the different protocols supported by SQL Server, because they formed a point of concern for the client. Specifically, the client had seen UDP traffic flying around the network and was aware of the possibility of forged UDP packets. The client was concerned about the security implications of this strange UDP-based protocol and wanted to clearly establish whether he should block this traffic within the networks or not. The team began to examine the protocol.

Based on information published by Chip Andrews relating to his splendid tool sqlping, the team was aware that by sending a single-byte UDP packet containing the byte 0x02, the targeted SQL Server would respond with details of the protocols that would be used to connect to the various instances of SQL Server running on the host.

The obvious place to start was, therefore, looking at what other leading bytes in the packet did (0x00, 0x01, 0x03, and so on). The team instrumented various instances of SQL Server with FileMon, RegMon, debuggers, and so forth and started making requests.

David noticed (via RegMon) that when the first byte of the UDP packet was 0x04, SQL Server attempted to open a registry key of the form:

HKLM\Software\Microsoft\Microsoft SQL Server\<contents_of_packet>\MSSQLServer\CurrentVersion

The next thing to do was clearly to append a large number of bytes to the packet. Sure enough, SQL Server fell over with a vanilla stack overflow.

At this point it was pretty clear that the client should really think about blocking UDP 1434 throughout the network. The team continued, the investigation thus far having taken about five minutes.

Several other leading bytes exhibited interesting behaviors. 0x08 triggered a heap overflow when the lead byte was followed by a long string, colon, and then a number. 0x0a caused the SQL Server to reply with a packet containing the single byte 0x0a; therefore, you could easily set up a network utilization denial of service by forging the source address of one SQL Server and sending a packet with a 0x0a in it to another SQL Server.
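As an added example (not the book's own code), the lead-byte behaviours described above turned into detection logic for captured UDP/1434 datagrams, the kind of check a monitoring rule for this port would make. The length threshold and the sample datagrams are assumptions constructed for illustration; the book gives no sizes.

```python
import re

# Assumed threshold for "suspiciously long" data after the lead byte.
# The book gives no number, so tune this for your environment.
MAX_SANE_LEN = 64


def classify_ssrp(payload: bytes) -> str:
    """Classify one UDP/1434 datagram by the lead-byte cases described above."""
    if not payload:
        return "empty"
    lead, rest = payload[0], payload[1:]
    if lead == 0x02:
        # sqlping-style discovery request: normally a single byte.
        return "ping" if not rest else "ping-with-trailing-data"
    if lead == 0x04:
        # Remainder is spliced into a registry key path; a long value
        # overflowed a stack buffer in the affected builds.
        return "version-probe-overlong" if len(rest) > MAX_SANE_LEN else "version-probe"
    if lead == 0x08:
        # Described heap-overflow shape: long string, colon, number.
        if re.fullmatch(rb"[^:]+:\d+", rest) and len(rest) > MAX_SANE_LEN:
            return "heap-pattern-overlong"
        return "type-0x08"
    if lead == 0x0a:
        # Server echoes 0x0a back, so a spoofed source can bounce traffic.
        return "reflection-candidate"
    return f"other-0x{lead:02x}"


def alerts(datagrams):
    """datagrams: iterable of ((src_ip, src_port), (dst_ip, dst_port), payload).
    Returns alert strings for the verdicts a defender would act on."""
    out = []
    for src, dst, payload in datagrams:
        verdict = classify_ssrp(payload)
        if verdict.endswith("overlong"):
            out.append(f"{src[0]}:{src[1]}->{dst[0]}:{dst[1]}: {verdict}")
        elif verdict == "reflection-candidate" and src[1] == 1434 and dst[1] == 1434:
            # 0x0a travelling server-to-server on 1434 is the ping-pong DoS.
            out.append(f"{src[0]}:{src[1]}->{dst[0]}:{dst[1]}: ssrp-reflection-loop")
    return out


# Constructed sample capture (not real traffic).
SAMPLES = [
    (("10.0.0.5", 50000), ("10.0.0.10", 1434), b"\x02"),
    (("10.0.0.5", 50000), ("10.0.0.10", 1434), b"\x04MSSQLSERVER"),
    (("10.0.0.5", 50000), ("10.0.0.10", 1434), b"\x04" + b"A" * 200),
    (("10.0.0.5", 50000), ("10.0.0.10", 1434), b"\x08" + b"B" * 100 + b":80"),
    (("10.0.0.11", 1434), ("10.0.0.10", 1434), b"\x0a"),
]

if __name__ == "__main__":
    for line in alerts(SAMPLES):
        print(line)
```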



The Shellcoder's Handbook. Discovering and Exploiting Security