Microsoft SQL Injection Security Advisory

Microsoft has released a security advisory in response to the rapid increase in SQL injection attacks that have happened lately. This advisory was released to assist Web site administrators in identifying SQL injection issues within their Web application code, and to provide temporary solutions to mitigate SQL injection attacks against the server. The full advisory can be found at http://www.microsoft.com/technet/security/advisory/954462.mspx

It’s good to see Microsoft release such an advisory with explicit details on how to mitigate current issues and avoid SQL injection in the future. We have seen too many applications vulnerable to SQL injection, no matter if they’re ASP, PHP, Perl, Ruby or anything else. If you’re an ASP developer be sure to read this advisory and implement the listed strategies when coding, if you haven’t already.

CA ARCserve DoS, Multiple CMS Vulns

Computer Associates ARCserve Backup 12.0.5454.0 and earlier can be Denial of Serviced by sending a specially crafted packet to port 41523. For more specific information please see CVE-2008-1979.

Several Content Management Systems are vulnerable to Remote File Inclusion (RFI) and SQL injection. As Adam said in a previous post, it appears that application developers are still not embracing the proper coding procedures that allow for these exploits to be developed. If you are an admin of a CMS please make sure that your application is tested regulary for any injection vulnerabilities.

SQL Worms Continue to Raise Their Ugly Heads

For the last few weeks I have been watching old versions of SQL attacks, worms and probes continue to circulate around the Internet. For a year or so now, I have continued to be fascinated by the life span of old attacks and worms. I have written a couple of articles about how our HoneyPoints continue to capture both NIMDA and Code Red worm traffic.

The thing about these SQL worms is that their traffic is so large, even today. According to popular sources like ATLAS, they represent nearly 70% of all malicious traffic on the Internet today. 70% is a large number, especially for vulnerabilities that date back to 2002. Here we are more than 5 years later and these threats are still propagating!

Port UDP/1434 is still the most commonly threatened port according to ATLAS, which I find hard to believe. Our HoneyPoint experience shows that ports 25 and 80 are the most frequently attacked, unless you add in the myriad of Windows RPC noise you get on the Windows SMB and RPC ports. Maybe ATLAS does not include spam or PHP probes in their attack statistics?

While I am unsure of the frequency of global 1434 attacks, it is very true that the traffic is still around. Our HoneyPoints often detect Slammer worm activity and illicit SQL probes from the Internet. These probes originate from all around the world and no particular region seems to emerge as the most common, though we should study these frequency statistics more deeply when time allows.

But what of targets? How many SQL server instances are still exposed to the raw Internet? Our assessment technicians say they almost never run into one in corporate environments today. I suppose that they still exist in more than a few cable modem or other systems without proper firewalls, but certainly the availability of SQL services to the raw Internet has to have dwindled to almost none. If that is true, then why all the scanning activity?

I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common bot-net infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank “sa” passwords and other age old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive.

In either case, significant efforts should be made to reduce or eliminate these older vulnerabilities and to remove them from our current threats that we face today. So long as we have this noisy attack traffic from the past circulating, it makes it even harder for us to focus on emerging threats and risks that affect our Internet facing systems today. It is simply one more set of alerts, log entries and intrusion deception emails to sort through…

SQL Worm, MBR Rootkit

There is a SQL “worm” spreading through the internet taking advantage of sites vulnerable to SQL injection attacks. The attack injects javascript in to all fields in the database that attempts to exploit browser flaws on clients that visit the infected website.  Web developers should be aware of the increasing attacks using input validation errors as their attack vector.

We have received word of a working MBR rootkit that works on modern systems. Not a new concept, but one that hasn’t had attention for several years. Windows Vista allows users to edit the MBR from userland.  A MBR rootkit has been discovered in the wild at the end of 2007. Keep an eye on this for more information coming in the future.