1. IN THE NAME OF GOD
Top 10 database attacks
MB Bahador

2. TOP 10 DATABASE ATTACKS
1. Excessive privileges
2. Privilege abuse
3. Unauthorized privilege elevation
4. Platform vulnerabilities
5. SQL injection
6. Weak audit
7. Denial of service
8. Database protocol vulnerabilities
9. Weak authentication
10.Exposure of backup data

3. PLATFORM VULNERABILITIES
Vulnerabilities in underlying operating
systems may lead to unauthorized data
access.

4. PLATFORM VULNERABILITIES
Vulnerabilities in underlying operating systems
(Windows 2000, UNIX, etc.) and additional services
installed on a database server may lead to
unauthorized access, data corruption, or denial of
service.

5. PLATFORM VULNERABILITIES
Slammer worm on Windows machines
running MS SQL Server

6. PLATFORM VULNERABILITIES
 Aliases: SQL Slammer,
W32.SQLExp.Worm
 Released: January 25, 2003, at
about 5:30 a.m. (GMT)
 Fastest worm in history
 Spread world-wide in under 10 minutes
 Doubled infections every 8.5 seconds
 376 bytes long

7. PLATFORM VULNERABILITIES
 Platform:Microsoft SQL Server 2000
 Vulnerability: Buffer overflow
 Patch available for 6 months
 Propagation: Single UDP packet

8. PLATFORM VULNERABILITIES
 Infected between 75,000 and 160,000
systems
 Disabled SQL Server databases on infected
machines
 Saturated world networks with traffic
 Disrupted Internet connectivity world-wide

9. PLATFORM VULNERABILITIES
 Disrupted financial institutions
 Airline delays and cancellations
 Affected many U.S. government and
commercial websites

10. PLATFORM VULNERABILITIES
 13,000 Bank of America ATMs stopped
working
 Continental Airlines flights were cancelled
and delayed; ticketing system was
inundated with traffic. Airport self-check-in
kiosks stopped working
 Activated Cisco router bugs at Internet
backbones

11. PLATFORM VULNERABILITIES
 Single UDP packet
 Targets port 1434 (Microsoft-SQL-Monitor)
 Causes buffer overflow
 Continuously sends itself via UDP packets to
pseudo-random IP addresses, including broadcast
and multicast addresses
 Does not check whether target machines exist

12. PLATFORM VULNERABILITIES

13. PLATFORM VULNERABILITIES

14. PLATFORM VULNERABILITIES

15. PLATFORM VULNERABILITIES

16. PLATFORM VULNERABILITIES

17. PLATFORM VULNERABILITIES
 Reconstructs session from buffer overflow
 Obtains (and verifies!) Windows API
function addresses
 Initializes pseudo-random number
generator and socket structures
 Continuously generates random IP
addresses and sends UDP data-grams of
itself

18. Reconstruct
session
Get
Windows
API
addresses
Initialize
PRNG and
socket
Send
Packets
Buffer
Overflow

19. PLATFORM VULNERABILITIES
The Blaster worm took advantage of a Windows
2000 vulnerability to take down target
servers.(create denial of service conditions)

20. PLATFORM VULNERABILITIES
 Also known as Lovsan, Poza, Blaster.
 First detected on August 11, 2003
 Exploits the most widespread Windows flaw ever
 A vulnerability in Distributed Component Object
Model (DCOM) that handles communication using
Remote Procedure Call (RPC) protocol

21. PLATFORM VULNERABILITIES
 Affects Windows 2000 and Windows XP
 Two messages in the code:
1. “I just want to say LOVE YOU SAN!””
2. “billy gates why do you make this possible? Stop
making money and fix your software!!”
 Infected more than 100,000 computers in 24 hours

22. PLATFORM VULNERABILITIES
 Detected in mid-July 2003
 RPC protocol allow a program to run code
on a remote machine
 Incorrectly handles malformed messages on
RPC port 135, 139, 445, 593
 Attackers send special message to remote
host
 Gain local privilege, run malicious code

23. PLATFORM VULNERABILITIES
Vulnerability Scorecard Report
Published: March 2011
This study leverages data from the National
Vulnerability Database (NVD), the industry
standard source of security vulnerability
data.

33. PLATFORM VULNERABILITIES
Consequence
 Server is compromised
 Direct access to database files
 Local access through admin roles
 Install backdoors

34. PLATFORM VULNERABILITIES
Mitigation
 Network ACLs: Simple FW to allow access only to
required services
 Network IPS: Traditional detection of known
vulnerabilities
IPS tools are a good way to identify and/or block attacks
designed to exploit known database platform vulnerabilities.

35. REFERENCE
 eEye Digital Security.
http://www.eeye.com/html/Research/Flash/sapphire.txt
 Cooperative Association for Internet Data Analysis
(CAIDA)
http://www.caida.org/outreach/papers/2003/sapphire/sapphi
re.html
 Internet Storm Center.
http://isc.incidents.org/analysis.html?id=180