data base attack
IN THE NAME OF GOD
Top 10 database attacks
MB Bahador
TOP 10 DATABASE ATTACKS
1. Excessive privileges
2. Privilege abuse
3. Unauthorized privilege elevation
4. Platform vulnerabilities
5. SQL injection
6. Weak audit
7. Denial of service
8. Database protocol vulnerabilities
9. Weak authentication
10. Exposure of backup data
PLATFORM VULNERABILITIES
Vulnerabilities in underlying operating systems may lead to unauthorized data access.
Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service.
Slammer worm on Windows machines running MS SQL Server
Aliases: SQL Slammer, W32.SQLExp.Worm
Released: January 25, 2003, at about 5:30 a.m. (GMT)
Fastest worm in history
Spread world-wide in under 10 minutes
Doubled infections every 8.5 seconds
376 bytes long
Platform: Microsoft SQL Server 2000
Vulnerability: Buffer overflow
Patch available for 6 months
Propagation: Single UDP packet
Infected between 75,000 and 160,000 systems
Disabled SQL Server databases on infected machines
Saturated world networks with traffic
Disrupted Internet connectivity world-wide
Disrupted financial institutions
Airline delays and cancellations
Affected many U.S. government and commercial websites
13,000 Bank of America ATMs stopped working
Continental Airlines flights were cancelled and delayed; ticketing system was inundated with traffic. Airport self-check-in kiosks stopped working
Activated Cisco router bugs at Internet backbones
Single UDP packet
Targets port 1434 (Microsoft-SQL-Monitor)
Causes buffer overflow
Continuously sends itself via UDP packets to pseudo-random IP addresses, including broadcast and multicast addresses
Does not check whether target machines exist
Reconstructs session from buffer overflow
Obtains (and verifies!) Windows API function addresses
Initializes pseudo-random number generator and socket structures
Continuously generates random IP addresses and sends UDP datagrams of itself
[Diagram: Buffer Overflow, Reconstruct session, Get Windows API addresses, Initialize PRNG and socket, Send Packets]
The Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers (create denial of service conditions).
Also known as Lovsan, Poza, Blaster.
First detected on August 11, 2003
Exploits the most widespread Windows flaw ever
A vulnerability in Distributed Component Object Model (DCOM) that handles communication using Remote Procedure Call (RPC) protocol
Affects Windows 2000 and Windows XP
Two messages in the code:
1. “I just want to say LOVE YOU SAN!”
2. “billy gates why do you make this possible? Stop making money and fix your software!!”
Infected more than 100,000 computers in 24 hours
Detected in mid-July 2003
RPC protocol allows a program to run code on a remote machine
Incorrectly handles malformed messages on RPC ports 135, 139, 445, 593
Attackers send special message to remote host
Gain local privilege, run malicious code
Vulnerability Scorecard Report
Published: March 2011
This study leverages data from the National Vulnerability Database (NVD), the industry standard source of security vulnerability data.
Consequence
Server is compromised
Direct access to database files
Local access through admin roles
Install backdoors
Mitigation
Network ACLs: Simple FW to allow access only to required services
Network IPS: Traditional detection of known vulnerabilities
IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.
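The Slammer traits listed on the slides (UDP to port 1434, 376 bytes, pseudo-random destinations including broadcast and multicast) are enough for a simple network detection rule. The following is an added example, not part of the original presentation; the flow-record layout, the thresholds and all sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SQL_MONITOR_PORT = 1434   # UDP port named on the slides
WORM_LEN = 376            # worm length from the slides; assumed here to equal the UDP payload size
FANOUT_THRESHOLD = 5      # assumption: distinct destinations per window before alerting
WINDOW_SECONDS = 1.0      # assumption: sliding window length

# Constructed sample flow records: (timestamp, src, dst, proto, dst_port, payload_len)
SAMPLE_FLOWS = [
    (0.00, "10.0.0.5", "198.51.100.7", "udp", 1434, 376),
    (0.05, "10.0.0.5", "203.0.113.44", "udp", 1434, 376),
    (0.10, "10.0.0.5", "224.0.0.9", "udp", 1434, 376),
    (0.15, "10.0.0.5", "192.0.2.130", "udp", 1434, 376),
    (0.20, "10.0.0.5", "255.255.255.255", "udp", 1434, 376),
    (0.25, "10.0.0.5", "198.51.100.201", "udp", 1434, 376),
    (0.30, "10.0.0.8", "10.0.0.20", "udp", 1434, 1),    # single client query to one server
    (0.40, "10.0.0.8", "10.0.0.20", "tcp", 1433, 120),  # ordinary SQL session
]

def is_non_unicast(addr):
    """True for multicast or limited-broadcast destinations."""
    ip = ipaddress.ip_address(addr)
    return ip.is_multicast or ip == ipaddress.ip_address("255.255.255.255")

def detect_scanners(flows):
    """Return {src: summary} for sources whose UDP/1434 fan-out reaches the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, plen in flows:
        if proto == "udp" and dport == SQL_MONITOR_PORT:
            per_src[src].append((ts, dst, plen))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW_SECONDS.
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            dsts = {d for _, d, _ in events[start:end + 1]}
            if len(dsts) > len(best):
                best = dsts
        if len(best) >= FANOUT_THRESHOLD:
            alerts[src] = {
                "distinct_dsts": len(best),
                "non_unicast": sum(is_non_unicast(d) for d in best),
                "worm_sized": sum(1 for _, _, p in events if p == WORM_LEN),
            }
    return alerts
```

A host that trips this rule is a candidate for isolation, while the network ACL from the mitigation slide keeps UDP 1434 from being reachable outside the hosts that need it.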