Tuesday, December 12, 2006

You have a pointer on your blog to an SQL Injection attack that returns a CMD prompt. I thought SQL Injection allowed adding records to SQL databases?

Good observation. Actually both descriptions of SQL Injections are correct and both can be dangerous. SQL Injection just means that someone gained un-authorized access to send data to your SQL server. The impact being a victim of an SQL Injection attack are usually one of at least the following three things:
As you mentioned, writing invalid data to the database. This can be a HUGE problem if you are using your database for commercial purposes. This may allow a user to fool you into thinking that you need to write them a check. It can fool you into shipping product that you think is paid for to whatever location the attackers wants you to ship. An attacker can just change the ship to addresses fooling your system into shipping paid-for-goods to the wrong location.. Essentially anything in the database can be manipulated to the attackers advantage.
In the demo on my blog, it shows data injected into a database that takes advantage of a vulnerability. The payload they use to exploit the vulnerability returns in a command prompt to the attacker from the system which contains your SQL server. In this case it’s “Game Over”, they have full access to you system.
Another possible use of SQL Injection is for an attacker to take advantage of vulnerabilities on your SQL server and send a crafted packet that will crash your server essentially causing a directed denial of service attack. Then of course if you read my CS-MARS book you know you MAY get the ransom letter saying if you pay a certain amount of money the DoS attacks will stop.

To mitigate SQL injection there are a few things you can do.
Ensure that your database applications are written to enforce rules that ensure data cannot be injected into a single database structure without validating the input against other structures.
Keep your OS and SQL server software up to date by applying current security and software patches. I know some folks are threatened by this because they like to test before they apply patches - see the next step which will protect you while you are doing tests and certifying patches.
Install a good Host Intrusion Prevention system. This will protect you from buffer overflows and code executed off of the stack. If you have this in place, you are protected pretty well against CMD access until you have a chance to verify and install emergency updates and security hot fixes..
Install IPS which has sigs to prevent attacks against know vulnerabilities. Also keep your signatures files up to date at all times!!!

Just and word of warning. I don’t like being a FUD monger, but if you get to the point where you are in a ransom situation, it can be very costly not just in terms of the money being extorted. The criminal can also hurt the integrity of your company which may be far worse then the immediate monetary loss. TAKE STEPS TO PROTECT YOURSELF!!!

No comments:

With Great Power Comes Great Responsibility....raise the bar

With Great Power Comes Great Responsibility....raise the bar
Get Secure