The source code of the worm that caused this network outage is out
Posted on 2003-1-26 12:56:47
Subject: SQL Sapphire Worm Analysis
Marc Maiffret <[email protected]>

SQL Sapphire Worm Analysis

Release Date:
1/25/03

Severity:
High

Systems Affected:
Microsoft SQL Server 2000 pre SP 2

Description:
Late Friday, January 24, 2003 we became aware of a new SQL worm spreading
quickly across various networks around the world.

The worm is spreading using a buffer overflow to exploit a flaw in Microsoft
SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by
Next Generation Security Software Ltd. The buffer overflow exists because of
the way SQL improperly handles data sent to its Microsoft SQL Monitor port.
Attackers leveraging this vulnerability will be executing their code as
SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges.

The worm works by generating pseudo-random IP addresses to try to infect
with its payload. The worm payload does not contain any additional
malicious content (in the form of backdoors etc.); however, because of the
nature of the worm and the speed at which it attempts to re-infect systems,
it can potentially create a denial-of-service attack against infected
networks.

We have been able to verify that multiple points of connectivity on the
Internet have been bogged down since 9pm Pacific Standard Time.

It should be noted that this worm is not the same as an earlier SQL worm
that used the SA/nopassword SQL vulnerability as its spread vector. This
new worm is more devastating, as it is taking advantage of a
software-specific flaw rather than a configuration error. We have already
had many reports of smaller networks brought down due to the flood of data
from the Sapphire Worm trying to re-infect new systems.

Corrective Action
We recommend that people immediately firewall SQL service ports at all of
their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to
spread itself to a new system; however, it is safe practice to filter all
SQL traffic at all gateways. The following is a list of SQL server ports:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor

Once again this worm is taking advantage of a known vulnerability that has
had a patch available for many months. Microsoft has also released a recent
service pack for SQL (Service Pack 3) that includes a fix for this
vulnerability.

Standalone patch:
http://www.microsoft.com/technet ... =/technet/security/
bulletin/MS02-039.asp

SQL 2000 Service Pack 3:
http://www.microsoft.com/sql/downloads/2000/sp3.asp

Previous SQL Service Pack versions are vulnerable.

Technical Description

The following is a quick run-down of what the worm's payload is doing after
infection:
1. Retrieves the addresses of GetProcAddress and LoadLibrary from the IAT in
sqlsort.dll, and uses them to obtain the necessary library base addresses
and function entry points as needed.
2. Calls GetTickCount and uses the returned count as a pseudo-random seed.
3. Creates a UDP socket.
4. Runs a simple pseudo-random number generation formula, seeded with the
GetTickCount value, to generate an IP address that will later be used as
the target.
5. Sends the worm payload in a SQL Server Resolution Service request to the
pseudo-random target address on port 1434 (UDP).
6. Returns to the formula and continues generating new pseudo-random
addresses.
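The behaviour described above (one infected host spraying UDP/1434 datagrams at pseudo-random addresses) gives defenders a simple network-side indicator that complements the gateway filtering recommended under Corrective Action. The following is an added example, not code from the advisory or from eEye: a sliding-window detector that flags any source sending UDP/1434 to many distinct destinations in a short time, run over constructed connection-log lines in an assumed format. The window length and threshold are assumptions to be tuned per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SQL_MONITOR_PORT = 1434      # UDP port the advisory says the worm spreads on
WINDOW_SECONDS = 10          # sliding window length (assumption; tune per site)
DISTINCT_DST_THRESHOLD = 20  # distinct UDP/1434 destinations per window (assumption)

def parse_line(line):
    """Parse one constructed log line of the assumed form
    '<ISO time> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto.upper(), src_ip, dst_ip, int(dport)

def find_spraying_hosts(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: peak distinct UDP/1434 destinations in any window} for
    sources at or above the threshold. Repeated packets to a single SQL server
    and TCP/1433 client sessions do not count: the worm's tell is many distinct
    pseudo-random destinations, not volume to one host."""
    per_src = defaultdict(list)
    for line in lines:
        ts, proto, src_ip, dst_ip, dport = parse_line(line)
        if proto == "UDP" and dport == SQL_MONITOR_PORT:
            per_src[src_ip].append((ts, dst_ip))
    flagged = {}
    for src_ip, events in per_src.items():
        events.sort()
        in_window, start, peak = defaultdict(int), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than the window before measuring its width.
            while (ts - events[start][0]).total_seconds() > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src_ip] = peak
    return flagged

def build_sample_log():
    """Constructed traffic: 10.0.0.5 sprays UDP/1434 at 30 distinct addresses
    within 3 seconds (worm-like); 10.0.0.9 polls one SQL server over UDP/1434
    and holds a TCP/1433 session (benign)."""
    t0, lines = datetime(2003, 1, 25, 5, 30, 0), []
    for i in range(30):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} UDP 10.0.0.5:1434 -> {(37*i+11)%223+1}.{(91*i+7)%256}.{(13*i)%256}.{(29*i+3)%254+1}:1434")
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} UDP 10.0.0.9:4000 -> 10.0.1.20:1434")
        lines.append(f"{ts} TCP 10.0.0.9:4001 -> 10.0.1.20:1433")
    return lines
```

On the constructed sample, only 10.0.0.5 is reported; a hit on a real network is a host to isolate and patch, not proof of compromise on its own.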