Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers

There's been a lot of noise and violent thrashing over the last couple of days regarding what was originally believed to be a flaw in Microsoft's IIS (Internet Information Server), but has since been pointed out to be simply a well-thought-out SQL Injection attack.

For those of you who aren't familiar with SQL Injection attacks, it's a pretty well-known web application attack vector that turns up in high volume in dynamic applications, for instance on your banking site. SQL Injection allows an attacker to subvert the logic of the currently running SQL query in order to interact with data more interesting to the attacker, bypass authentication/authorization, or run arbitrary commands on the operating system of the database server. Here's an example of the attack:

1.) Imagine a web application, such as a banking application, that has a login page. When logging in, the application will take the username and password that you supply and query a database table of users that it knows about. Basically, if your username and password match entries within the database, then you'll be authenticated.

2.) When a query is built dynamically from user-supplied input (the username and password), without sanitizing that input or binding it through a parameterized query, then SQL Injection is possible.

3.) The code might look something like the following (this is roughly Java-like, but you can extend it to your language):

// Vulnerable: the username and password are concatenated straight into the SQL text
String query = "select * from USERS_TBL where username='" + request.getParameter("username")
        + "' and password = '" + request.getParameter("password") + "';";

// create the connection and statement, details left out as they are unimportant
Connection con = DriverManager.getConnection(...);
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery(query);

4.) Now, if you look at that code, you'll notice that the query is constructed with dynamic parameters (username and password) that are pulled in from the request object (basically pulling them out of the query string of the request) and placed between a pair of single quotes.

5.) If I inject something the application doesn't expect as the username, for instance ' or 1=1--, the application will execute the resulting SQL as is:

select * from USERS_TBL where username = '' or 1=1-- and password = '';

Basically, I've forced the query into a conditional statement that will always be true. The username will be blank, or 1=1 (which is true of course), and since this is an or statement with an always-true value, the whole condition is always true; the -- also comments out the rest of the query, including the password check... well guess what? Now I've logged into the application as an authenticated user.

6.) SQL Injection is in fact much more dangerous than this, as I can typically pull out all information from all tables (including social security numbers, account numbers, etc.), and in some cases, like in Microsoft SQL Server, I may be able to execute arbitrary commands (xp_cmdshell). It can also be used to insert data into relevant tables (as it appears to have been used here), where an attacker inserts data that will later get rendered in the context of the victim's browser. Imagine deploying a browser-based attack vector in conjunction with SQL Injection. Infect hundreds of thousands of sites, infect millions of users.
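As an added example (not code from the original post), here the string concatenation from step 3 and a parameterized version are run side by side against a constructed in-memory SQLite table named USERS_TBL, using the ' or 1=1-- input from step 5:

```python
import sqlite3

# Constructed stand-in for the banking app's USERS_TBL (sample data, not from the post).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table USERS_TBL (username text, password text)")
    con.execute("insert into USERS_TBL values ('alice', 'correct horse')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Mirrors the post's Java snippet: input is concatenated into the SQL text."""
    query = ("select * from USERS_TBL where username='" + username
             + "' and password = '" + password + "';")
    return con.execute(query).fetchone() is not None

def login_parameterized(con, username, password):
    """Hardened form: placeholders carry the values as data, never as SQL syntax."""
    query = "select * from USERS_TBL where username = ? and password = ?"
    return con.execute(query, (username, password)).fetchone() is not None

def demo():
    con = make_db()
    injected = "' or 1=1--"   # the input from step 5, supplied as the username
    return {
        "vuln_real_creds": login_vulnerable(con, "alice", "correct horse"),
        "vuln_wrong_password": login_vulnerable(con, "alice", "wrong"),
        "vuln_injected": login_vulnerable(con, injected, ""),
        "param_real_creds": login_parameterized(con, "alice", "correct horse"),
        "param_injected": login_parameterized(con, injected, ""),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'logged in' if result else 'rejected'}")
```

The parameterized query treats the whole injected string as a username to look up, so the or 1=1 never becomes part of the query logic.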

Obviously this is really bad. Would you be surprised if I told you it was pretty commonplace to discover these types of flaws in a web application assessment? In any case, back to the matter at hand, which is this wide-scale compromise (estimated at over half a million sites) of Microsoft IIS servers. Sunnet Beskerming, a blogger that I read often, commented on this story as follows:

Although there has been a new IIS vulnerability disclosed in recent weeks, the attacks are only making use of poor site and database maintenance practices - using SQL injection to exploit sites.

For site visitors who visit an affected site, JavaScript is used to try and download / run malware that then targets a number of commonly used technologies in order to gain full control over the system.

It goes to show that input validation is a critical component of the security picture for a site and it is a problem that is still not being properly addressed by many sites, including a lot that should know better.

In one simple set of attacks, previously trustworthy sites can now no longer be considered trustworthy and it is another blow to services that tout their ability to mark a site as being 'Hacker Safe' or otherwise safe for visiting (like SiteAdvisor).

Bill Sisk of Microsoft has also commented on the issue:

There have been conflicting public reports describing a recent rash of web server attacks. I want to bring some clarification about the reports and point you to the IIS blog for additional information.

To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306). 

The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information on steps web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here: http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

It sounds like, at least from reading several sources such as Dancho Danchev's and Ronald van den Heetkamp's blogs, that this is a SQL Injection attack that actually inserts a malicious JavaScript payload that will then be rendered in victims' browsers. Victims who then view the subsequent pages will be hit with cross-site-scripting-like attacks that try to force them to download malware, etc. It could just as easily have been (and probably should have been) combined with something like the latest QuickTime flaw(s) or some of the URI abuse research that I've been involved with. Now you can hit millions of users with attack vectors.

What is scariest about this attack is that the group doing the attacking appears to have found a few very reliable attack vectors for SQL Injection... honestly, it's likely even more damage could've been done, such as scouring the information out of all of these databases, deleting the databases altogether, etc.

Interesting stuff... it really shows how serious web application flaws are these days. Good thing we have that strong PCI certification process recommending we have all of our applications go through, at a minimum, a black box security review... oh wait, that's right, they suggested web application firewalls. Well, at least web application firewalls are decent at preventing SQL Injection, right? Umm... well, don't you think that some of the following sites use a WAF and everything else available to them:

  • The UK government web pages
  • United Nations web pages
  • The Department of Homeland Security
  • etc.

Maybe it's because the attackers encode the attack funky-like (from Ronald van den Heetkamp's blog):

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x... (hex payload truncated)

Decoded: DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b...
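As an added defender-side example (not code from the post or from Ronald van den Heetkamp's blog), the following scans constructed IIS-style log lines for the URL-encoded DECLARE/CAST(0x...) pattern shown above and decodes the hex back into the SQL it carries, which is the step a signature that only looks at the raw request line would miss. The log format, the AS NVARCHAR(4000) tail of the CAST and the payload text are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample: the decoded cursor payload quoted in the post, re-encoded the way the
# attack carried it (a CAST of a hex literal into an NVARCHAR, i.e. UTF-16LE bytes).
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
              "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id")

def encode_payload_hex(sql):
    return sql.encode("utf-16-le").hex().upper()

# Constructed IIS-style log lines (not real logs); only the second carries the injection.
LOG_LINES = [
    "2008-04-25 10:01:02 GET /news.asp id=42 200",
    "2008-04-25 10:01:03 GET /news.asp id=42;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + encode_payload_hex(SAMPLE_SQL) + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
]

DECLARE_PATTERN = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR\s*\(", re.IGNORECASE)
HEX_PATTERN = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]{16,})", re.IGNORECASE)

def decode_hex_payload(hexstr):
    """Turn the hex literal back into SQL text; UTF-16LE if it looks like NVARCHAR bytes."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def scan_log_line(line):
    """Return the decoded SQL if the request looks like the encoded injection, else None."""
    decoded_url = unquote(line)          # %20 -> space, so DECLARE @S becomes visible
    if not DECLARE_PATTERN.search(decoded_url):
        return None
    m = HEX_PATTERN.search(decoded_url)
    return decode_hex_payload(m.group(1)) if m else None

def find_injections(lines):
    hits = []
    for lineno, line in enumerate(lines):
        sql = scan_log_line(line)
        if sql is not None:
            hits.append((lineno, sql))
    return hits

if __name__ == "__main__":
    for lineno, sql in find_injections(LOG_LINES):
        print(f"line {lineno}: {sql[:60]}...")
```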

So the end result is that, for now, it looks like another case of bad programming on the part of the developers of the vulnerable applications, not Microsoft. More to come when I hear more.

-Nate

Talkback

136 comments
  • Ah yes, the technology me-too's

    making the most basic of errors.

    On a less dangerous level, if you look at the HTML & CSS source of web sites, the most appallingly written ones are most often on IIS.

    This is what happens. If you trust your technology to people who can't even be bothered to learn more than one operating system, don't expect them to perform any wonders on anything else they touch.
    fr0thy2
    • Nice. I've got to hand it to you. You have an amazing talent...

      ...for faulting Microsoft no matter what.
      ye
      • Which you reflect

        For your strident defenses of all things Microsoft. *shrug*
        zkiwi
        • I defend against FUD. Which at the time is focused on...

          ...Microsoft. For a while, back in the 90's and early 2000 it was Apple. Now it's in vogue to bash MS and praise Apple. Once bashing MS falls out of vogue I'll be defending someone else.
          ye
          • Really?

            I find that very hard to believe. In fact I don't believe you.
            zkiwi
          • You make the erroneous assumption I care what you think.

            In reality I don't care if you believe me or not. You've demonstrated a complete irrationality towards anything Microsoft so why would this be any different?
            ye
          • Perhaps...

            You should consider your own rationality in light of your defense to the last punctuation mark of Microsoft.
            zkiwi
          • @zkiwi: ???

            What exactly are you trying to say?
            ye
          • There's plenty of FUD against Linux and Apple

            so you are not really against FUD, otherwise you'd defend them against the Windows trolls/zealots as well. You should just admit you are biased. To be anti-FUD means defending all who are FUD'ed against. MS is the biggest purveyor of FUD along with its numerous Windows trolls in ZDNet.

            No-one likes FUD as it colours the judgement of those who don't realise its FUD. Windows trolls breed other trolls so it gets into a huge downward spiral. Unfortunately because Windows users are so many and so many of them know nothing else, they try to discredit other OS's from a standpoint of ignorance built up on the FUD spewed out by Windows trolls.

            Pretending to be anti-FUD when you show a distinct bias gets up people's noses, as happens when people lie. Maybe you are just being naive.
            deaf_e_kate
          • I can't address [i]all[/i] FUD. I concentrate on the largest.

            And right now that's Microsoft/Vista. It used to be Apple/Macintosh. That's not the case today. Today Apple can do no wrong and Microsoft can do no right.
            ye
          • In other words...

            the only FUD he cares about is FUD directed at Microsoft. The decade of FUD being thrown from the Microsoft camp at anything else just isn't worth his time. Uh huh... Ye is your typical Microsoft evangelist. He always has stories about defending Apple or some other company in the past, but you never actually hear any of that. All you ever hear is his defense of Microsoft. Some people on these talkbacks will defend companies when they are being attacked unfairly and will hold those same companies accountable when they screw up. Sorry ye, but you just don't seem like one of those. On the rare occasion that anything that could be perceived as holding Microsoft accountable comes out of your mouth it is always surrounded by explanations on why it's not really Microsoft's fault. You're starting to sound as bad as that troll Loverock.
            jasonp@...
          • @jasonp: Do you read what is written? Or are you...

            ...unable to comprehend what you're reading. From my post a few lines up:

            "I defend against FUD. Which at the time is focused on Microsoft. For a while, back in the 90's and early 2000 it was Apple."

            The post should be easy for you to find because the beginning part of that quote happens to be the subject line.

            And if I'm such a MS apologist why is it that I'm posting this from a Linux system?

            [i]"All you ever hear is his defense of Microsoft."[/i]

            What part of:

            "Now it's in vogue to bash MS and praise Apple. Once bashing MS falls out of vogue I'll be defending someone else."

            Is giving you such a difficult time?
            ye
          • @Ye - Reading comprehension?

            Maybe you missed the line in my post that said "He always has stories about defending Apple or some other company in the past, but you never actually hear any of that." See, it's easy for you to say "Hey, back in the 90s I was all over defending Apple." What isn't easy is for anyone to believe that when all we hear coming out of your mouth now is defense of Microsoft under any circumstance. Yes, we hear what you are saying. No, we don't believe it. Is that simple enough?
            jasonp@...
          • Don't Worry

            On my blog, I try to get rid of all FUD... it's pointless.
            nmcfeters
          • @jasonp: Not sure why you're having such a difficult time with...

            ...the concept. It's really easy I didn't think it needed explaining. [b]Today[/b] it is in vogue to bash Microsoft. Thus I can understand why one would get the impression I solely defend them. However in the past, when it was in vogue to bash Apple, I defended them. You're welcome to search the Internet for my defenses if you don't believe me.

            As for currently defending other operating systems I have done so numerous times in these forums. For example:

            http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=47067&messageID=874838&start=0

            While hardly the "defense" you see from me of Windows that level isn't warranted given the basic premise of the blog wasn't to attack Linux like many posts in these forums do.

            But when you get sheer stupidity such as this:

            http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=47061&messageID=874656&start=0

            I'll step in. And, conveniently after I gave some troubleshooting advice the OP has disappeared.
            ye
          • @Nate

            Because Nate knows all.

            Or because MS is going to buy Zdnet?
            fr0thy2
          • Let's get it straight fr0thy2

            I don't work for ZDNet in the classic sense. I get paid actually very little to blog. I do it because I enjoy it. I'm a full time employee as a computer security advisor for Ernst & Young's Advanced Security Center. I make my money there, not here. If we get bought by Microsoft, I won't care, cause I won't see a single dime of it.

            Get facts, or get out.
            nmcfeters
          • Let's get it straight Nate

            You're as aggressive as me ;-)

            =============================================================
            People who only know MS are drug users. It is normal to them.
            fr0thy2
          • re: Let's get it straight Nate

            @ Fr0thy2.5

            You're not aggressive, you're irrational and incensed.
            rtk
          • @rtk

            Somebody who only knows one platform is a lesser programmer. Particularly if that platform is Noddysoft.

            If that's irrational and incensed then so be it ;-)

            BTW : My original point about the junk "presentation layer" holds true on the web for all to see. If a project cannot even get that (the easy bit) done professionally, there's little hope for the actual coding.
            fr0thy2