Re: Microsoft SQL Server Stored procedures [sp_MSSetServerProperties and sp_MSsetalertinfo] (#NISR03092002A)

From: David Litchfield (david@NGSSOFTWARE.COM)
Date: 09/04/02


Date:         Wed, 4 Sep 2002 22:44:34 +0100
From: David Litchfield <david@NGSSOFTWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Karsten Højgaard <KHojgaard@DK.SNT.COM> wrote:

>> [..] It does not allow an attacker to compromise the server or data but
>> may be used in conjunction with another attack. For example an attacker
>> may not want SQL Server to restart on server reboot if they set a shell
>> listening on TCP port 1433.
>
> There's easier ways to access the port than actually halting the process.
>
> An application can normally listen to either a specific interface, or all
> interfaces (the normal approach). A little known fact is that a process that
> binds to a specific ip silently overrides processes listening on all ips
> and the same port(s).
>
> This can be tested by getting netcat for windows at
> http://www.atstake.com/research/tools/#network_utilities, and instructing it
> to listen on your public ip, e.g. on port 80, while you run IIS or PWS.
>
> Note that IIS is still running, and not returning errors, while actual
> connects to the machine's public ip are in fact handled by netcat.

As far as IIS is concerned this is true. You can bind netcat over the port.
But if you've ever tried to bind netcat to 1433 when SQL Server is bound to
it you'll see it fails.

C:\sqlstuff>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
..
..

As can be seen SQL Server is not bound to a specific IP address - however:

C:\sqlstuff>nc -l -p 1433
Can't grab 0.0.0.0:1433 with bind

also

C:\sqlstuff>nc -l -p 1433 -s 10.1.1.37
Can't grab 10.1.1.37:1433 with bind

Under HKLM\System\CurrentControlSet\Services\Tcpip\parameters I have a key
Reserved ports whose value is 1433-1434 1352-1352. This could be something
to do with it failing with SQL Server. I haven't examined this behaviour too
deeply though so don't quote me on that ;)

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.nextgenss.com/

p.s. In the original advisory I incorrectly said drop execute for the fix -
of course it should be revoke execute.
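A small Python check that reproduces the bind experiment from this thread on the local host; it is added here and is not part of the original message. It starts its own wildcard listener on a free port (no real service is touched) and reports whether a second socket bound to 127.0.0.1 can shadow it, once with default socket options and once with SO_EXCLUSIVEADDRUSE, the Winsock option that makes a later specific-address bind fail the way netcat's attempt on 1433 does above; on non-Windows systems the kernel refuses the shadowing bind in both cases. The function name is my own.

```python
import socket
import sys


def can_override_listener(exclusive: bool) -> bool:
    """Start a listener on 0.0.0.0 on a free port, then try to bind a second
    socket to 127.0.0.1 on the same port.  Returns True if the second bind
    succeeds, i.e. a specific-address socket could shadow the wildcard listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if exclusive:
            # SO_EXCLUSIVEADDRUSE exists only in Winsock; elsewhere the kernel
            # already rejects a specific-address bind over a wildcard listener,
            # so the option is simply skipped when absent.
            opt = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
            if opt is not None:
                listener.setsockopt(socket.SOL_SOCKET, opt, 1)
        listener.bind(("0.0.0.0", 0))  # port 0: let the OS choose a free port
        listener.listen(5)
        port = listener.getsockname()[1]

        shadow = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            shadow.bind(("127.0.0.1", port))  # the "nc -s <ip> -p <port>" step
            return True
        except OSError:
            return False  # equivalent of netcat's "Can't grab ... with bind"
        finally:
            shadow.close()
    finally:
        listener.close()


if __name__ == "__main__":
    for exclusive in (False, True):
        print(f"{sys.platform}: exclusive={exclusive} -> "
              f"shadowing bind possible: {can_override_listener(exclusive)}")
```

A service whose listener reports True in the default case is the one the quoted netcat-over-IIS test is describing; setting SO_EXCLUSIVEADDRUSE on the listening socket is the fix on Windows.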
