SQLsnake Code Analysis

Analysis by George Bakos & Guofei Jiang

Institute for Security Technology Studies, Dartmouth College

Full analysis with actual code can be found on Incidents.org:

http://www.incidents.org/diary/diary.php?id=157

I didn’t come up with the name sqlsnake; someone kind enough to provide a complete archive for analysis tagged it. Sounds good enough for now, unless someone wants to take credit for authoring this thing.

The beauty(?) of this thing is that it is, again, an age old vulnerability coupled with some wonderful “features” built into the product. MS SQL Server ships with an extensible feature architecture known as extended “stored procedures”, or esp. From an advisory posted in 2001 by Application Security

http://www.appsecinc.com/resources/alerts/mssql/02-0000.html :

Microsoft SQL Server provides the ability to call functions in DLLs outside of the database. These functions, called extended stored procedures, greatly expand the functionality of Microsoft SQL Server. They can be used to access the operating system or the network. Several hundred are shipped with Microsoft SQL Server and custom developed extended stored procedures can be added to the database by the administrator.

This worm takes advantage of the xp_cmdshell esp by building an ActiveX Object containing the commands to be run via xp_cmdshell, and then passes them to the non-password protected default “sa” SQL Server Administration account. SQL Server, prior to SQL Server 2000, by default allowed Multi-mode authentication. A user could authenticate to the sql server using their Windows credentials or their SQL Server account. Unfortunately, as has been beaten into the dirt over and over again, the default sa account cannot be disabled, and is passwordless at installation.

Here are the list files enclosed in this worm:

drivers/services.exe — Foundstone’s fscan.exe (UPX packed)

clemail.exe

pwdump2.exe

run.js

samdump.dll

sqldir.js

sqlexec.js

sqlinstall.bat

sqlprocess.js

timer.dll

… snip…

The following two registry keys are set to ensure startup at boot time:

“HKLMSystemCurrentControlSetServicesNetDDEImagePath”

“%COMSPEC% /c start netdde && sqlprocess init”, “REG_EXPAND_SZ”);

“HKLMSystemCurrentControlSetServicesNetDDEStart”

2, “REG_DWORD”);

An additional registry key may be set to ensure SQL connectivity via Win32 Winsock:

“HKLMsoftwaremicrosoftmssqlserverclientconnecttodsquery”

“dbmssocn”

clemail.exe is included in the package to deliver the body of accumulated

information (send.txt) to an account in Singapore : ixltd@postone.com




Share this