Automated SQL Injection Attacks

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: May 23, 2008
Notification Version: 1.2

Name: Automated SQL Injection Attacks
Public disclosure / In the wild date: April 22, 2008
Description:

Over the past few months, IBM X-Force has seen an escalation of SQL injection and other web-related attacks. In the past few weeks, these attacks have culminated in automated SQL injection attacks that, in some cases, have systematically defaced websites.

As of July 24, IBM MSS has continued to monitor escalating attack attempts. Although most exploitation had been focused on ASP (primarily fueled by the Asprox botnet and Chinese sources), recent exploitation has turned to attacks specific to ColdFusion from sources that appear to be mostly Russian.

On Aug. 12, IBM MSS picked up evidence of a new target database, MySQL.
ISS Coverage

Product                           Content Version
Proventia Network IDS             27.040
Proventia Network IPS             27.040
Proventia Network MFS             27.040
Proventia Server (Linux)          27.040
RealSecure Network                27.040
RealSecure Server Sensor          27.040
Proventia Desktop                 2050
Proventia Server IPS (Windows)    2050

Propagation Techniques                                    ISS Protection Available
remote exploit (server compromise attempts)               SQL_Injection* (Jun 12, 2007)
remote exploit (host infection attempts from an           HTML_VML_Heap_Overflow (Jan 10, 2007)
  infected or malicious server)                           Upx_Packed_Executable (Mar 14, 2005)

* Some web applications are coded to use SQL injection in database transactions.  Before enabling blocking for this attack, please see KBA 4748 for tuning suggestions.

Detailed Description

Business Impact: Public defacement, confidential data leakage, and database server compromise can result from these attacks.  Client systems can also be targeted, and complete compromise of these client systems is also possible.
Affected Products: SQL injection can affect commercial and homegrown applications and the databases behind them.  These particular attacks have targeted and compromised LAMP (Linux Apache MySQL PHP) systems, Windows IIS ASP SQL systems, and phpBB installations.  Some of these attacks have involved IFRAMEs with JavaScript while others are outright SQL injection attacks.
Technical Description (SQL Injection): Multiple products that use data in SQL queries are vulnerable to SQL injection. Attackers can use SQL injection techniques to exploit Web sites and applications that implement SQL queries without first removing potentially harmful characters. Using SQL injection, attackers can create and modify tables, and possibly gain complete control over the database, host computer, and network of trusted computers.
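
The defect described above, as an added illustration that is not part of the IBM alert: a lookup that splices the request value into the statement text next to the same lookup written as a parameterized query. The table, rows and sample inputs are constructed for the example; SQLite stands in for the MySQL or SQL Server back ends the alert names.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unsafe(conn, name):
    # The pattern the alert describes: the request value is spliced into the
    # statement text, so quotes and keywords inside it reach the SQL parser.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameterized query: the value travels separately from the statement,
    # so the database treats it as a literal whatever characters it holds.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    """Run both lookups on the same input; a database error is reported as a string."""
    conn = make_db()
    out = {}
    for label, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error as exc:
            out[label] = "error: " + type(exc).__name__
    return out

if __name__ == "__main__":
    # A normal name, a legitimate name containing a quote, and a value that
    # rewrites the WHERE clause when it is concatenated into the statement.
    for sample in ("bob", "O'Brien", "x' OR '1'='1"):
        print(repr(sample), compare(sample))
```

The apostrophe case shows that the concatenating version breaks on ordinary data before any attacker is involved, while the parameterized version returns the expected empty result for both unusual inputs.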
Remediation:

In addition to enabling the IPS signatures listed in ISS Coverage section, customers should ensure that:

  • Browsers and plug-ins have the latest patches and updates
  • Access to superuser or root accounts is restricted on Linux, Apache, MySQL, PHP and similar servers
  • Reusable password access to remote servers is prohibited
  • Access over SSH uses a strong authentication mechanism such as public-key ("authorized_keys") authentication
  • Direct remote access to the root account should be completely prohibited outside of tightly controlled applications and keys
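
The last three bullets, expressed as an sshd_config check. This is an added example, not part of the IBM alert; the two config excerpts are constructed, and the mapping from the bullets to the PermitRootLogin, PasswordAuthentication and PubkeyAuthentication keywords is the example's own assumption. The check mirrors sshd's rule that the first value read for a keyword wins, so a hardening line appended below an earlier weak one is not honoured.

```python
import re

# Constructed sshd_config excerpt (not from the alert). The second
# PermitRootLogin line is the trap: sshd uses the FIRST value it reads for a
# keyword, so the later "no" does not override the earlier "yes".
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
"""

# Constructed hardened excerpt: no password (reusable secret) logins,
# key-based access via authorized_keys, no direct remote root.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

# Assumed translation of the alert's bullets into sshd keywords.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

def effective_settings(text):
    """Return keyword -> first value seen, mirroring sshd's first-match rule.
    Parsing stops at a Match block, whose directives are conditional."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)        # first value wins
    return settings

def audit(text):
    """List (keyword, actual, expected) for each directive that deviates."""
    got = effective_settings(text)
    return [(k, got.get(k, "<default>"), v)
            for k, v in EXPECTED.items() if got.get(k) != v]
```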

It is also recommended to remove "ghost" accounts (expired accounts, or accounts whose owners are no longer present) and to scan web applications for vulnerabilities using a specialized web application assessment product such as Rational AppScan.

References

XFDB: http://xforce.iss.net/xforce/xfdb/8783
FrequencyX: http://blogs.iss.net/archive/SecondOrderXSS.html
http://blogs.iss.net/archive/MassAttackMarch.html

Revision History

1.0 Initial publication.
1.1 Added detail about recent (as of July 24th) exploitation and removed some older references.
1.2 Added note about MySQL targets that MSS picked up on Aug 12.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.