Being an old-school network engineering flunky, with a heavy dose of network security discipline, it somehow never ceases to amaze me that people just don’t seem to learn from their mistakes — or other people’s mistakes, as the case may be.
Almost five (5) years ago, the SQL Slammer worm should have made people realize that having these types of critical infrastructure resources accessible from the Internet is just a really, really bad idea.
But apparently people just don’t seem to learn from the past.
Very recently, we have seen thousands of webpages which have been compromised via (suspected) SQL Injection attacks, which in turn led to web threats that put hundreds of thousands of potential Internet users at risk of being compromised.
The end-game here is that these unwitting users could be victimized via identity theft, credit card credential theft, or worse.
Today, we learn about a tool floating around in the “underground” called sqlmap:
sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables, columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.
This is very bad news for a lot of websites that continue to allow their back-end SQL systems to be exposed to the Internet.
This is just a bad, bad practice and should be discouraged at every opportunity.
Ryan Naraine wrote back in mid-November 2007 on ZDNet’s “Zero Day” Blog that:
A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.
Litchfield, co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses — TCP port 1433 (SQL Server) and 1521 (Oracle) — and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers.
You do the math — it all adds up to some really bad numbers in my book.
If organizations do not do more to protect their back-end systems, they will be compromised, and their brand name and business may suffer as a result.
Did I mention this is bad?
Clarification added (11:35 PST, 18 Jan. 2008): It appears that this SQL Injection tool accomplishes its work by finding and exploiting SQL Injection flaws on public-facing webpages which might contain, for instance, CGI forms — so that the SQL database server itself does not have to be directly, publicly accessible.
While this, of course, doesn’t negate the fact that SQL database servers still should not be publicly accessible, this puts additional focus on the need to ensure that public-facing webpages are properly & securely implemented.
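To make the clarification concrete, here is an added illustration (my own example, not code from sqlmap or from any site mentioned above) of the kind of flaw such a tool looks for on a public-facing form, alongside two defences: a parameterized query, and an input allow-list in front of it. The "customers" table, the form input values and the function names are all constructed for this demonstration; the database lives in memory via Python's sqlite3 module, so nothing here touches a real server.

```python
import re
import sqlite3

# Constructed sample data: a tiny "customers" table standing in for the
# back-end DBMS that sits behind a public-facing web form.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1234"), (2, "bob", "5678"), (3, "carol", "9012")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # The flaw: a form field is pasted straight into the SQL text, so the
    # DBMS parses whatever the visitor typed as part of the statement.
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The fix: the value travels as a bound parameter. The DBMS receives the
    # statement and the data separately and never parses the data as SQL.
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Hypothetical allow-list for the "name" field: short, alphanumeric only.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def lookup_validated(conn, name):
    # Defence in depth: reject input that cannot be a legitimate name before
    # it reaches the database at all, and still bind it as a parameter.
    if not NAME_RE.match(name):
        raise ValueError("rejected form input")
    return lookup_parameterized(conn, name)

def demo():
    conn = build_db()
    benign = "alice"
    # Constructed tautology input of the kind an automated scanner submits to
    # a form field to test whether the site is injectable.
    hostile = "' OR '1'='1"
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
        "validated_benign": lookup_validated(conn, benign),
    }
    try:
        lookup_validated(conn, hostile)
        results["validated_hostile"] = "accepted"
    except ValueError:
        results["validated_hostile"] = "rejected"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup returns one row for a normal name but every row in the table for the hostile input, which is exactly the behaviour an automated injection tool probes for; the parameterized lookup returns one row and zero rows respectively, and the allow-list never lets the hostile string reach the database. Note that the allow-list is a second layer, not a substitute: binding parameters is what actually closes the flaw, regardless of what the web form accepts.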
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research