Multiple reports of attempted and successful SQL injection attacks against campus web sites.

STEAM-ADVISORY NO. 2008071801

PURDUE UNIVERSITY SECURITY TEAM CIRT

18 July 15:00 EST 2008

**** NOTICE ****

Due to the ongoing nature of these attacks, it is advised that STEAM members review any MSSQL database driven websites for SQL injection vulnerabilities as soon as possible and report any suspicious activity to abuse@purdue.edu.

****************

==OVERVIEW==

STEAM-CIRT is notifying STEAM members to be aware of numerous attempted and successful SQL injection attacks against campus web sites. Members are encouraged to review all MSSQL database driven sites for vulnerabilities or permission issues which may facilitate injection of malicious SQL code. These attacks seem to be used to facilitate the compromise of hosts which visit the affected site. Campus IDP has been updated to block these attacks.

==SYSTEMS AFFECTED==

* MSSQL database driven websites

==DETAILS==

STEAM-CIRT has received and is investigating several reports regarding successful and attempted SQL injection attacks performed against campus websites. The observed attacks use SQL injection vulnerabilities and/or database permission issues to inject links to script references into database tables. Subsequently, when a user visits the affected site, the injected links take the visitor to malicious sites which profile the machine and build an exploit based on OS, installed software, etc., potentially compromising the visitor's computer.

Initially, it appears as if this attack is being carried out in an automated fashion by the Asprox or a similar botnet, first reported in January of this year, using fast-flux DNS to make it impossible to IP blacklist specific attack sources.

The injected code has been observed as being obfuscated using a CAST statement as follows:

"DECLARE @S VARCHAR(4000);SET @S=CAST"

Campus IDP has been updated with relevant attack signatures in order to assist the mitigation of these attacks. Tens of attacks have been observed and blocked in the minutes after the rule went live.
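As an added illustration (not part of the advisory), the following log-review helper flags the CAST obfuscation pattern quoted above in web request logs and decodes the hex literal so the attempted statement can be read in plain text. The log lines are constructed, and the hidden statements are harmless samples.

```python
import re
import urllib.parse

# Signature of the obfuscation the advisory quotes: DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS ...)
CAST_PATTERN = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\1\s*=\s*CAST\(0x([0-9A-Fa-f]+)\s+AS",
    re.IGNORECASE,
)

def decode_cast_hex(hex_digits: str) -> str:
    """Recover the statement hidden in the 0x... literal.
    A VARCHAR payload is single-byte text; an NVARCHAR payload is UTF-16LE
    (every second byte is 0x00), so choose the decoding from the bytes."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def find_cast_injections(log_lines):
    """Scan request log lines; return (line_no, variable, decoded statement) per hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        plain = urllib.parse.unquote_plus(line)  # undo %20 etc. before matching
        m = CAST_PATTERN.search(plain)
        if m:
            hits.append((n, m.group(1), decode_cast_hex(m.group(2))))
    return hits

def _hex(stmt: str, wide: bool) -> str:
    """Hex-encode a sample statement the way CAST(0x... AS [N]VARCHAR) expects it."""
    data = stmt.encode("utf-16-le") if wide else stmt.encode("latin-1")
    return data.hex().upper()

# Constructed W3C-style log lines (not from the advisory). The hidden statements
# are harmless samples standing in for whatever an analyst actually finds.
SAMPLE_LOG = [
    "2008-07-18 14:55:01 GET /news/view.asp id=17 200",
    "2008-07-18 14:55:03 GET /news/view.asp id=17;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + _hex("SELECT 'constructed sample 1'", wide=False)
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
    "2008-07-18 14:55:09 GET /events/list.asp cat=3;DECLARE%20@T%20NVARCHAR(4000);SET%20@T=CAST(0x"
    + _hex("SELECT 'constructed sample 2'", wide=True)
    + "%20AS%20NVARCHAR(4000));EXEC(@T);-- 500",
]

if __name__ == "__main__":
    for line_no, var, stmt in find_cast_injections(SAMPLE_LOG):
        print(f"line {line_no}: @{var} hides -> {stmt!r}")
```

Matching runs on the URL-decoded request, since IIS logs the query string percent-encoded and a filter that only inspects the raw line misses `%20`-separated keywords.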

==SOLUTIONS==

* review any database driven website code for SQL injection vulnerabilities

* review any web back end databases for incorrect permissions or anomalies

* restrict/filter user-accessible input fields so that SQL metacharacters cannot reach database queries

==FURTHER INFORMATION AND RESOURCES==

* ISC diary "Mass exploits with SQL Injection"

http://isc.sans.org/diary.html?storyid=3823

* OWASP pages on SQL injection attacks

http://www.owasp.org/index.php/SQL_injection

http://www.owasp.org/index.php/Guide_to_SQL_Injection

* Microsoft/HP Scrawlr SQL injection scanner

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

https://download.spidynamics.com/Products/scrawlr/

* Microsoft ASP source code SQL injection vulnerability scanning tool

http://support.microsoft.com/kb/954476

* NGSSQuirreL SQL database weakness scanner

http://www.ngssoftware.com/products/database-security/ngs-squirrel-sql.php

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:

itap-securityhelp@purdue.edu

Report computer-related abuse to steam-cirt:

http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam

Posted by Kitch Spicer on July 18, 2008, in Advisory Alerts.