
Worms, oh yeah....

Apr. 25th, 2007 | 10:24 am

Came across this post this morning:

http://www.futhark.ch/index.php?action=comment&category=mysql&id=150

The Title is "Are you prepared for the attack of the MySQL worm?"

With all of the real security issues that exist on the Internet I dislike seeing people dream this stuff up.

The author describes having a piece of SQL inject itself into an event (which you don't need; this could be done with a stored procedure and a sleep() call) and into a Federated table.

Let us talk about why this is a non-issue:

  • Databases do not live on the Internet. They live behind firewalls where access is strictly controlled. Databases are not mail servers, web servers, or finger servers. People do not allow others to access their databases directly.

  • Databases do not know about other databases. Sure, you could scan for other databases, but email worms work in large part because of the information they get from local address books. The Internet is pretty big... local VPNs are frequently large as well.

  • No one sane lets users run arbitrary SQL on a database. Applications execute SQL. It's not that you click on a message in your email and suddenly your database executes SQL. Could you dream something like that up? Sure, but pinpointing a DBA with just this sort of access from their local computer? Someone would need to type arbitrary SQL into the database in the first place. If you have someone like this working for you, then you have a different concern to address.

One other question you should ask: why hasn't this happened before?

Postgres has its DBI-based federation, SQL Server has its own ODBC-based federation, and Oracle has its database link technology. Federating connections is nothing new. UDFs, which most vendors have, can be used to create more interesting problems.

Worry about cross-site scripting attacks, spend time making sure you lock down the ports you make available to the world... teach people to use good passwords and not to click on executables in their email!

I am more concerned about Bluetooth viruses infecting the cars around me :)

    Comments {9}

    Lumiere

    (no subject)

    from: lumiere
    date: Apr. 25th, 2007 06:20 pm (UTC)

    Databases do not live on the Internet.
    Databases do not know about other databases.

    Remember SQL Slammer? Next!

    No one sane lets users run arbitrary SQL on a database.

    The bug/task tracking database used internally at a certain local software company allows users to author their own SQL queries. Does that make them insane?


    Brian "Krow" Aker

    (no subject)

    from: krow
    date: Apr. 25th, 2007 07:18 pm (UTC)

    Slammer had MSDE and home PCs; we are talking Linux servers, which are far fewer in number (and by default have firewalls and no remote passwords even if the firewall was gone). Slammer was an arbitrary executioner.

    Are they letting their users insert/update any day? Create their own Stored Procedures?
    Then yes they are. One user can just accidentally drop all of the data.


    Lumiere

    (no subject)

    from: lumiere
    date: Apr. 26th, 2007 02:49 pm (UTC)

    Slammer did have MSDE to propagate through, but still hurt supposedly firewalled organizations, though that may have been through multi-homed computers ferrying it inside the firewall rather than hitting them directly from the public Internet. And yes, there are very few multi-homed MySQL machines to do that ferrying.

    I suspect, but do not recall, that they do put some limits on what SQL text may be entered. I'm not sure how effective those limits actually are...


    Brian "Krow" Aker

    (no subject)

    from: krow
    date: Apr. 26th, 2007 03:41 pm (UTC)

    Multi-homed is rare... but understand, MySQL doesn't come with a default password, or even an account, that allows access from the outside world.

    Events? Even if the user pushed an event into the event table it wouldn't be seen unless a restart of the database or a flush event was called. So the spread rate is very slow...

    It's all very unlikely.


    Lumiere

    (no subject)

    from: lumiere
    date: Apr. 26th, 2007 10:32 pm (UTC)

    Not if you think about laptops that connect, separately, to the public net and the firewalled 'net. If such a laptop gets infected on the public net, it can then--potentially--infect the firewalled net. Of course, other security measures--some of which Cisco and MS have made some public agreements about--can be used to avoid that.

    Or you can firewall the databases off from the general corporate network too...


    awfief

    (no subject)

    from: awfief
    date: Apr. 25th, 2007 07:07 pm (UTC)

    Brian, you live in a wonderful utopian world.

    With all of the real security issues that exist on the Internet I dislike seeing people dream this stuff up.
    Well, better that we dream it up and deal with it than someone malicious does.

    People do not allow others to access their databases directly.
    In the REAL world, people leave their databases open, because they want the convenience of root@%. Or because they don't know any better.

    People SHOULD NOT allow others to access their database directly.

    People also SHOULD NOT download attachments they're not expecting from people they don't know.

    Did you read the part of the article where he says, "Just do a port scan over a small portion of the Internet and realize how many MySQL servers there are that answer"?

    Databases do not know about other databases.
    Well, yes. However, reading Beat's post, he specifically says "against random host addresses (or maybe with a more clever pattern than random selection). It has to guess administrative accounts (user name and password) with brute force attacks."

    It may not be as effective a worm as the e-mail ones we've seen, but it's a worm.

    No one sane lets users run arbitrary SQL on a database.
    True, but this is making a federated table with administrative accounts. So we're not talking about users, we're talking about administrative attacks.

    And Beat himself says it's not the biggest problem in the world, just a possibility. Given that there is an entire security track at the conference devoted to telling people about firewalls, ACLs, XSS and SQL Injection, and not one on the MySQL worm, I think we're OK and there is a proper sense of perspective on this.

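The disagreement in this thread (the post's "lock down the ports", krow's "MySQL doesn't come with a default password, or even an account, that allows access from the outside world", and awfief's root@% case) comes down to facts a DBA can check on a real server in a minute. The following read-only audit is an added example, not code from the post, from Beat's article, or from MySQL itself. It assumes the mysql.user layout of MySQL 5.0/5.1, the versions current when this was written (the password hash column is named Password there; from 5.7 it is authentication_string), and a session that can read the mysql schema and information_schema.

```sql
-- Added example: read-only audit of the conditions argued about above.
-- Assumes MySQL 5.0/5.1 column names (Password; 5.7+ uses authentication_string)
-- and a session allowed to read the mysql schema.

-- 1. Accounts reachable from any client: Host '%' or '' matches every host,
--    and a Host containing a wildcard matches a whole range (the root@% case).
SELECT User, Host
  FROM mysql.user
 WHERE Host IN ('%', '')
    OR Host LIKE '%\%%'
    OR Host LIKE '%\_%';

-- 2. Accounts with no password at all (an empty hash means no credential).
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';

-- 3. Accounts holding global administrative privileges. SUPER, FILE and
--    CREATE USER allow reconfiguring the server, touching the filesystem and
--    minting further accounts, so this list should be short and recognisable.
SELECT User, Host, Super_priv, File_priv, Create_user_priv
  FROM mysql.user
 WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Create_user_priv = 'Y';

-- 4. Is the Federated engine even available? In 5.1 it is DISABLED unless the
--    server was started with --federated; a NO or DISABLED here settles that part.
SHOW ENGINES;

-- 5. Federated tables already defined. The remote CONNECTION string of each one
--    is visible through SHOW CREATE TABLE on the table in question.
SELECT TABLE_SCHEMA, TABLE_NAME
  FROM information_schema.TABLES
 WHERE ENGINE = 'FEDERATED';

-- 6. Is the event scheduler running (ON/OFF/DISABLED), and which events exist?
SHOW VARIABLES LIKE 'event_scheduler';
SELECT EVENT_SCHEMA, EVENT_NAME, DEFINER, STATUS, LAST_EXECUTED
  FROM information_schema.EVENTS;

-- 7. Whether TCP listening is switched off entirely.
SHOW VARIABLES LIKE 'skip_networking';
```

Empty result sets for queries 1 and 2, a short and expected list for query 3, and DISABLED/OFF for the Federated engine and the event scheduler are the state the post assumes every server is in; anything else is the state awfief describes. The server-side fix for query 1 and 7 findings is to start mysqld with skip-networking, or with bind-address set to the one interface the application servers reach it on, rather than relying on a host-level firewall alone.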

    Brian "Krow" Aker

    (no subject)

    from: krow
    date: Apr. 25th, 2007 07:23 pm (UTC)

    Hi!

    My utopia is a near police state where people are asked to be paranoid on a daily basis about grandmothers carrying knitting needles on airplanes.

    By default MySQL has no remote password installed. If a user creates a user, without a firewall, with remote access, and an easy password... I would like to believe that few people walk out in traffic.

    Making a federated account and doing probing is worse than looking for needles in haystacks.

    I think it's cute, but I also think, and told Beat, that it is security theater. We have real issues to work through; bringing up this stuff.... it can be worded in far better ways.


    awfief

    (no subject)

    from: awfief
    date: Apr. 25th, 2007 08:38 pm (UTC)

    As a knitter, I object to your stereotype of knitters as all grandmothers.

    I would like to believe that few people walk out in traffic.
    I know you've been to Boston. People walk out into traffic all the time. :)

    *nod* I hear you about the security theater.


    Brian "Krow" Aker

    (no subject)

    from: krow
    date: Apr. 26th, 2007 05:46 am (UTC)

    Hi!

    I am worried about them searching grandmother knitters.

    Who knows if the rest of you knitters are terrorists or not :)
