The database hacker's handbook: defending database servers by David Litchfield; Chris Anley; John Heasman
Author: David Litchfield; Chris Anley; John Heasman
Language: eng
Format: mobi
Tags: Database Management, Computer networks, Database security, Computers, Computer networks - Security measures, General, Computer security, Security, Security measures
ISBN: 9780764578014
Publisher: Wiley
Published: 2005-06-30T01:49:49.148000+00:00
Trojanning Sybase
The options for inserting backdoors into a database system of Sybase's complexity are numerous. Following are a few ideas; there are plenty of variations on these themes.
Grant a User sa or sso_role
If you grant users sa_role, they can effectively do everything.
You can see what roles are available to users by executing the following query:
select l.name Login, sr.name ServerRole from master..syslogins l
join master..sysloginroles lr on l.suid = lr.suid
join master..syssrvroles sr on sr.srid=lr.srid
Allow Direct Updates to System Tables, Grant Access to Selected System Tables
By default, users (even sa) are not permitted to modify system tables (such as syslogins) directly, even if their permissions would otherwise allow it. Many possibilities for subtle backdoors are opened up if you enable updates to system tables.
The statement to allow updates is
sp_configure 'allow updates to system tables', 1
This is a dynamic configuration setting and thus takes effect immediately; there is no need to restart the server.
The following query displays all explicit permissions (including those granted on individual columns) in the current database:
select u.name "user", u2.name grantor, o.name object, c.name column, v.name, p.protecttype
from sysprotects p
join sysusers u on p.uid = u.uid
join sysobjects o on p.id = o.id
join sysusers u2 on p.grantor = u2.uid
join master..spt_values v on p.action=v.number and v.type='T'
join syscolumns c on o.id = c.id
where (power(2, c.colid) & convert(int, p.columns)) > 0
and p.columns != 0 and p.columns != 1 and p.columns is not null
union
select u.name "user", u2.name grantor, o.name object, '*' column, v.name, p.protecttype
from sysprotects p
join sysusers u on p.uid = u.uid
join sysobjects o on p.id = o.id
join sysusers u2 on p.grantor = u2.uid
join master..spt_values v on p.action=v.number and v.type='T'
where p.columns=0x01
or p.columns=0x00
or p.columns is null
order by o.name
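An added audit script, not from the book, that checks the three things this section describes from the defender's side: the current state of 'allow updates to system tables' (and how to turn it back off), which logins hold sa_role or sso_role, and explicit grants on system tables in the current database (filtered with sysobjects.type = 'S'). It assumes Sybase ASE's standard catalogs as used in the queries above and a login that holds sa_role; the `go` lines are isql batch separators.

```sql
-- Added audit script (not from the book): run via isql as a login with sa_role.
-- 1. Show the current value of the dynamic setting; with no second argument,
--    sp_configure only displays the option instead of changing it.
sp_configure 'allow updates to system tables'
go
-- Hardened setting: disable direct writes to system tables (takes effect immediately).
sp_configure 'allow updates to system tables', 0
go
-- 2. Logins that hold the two most powerful server roles.
select l.name Login, sr.name ServerRole
from master..syslogins l
join master..sysloginroles lr on l.suid = lr.suid
join master..syssrvroles sr on sr.srid = lr.srid
where sr.name in ('sa_role', 'sso_role')
order by sr.name, l.name
go
-- 3. Explicit grants recorded in sysprotects on system tables (type 'S') in the
--    current database; any row here should be explainable by an administrator.
select u.name grantee, u2.name grantor, o.name object, v.name action, p.protecttype
from sysprotects p
join sysusers u on p.uid = u.uid
join sysobjects o on p.id = o.id
join sysusers u2 on p.grantor = u2.uid
join master..spt_values v on p.action = v.number and v.type = 'T'
where o.type = 'S'
order by o.name, u.name
go
```

Run the same script in each database (use master for the server-wide roles, then each user database for the sysprotects check) and compare the output against a known-good baseline.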