Half a Million Microsoft-Powered Sites Hit With SQL Injection

Titus Germanicus writes to tell us that a recent attack has compromised somewhere in the neighborhood of 500,000 pages with a SQL injection attack. The vulnerability seems to be limited to Microsoft's IIS webserver and is easily defeated by the end user with Firefox and "NoScript." "The automated attack takes advantage to the fact that Microsoft's IIS servers allow generic commands that don't require specific table-level arguments. However, the vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw. In other words, there's no patch that's going to fix the issue, the problem is with the developers who failed follow well-established security practices for handling database input. The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC." Ignoring corporate spin-doctoring, there seems to be plenty of blame to go around.

Microsoft's Official View of the Situation

[eldavojohn (898314)]

Ignoring corporate spin-doctoring there seems to be plenty of blame to go around.

Well, here [informationweek.com]'s a quote directly from Bill Sisk of Microsoft (seems to be in line with this blogger):

Microsoft (NSDQ: MSFT) on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server. "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database." Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.

So if you want Microsoft's side of the story, they can't help it that people use bad coding practices.

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast. Stupid fast. Unfortunately for C, there are more stupid coders out there like me than genuis coders out there like ... Donald Knuth. So you will see Java rise in popularity without ever being able to live up to speed of C.

Wow, for flaim retardant reasons, take the above paragraph as my meager opinion.

Re:

[duplicate-nickname (87112)]

So, I suppose all of the LAMP sites out there vulnerable to SQL injection are the fault of Microsoft too?

http://www.google.com/search?hl=en&q=site%3Asecurityfocus.com+php+sql+injection [google.com]

Re:

[pembo13 (770295)]

No, they are the fault of Linux obviously. Isn't that the normal assertion?

Re:Microsoft's Official View of the Situation

[Dekortage (697532)]

Well, to quote from the Hackademix FAQ on this issue [hackademix.net]... "Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts. There's no Microsoft-specific vulnerability involved: SQL injections can happpen (and do happen) on LAMP and other web application stacks as well. SQL injections, and therefore these infections, are caused by poor coding practices during web site development. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site."

Re:

[Allador (537449)]

Microsoft SQL Server is particularly vulnerable to SQL injection in a way that most other databases aren't. The problem is multiple statement execution just by inserting semicolons.

That is incorrect.

Most mainstream databases allow you to do this. Oracle and MySQL off the top of my head that I've personally done this on.

Some db adapter libraries (like one of the real simple ones in PHP for MySQL) dont let both statements get through and/or throw an error, and/or cant handle multiple result sets.

But keep in mind, an attack like this doesnt require both statements to be run in the same batch or in the same transaction, since there's no connection between the two and no result set from

Re:Microsoft's Official View of the Situation

[techno-vampire (666512)]

You make a tool/language/framework for developers, you better make it idiot proof

Why? It's not their responsibility to see to it that you can't write bad code for their program any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven. There's only so much MSFT can do to protect lusers against their own stupidity, and if badly trained developers write vulnerable code, it's their own damned fault. I'm no Microsoft fanboi, but even I only bash them when they deserve it.

Re:

[Nefarious Wheel (628136)]

any more than it's the responsibility of car manufacturers to build cars that can't crash no matter how they're driven

Ref. "Unsafe at any speed" (R.Nader) and contrasting opinion "Safe at any speed" (L.Niven). The latter story was deliberate satire. Flying your car into a Roc can be inconvenient.

Re:

[Cal Paterson (881180)]

Ref. "National Highway Traffic Safety Administration" [wikipedia.org].

I'm aware this is pretty tangential, but I found it interesting that the Corvair was eventually rated to be a pretty reasonable car by the government body that Nader's book created.

Re:

[0racle (667029)]

Do you post something similar when it's a PHP app on Apache being exploited with a SQL injection and the PHP authors say it's not their fault a whole bunch of their users are idiots?

Microsoft provides a platform, that platform has problems, but in this case the platform had nothing to do with what happened. This rests entirely on web developers who didn't bother to do things correctly.

Re:

[peragrin (659227)]

While I understand that why is it only MSFT IIS and MS SQL that's affected. If apache and MS SQL was being attacked and it has happened then i could fully understand it, but only MS IIS, MS SQL sites are affected. while the flaw may not be MSFT's sole fault how could 500,00 people setup a server wrong including the DHS? Maybe MSFT's history of poor coding and security practices lead to unsafe default options? security should always be over applied and then removed in layers.

Security like clothing works

Re:

[Allador (537449)]

why is it only MSFT IIS and MS SQL that's affected

Because the code they used is based on the MS-SQL particular dialect, with some MS-SQL specific conventions.

The malware authors could have trivially used INFORMATION_SCHEMA views rather than sysobjects, and this would have been a generic attack that would have worked against most mainstream db servers.

while the flaw may not be MSFT's sole fault how could 500,00 people setup a server wrong including the DHS?

This has nothing, zero, to do with server setup or configuration. This is purely and soley, only has to do with web app developers allowing uncleansed commands to be sent from a web-browser to the underlyin

Re:

[dedazo (737510)]

As a coder, I don't agree with that. You make a tool/language/framework for developers

So stock Java protects me from things like "SELECT * FROM users WHERE Name = 'eldavojohn'; DELETE FROM orders", correct?

Wait, it doesn't. Neither does PHP or Python or Perl.

So I guess you can spin it as this somehow being Microsoft's fault, and Slashdot can post it again (and maybe again tomorrow FTW), deliberately confusing pages vs sites and using titillating article titles and editorial bylines about how corporate

Re:

[Lobster Quadrille (965591)]

Actually, PHP's mysql engine won't run that query- you cannot execute more than one query in a single mysql_query() call.

There are plenty of ways around it, but your query will fail.

Re:Microsoft's Official View of the Situation

[Sancho (17056)]

As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.

It's much harder to prevent injection of additional parameters e.g. typing ' or '1'='1 into the text box--that's something that will be language and developer dependent. From my very brief scan of the details of this vulnerability, it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

This page supports my interpretation. [hackademix.net] I note, specifically:

Attackers carefully weighted the easiest spot, being a combination of

        * ASP classic, due to the poor coding standards among the average VBScripters who hardly known about prepared statements (even though they are supported)
        * ADO as the DB client layer, allowing stacked queries (multiple SQL statements together in a single string), which are not supported, for instance, by JDBC or by the mysql_query() PHP API
        * Microsoft SQL Server, because its Transact SQL supports a rich feature set including loops, metadata enumeration and Dynamic SQL (crucial for generalization), and because itâ(TM)s the most common ASP database back-end with such high-end features.

Apparently, if stacked queries weren't allowed, this wouldn't nearly so easy to exploit.

Re:

[dedazo (737510)]

it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.

So what you are saying is that (and quoting the article you reference) Microsoft is at fault for providing these "high end features"? Even considering that it's not necessary to write sloppy VBScript code, and that it's ridiculously easy to use ADO to put together parameterized database commands, regardless of how many resultsets they are supposed to return?

And that the lack of that feature is actual

Re:

[Chokolad (35911)]

> * Of course, it's not really meaningful to talk about a language protecting you from SQL injections; it's the database library that decides whether to send SQL to the database or not. I'm talking about the most popular libraries here (e.g. Perl's DBI).

And this is differnt from Microsoft offerings how?

Re:

[Qzukk (229616)]

It\\'s broken, it\\\\\'s restrictive for normal users, and is a bad idea in the same way that forgiving developer for using bad html was, but it\'s there. never used it, but I know because of some bug that it was introducing in an unrelated application.

Magic quotes is the absolute coolest thing since sliced arrays, or my name isn\\'t Jeffery O\\\\\\\\\\\\\\\\'Donnel!

Re:Microsoft's Official View of the Situation

[Sigma 7 (266129)]

As a coder, I don't agree with that. You make a tool/language/framework for developers, you better make it idiot proof. Example: C is far from idiot proof (seg fault!) but it's fast.

A seg fault is a form of idiot proofing - it prevents rogue C-style pointers from ruining the system. The absence of seg fault means your program is overwriting various locations in memory, which potentially causes the system to crash.

If you need access to locations of memory normally protected by a seg-fault, your operating system normally provides a means to do so.

Right, but...

[Jeff Molby (906283)]

...it's weak idiot-proofing. Strong idiot-proofing makes it so the problem is never even encountered.

Dupe?

[TubeSteak (669689)]

500 Thousand MS Web Servers Hacked
Posted by kdawson on Friday April 25, @11:48AM
from the scream-and-shout dept.
http://it.slashdot.org/it/08/04/25/1358234.shtml [slashdot.org]

Re:Dupe?

[calebt3 (1098475)]

At least this one is more accurate in saying 500,000 web pages and not servers.

Re:

[Cheapy (809643)]

/. has been quite good about dupes lately.

I think we can let it slide once and a while.

Seems familiar

[EvilGoodGuy (811015)]

Wasn't this exact item posted on Friday? http://it.slashdot.org/article.pl?sid=08/04/25/1358234 [slashdot.org]

Shameless Hibernate Plug

[eldavojohn (898314)]

You know, as an incompetent Java developer, I will take the time to explain why none of my web applications suffered from this.

I use Hibernate [hibernate.org]. I use it with Java, although I know it's now available for .NET.

A feature of Hibernate (aside from some efficient connection pooling and resource management like caching) is that you have to actually call a delete method to delete a row. Something like HibernateSession.delete(myObject); would have to be done. And while this might sound annoying or ruin some tools that are used to generate SQL statements, it protects me time and time again. Now, you can use HQL which is a bastardized version of SQL to generate similar things but, again, I think that you can't drop/delete in it (could be wrong, rarely use it).

Try passing part of an SQL string into an object property and then merge/save it into the HibernateSession. Doesn't do the SQL injection stuff the bad guys want it to. Of course, I still use regular expression common utilities to validate the input, but assuming you didn't do that ...

So why don't other people use Hibernate? Am I missing something about it that's bad?

Re:Shameless Hibernate Plug

[Cecil (37810)]

I can't speak about Hibernate specifically, but I can tell you what my first concern would be. Database frameworks usually tend to have trouble dealing with complex database designs, and if they can deal with them they are invariably much slower and less efficient than a SQL statement could be.

Some of these complexity and efficiency issues can be resolved by partial denormalization of the database design, but again, that introduces inefficiency.

Basically, the use of a high-level framework like that introduces significantly more difficulty into the already difficult problem of performance optimization. And for most people, performance is a more immediate and obvious problem that needs solving as opposed to security.

Another problem in my opinion is that there approximately a million and one different database abstraction layers like Hibernate out there. The lack of standardization makes it very difficult for any of them to gain any sort of critical mass of developers and documentation the way SQL has.

Re:

[njcoder (657816)]

I agree. Databases are complex for a reason. These tools seem to try and hide this complexity through abstraction. In doing so you lose access to some of the great features of the underlying database, which may be fine if you're using some crippled version of a database, but with more advanced databases you're locking yourself out of some great db features.

Re:Shameless ORM Bashing

[Foofoobar (318279)]

Yeah and ORM loads more data than you will need or use in comparison to a properly formed query moved to a separate db layer which has all the benefits of ORM with none of the bloat.

Re:

[Tim C (15259)]

Never mind Hibernate (which is great, but like all tools & frameworks only good as far as it goes and hardly faultless), just use PreparedStatemtents and the setXXX() methods and never worry about SQL injection again. This has been available since JDK1.2 ferchrisakes.

Seriously, the fact that in 2008 any site created by a "professional" web developer is vulnerable to SQL injection is little short of sickening.

Re:

[Blakey Rat (99501)]

The kind of people who write code susceptible to SQL Injection attacks don't read Slashdot, buddy. They don't go to programming classes, they don't read literature, they just do the absolute bare minimum to get by with their VB6 knowledge in the modern world.

Sorry, but that's the reality; anybody on Slashdot already knows what you're saying, and the type of people who code these bugs don't read Slashdot.

Re:

[Cyberax (705495)]

I'm sorry. But what is 'relation model' you're speaking about?

ORM is just another way to work with database. It doesn't magically transform relative database into object database.

Dupe Dance

[jd (1658)]

Yay! We get a re-run of one of the more non-story events of recent times. The problem was spotted very quickly by IIS admins, as was noted before, and it's half a millon pages, not half a million sites. Well, unless all sites have one page and I've only been thinking they used hypertext links to more of their own content. It's unclear what percent of those sites were IIS, what were Apache (an easy server to misconfigure), and what were other web servers. Blaming it on IIS is easy, and there probably is some truth to the allegation that IIS has flaws when it comes to SQL support, but this time they almost (I said almost) have justification in crying foul when Microsoft gets blamed.

What I don't get, though, is not only does this dupe the earlier story, it dupes ALL OF THE ERRORS as well. Sheesh!

Had a problem once..

[thewils (463314)]

...with a user wanting to inject images from other websites into my pages.
I solved it quite nicely by translating any opening bracket to "ampersand-gt-;" (you know what I mean) and any urls were totally ignored after that.

It's a well known bug in IIS.

[dameron (307970)]

A buffer overflow in the dupcheck module leads to privilege elevation.

You can spot if pretty easily if you reload a backup from 4/25 and your web page keeps spamming out the same offensive links.

How does Apache avoid this?

[hellfire (86129)]

I'm not knowledgeable to answer this, but I know there has to be a good "in your face, Microsoft" reason why this doesn't hit servers like Apache? They point the finger at the websites and say "UR DOIN IT RONG!" and blame them. And yet, apache users don't have to worry about this. Why? That's the argument I want to have.

Re:

[graveyhead (210996)]

No such "in your face" reason exists. It's not Apache that matters here (or IIS I'm guessing), it's the database and interacting with it via some server side language.

So when someone appends a string to a query directly from a CGI variable (in an URL, after a questionmark - those are CGI vars ... blah.cgi?bar=baz) this can be used as an attack vector regardless of the platform. This error is super easy to make in PHP for example:

mysql_query('SELECT * FROM mytable WHERE foo = " . $_REQUEST['foo']);

What's hap

Re:

[Sancho (17056)]

That's close.

http://hackademix.net/2008/04/26/mass-attack-faq/#comment-7742 [hackademix.net] has a decent explanation of why this is primarily hitting IIS. SQL injection is common to many platforms, but Microsoft's database driver has some features that made it particularly easy to generalize the exploit. Specifically, prior knowledge of the table layout was apparently unnecessary to create the exploit, meaning that it was easy to hit a large number of websites in a short period of time.

Re:

[mingot (665080)]

Not really because apache is just as susceptible to this as any other web server.

Re:

[jd (1658)]

People have done SQL Injection attacks on Apache servers and probably most other servers. It seems as though this flaw is made easier on a misconfigured server, but you can misconfigure any software that uses a configuration file. It's easiest when the configuration isn't validated correctly, or when it's impossible to determine all invalid cases, or when a case may be invalid only under certan circumstances. All of these are bound to crop up on something like Apache.

Besides, there must be bugs elsewhere,

Re:

[Foofoobar (318279)]

Simple answer. mysql_real_escape_string [shiflett.org]. Instead of sanitizing data through the language which will miss byte encoded strings, alot of applications have switched to using MySQLs native mysql_real_escape_string which will catch these. Java sanitizes byte code strings as well I believe.

So it may be partially C# or just that Microsoft web devs are inherently 'dumber'.

Re:

[Joe U (443617)]

Because the automated injection script was written for asp/asp.net and Apache rarely uses asp or asp.net.

Please scan your news sites for past and future php scripts if it makes you feel any better.

Coldfusion Anyone?

[oni (41625)]

Has anyone ever heard of a SQL injection vulnerability in a Coldfusion app? I know some smartass is going to say, "that's because nobody uses it" but that's not true. If there are a million ASP apps out there and 500,000 SQL injection vulnerabilities, then there have to be at least 100,000 coldfusion sites. Show me the 50,000 coldfusion SQL injections. Or show me 10,000, or 5,000 or even just 1.

I have some experience with coldfusion and it is my opinion that a SQL injection vulnerability is pretty diffi

Re:

[S'harien (779928)]

ColdFusion is most certainly vulnerable to SQL injection if you are not religiously using the CFQUERYPARAM tag inside your queries. Of course the database being queried needs to support multiple SQL statements in a single query (MySQL does, Access does not, can't speak for any others). http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html [adobe.com]

Re:

[CodeBuster (516420)]

I have some experience with coldfusion

coldfusion is dead or dying. You are the first person that I have heard mention it in years. If people are going to choose a proprietary solution for their web application server needs then they generally choose IIS with ASP.NET; otherwise the choice is probably PHP on Apache or Ruby on Rails.

So maybe everyone should switch to a safer language, eh?

The problem here is not the language it is the use of that language in ways that are specifically warned against as being dangerous. The power to create complex applications brings with it the possibility of self-des

Re:

[kiddygrinder (605598)]

nice idea, but i think the problem is more people doing things on the cheap instead of getting a real web dev so i don't think telling people to spend a large chunk of cash on coldfusion is going to fix it.

Quicky Question

[udippel (562132)]

From what I understand from just flippering through the summary,
The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC
the infection requires that a local user on that database box browses the net, and hits a malicious site?

I really wonder, if users on database-running PC are supposed to browse the net, for pr0n, or what?

Am I correct that my fictitious boxen are free from danger, if I have n

Re:

[cervo (626632)]

I think you misunderstand the article. The attack injects javascript code into the text fields of the database. The attack is done by someone exploiting SQL injection on the website. Nothing to do with a web surfing account on the database computer. The attack inserts Javascript into every text field. If it was a message forum, this might be the from fields of an e-mail, the message text of posts, the subject fields of posts, etc.... Regular users using the forum are suddenly exposed to the javascript.

little-bobby-tables-strikes-again dept

[cyberstealth1024 (860459)]

from the little-bobby-tables-strikes-again dept.

Awesome xkcd reference! http://xkcd.com/327/ [xkcd.com]

This is NOT an IIS problem

[ShaunC (203807)]

The exploit in question has nothing to do with IIS, period, whatsoever. It's being targeted at servers that run IIS because those are the ones most likely to have SQL Server as their database back-end. Plenty of companies have deployed a Linux/Apache/PHP stack that talks to a SQL Server backend via FreeTDS [freetds.org], for example, and some of them will be getting hit by this, despite not running a single instance of IIS.

The query being used is exploiting features in Microsoft SQL Server, combined with a couple of external factors. Developers who have failed to check and sanitize user input, and DBAs who have not properly secured their databases. In order for your website to be owned through this attack:

1. You must be running Microsoft SQL Server as your database platform
2. Your web application must be vulnerable to SQL injection
3. The SQL Server user that your web application authenticates as must have SELECT and UPDATE access to the sysobjects table

Notice that nowhere in that list is IIS mentioned. In addition, plenty of shops meet the first criterion above, without meeting either of the other two. Unfortunately it's all too common that web applications are configured to use the "sa" account, or some functionally-equivalent clone thereof.

If your web application can query dbo.sysobjects and get anything other than "Server: Msg 229, Level 14, State 5, Line 1" in response, it's time to hire an additional DBA. If your web application allows random queries to be passed into SQL Server in the first place, it's time to hire an additional developer. In either case, make "security" a bullet-point on the job posting.

This is typical for a dupe

[panaceaa (205396)]

Actually, most dupes on Slashdot are a couple days apart like this one. After that they fail to be news and tend not to get reposted.

The extreme cases are actually measured in the years or hours. There's multiple cases of an article being duped 2-3 years later, especially when they're industry studies on how people use technology or occasionally about scientific discoveries. For the latter, it's often that a university announces they've done something and then publishes the results, which results in two

Re:

[ForumTroll (900233)]

Bad programmers write bad code despite the language. I don't want to use a language that places a ridiculous number of restrictions on me merely because someone somewhere might find a way to fuck up. Furthermore, validating input is a library problem not a language problem, and practically every language has libraries for escaping input. Nobody is to blame but the developers of the project being exploited.