Friday, December 25, 2009
Trojanning Sybase
Trojanning Sybase
The options for inserting backdoors into a database
system of Sybase's complexity are numerous. Following are a few ideas;
there are plenty of variations on these themes.
Grant a User sa or sso_role
If you grant users sa_role, they can effectively do everything.
You can see what roles are available to users by executing the following query:
select l.name Login, sr.name ServerRole from master..syslogins l
join master..sysloginroles lr on l.suid = lr.suid
join master..syssrvroles sr on sr.srid=lr.srid
Allow Direct Updates to System Tables, Grant Access to Selected System Tables
By default, users (even sa) are not permitted to
directly modify system tables (such as syslogins), even if they would
otherwise be able to. Many possibilities for subtle backdoors are
opened up if you enable updates to system tables.
The statement to allow updates is
sp_configure 'allow updates to system tables', 1
This is a dynamic configuration setting and thus takes effect immediately; there is no need to restart the server.
The following query displays all explicit permissions (including upon col-umns) in the current database:
select u.name "user", u2.name grantor, o.name object, c.name column, v.name, p.protecttype
from sysprotects p
join sysusers u on p.uid = u.uid
join sysobjects o on p.id = o.id
join sysusers u2 on p.grantor = u2.uid
join master..spt_values v on p.action=v.number and v.type='T'
join syscolumns c on o.id = c.id
where (power(2, c.colid) & convert(int, p.columns)) > 0
and p.columns != 0 and p.columns != 1 and p.columns is not null
union
select u.name "user", u2.name grantor, o.name object, '*' column, v.name, p.protecttype
from sysprotects p
join sysusers u on p.uid = u.uid
join sysobjects o on p.id = o.id
join sysusers u2 on p.grantor = u2.uid
join master..spt_values v on p.action=v.number and v.type='T'
where p.columns=0x01
or p.columns=0x00
or p.columns is null
order by o.name
No comments:
Post a Comment