May 29, 2023
The version of an MSSQL database is a valuable piece of information for cyber attackers. With the version details in hand, they can attempt to find and exploit any of the version’s known vulnerabilities. As part of our research at Pentera Labs, we attempted to obtain the version of the widely-used MSSQL (Microsoft SQL Server) database.
In this blog post, we show how we detected the version with the TDS protocol, without having to authenticate. To read a more in-depth explanation of the steps we took, you can read the entire research paper here.
The Tabular Data Stream (TDS) protocol is an application layer protocol for communicating with databases – from authentication all the way to querying. By using TDS, researchers can obtain a database’s version. To do so, they can use the “Pre-Login” sequence, which includes sending data to the server and getting a reply with the version information.
The Pre-Login packet consists of tokens. These tokens provide information about the database. The Version token contains the information we need. Its type is 0x00.
The Version Token’s data is made of 6 bytes:
The first four bytes of the Version Token provide the database version.
Here’s an example of the data sent back from the server. The six bytes with the version information are highlighted:
A simple code is enough to extract the version from these four bytes:
The result we received is the database’s version. In this case: 15.0.2000.0
The ability to detect the database’s version with the TDS protocol relies on the database’s port being open and accessible. Therefore, mitigation involves restricting access to the port. This can be done with firewalls, iptables and host-based firewalls. To learn more about mitigation strategies and for a detailed explanation of how we leveraged the TDS protocol, read the complete paper.
Ivanti Ground Zero On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting its Ivanti Connect Secure and Ivanti Policy Secure products in supported versions (9.x and 22.x). Successful exploitation can result in authentication bypass and command injection, leading to unauthenticated remote code execution and lateral movement inside the victim’s network. Then on […]
WebLogic is a popular enterprise middleware tool that orchestrates the interaction between backend systems and frontend clients. This makes it a valuable tool for attackers, who can exploit it to access and influence a wide range of organizational applications. In this blog post, we explore how to install a persistent backdoor on WebLogic Server. We […]
Today’s security leaders must manage a constantly evolving attack surface and a dynamic threat environment due to interconnected devices, cloud services, IoT technologies, and hybrid work environments. Adversaries are constantly introducing new attack techniques, and not all companies have internal Red Teams or unlimited security resources to stay on top of the latest threats. On […]