
Sargon Speaks

The greatest ruler who ever lived, writing exclusively for Radsoft. Write to Sargon at sargon@radsoft.net.

Wednesday 29 January 2003 - SQL-Slammer II

Late break: David Litchfield of NGSSoftware claims the worm uses code he originally wrote. Following is the Bugtraq post, typos and other errors left intact.

Re: David Litchfield talks about the SQL Worm in the Washington Post
Date: Wed, 29 Jan 2003 17:57:26 -0000
From: 'David Litchfield' <david@ngssoftware.com>
To: <bugtraq@securityfocus.com>

> Perhaps David can put together a longer message for Bugtraq and
> Full-Disclosure on his changing views of publishing proof-of-concept
> code for security vulnerabilities.

On analysis of the code of the Slammer worm it is apparent that my code was used as its template.

It uses the same addresses as my code in terms of the import address entries for GetProcAddress() and LoadLibraryA() in sqlsort.dll, it uses the same address in the .data section of sqlsort.dll and uses the same address with which to overwrite the saved return address on the stack. Further the worm code uses the same short jump and has 8 NOPs in the same place as my code. That's where the similarity ends, though. My code spawns a remote shell - the worm contains none of this.

It also becomes apparent that whoever authored the worm knew how to write buffer overflow exploits and would have been capable of doing this without using my shellcode as a template. Having access to my code probably saved them around 20 or so minutes - but they still would have been able to do it without mine.

[Some have suggested that the worm used (a person known as) lion's code as a template - in fact lion's code is an exact cut and paste of my code - so any suggestions that lion or the Chinese group he belongs to are responsible are probably erroneous. Also the suggestion that because there were 8 NOPs in the worm code this 'proved' it was a hacker known as nop (of the same Chiense group) and this was his/her signature is also very wide of the mark - the presence of the NOPs is simply as a result of my code.]

Some will ask why did I ever release sample exploit code.

The main reason is an educational one. I presented a paper and talk on this particular problem at the Blackhat Security Briefings (www.blackhat.com) in August of 2002. People who attend such conferences go with the expectation that they will get 'up to the minute' and pertinent lectures. I feel that, as one of the regular speakers at Blackhat, I should deliver the best speech I can with as much information, to ensure that both the attendees and the organizers get what they want. As part of my talk I published my shellcode that demonstrated that this was a critical issue and should be patched at all costs.

Now with that said, and in the light that someone has taken my code and put portions of it to nefarious purposes, I have to question the benefit of publishing sample code. How much 'good' was acheived by publishing the code and how much 'bad' came out of it. Normally the good, by far, outweighs the bad - but there are infrequent cases like we have all just experienced, where perhaps the bad outweighs the good. Looking for the silver lining in the dark cloud of slammer, though, we know now that there are considerably more patched SQL Servers than there were before the weekend - and this is a good thing.

[It would be good to see how many people patched this problem before and the reason they did so - to see the break down of those who patched just because there was one, those who patched because it was annouced as critical and those who patched because of my paper. And those that did not patch - did they know a patch needed to be applied, did they hear about the patch and not understand the gravity of the problem. If were ever to solve the 'patching' problem we really need data on this stuff.]

But then what about the future? We often forget that our actions online can have very real consequences in real life - the next big worm could take out enough critical machines that people are killed. A massive failure of the emergency services computers such as 911/999 could result in someone's death - and I don't want to feel that I've contributed to that.

With this in mind I am questioning the benefits of publishing proof of concept code. I am due to present a paper on the remotely exploitable buffer overrun in the Microsoft Locator service at Blackhat this February but should I then also publish the code used to demonstrate the problem? Should I even be discussing the problem in a public arena?

Some will argue that full disclosure is a good thing. Others will abhor it. There is no one correct answer - it must be a personal decision and for the moment I am undecided.

David Litchfield
NGSSoftware Ltd

Copyright © Radsoft. All rights reserved.