Rules for MSSQL and shellcodes

Discussion in 'LnS English Forum' started by jgama, May 4, 2004.

Thread Status:
Not open for further replies.
  1. jgama

    jgama Registered Member

    Joined:
    May 4, 2004
    Posts:
    34
    Hello,

    I noticed that MSSQL listens on port 1434 even when TCP/IP is not enabled. I made a rule to block external access to ports 1434 and 1433. I also made a rule to block shellcodes by blocking access to cmd.exe. However, I am not sure if those rules are correct (probably not!), so I would appreciate some help. Thank you!

    Peace,
    Joseph
     


  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi jgama,

    What you are trying to achieve isn't possible, for several reasons:

    - cmd.exe must be an internet-capable executable for the rule to apply, and if it were, your rule would block _everything_ when it is loaded. Actually, since cmd.exe is not network capable, the rule would never be triggered.
    EDIT: as a workaround you can force cmd.exe to be added to the application filtering anyway, but it is useless, as the following details explain.

    - Then, "shellcodes" are something more general and don't rely in particular on cmd.exe. A shellcode is a piece of executable code injected into a running process via a buffer overflow. In this way, the shellcode is injected into running processes such as your MS SQL server, RPC Locator, etc.
    Those shellcodes then may or may not use cmd.exe to accomplish different purposes, but it's already too late.


    If you want to be protected from Windows vulnerabilities, first disable unneeded services, then close as many ports as possible with Look'n'Stop, and if you are running servers and must leave several ports open, don't forget to apply Windows Update patches (do it even if you are not running a server, in fact).

    Hope this helps :)

    regards,

    gkweb.
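    The following is an added example and not part of either poster's message or of Look 'n' Stop itself. It puts gkweb's advice ("close as many ports as possible", "disable unneeded services") into a check a practitioner can run on a modern Windows host (Windows 8 / Server 2012 or later is assumed, for the NetTCPIP and NetSecurity modules): it reports which process owns the MSSQL listeners on TCP 1433 and UDP 1434 and whether they are bound to all interfaces, shows the state of the SQL Browser service (the service name `SQLBrowser` is an assumption that applies to SQL Server 2005 and later, not to the 2000-era instance in the thread), and offers a port-based inbound block rule through the built-in Windows Firewall as an alternative to an LnS rule. The firewall function requires an elevated shell; the usage lines at the bottom only audit and preview.

```powershell
# Added example (not from the thread): audit the MSSQL listeners and, optionally,
# block inbound access to them from outside the local subnet with Windows Firewall.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection, Get-NetUDPEndpoint,
# New-NetFirewallRule). The 'SQLBrowser' service name is an assumption for SQL 2005+.

function Get-SqlListeners {
    # TCP 1433: default instance port. UDP 1434: SQL Server Resolution / Browser
    # service, the listener jgama noticed even with the TCP/IP protocol disabled.
    # A LocalAddress of 0.0.0.0 or :: means the socket accepts traffic on every
    # interface, i.e. it is exposed to whatever the firewall lets through.
    $wildcards = @('0.0.0.0', '::')

    $tcp = Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Protocol     = 'TCP'
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                AllInterfaces = $wildcards -contains $_.LocalAddress
            }
        }

    $udp = Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Protocol     = 'UDP'
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                AllInterfaces = $wildcards -contains $_.LocalAddress
            }
        }

    @($tcp) + @($udp)
}

function Get-SqlBrowserState {
    # gkweb's first step is disabling unneeded services. If no remote client needs
    # instance discovery, the Browser service (UDP 1434) can be stopped and disabled:
    #   Stop-Service SQLBrowser; Set-Service SQLBrowser -StartupType Disabled
    $svc = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue   # assumed name
    if (-not $svc) { return 'SQLBrowser service not installed on this host.' }
    [pscustomobject]@{ Service = $svc.Name; Status = $svc.Status; StartType = $svc.StartType }
}

function Block-SqlPortsFromInternet {
    # Port-based inbound block rules. Scoping -RemoteAddress to 'Internet' keeps
    # LAN clients (and the host itself) able to reach the instance; use 'Any' if
    # nothing remote should connect. Supports -WhatIf so the rules can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    New-NetFirewallRule -DisplayName 'Block MSSQL TCP 1433 from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 1433 `
        -RemoteAddress Internet -Action Block -Profile Any

    New-NetFirewallRule -DisplayName 'Block MSSQL UDP 1434 from Internet' `
        -Direction Inbound -Protocol UDP -LocalPort 1434 `
        -RemoteAddress Internet -Action Block -Profile Any
}

# Usage: audit first, then preview the rules; drop -WhatIf to create them (elevated).
$listeners = Get-SqlListeners
if (-not $listeners) {
    'Nothing is listening on TCP 1433 or UDP 1434.'
} else {
    $listeners | Format-Table -AutoSize
}
Get-SqlBrowserState
Block-SqlPortsFromInternet -WhatIf
```

    Note that this is a port-based rule, which is the kind gkweb recommends: it limits who can reach the vulnerable listener at all, rather than trying to catch cmd.exe after a shellcode is already running inside the SQL Server process. An `AllInterfaces` value of `True` on a listener that only local applications use is the cue to either bind the instance to the loopback address or add a rule like the one above.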
     
  3. jgama

    jgama Registered Member

    Joined:
    May 4, 2004
    Posts:
    34
    Thank you gkweb! :)
     