Got database access? Own the network!

Got database access? Own the network! Bernardo Damele Assumpção Guimarães

Who I am Bernardo Damele Assumpção Guimarães Penetration tester @ Portcullis Computer Security Proud father, avid spear-fisher, bad photographer Open source enthusiast sqlmap lead developer – http://sqlmap.sf.net keimpx developer – http://code.google.com/p/keimpx Database takeover UDF repository AthCon 2010, Athens (Greece) June 3, 2010 2

Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! AthCon 2010, Athens (Greece) June 3, 2010 3

Scenario You have got access to a DBMS Direct connection – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the network? AthCon 2010, Athens (Greece) June 3, 2010 4

Command execution – State of art Microsoft SQL Server OPENROWSET can be abused to escalate privileges to DBA Token kidnapping to escalate privileges to SYSTEM Built-in xp_cmdshell to execute commands Oracle If you find an injection in a function owned by SYS and with authid definer, you can run PL/SQL statements as SYS Many ways to execute commands – DBMS_EXPORT_EXTENSION package, abuse Java functions, etc. AthCon 2010, Athens (Greece) June 3, 2010 5

Command execution – State of art MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages AthCon 2010, Athens (Greece) June 3, 2010 6

Code snippet of sys_eval() UDF sys_eval() executes a command and returns its stdout AthCon 2010, Athens (Greece) June 3, 2010 7

More than command execution Owning the database server is not only about OS command execution Out-of-band connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel TCP: Shell, Meterpreter, VNC – http://metasploit.com UDP: DNS tunnel – http://heyoka.sourceforge.net AthCon 2010, Athens (Greece) June 3, 2010 8

Stealth out-of-band connection On the attacker host Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database server Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter Anti-forensics technique – hard to track in a post- exploitation forensics investigation AthCon 2010, Athens (Greece) June 3, 2010 9

User-defined function sys_bineval() Works in DEP/NX-enabled systems Supports alphanumeric-encoded payloads Protects the DBMS if the payload crashes Shellcode is executed in a SEH frame Does not always fork a new process Spawns a new thread AthCon 2010, Athens (Greece) June 3, 2010 10

sys_bineval() vs DEP/NX Memory area for shellcode is allocated +rwx On Windows: VirtualAlloc() code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); On Unix: mmap() code = mmap(0, page_size, PROT_READ| PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0); AthCon 2010, Athens (Greece) June 3, 2010 11

sys_bineval() and alphanum payloads Supports alphanumeric-encoded payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() AthCon 2010, Athens (Greece) June 3, 2010 12

sys_bineval() and alphanum payloads Solution: Use the BufferRegister option when encoding the shellcode ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register before executing it __asm { MOV EAX, [lpPayload] CALL EAX } AthCon 2010, Athens (Greece) June 3, 2010 13

sys_bineval() avoids DBMS crashes Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } AthCon 2010, Athens (Greece) June 3, 2010 14

Code snippet of sys_bineval() UDF sys_bineval() executes an alphanumeric-encoded payload in-memory AthCon 2010, Athens (Greece) June 3, 2010 15

Am I really unprivileged? Your code, like any other within the DBMS process, runs with the privileges of the OS user running the DBMS Microsoft SQL Server can run as SYSTEM – Uncommon PostgreSQL and MySQL usually run as a unprivileged user MySQL on Windows runs as SYSTEM Regardless of the OS user running the DBMS, the attacker can escalate privileges AthCon 2010, Athens (Greece) June 3, 2010 16

I have got the power or… ways to get it! Some ways to escalate privileges Meterpreter has some built-in commands (getsystem) and scripts Including kitrap0d – Kernel flaw unpatched for ~17 years Abuse weak permissions on files, services, named pipes, LSASS design, etc. Memory corruption bugs “All Users” startup file trick Got luck? whoami is your friend! AthCon 2010, Athens (Greece) June 3, 2010 17

Want to execute fancier code on DBMS? sqlmap has a switch to inject your user-defined functions Write your own C/ASM code with the DBMS development libraries Compile as a shared object Fire up sqlmap with --udf-inject switch The tool will inject the UDFs you want and execute them onto the database server at your request AthCon 2010, Athens (Greece) June 3, 2010 18

Direct connection to the database From July 2006 to March 2010 sqlmap has been “yet another” SQL injection tool With some kick-ass features like BOF exploit via SQL injection, sys_bineval(), file system access, etc. All in all.. One-shot favorite script-kiddies tool™ Now, it is the only free tool able to takeover database servers via either web applications or direct connection AthCon 2010, Athens (Greece) June 3, 2010 19

But… Wasn’t it meant to deal with data? When you get access to a DBMS, you have good chances to own the operating system Once you have access to the system you can escalate privileges – kernel flaws, weak permissions, etc. When you are a high-privileged OS user you can dump users’ password hashes and spray them across the network perimeter to easily own other machines – http://code.google.com/p/keimpx or SSHatter You can also pivot traffic through the compromised database server to the Corporate network or DMZ AthCon 2010, Athens (Greece) June 3, 2010 20

Questions? bernardo.damele@gmail.com http://bernardodamele.blogspot.com http://sqlmap.sourceforge.net Thanks for your attention! AthCon 2010, Athens (Greece) June 3, 2010 21

http://bernardodamele.blogspot.com	2969
http://www.bernardodamele.blogspot.com	159
http://feeds2.feedburner.com	92
http://translate.googleusercontent.com	12
http://bernardodamele.blogspot.co.uk	6
http://bernardodamele.blogspot.in	6
http://bernardodamele.blogspot.com.au	6
http://feeds.feedburner.com	5
http://bernardodamele.blogspot.de	4
http://bernardodamele.blogspot.fr	4
http://bernardodamele.blogspot.ca	3
http://bernardodamele.blogspot.it	3
http://bernardodamele.blogspot.com.es	3
http://www.follow2.com	2
http://webcache.googleusercontent.com	2
http://bernardodamele.blogspot.mx	1
http://static.slidesharecdn.com	1
http://bernardodamele.blogspot.se	1
http://blog.0x3f.net	1
http://bernardodamele.blogspot.pt	1
http://bernardodamele.blogsopt.com	1

Got database access? Own the network!

by Bernardo Damele A. G. on Jun 28, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

21 Embeds 3,282

Statistics

Got database access? Own the network! — Presentation Transcript