Rooted 2011 nosql security

3,145 views

Published on

NoSQL Security presented on Rooted 2011

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,145
On SlideShare
0
From Embeds
0
Number of Embeds
491
Actions
Shares
0
Downloads
61
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Rooted 2011 nosql security

  1. 1. NoSQL Security José Ramón Palancomiércoles 16 de marzo de 2011
  2. 2. Agenda ✦ NoSQL Introduction ✦ NoSQL vs RDBMS ✦ NoSQL Arquitecture ✦ NoSQL Implementations ✦ Attack vectors ✦ Injections ✦ Key Bruteforce ✦ HTTP Protocol Based Attacks in listeners ✦ Cassandra security y Thrift security ✦ Denial of Service (connection pollution, evil queries)miércoles 16 de marzo de 2011
  3. 3. NOSQL Introductionmiércoles 16 de marzo de 2011
  4. 4. ¿What is NoSQL? ✦ In general, don’t need table scheme and don’t uses “join” ✦ NoSQL solutions don’t imeplement one or more ACID propertiesmiércoles 16 de marzo de 2011
  5. 5. CAP Theorem ✦ Properties: consistency, availability and partitions ✦ At least need 2 of them ✦ To scale partition is needed ✦ In general is preferer availability over consistencymiércoles 16 de marzo de 2011
  6. 6. NoSQL Arquitecture RDBMS NoSQL Client Client HTTP Server HTTP Server SQL REST, JSON, XML, ... Connector BBDD Connector BBDD ODBC, ADO, JDBC Binary, HTTP, ...miércoles 16 de marzo de 2011
  7. 7. NoSQL vs RDBMS ✦ RDBMS show poor performance and scalability in application which make a heavy use of data ✦ Cloud Computing (SaaS) ✦ Social Networks (SN) ✦ To make complex queries is not possible perform them with something diferent than RDBMSmiércoles 16 de marzo de 2011
  8. 8. Enviroments ✦ In lot of enviroments is need to distribute writes in clusters, MapReduce, .. ✦ Facebook needs store 135 billions of messages each month ✦ Twitter stores 7 TB diarymiércoles 16 de marzo de 2011
  9. 9. Disadvantages NoSQL ✦ OLTP ✦ SQL ✦ Ad-Hoc queries ✦ Complex relationsmiércoles 16 de marzo de 2011
  10. 10. NoSQL Arquitectures ✦ Document store ✦ Graph ✦ Key-value store ✦ Multivalue ✦ Objets ✦ Tabularmiércoles 16 de marzo de 2011
  11. 11. Key-value store ✦ CouchDB: ✦ MongoDB ✦ Terrastore ✦ ThruDB ✦ OrientDB ✦ RavenDBmiércoles 16 de marzo de 2011
  12. 12. Graph ✦ Neo4J ✦ Sones ✦ InfoGrid ✦ HypergraphDB ✦ AllegroGraph ✦ BigDatamiércoles 16 de marzo de 2011
  13. 13. Key-value ✦ Redis ✦ Riak ✦ Tokio Cabinet ✦ MemcacheDB ✦ Membase ✦ Azuremiércoles 16 de marzo de 2011
  14. 14. Multivalue ✦ U2 ✦ OpenInsight ✦ OpenQMmiércoles 16 de marzo de 2011
  15. 15. Objets ✦ db4o ✦ Objetivity ✦ Versant ✦ NEOmiércoles 16 de marzo de 2011
  16. 16. MongoDB ✦ Protocol: Binary (BSON) ✦ API: several languages ✦ Query: JavaScript/JSON ✦ Language: C++miércoles 16 de marzo de 2011
  17. 17. • Schema-Free (JSON) Features CouchDB • Document Oriented, Not Relational • Highly Concurrent ✦ Protocol: REST • RESTful HTTP API ✦ API: JSON • JavaScript-Powered ✦ Map/Reduce Query: MapReduce (JS) ✦ • Language: Erlang N-Master Replication • Robust Storagemiércoles 16 de marzo de 2011
  18. 18. {"couchdb":"Welcome","version":"0.11.0"} $ telnet 172.16.163.129 5984 Trying 172.16.163.129... Connected to 172.16.163.129. Escape character is ^]. GET /rooted/ HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: CouchDB/0.11.0 (Erlang OTP/R14B) Date: Sat, 19 Feb 2011 05:20:28 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 188 Cache-Control: must-revalidate {"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq": 0,"compact_running":false,"disk_size": 4182,"instance_start_time":"1298092462502662","disk_format_version":5}miércoles 16 de marzo de 2011
  19. 19. {"couchdb":"Welcome","version":"0.11.0"} $ telnet 172.16.163.129 5984 Trying 172.16.163.129... Connected to 172.16.163.129. Escape character is ^]. GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: CouchDB/0.11.0 (Erlang OTP/R14B) Etag: "1-2512702fff02fe841adecde4a22c62b5" Date: Sat, 19 Feb 2011 05:20:47 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 155 Cache-Control: must-revalidate {"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a2 2c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999} Connection closed by foreign host.miércoles 16 de marzo de 2011
  20. 20. Redis ✦ Protocol: Plain Telnet ✦ API: Several Languages ✦ Query: Commands ✦ Language: C/C++miércoles 16 de marzo de 2011
  21. 21. Cassandra ✦ Protocol: Binary (Thrift) ✦ API: Thrift ✦ Query: Column/ranges ✦ Languages: Javamiércoles 16 de marzo de 2011
  22. 22. Cassandra ✦ Column (tuple/triplet) ✦ Supercolumn (composed by columns) ✦ Column Family (contains supercolumns) ✦ Keyspace (stores column families)miércoles 16 de marzo de 2011
  23. 23. Cassandra <Keyspace Name="BloggyAppy"> <!-- CF definitions --> <ColumnFamily CompareWith="BytesType" Name="Authors"/> <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/> <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/> <ColumnFamily CompareWith="TimeUUIDType" Name="Comments" CompareSubcolumnsWith="BytesType" ColumnType="Super"/> </Keyspace> storage-conf.xmlmiércoles 16 de marzo de 2011
  24. 24. Attack vectorsmiércoles 16 de marzo de 2011
  25. 25. Introduction ✦ Several database concepts ✦ Several implementations ✦ So attack vectors are very specifics and depends on each implementationmiércoles 16 de marzo de 2011
  26. 26. HTTP Based Attacks ✦ ¿Who uses HTTP? ✦ CouchDB ✦ HBASE ✦ Riak ✦ ¿How to locate vulnerabilities? ✦ fuzzing: hzzpmiércoles 16 de marzo de 2011
  27. 27. Listeners explotation ✦ As they work on $ telnet server.com 80 HTTP, it’s Trying X.X.X.X... possible use cache Connected to server.com. proxies Escape character is ^] misconfigured to GET /_all_dbs get access Host: 192.168.2.18miércoles 16 de marzo de 2011
  28. 28. JSON Injection In the same way that the SQL is escaped, when working with CouchDB or MongoDB, we should do the same db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } ) db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )miércoles 16 de marzo de 2011
  29. 29. Array Injection <? $collection->find(array( MongoDB + PHP "username" => $_GET [username], "passwd" => $_GET ✦ In PHP it is possible that a variable is an array [passwd] by adding brackets )); ?> ✦ If admin passwd ‘Not Equal’ anything, you can access /login.php?username=admin&passwd[$ne]=1 ✦ Besides that of $ne, we can inject: <? ✦ $or, $exists, $nin, $in, $lt, ... (logics) $collection->find(array( "username" => "admin", "passwd" => array("$ne" => 1) ✦ &var[‘$regex’]=/privileged/i (regex) )); ?>miércoles 16 de marzo de 2011
  30. 30. View Injection ✦ CouchDB uses SpiderMonkey as scripting engine ✦ The views are loaded as js $ ldd /usr/lib/couchdb/bin/couchjs libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000) libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000) ...miércoles 16 de marzo de 2011
  31. 31. View Injection ✦ There are predefined views and temporary ✦ To make MapReduce ✦ Get arbitrary data, change values to alter the execution flowmiércoles 16 de marzo de 2011
  32. 32. REST INJECTION <? $dbname = $_GET["db"]; $doc_id = $_GET["d_id"]; $resp = $couch->send("GET", "/" . $dbname ."/" . $doc_id); ?> ✦ Cross Database: ✦ /?db=_all_dbs ✦ /?db=myusersmiércoles 16 de marzo de 2011
  33. 33. CouchDB info ✦ http://172.16.163.129:5984/_config ✦ http://172.16.163.129:5984/_all_dbs ✦ http://172.16.163.129:5984/_stats ✦ http://172.16.163.129:5984/_utilsmiércoles 16 de marzo de 2011
  34. 34. CouchDB cmd exec.miércoles 16 de marzo de 2011
  35. 35. GQL Injection ✦ You can reach GQL injection, but in a very controlled environment ✦ There is no negation operator "!" ✦ The set of GQL commands is very limitedmiércoles 16 de marzo de 2011
  36. 36. Key Bruteforce ✦ As there are no schemes, we do not have to find out them ✦ The IDs are large, but not generated at random: e479f720ff9a05fb2f441fef97000c87 e479f720ff9a05fb2f441fef97000b61miércoles 16 de marzo de 2011
  37. 37. Cassandra Security <? ... $columnParent = new cassandra_ColumnParent(); $columnParent->super_column = NULL; if(isset($_GET[‘CF’])) $columnParent->column_family = $_GET[‘CF’].“_myfam”; $sliceRange = new cassandra_SliceRange(); ✦ If we change the $sliceRange->start = ""; $sliceRange->finish = ""; name of a family, we $predicate = new cassandra_SlicePredicate(); list() = $predicate->column_names; can get items from $predicate->slice_range = $sliceRange; $consistency_level = cassandra_ConsistencyLevel::ONE; other family $keyUserId = 1; $result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level); print_r($result); ... ?>miércoles 16 de marzo de 2011
  38. 38. Denial of Service ✦ Connection polution ✦ Couchdb-> implementación interface = restfull ✦ With GQL, it is possible to perform a DoS creating queries which make an intensive use of CPU and will be disconnected or be billed for that extra CPUmiércoles 16 de marzo de 2011
  39. 39. Questionsmiércoles 16 de marzo de 2011
  40. 40. Questionsmiércoles 16 de marzo de 2011

×