Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Got database access? Own the network!


Published on

The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process' privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation.

These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.

Published in: Technology
  • Be the first to comment

Got database access? Own the network!

  1. 1. Got database access? Own the network! Bernardo Damele Assumpção Guimarães
  2. 2. Who I am Bernardo Damele Assumpção Guimarães Penetration tester @ Portcullis Computer Security Proud father, avid spear-fisher, bad photographer Open source enthusiast sqlmap lead developer – keimpx developer – Database takeover UDF repository AthCon 2010, Athens (Greece) June 3, 2010 2
  3. 3. Introduction Database management systems are powerful applications Store and interact with data Interact with the file system and operating system When they can’t by design, you can force them to When they can’t due to limited user’s privileges, you can exploit them! AthCon 2010, Athens (Greece) June 3, 2010 3
  4. 4. Scenario You have got access to a DBMS Direct connection – provided account, weak passwords, brute-forcing credentials SQL injection – web application, stand-alone client, cash machine ☺, … What to do now other than enumerating data? Own the underlying operating system Why not even other servers within the network? AthCon 2010, Athens (Greece) June 3, 2010 4
  5. 5. Command execution – State of art Microsoft SQL Server OPENROWSET can be abused to escalate privileges to DBA Token kidnapping to escalate privileges to SYSTEM Built-in xp_cmdshell to execute commands Oracle If you find an injection in a function owned by SYS and with authid definer, you can run PL/SQL statements as SYS Many ways to execute commands – DBMS_EXPORT_EXTENSION package, abuse Java functions, etc. AthCon 2010, Athens (Greece) June 3, 2010 5
  6. 6. Command execution – State of art MySQL and PostgreSQL support user-defined functions: custom function that can be evaluated in SQL statements UDF can be created from shared libraries that are compiled binary files Dynamic-link library on Windows Shared object on Linux PostgreSQL supports also procedural languages AthCon 2010, Athens (Greece) June 3, 2010 6
  7. 7. Code snippet of sys_eval() UDF sys_eval() executes a command and returns its stdout AthCon 2010, Athens (Greece) June 3, 2010 7
  8. 8. More than command execution Owning the database server is not only about OS command execution Out-of-band connection between the attacker host and the database server Database used as a stepping stone to establish this covert channel TCP: Shell, Meterpreter, VNC – UDP: DNS tunnel – AthCon 2010, Athens (Greece) June 3, 2010 8
  9. 9. Stealth out-of-band connection On the attacker host Forge a shellcode with msfpayload Encode it with msfencode Run msfcli with multi/handler exploit On the database server Create a UDF that executes a payload in-memory Execute the UDF providing the payload as a parameter Anti-forensics technique – hard to track in a post- exploitation forensics investigation AthCon 2010, Athens (Greece) June 3, 2010 9
  10. 10. User-defined function sys_bineval() Works in DEP/NX-enabled systems Supports alphanumeric-encoded payloads Protects the DBMS if the payload crashes Shellcode is executed in a SEH frame Does not always fork a new process Spawns a new thread AthCon 2010, Athens (Greece) June 3, 2010 10
  11. 11. sys_bineval() vs DEP/NX Memory area for shellcode is allocated +rwx On Windows: VirtualAlloc() code = (char *) VirtualAlloc(NULL, 4096, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); On Unix: mmap() code = mmap(0, page_size, PROT_READ| PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, 0, 0); AthCon 2010, Athens (Greece) June 3, 2010 11
  12. 12. sys_bineval() and alphanum payloads Supports alphanumeric-encoded payloads Metasploit’s msfencode has alphanumeric encoders to encode the payload Problem: It is not able to produce pure alphanumeric payloads due to get_pc() AthCon 2010, Athens (Greece) June 3, 2010 12
  13. 13. sys_bineval() and alphanum payloads Solution: Use the BufferRegister option when encoding the shellcode ./msfencode BufferRegister=EAX –e x86/alpha_mixed … Put the payload address in EAX register before executing it __asm { MOV EAX, [lpPayload] CALL EAX } AthCon 2010, Athens (Greece) June 3, 2010 13
  14. 14. sys_bineval() avoids DBMS crashes Spawn a new thread WaitForSingleObject(CreateThread(NULL, 0, ExecPayload, CodePointer, 0, &pID), INFINITE); Wrap the payload in a SEH frame __try { __asm { MOV EAX, [lpPayload] CALL EAX } } AthCon 2010, Athens (Greece) June 3, 2010 14
  15. 15. Code snippet of sys_bineval() UDF sys_bineval() executes an alphanumeric-encoded payload in-memory AthCon 2010, Athens (Greece) June 3, 2010 15
  16. 16. Am I really unprivileged? Your code, like any other within the DBMS process, runs with the privileges of the OS user running the DBMS Microsoft SQL Server can run as SYSTEM – Uncommon PostgreSQL and MySQL usually run as a unprivileged user MySQL on Windows runs as SYSTEM Regardless of the OS user running the DBMS, the attacker can escalate privileges AthCon 2010, Athens (Greece) June 3, 2010 16
  17. 17. I have got the power or… ways to get it! Some ways to escalate privileges Meterpreter has some built-in commands (getsystem) and scripts Including kitrap0d – Kernel flaw unpatched for ~17 years Abuse weak permissions on files, services, named pipes, LSASS design, etc. Memory corruption bugs “All Users” startup file trick Got luck? whoami is your friend! AthCon 2010, Athens (Greece) June 3, 2010 17
  18. 18. Want to execute fancier code on DBMS? sqlmap has a switch to inject your user-defined functions Write your own C/ASM code with the DBMS development libraries Compile as a shared object Fire up sqlmap with --udf-inject switch The tool will inject the UDFs you want and execute them onto the database server at your request AthCon 2010, Athens (Greece) June 3, 2010 18
  19. 19. Direct connection to the database From July 2006 to March 2010 sqlmap has been “yet another” SQL injection tool With some kick-ass features like BOF exploit via SQL injection, sys_bineval(), file system access, etc. All in all.. One-shot favorite script-kiddies tool™ Now, it is the only free tool able to takeover database servers via either web applications or direct connection AthCon 2010, Athens (Greece) June 3, 2010 19
  20. 20. But… Wasn’t it meant to deal with data? When you get access to a DBMS, you have good chances to own the operating system Once you have access to the system you can escalate privileges – kernel flaws, weak permissions, etc. When you are a high-privileged OS user you can dump users’ password hashes and spray them across the network perimeter to easily own other machines – or SSHatter You can also pivot traffic through the compromised database server to the Corporate network or DMZ AthCon 2010, Athens (Greece) June 3, 2010 20
  21. 21. Questions? Thanks for your attention! AthCon 2010, Athens (Greece) June 3, 2010 21