Rooted 2011 nosql security

NoSQL Security
José Ramón Palanco

miércoles 16 de marzo de 2011

Agenda
✦ NoSQL Introduction
✦ NoSQL vs RDBMS
✦ NoSQL Arquitecture
✦ NoSQL Implementations
✦ Attack vectors
✦ Injections
✦ Key Bruteforce
✦ HTTP Protocol Based Attacks in listeners
✦ Cassandra security y Thrift security
✦ Denial of Service (connection pollution, evil queries)


NOSQL
Introduction


¿What is NoSQL?

✦ In general, don’t need table
scheme and don’t uses
“join”

✦ NoSQL solutions don’t
imeplement one or more
ACID properties


CAP Theorem
✦ Properties: consistency,
availability and partitions

✦ At least need 2 of them

✦ To scale partition is needed

✦ In general is preferer availability
over consistency


NoSQL Arquitecture
RDBMS NoSQL
Client Client

HTTP Server HTTP Server

SQL REST, JSON, XML, ...

Connector BBDD Connector BBDD

ODBC, ADO, JDBC Binary, HTTP, ...


NoSQL vs RDBMS
✦ RDBMS show poor performance and
scalability in application which make a heavy
use of data
✦ Cloud Computing (SaaS)
✦ Social Networks (SN)
✦ To make complex queries is not possible
perform them with something diferent than
RDBMS


Enviroments

✦ In lot of enviroments is need to distribute
writes in clusters, MapReduce, ..
✦ Facebook needs store 135 billions of
messages each month
✦ Twitter stores 7 TB diary


Disadvantages NoSQL

✦ OLTP
✦ SQL
✦ Ad-Hoc queries
✦ Complex relations


NoSQL Arquitectures
✦ Document store
✦ Graph
✦ Key-value store
✦ Multivalue
✦ Objets
✦ Tabular


Key-value store
✦ CouchDB:

✦ MongoDB

✦ Terrastore

✦ ThruDB

✦ OrientDB

✦ RavenDB


Graph
✦ Neo4J

✦ Sones

✦ InfoGrid

✦ HypergraphDB

✦ AllegroGraph

✦ BigData


Key-value
✦ Redis

✦ Riak

✦ Tokio Cabinet

✦ MemcacheDB

✦ Membase

✦ Azure


Multivalue

✦ U2
✦ OpenInsight
✦ OpenQM


Objets
✦ db4o ✦ Objetivity

✦ Versant ✦ NEO


MongoDB

✦ Protocol: Binary (BSON)

✦ API: several languages

✦ Query: JavaScript/JSON

✦ Language: C++


• Schema-Free (JSON)
Features
CouchDB
• Document Oriented,
Not Relational

• Highly Concurrent
✦ Protocol: REST
• RESTful HTTP API

✦ API: JSON
• JavaScript-Powered

✦ Map/Reduce
Query: MapReduce (JS)

✦ • Language: Erlang
N-Master Replication

• Robust Storage


{"couchdb":"Welcome","version":"0.11.0"}
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/ HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Date: Sat, 19 Feb 2011 05:20:28 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 188
Cache-Control: must-revalidate

{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":
0,"compact_running":false,"disk_size":
4182,"instance_start_time":"1298092462502662","disk_format_version":5}


{"couchdb":"Welcome","version":"0.11.0"}
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Etag: "1-2512702fff02fe841adecde4a22c62b5"
Date: Sat, 19 Feb 2011 05:20:47 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 155
Cache-Control: must-revalidate

{"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a2
2c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999}
Connection closed by foreign host.


Redis

✦ Protocol: Plain Telnet

✦ API: Several Languages

✦ Query: Commands

✦ Language: C/C++


Cassandra

✦ Protocol: Binary (Thrift)

✦ API: Thrift

✦ Query: Column/ranges

✦ Languages: Java


Cassandra

✦ Column (tuple/triplet)
✦ Supercolumn (composed by columns)
✦ Column Family (contains supercolumns)
✦ Keyspace (stores column families)


Cassandra

<Keyspace Name="BloggyAppy">

<ColumnFamily CompareWith="BytesType" Name="Authors"/>
<ColumnFamily CompareWith="BytesType" Name="BlogEntries"/>
<ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/>
<ColumnFamily CompareWith="TimeUUIDType" Name="Comments"
CompareSubcolumnsWith="BytesType" ColumnType="Super"/>
</Keyspace>

storage-conf.xml

Attack vectors


Introduction

✦ Several database concepts

✦ Several implementations

✦ So attack vectors are very
speciﬁcs and depends on
each implementation


HTTP Based Attacks
✦ ¿Who uses HTTP?

✦ CouchDB

✦ HBASE

✦ Riak

✦ ¿How to locate
vulnerabilities?

✦ fuzzing: hzzp


Listeners explotation
✦ As they work on $ telnet server.com 80
HTTP, it’s Trying X.X.X.X...
possible use cache Connected to server.com.
proxies Escape character is '^]'
misconﬁgured to GET /_all_dbs
get access Host: 192.168.2.18


JSON Injection
In the same way that the SQL is
escaped, when working with
CouchDB or MongoDB, we should
do the same

db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )

db.foo.find( { $or : [ { a : 1 } , { b : 2 },
{ c : /.*/ } ] } )


Array Injection
<?
$collection->find(array(
MongoDB + PHP "username" => $_GET
['username'],
"passwd" => $_GET
✦ In PHP it is possible that a variable is an array ['passwd']
by adding brackets ));

?>
✦ If admin passwd ‘Not Equal’ anything, you
can access
/login.php?username=admin&passwd[$ne]=1
✦ Besides that of $ne, we can inject:
<?
✦ $or, $exists, $nin, $in, $lt, ... (logics) $collection->find(array(
"username" => "admin",
"passwd" => array("$ne" => 1)
✦ &var[‘$regex’]=/privileged/i (regex) ));
?>


View Injection
✦ CouchDB uses SpiderMonkey as scripting engine
✦ The views are loaded as js

$ ldd /usr/lib/couchdb/bin/couchjs

libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000)

libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000)
...


View Injection

✦ There are predeﬁned views
and temporary
✦ To make MapReduce
✦ Get arbitrary data,
change values to alter the
execution ﬂow


REST INJECTION
<?
$dbname = $_GET["db"];
$doc_id = $_GET["d_id"];
$resp = $couch->send("GET", "/" . $dbname ."/" . $doc_id);
?>
✦ Cross Database:
✦ /?db=_all_dbs
✦ /?db=myusers


CouchDB info

✦ http://172.16.163.129:5984/_conﬁg
✦ http://172.16.163.129:5984/_all_dbs
✦ http://172.16.163.129:5984/_stats
✦ http://172.16.163.129:5984/_utils


CouchDB cmd exec.


GQL Injection

✦ You can reach GQL injection, but in a very
controlled environment
✦ There is no negation operator "!"
✦ The set of GQL commands is very limited


Key Bruteforce
✦ As there are no schemes, we do not
have to ﬁnd out them

✦ The IDs are large, but not
generated at random:

e479f720ff9a05fb2f441fef97000c87

e479f720ff9a05fb2f441fef97000b61


Cassandra Security
<?
...
$columnParent = new cassandra_ColumnParent();
$columnParent->super_column = NULL;

if(isset($_GET[‘CF’]))
$columnParent->column_family = $_GET[‘CF’].“_myfam”;

$sliceRange = new cassandra_SliceRange();
✦ If we change the $sliceRange->start = "";
$sliceRange->finish = "";

name of a family, we $predicate = new cassandra_SlicePredicate();
list() = $predicate->column_names;

can get items from $predicate->slice_range = $sliceRange;

$consistency_level = cassandra_ConsistencyLevel::ONE;
other family $keyUserId = 1;
$result = $client->get_slice($keyspace, $keyUserId,
$columnParent, $predicate, $consistency_level);

print_r($result);
...

?>


Denial of Service
✦ Connection polution

✦ Couchdb-> implementación
interface = restfull

✦ With GQL, it is possible to perform a
DoS creating queries which make an
intensive use of CPU and will be
disconnected or be billed for that
extra CPU


Questions


Rooted 2011 nosql security

Recommended

Recommended

More Related Content

Similar to Rooted 2011 nosql security

Similar to Rooted 2011 nosql security (20)

Recently uploaded

Recently uploaded (20)

Rooted 2011 nosql security