Anatomy of a Database Attack - PowerPoint PPT Presentation
Provided by: erictsg
Slides: 35

Transcript and Presenter's Notes

1
Most Recent Advances: A Review of DC BlackHat 2007
Aaron Newman, CTO/Founder, Application Security, Inc.
2
Agenda
  • Overview of BlackHat 2007
  • Cursor Snarfing
  • Cursor Injection
  • Local Binary Exploits
  • Database Network Protocols
  • Resources, Conclusion, and Wrap Up

3
Overview of BlackHat 2007
4
Presentations on Hacking Oracle
  • Three independent researchers
    • Presenting details on new vulnerabilities
    • Presenting new classes, or methods, of attacks
  • Each presentation had an entirely different focus
    • PL/SQL attacks
    • Network Protocol attacks
    • Binary level attacks
  • Outstanding vulnerabilities
    • All three listed security vulnerabilities
    • Waiting for security fixes from Oracle
    • Unknown when to expect specific fixes

5
Cursor Snarfing
6
How does it work?
  • Using the DBMS_SQL package
    • You PARSE a SQL statement
    • BIND variables
    • EXECUTE the cursor
    • FETCH_ROWS
    • Then CLOSE the cursor
  • A CURSOR has a HANDLE
    • Handles work until the cursor or session is closed

7
How to exploit?
  • Find a function or stored procedure
    • That is using DBMS_SQL
  • Cause an exception to occur
    • Which leaves the cursor dangling
  • Rebind your new value to the CURSOR
  • EXECUTE the cursor under higher privileges
  • Where does this occur?
    • In your home-grown PL/SQL
    • In the built-in SQL from Oracle

8
Solutions
  • Check your own code
    • Anytime you use DBMS_SQL
  • Check exceptions and close the CURSORS
      EXCEPTION WHEN OTHERS THEN
        IF DBMS_SQL.IS_OPEN(CURSOR) THEN
          DBMS_SQL.CLOSE_CURSOR(CURSOR);
        END IF;
  • Risk Level
    • Medium
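As an added example (not code from the slides), here is a DBMS_SQL procedure written so that its handle is released on every path, including the exception path the slide's skeleton covers. The table APP_USERS with columns USERNAME and LAST_LOGIN is an assumption:

```plsql
-- Added example, not from the original slides.
-- Assumed schema object: APP_USERS(USERNAME, LAST_LOGIN).
-- The unit is definer-rights by default, which is exactly why a handle
-- opened here must never survive an exception.
CREATE OR REPLACE PROCEDURE touch_last_login (p_username IN VARCHAR2) AS
  l_cursor INTEGER;   -- DBMS_SQL handle
  l_rows   INTEGER;   -- rows affected by EXECUTE
BEGIN
  l_cursor := DBMS_SQL.OPEN_CURSOR;

  -- The statement text is a constant; caller input enters only through a
  -- bind variable, so it can never change what was parsed.
  DBMS_SQL.PARSE(
    l_cursor,
    'UPDATE app_users SET last_login = SYSDATE WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(l_cursor, ':u', p_username);

  l_rows := DBMS_SQL.EXECUTE(l_cursor);
  DBMS_SQL.CLOSE_CURSOR(l_cursor);   -- normal path
EXCEPTION
  WHEN OTHERS THEN
    -- Error path: whatever failed between OPEN_CURSOR and CLOSE_CURSOR
    -- (bad bind, locked row, insufficient privilege, ...), release the
    -- handle before the exception leaves this block. A handle left open
    -- here belongs to the procedure owner and is what cursor snarfing
    -- would rebind and re-execute.
    IF l_cursor IS NOT NULL AND DBMS_SQL.IS_OPEN(l_cursor) THEN
      DBMS_SQL.CLOSE_CURSOR(l_cursor);
    END IF;
    RAISE;   -- still report the original error to the caller
END touch_last_login;
/
```

The handler mirrors the slide's EXCEPTION WHEN OTHERS / IS_OPEN / CLOSE_CURSOR skeleton; the IS NOT NULL guard covers the case where OPEN_CURSOR itself raised. Declaring such a unit AUTHID CURRENT_USER reduces the exposure further, since a handle it leaves open then carries only the caller's own privileges.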

9
Demo
White-paper
10
Cursor Injection
11
How does it work?
  • Leverages PL/SQL Injection vulnerabilities
    • Allows you to inject arbitrary SQL
    • Into a PL/SQL Injection vulnerability
  • Escalates Medium or Low Risk vulnerabilities
    • Makes them High Risk or Critical

12
Understanding PL/SQL Vulnerabilities
  • Problem with dynamic SQL
    • EXECUTE IMMEDIATE
    • DBMS_SQL
  • The danger is allowing the user to pass parameters that
    are used in the parsed SQL statement

13
Dynamic SQL Example
    CREATE PROCEDURE BAD_CODING_EXAMPLE (
      NEW_PASSWORD VARCHAR2 ) AS
      TEST VARCHAR2(100);  -- declared but unused
      -- TABLE_NAME, COLUMN_NAME and CURRENT_USER_NAME: assumed to be
      -- package variables set elsewhere
    BEGIN
      -- DO SOME WORK HERE
      -- NEW_PASSWORD is concatenated straight into the statement text,
      -- so a quote inside it ends the literal and the rest becomes SQL
      EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' || COLUMN_NAME
        || ' = ''' || NEW_PASSWORD || ''' WHERE USERNAME = '''
        || CURRENT_USER_NAME || '''';
    END BAD_CODING_EXAMPLE;

14
Valid input
  • Input
      EXEC BAD_CODING_EXAMPLE( 'testabc' )
  • SQL Created
      UPDATE APPLICATION_USERS SET PASSWORD = 'testabc'
      WHERE USERNAME = 'aaron'

15
Hacker input
  • Input
      EXEC BAD_CODING_EXAMPLE( 'testabc'', ADMIN=1, FULL_NAME=''TEST' )
  • SQL Created
      UPDATE APPLICATION_USERS SET PASSWORD = 'testabc', ADMIN=1,
      FULL_NAME='TEST' WHERE USERNAME = 'aaron'
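For contrast, an added hardened version of the slide's procedure (example code, not from the presentation). It keeps the slide's APPLICATION_USERS and PASSWORD names, assumes the current application user comes from the session context, and changes only how the values reach the statement:

```plsql
-- Added example, not from the original slides: BAD_CODING_EXAMPLE rewritten
-- so that caller input is data, never statement text.
-- Assumed schema: APPLICATION_USERS(USERNAME, PASSWORD), as on the slides;
-- the current user is assumed to be the session user.
CREATE OR REPLACE PROCEDURE safe_coding_example (
  new_password IN VARCHAR2
) AUTHID CURRENT_USER AS  -- invoker's rights: nothing to escalate to
  -- Identifiers are the one thing that cannot be bound, so they are fixed
  -- here and passed through DBMS_ASSERT, which raises an "invalid SQL name"
  -- error for anything that is not a plain name (quotes, spaces, ||, ...).
  l_table  CONSTANT VARCHAR2(128) := DBMS_ASSERT.SIMPLE_SQL_NAME('APPLICATION_USERS');
  l_column CONSTANT VARCHAR2(128) := DBMS_ASSERT.SIMPLE_SQL_NAME('PASSWORD');
  l_sql    VARCHAR2(4000);
BEGIN
  -- Only the validated identifiers are concatenated; the two data values
  -- are bind placeholders, so a quote in new_password is just a character.
  l_sql := 'UPDATE ' || l_table || ' SET ' || l_column ||
           ' = :pw WHERE username = :who';

  EXECUTE IMMEDIATE l_sql
    USING new_password, SYS_CONTEXT('USERENV', 'SESSION_USER');
END safe_coding_example;
/
```

Fed the slide's hacker input, this version stores the whole string testabc', ADMIN=1, FULL_NAME='TEST as the password value and leaves ADMIN untouched; a value containing CHR(DBMS_SQL.EXECUTE(4)) is likewise stored as text and never evaluated.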

16
How to exploit?
  • Find a function or stored procedure
    • That is vulnerable to PL/SQL Injection
    • Review any of the latest CPUs (Critical Patch Updates)
  • Use anonymous PL/SQL blocks
    • Declare a CURSOR and PARSE a SQL statement
    • Use the CURSOR handle in the PL/SQL Injection
    • The CURSOR runs under elevated privileges

17
Hacker input
  • Input
      EXEC BAD_CODING_EXAMPLE( 'testabc'' || CHR(DBMS_SQL.EXECUTE(4)) || ''' )
  • SQL Created
      UPDATE APPLICATION_USERS SET PASSWORD = 'testabc' ||
      CHR(DBMS_SQL.EXECUTE(4)) || '' WHERE USERNAME = 'aaron'

18
Why?
  • Argument between researchers and Oracle
    • Over the severity of vulnerabilities
    • Oracle classifies vulnerabilities as low risk
    • Researchers say they should be high risk
  • Researcher finds a way to prove Oracle wrong
    • Need for CREATE FUNCTION privilege?
    • Not anymore
    • You just need CREATE SESSION

19
Examples
  • Check your own code!
  • SDO_DROP_USER_BEFORE
    • DDL Trigger when a table is dropped
  • Yet unnamed vulnerable procedures being fixed
  • Risk Level
    • High if you have PL/SQL injection
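"Check your own code" can start from the data dictionary. The following audit block is an added example (not from the slides) that lists stored units matching the two patterns this talk describes, for both the cursor-snarfing and the PL/SQL-injection sections. It assumes SELECT on DBA_SOURCE and relies on string heuristics, so every hit is a lead for manual review rather than a confirmed bug:

```plsql
-- Added example, not from the original slides. Assumes SELECT on DBA_SOURCE;
-- run with SERVEROUTPUT enabled in SQL*Plus (substitute ALL_SOURCE if you
-- lack the DBA view; the columns are the same).
DECLARE
  -- Units that open a DBMS_SQL cursor but contain no CLOSE_CURSOR at all:
  -- any exception raised after OPEN_CURSOR leaves the handle open, the
  -- cursor-snarfing precondition. Units that do close somewhere still need
  -- a manual check that the close is also in the exception handler.
  CURSOR c_unclosed IS
    SELECT DISTINCT s.owner, s.name, s.type
    FROM   dba_source s
    WHERE  s.owner NOT IN ('SYS', 'SYSTEM')
    AND    UPPER(s.text) LIKE '%DBMS_SQL.OPEN_CURSOR%'
    AND    NOT EXISTS (
             SELECT 1 FROM dba_source t
             WHERE  t.owner = s.owner AND t.name = s.name AND t.type = s.type
             AND    UPPER(t.text) LIKE '%DBMS_SQL.CLOSE_CURSOR%')
    ORDER  BY 1, 2, 3;

  -- Lines where dynamic SQL is assembled with || on the same line as
  -- EXECUTE IMMEDIATE or DBMS_SQL.PARSE, the PL/SQL-injection precondition.
  -- Units that reference DBMS_ASSERT anywhere are skipped here, not cleared.
  CURSOR c_concat IS
    SELECT DISTINCT s.owner, s.name, s.type, s.line
    FROM   dba_source s
    WHERE  s.owner NOT IN ('SYS', 'SYSTEM')
    AND    (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
            OR UPPER(s.text) LIKE '%DBMS_SQL.PARSE%')
    AND    s.text LIKE '%||%'
    AND    NOT EXISTS (
             SELECT 1 FROM dba_source t
             WHERE  t.owner = s.owner AND t.name = s.name AND t.type = s.type
             AND    UPPER(t.text) LIKE '%DBMS_ASSERT%')
    ORDER  BY 1, 2, 3, 4;

  l_hits PLS_INTEGER := 0;
BEGIN
  FOR r IN c_unclosed LOOP
    l_hits := l_hits + 1;
    DBMS_OUTPUT.PUT_LINE('[DBMS_SQL handle never closed] '
      || r.owner || '.' || r.name || ' (' || r.type || ')');
  END LOOP;

  FOR r IN c_concat LOOP
    l_hits := l_hits + 1;
    DBMS_OUTPUT.PUT_LINE('[concatenated dynamic SQL] '
      || r.owner || '.' || r.name || ' (' || r.type || ') line ' || r.line);
  END LOOP;

  DBMS_OUTPUT.PUT_LINE(l_hits || ' finding(s); review each by hand.');
END;
/
```

The second check only sees concatenation on the same source line as the dynamic SQL call; statements built into a variable over several lines and executed later will be missed, so treat a clean run as a starting point, not a clearance.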

20
Demo
White-paper
21
Local Binary Exploits
22
How does it work?
  • Debugging the Oracle Process
    • Looking for vulnerabilities
    • Inside the Oracle process
  • Scan for named pipes and other handles
    • That are not granted appropriate permissions
  • Non-privileged user on the operating system
    • Gains control over the Oracle process

23
How to exploit?
  • Attach to the operating system
    • Using Remote Desktop
    • Using Citrix
    • Using Terminal Server
    • Or directly through the console
  • Relies on valid access or discovering a
    non-privileged account
  • How to exploit
    • Find the security hole on your own database
      server
    • Write an exploit
    • Run it on the target database

24
Zero-day exploits
  • Means that you are given zero days to fix the
    problem
    • No fix available
    • Oracle might be working on a fix
  • Need to find workarounds to mitigate the risk
    • Restricting access to components
    • Disabling components
    • Firewalling the database from everything
  • Another quoted example of unnameable
    vulnerabilities
    • That are in the process of being fixed
    • Purchase the Ultimate 0day Exploits Pack
  • Risk Level
    • Medium to Low

25
Demo
White paper
26
Database Network Protocols
27
How does it work?
  • Sniffing the Oracle traffic
    • Looking for vulnerabilities
    • At the network traffic level
  • Attacks from reverse engineering the proprietary
    protocol
  • History of database drivers
    • Almost always high level risk

28
How to exploit?
  • Find a proxy client
    • Redirect Oracle client drivers to the local proxy
    • Local proxy replaces desired details
    • Local proxy then forwards to the Oracle Server
  • How to exploit
    • Tamper with message structure
    • Change the expected field size
    • Change the expected order of messages

29
Why?
  • Multiple companies have learned SQLNet
    • Required knowledge to provide an IDS/IPS for
      Oracle
  • In the course of researching SQLNet
    • Simple to manipulate fields to cause side
      effects
  • Very old code in the network drivers
    • Backwards compatibility

30
Examples
  • By watching Oracle authentication protocol
    packets
    • You can determine the difference between
      an invalid username and an invalid password
  • Even subtle differences can be leveraged
    • Time to respond
    • Type of response
  • Another quoted example of unnameable
    vulnerabilities
    • That are in the process of being fixed
  • Risk Level
    • High

31
Demo: Proxy ALTER_SESSION
32
Resources, Conclusion, and Questions
33
How Do You Address These Vulnerabilities?
  • Stay Patched
    • Stay on top of all the security alerts and
      bulletins
  • Defense in Depth
    • Multiple Levels of Security
    • Regularly perform audits and penetration tests on
      your database
    • Encryption of data-in-motion / data-at-rest /
      data-in-use
    • Monitor database activity log files
    • Implement database intrusion detection and
      auditing
      • Especially if you can't stay patched!

34
Questions?
  • Thank you
  • Questions on
    • Vulnerabilities
    • Locking down the database
  • anewman_at_appsecinc.com