Injection vulnerabilities: command injection and SQL injection

Transcription

1 Injection vulnerabilities: command injection and SQL injection Questões de Segurança em Engenharia de Software (QSES) Departamento de Ciência de Computadores Faculdade de Ciências da Universidade do Porto Eduardo R. B. Marques,

2 Injection Vulnerability class CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component Short name: Injection Description The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted [ ] [ ] all injection problems share one thing in common [ ] the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. 2

3 Two examples from last class SQL injection CWE-89 int id = input(); String query = "SELECT NAME FROM USERS WHERE ID=" + id Statement conn = db.createstatement(); ResultSet rs = conn.executequery(query); //... OS command injection CWE-78 user = input(); String[] cmdline = { "/bin/sh", "-c", "finger " + user }; Process p = Runtime.getRuntime().exec(cmdLine); 3 SQL injection and OS command injection are the top two entries in the CWE/SANS Top 25 Most Dangerous Software Errors

4 CWE TOP #1 and #2 - SQL and Command injection #4 - Cross-site scripting frequently uses some form of injection #3 - Buffer overflows involve more issues than plain input handling, hence are not technically considered forms of injection (even if they require malicious input to be injected ) 4

5 Injection vulnerabilities Ingredients improper input validation / trust boundary violations (last class) malicious input, when parsed or interpreted, alters execution of the program. relies on and/or results on a blurred distinction between code and data Let s take a closer look at two types of injection: Command injection SQL injection 5

6 OS command injection

7 OS commands why and how OS commands are often handy, e.g.: as a shortcut for more verbose/complex code (shell commands can be quite expressive) to invoke third-party software / OS utilities (gluing functionality) Example ways to execute OS commands: Traditional system call in C, Python, Perl, or equivalent support in other languages, e.g., Runtime.exec() in Java (as in the example) Within SQL in some database engines (!!!): xp_cmdshell in SQL Server exec directive in "server-side includes" 7

8 Input-based vulnerability Input determines the executed commands. Special meta-characters are interpreted by the system shell. Suppose you have system( mybeautifulcommand $input ) Now consider $input = somearg; rm -fr * The executed commands are mybeautifulcommand somearg rm -fr * 8

9 Environment-based vulnerabilities Environment determines what commands are executed. Suppose you have system( mybeautifulcommand $input ) This assumes mybeautifulcommand is in the PATH of the running program If attacker can affect the PATH, a malicious mybeautifulcommand may be executed instead. How? Suppose commands are executed in association with a certain user badguy. Malicious environment settings can be loaded by the shell from badguy s environment configuration (.profile,.bashrc, etc) Variations The path for dynamically-linked code can also be controlled by environment variables, e.g. LD_PRELOAD and LD_LIBRARY_PATH in Unix IFS separator variable changes the interpretation of file names! 9

10 Shellshock A family of security bugs starting with CVE aka ShellShock Base vulnerability: The UNIX bash shell unintentionally executed commands that were concatenated to the end of function definitions stored in environment variables (!!). Example export X= () { }; maliciouscommand runanything # does not need to access X!! and maliciouscommand would run! Example exploits HTTP request headers converted to environment variables to CGI programs in many platforms! So Check more info here and here. 10

11 Mitigations #1 Avoid OS command execution! The safest thing to do! But not always practical! #2 Input validation Whitelisting strategy - for instance only allow command strings to be executed as long as they do not contain any special shell characters Meta-character escaping for sanitisation Measures are prone to loopholes: scripting languages and system shell flavours can be very creative/heterogeneous in terms of command execution variants #3 Environment-based vulnerabilities Only use commands with full path specified or explicitly control PATH setting / other dangerous variables #4 Taint mode execution in Perl, PHP, Python keep track of tainted (unsecure) data and disallow their use in security-sensitive spots; let s see how it works next with a simple example Useful for mitigating command injection and other purposes. It employs taint analysis, a subject we will go back to. 11

12 Mitigation by input validation DVWA Have a look at the source code for command injection: low.php : input is used directly to execute command Exploit easy : ; cat /etc/passwd or && cat / etc/passwd medium.php: blacklisting of ; and &&, removed from input Still easy: cat /etc/passwd high.php: blacklisting of more characters impossible.php: whitelist strategy, validates that input is strictly an IP address, reject all other input 12

13 Example mitigations Perl s taint mode #! /opt/local/bin/perl $username = $ARGV[0]; system("finger $username"); -T switch #! /opt/local/bin/perl -T $username = $ARGV[0]; system("finger $username"); Input-based command injection through command-line argument. Environment-based command injection also possible. PATH may be arbitrarily set. This will force us to transform the program. Let s run it and see how! Small Perl program (similar to the Java example) Malicious use: unsafe.pl someusername; arbitrarycommand -T switch activates taint mode which tries to keep track of tainted (unsecure) data and their use in security-sensitive spots 13

14 Example mitigations Perl s taint mode (2) #! /opt/local/bin/perl -T $username = $ARGV[0]; system("finger $username"); Insecure $ENV{PATH} #! /opt/local/bin/perl -T $ENV{PATH} = /usr/bin ; $username = $ARGV[0]; system("finger $username"); Set PATH to a safe value. Insecure dependency in system 14 #! /opt/local/bin/perl -T $ENV{PATH}='/usr/bin'; $username = $ARGV[0]; if ($username =~ /^([\w\_]+)$/ ) { system("finger $1"); } else { print "Invalid argument: '". $username. "'\n"; } Regular expression match assumed to yield untainted data. The reasoning is to force program to perform input validation. Regular expression can still potentially be inadequate.

15 SQL injection (SQLi)

16 SQLi Context SQL (Structured Query Language): the standard for interfacing with databases. most common SQL code normally defined and executed by arbitrary programs, in conjunction with some API (e.g. JDBC for Java). SQL injection happens when programs supply inputs to the SQL code that alter their intended functionality maliciously. Discussion: typical SQLi patterns probes for SQL injection points mitigation strategies 16

17 Tales of Bobby tables Exploits of a mom SQLi attacks are common and cause serious damage SQL injection hall of shame The History of SQL Injection, the Hack That Will Never Go Away Some people just try to be funny (?) about it (inspired by XKCD) Did Little Bobby Tables migrate to Sweden? ; DROP TABLE "COMPANIES";-- LTD 17

18 SQLi motivation int id = input(); String query = "SELECT NAME FROM USERS WHERE ID=" + id Statement conn = db.createstatement(); ResultSet rs = conn.executequery(query); //... id parameter, used for building the query, is a front door for arbitrary command execution possible leading to Data tampering - modifying the database Information disclosure - disclosing unauthorised data, e.g. the even the entire database schema Denial of Service - by issuing a time-consuming query 18

19 SQLi flavours int id = input(); String query = "SELECT NAME FROM USERS WHERE ID=" + id Statement conn = db.createstatement(); ResultSet rs = conn.executequery(query); //... Piggy-backed queries (sequences) id = 1234 ; DELETE FROM USERS UNION queries 19 id = 1234 UNION SELECT PASSWORD FROM USERS WHERE ID=1234 Tautologies id = 1234 OR 1=1 Further reading: "A Classification of SQL Injection Attacks and Countermeasures, Halfond et al., ISSSE 06 Available on QSES web page

20 SQLi probes malformed SQL int id = input(); String query = "SELECT NAME FROM USERS WHERE ID=" + id Statement conn = db.createstatement(); ResultSet rs = conn.executequery(query); //... Use malformed SQL id = 1234 FOLLOWED_BY_INVALID_SQL Server may yield back detailed error messages providing positive indication that SQLi is possible 20

21 SQLi probes Blind SQL injection int id = input(); String query = "SELECT NAME FROM USERS WHERE ID=" + id Statement conn = db.createstatement(); ResultSet rs = conn.executequery(query); //... Blind SQL injection works by issuing false / true statements and comparing the responses id = 1234 AND 1=2 : server may report no data, but we may not be aware if the query was rejected / malformed id = 1234 AND 1=1 : if output is different then SQLi should be possible 21

22 Blind SQLi - DVWA example yields Looks like a vulnerable answer SQLi may be possible, how can we be sure? Perhaps input was sanitised instead? 22

23 Blind SQLi - DVWA example (2) yields Different answer! SQLi point identified! 23

24 SQLi probes time-based blind SQL injection int id = input(); String query = "SELECT NAME FROM USERS WHERE ID=" + id Statement conn = db.createstatement(); ResultSet rs = conn.executequery(query); //... Time-based SQL injection works by issuing functions that may cause a delay in the query if a delay is noticeable, SQLi should be possible E.g. SLEEP function for MySQL - info here at sqlinjection.net for different databases DVWA demo: you may use 1 AND SLEEP(5)-- x 24

25 SQLi and stored procedures CREATE OR REPLACE PROCEDURE proddescr(vname IN VARCHAR2, vresult OUT VARCHAR2) AS vsql VARCHAR2(4000); BEGIN vsql := 'SELECT description FROM products WHERE name=''' vname ''''; EXECUTE IMMEDIATE vsql INTO vresult; END; Example taken from sqlinjection.net : we can play with the vname parameter Stored procedures are not necessarily safer to use and prone to SQLi Even without SQLi some built-in stored procedures can be inherently dangerous, like the xp_cmdshell we mentioned for OS command injection 25

26 SQLi mitigation General principles (as always) Fail safely Run with least privilege Secure programming Input sanitisation by escaping input arguments Parameterised queries But how do I spot sensitive spots? using static analysis tools like FindBugs (FindSecBugs plugin in particular) using pen-testing tools like sqlmap.org brief demo at the end, more on this in future classes 26

27 Input sanitisation DVWA example vulnerabilities/sqli_blind/source/medium.php $id = mysql_real_escape_string($id, ) $getid = SELECT first_name, last_name FROM users WHERE user_id = $id;" Helpful, but prone to loopholes 27

28 Parameterised queries PHP (example from DVWA) vulnerabilities/sqli/source/impossible.php $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) ); $data->bindparam( ':id', $id, PDO::PARAM_INT ); $data->execute(); Java String sql = "SELECT ID, NAME, PASSWORD, ROLE, CREATED FROM USERS WHERE LOGIN =?"; PreparedStatement stmt = db.preparestatement(sql); stmt.setstring(1, login); The safest programming pattern Prepare (compile) statement with placeholders for argument Bind input parameters and indicate their types programatically after preparing statement 28 Note: it won t be helpful if input affects query construction in other ways beside strict query arguments, e.g. consider SELECT * FROM + tablename + WHERE ID=?

29 29 Static analysis example FindSecBugs (for Java)

30 Static analysis example awap > > > > File: /Users/edrdo/qses/tools/dvwa/DVWA/vulnerabilities/sqli_blind/ source/high.php < < < < > Information: - Number of Lines of Code: 33 - It is a include file: no - Included files: none - Defined user function: none - Number of Vulnerabilities detected: 1 - Real Vulnerabilities: 1 - False positives: 0 = = = = Vulnerability n.: 1 = = = = Vulnerable code: 5: $id = $_COOKIE[ 'id' ]; 8: $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; 9: $result = mysqli_query($globals[" mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors 30

31 31 Static analysis example RIPS

32 Pen-testing tool sqlmap python./sqlmap.py \ -u " GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/n] N sqlmap identified the following injection point(s) with a total of 211 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT) Payload: id=2' OR NOT 1576=1576#&Submit=Submit Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=2' AND (SELECT 2030 FROM(SELECT COUNT(*),CONCAT(0x716b707671,(SELECT (ELT(2030=2030,1))),0x71767a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- avqj&submit=submit 32