NoSQL Security
José Ramón Palanco
Wednesday, 16 March 2011
May 11, 2015
Agenda
✦ NoSQL introduction
✦ NoSQL vs RDBMS
✦ NoSQL architecture
✦ NoSQL implementations
✦ Attack vectors
✦ Injections
✦ Key brute force
✦ HTTP protocol based attacks on listeners
✦ Cassandra security and Thrift security
✦ Denial of service (connection pollution, evil queries)
NoSQL Introduction
What is NoSQL?
✦ In general, no table schema is required and no joins are used
✦ NoSQL solutions give up one or more of the ACID properties
CAP Theorem
✦ Properties: consistency, availability and partition tolerance
✦ A distributed system can guarantee at most two of the three
✦ Scaling out requires partitioning, so the real choice is between consistency and availability
✦ In general, availability is preferred over consistency
NoSQL Architecture: RDBMS vs NoSQL
(diagram) RDBMS stack: Client, HTTP Server, DB connector; SQL over ODBC, ADO, JDBC
(diagram) NoSQL stack: Client, HTTP Server, DB connector; REST, JSON, XML, ... towards the client, binary protocol, HTTP, ... towards the database
NoSQL vs RDBMS
✦ RDBMS show poor performance and scalability in applications that make heavy use of data
✦ Cloud Computing (SaaS)
✦ Social Networks (SN)
✦ Complex queries, however, cannot be performed with anything other than an RDBMS
Environments
✦ In many environments writes need to be distributed across clusters, MapReduce, ...
✦ Facebook needs to store 135 billion messages each month
✦ Twitter stores 7 TB a day
Disadvantages of NoSQL (areas where it is weak)
✦ OLTP
✦ SQL
✦ Ad-hoc queries
✦ Complex relations
NoSQL Architectures
✦ Document store
✦ Graph
✦ Key-value store
✦ Multivalue
✦ Object
✦ Tabular
Document store
✦ CouchDB
✦ MongoDB
✦ Terrastore
✦ ThruDB
✦ OrientDB
✦ RavenDB
Graph
✦ Neo4J
✦ Sones
✦ InfoGrid
✦ HypergraphDB
✦ AllegroGraph
✦ BigData
Key-value
✦ Redis
✦ Riak
✦ Tokyo Cabinet
✦ MemcacheDB
✦ Membase
✦ Azure
Multivalue
✦ U2
✦ OpenInsight
✦ OpenQM
Object
✦ db4o
✦ Versant
✦ Objectivity
✦ NEO
MongoDB
✦ Protocol: Binary (BSON)
✦ API: several languages
✦ Query: JavaScript/JSON
✦ Language: C++
CouchDB
✦ Protocol: REST
✦ API: JSON
✦ Query: MapReduce (JS)
✦ Language: Erlang
Features
• Schema-Free (JSON)
• Document Oriented, Not Relational
• Highly Concurrent
• RESTful HTTP API
• JavaScript-Powered Map/Reduce
• N-Master Replication
• Robust Storage
{"couchdb":"Welcome","version":"0.11.0"}

$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/ HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Date: Sat, 19 Feb 2011 05:20:28 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 188
Cache-Control: must-revalidate

{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":0,"compact_running":false,"disk_size":4182,"instance_start_time":"1298092462502662","disk_format_version":5}
{"couchdb":"Welcome","version":"0.11.0"}

$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Etag: "1-2512702fff02fe841adecde4a22c62b5"
Date: Sat, 19 Feb 2011 05:20:47 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 155
Cache-Control: must-revalidate

{"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a22c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999}
Connection closed by foreign host.
Redis
✦ Protocol: plain text (usable directly from telnet)
✦ API: several languages
✦ Query: commands
✦ Language: C
Cassandra
✦ Protocol: Binary (Thrift)
✦ API: Thrift
✦ Query: column/ranges
✦ Language: Java
Cassandra
✦ Column (tuple/triplet: name, value, timestamp)
✦ Supercolumn (composed of columns)
✦ Column Family (contains columns or supercolumns)
✦ Keyspace (stores column families)
Cassandra
storage-conf.xml:
<Keyspace Name="BloggyAppy">
  <!-- CF definitions -->
  <ColumnFamily CompareWith="BytesType" Name="Authors"/>
  <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="Comments"
                CompareSubcolumnsWith="BytesType" ColumnType="Super"/>
</Keyspace>
Attack vectors
Introduction
✦ Several database concepts
✦ Several implementations
✦ So attack vectors are very specific and depend on each implementation
HTTP Based Attacks
✦ Who uses HTTP?
✦ CouchDB
✦ HBase
✦ Riak
✦ How to locate vulnerabilities?
✦ fuzzing: hzzp
Listener exploitation
✦ Since these listeners speak HTTP, a misconfigured cache or reverse proxy can be abused to reach them: the request is sent to the public web server while the Host header names the internal database listener
$ telnet server.com 80
Trying X.X.X.X...
Connected to server.com.
Escape character is '^]'.
GET /_all_dbs HTTP/1.1
Host: 192.168.2.18
JSON Injection
db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )
db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )
If user input is spliced into the query document, an attacker can extend the $or with a clause such as { c : /.*/ } that matches every document. Just as SQL is escaped, input must be escaped or validated when building CouchDB or MongoDB queries.
Array Injection: MongoDB + PHP
✦ In PHP a request variable becomes an array simply by adding brackets to its name
✦ If the filter says the admin password is "not equal" to some value, the query matches and you get in
✦ Besides $ne, we can inject:
✦ $or, $exists, $nin, $in, $lt, ... (logical/comparison operators)
✦ &var[$regex]=privileged (regex; $regex takes a bare pattern string)
<?php
$collection->find(array(
    "username" => $_GET['username'],
    "passwd"   => $_GET['passwd']
));
?>

/login.php?username=admin&passwd[$ne]=1

After PHP's query-string parsing the call is equivalent to:
<?php
$collection->find(array(
    "username" => "admin",
    "passwd"   => array('$ne' => '1')   // single quotes: "$ne" would be interpolated as a PHP variable
));
?>
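As an added example (not the deck's own code), the following Python emulates what PHP's query-string parser does with `passwd[$ne]=1`, builds the filter the slide's `find()` would send, and shows a hardened builder that only accepts plain strings plus a recursive check for any `$`-prefixed key. The same check catches the `$or`/`$regex` extension from the JSON injection slide and filters decoded from JSON request bodies. The bracket parser handles one nesting level and is an illustration of PHP's behaviour, not PHP itself.

```python
# Added example (not from the original deck): MongoDB operator injection
# via PHP-style "name[key]=value" query strings, and a hardened filter builder.
import re
from urllib.parse import parse_qsl

_BRACKET_KEY = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def parse_php_style(query: str) -> dict:
    """Emulate PHP's $_GET parsing for one level of brackets:
    'passwd[$ne]=1' becomes {'passwd': {'$ne': '1'}}.
    (Illustrative emulation; PHP also handles deeper nesting and 'name[]'.)"""
    params: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = _BRACKET_KEY.match(key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def build_filter_vulnerable(params: dict) -> dict:
    """Mirrors the slide's PHP: the request value is used as the filter value,
    so a dict such as {'$ne': '1'} is sent to MongoDB as an operator and
    matches every admin document whose password is not the string '1'."""
    return {"username": params.get("username"), "passwd": params.get("passwd")}


def build_filter_hardened(params: dict) -> dict:
    """Credentials must be plain strings; anything else (a dict from brackets,
    a list from 'name[]') is rejected before it can reach the database."""
    clean = {}
    for field in ("username", "passwd"):
        value = params.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field}: expected a string, got {type(value).__name__}")
        clean[field] = value
    return clean


def contains_operator(node) -> bool:
    """Defence in depth for filters built from JSON bodies as well: True if any
    key anywhere in the structure starts with '$' ($ne, $or, $regex, ...)."""
    if isinstance(node, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in node.items())
    if isinstance(node, list):
        return any(contains_operator(v) for v in node)
    return False


if __name__ == "__main__":
    attack = parse_php_style("username=admin&passwd[$ne]=1")
    print(build_filter_vulnerable(attack))
    try:
        build_filter_hardened(attack)
    except ValueError as exc:
        print("rejected:", exc)
```

The type check is the primary control: a login form never legitimately receives an array for a password, so rejecting non-strings closes every operator, not just `$ne`. `contains_operator` is a second line of defence for code paths where the filter is assembled from richer client input.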
View Injection
✦ CouchDB uses SpiderMonkey as its scripting engine
✦ Views are loaded as JavaScript
$ ldd /usr/lib/couchdb/bin/couchjs
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000)
    libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000)
    ...
View Injection
✦ There are predefined views (in design documents) and temporary views
✦ They are used to run MapReduce
✦ If user data ends up inside the view code, an attacker can read arbitrary data or change values to alter the execution flow
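As an added example (not the deck's own code), the following Python shows a map function whose source is built from a user value, the same function with the value emitted as a proper JavaScript string literal, and the preferable design in which the view is static and the user value only travels as the JSON-encoded `key` query parameter. The design-document name `_design/app`, the view name `by_owner` and the `owner` field are assumptions for illustration.

```python
# Added example (not from the original deck): CouchDB view (map function)
# injection through string concatenation, and two safer constructions.
import json

VULNERABLE_PREFIX = 'function(doc) { if (doc.owner == "'
VULNERABLE_SUFFIX = '") emit(doc._id, doc); }'


def map_fn_vulnerable(owner: str) -> str:
    """Concatenation: the value lands inside the JavaScript source, so a
    double quote in it closes the literal and the rest runs as code."""
    return VULNERABLE_PREFIX + owner + VULNERABLE_SUFFIX


def map_fn_literal(owner: str) -> str:
    """json.dumps emits a valid JavaScript string literal: quotes, backslashes
    and control characters are escaped, and ensure_ascii (the default) also
    escapes U+2028/U+2029, which pre-ES2019 JavaScript did not allow inside
    string literals. The value can no longer break out of the literal."""
    return 'function(doc) { if (doc.owner == ' + json.dumps(owner) + ') emit(doc._id, doc); }'


def static_view_and_query(owner: str):
    """Preferred: the view contains no user data at all. It emits doc.owner as
    the row key and the application selects rows with the JSON-encoded ?key=
    parameter of GET /<db>/_design/app/_view/by_owner (names assumed)."""
    design_doc = {
        "_id": "_design/app",
        "views": {"by_owner": {"map": "function(doc) { emit(doc.owner, doc); }"}},
    }
    query_params = {"key": json.dumps(owner)}
    return design_doc, query_params


if __name__ == "__main__":
    payload = '" || true || "'          # turns the condition into: "" || true || ""
    print(map_fn_vulnerable(payload))
    print(map_fn_literal(payload))
    print(static_view_and_query(payload))
```

With the payload `" || true || "` the vulnerable function's condition reads `doc.owner == "" || true || ""`, which is always true and emits every document in the database; the static view returns only the rows whose key equals the supplied value.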
REST Injection
✦ Cross database:
✦ /?db=_all_dbs
✦ /?db=myusers
<?php
$dbname = $_GET["db"];
$doc_id = $_GET["d_id"];
$resp = $couch->send("GET", "/" . $dbname . "/" . $doc_id);
?>
CouchDB info (information disclosure endpoints)
✦ http://172.16.163.129:5984/_config
✦ http://172.16.163.129:5984/_all_dbs
✦ http://172.16.163.129:5984/_stats
✦ http://172.16.163.129:5984/_utils
CouchDB cmd exec.
GQL Injection
✦ GQL injection is reachable, but only in a very constrained environment
✦ There is no negation operator "!"
✦ The set of GQL commands is very limited
Key Brute Force
✦ As there is no schema, there is nothing to discover first
✦ IDs are long, but not generated at random: consecutive documents share most of their ID
e479f720ff9a05fb2f441fef97000c87
e479f720ff9a05fb2f441fef97000b61
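As an added example (not the deck's own code), the following Python measures how much of the two IDs above is actually variable, derives the number of candidates left once one ID is known, enumerates the neighbours an attacker would try first, and generates a client-assigned ID from a CSPRNG instead. The 26/6 split is CouchDB's documented default `sequential` UUID algorithm; the two IDs are the ones shown on the slide.

```python
# Added example (not from the original deck): how enumerable a CouchDB
# "sequential" document ID is once one has leaked, and a non-enumerable
# alternative.
import secrets

# The two IDs shown on the slide (consecutive documents on the same node).
OBSERVED_IDS = [
    "e479f720ff9a05fb2f441fef97000c87",
    "e479f720ff9a05fb2f441fef97000b61",
]
# CouchDB's default "sequential" uuid algorithm: the first 26 hex digits are
# random per node, the last 6 form a counter that increments between documents.
SEQUENTIAL_PREFIX_LEN = 26


def shared_prefix_len(ids) -> int:
    """Length of the hex prefix common to all observed IDs."""
    n = 0
    for column in zip(*ids):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def remaining_search_space(ids, prefix_len=None) -> int:
    """Number of candidate IDs once the shared prefix is known: 16 to the
    power of the remaining hex digits (4096 for the two slide IDs, 16.7M
    for the full 6-digit counter) instead of 2**128 for a random ID."""
    if prefix_len is None:
        prefix_len = shared_prefix_len(ids)
    return 16 ** (len(ids[0]) - prefix_len)


def neighbour_ids(known_id: str, prefix_len: int, radius: int) -> list:
    """IDs whose counter suffix lies within `radius` of the observed one:
    the first candidates for documents created just before or after it."""
    prefix, suffix = known_id[:prefix_len], known_id[prefix_len:]
    width = len(suffix)
    base = int(suffix, 16)
    lo, hi = max(0, base - radius), min(16 ** width - 1, base + radius)
    return [prefix + format(v, "0{}x".format(width)) for v in range(lo, hi + 1)]


def random_doc_id() -> str:
    """128 random bits from the OS CSPRNG. Assign this as _id on PUT instead
    of letting the server pick a sequential one (or set the server's uuid
    algorithm to random)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("shared prefix:", shared_prefix_len(OBSERVED_IDS), "hex digits")
    print("candidates left:", remaining_search_space(OBSERVED_IDS))
    print(neighbour_ids(OBSERVED_IDS[0], SEQUENTIAL_PREFIX_LEN, 2))
    print("random id:", random_doc_id())
```

Sequential IDs are a deliberate CouchDB trade-off (they keep the B-tree compact); the security consequence is that one leaked ID plus an unauthenticated listener gives an attacker the whole database at a few thousand requests.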
Cassandra Security
✦ If we change the column family name, we can read items from another family
<?php
...
$columnParent = new cassandra_ColumnParent();
$columnParent->super_column = NULL;
if (isset($_GET['CF']))
    $columnParent->column_family = $_GET['CF'] . "_myfam";   // user-controlled prefix

$sliceRange = new cassandra_SliceRange();
$sliceRange->start  = "";
$sliceRange->finish = "";
$predicate = new cassandra_SlicePredicate();
$predicate->column_names = null;        // no explicit column list: use the slice range
$predicate->slice_range  = $sliceRange;

$consistency_level = cassandra_ConsistencyLevel::ONE;

$keyUserId = 1;
$result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level);
print_r($result);
...
?>
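The REST injection and Cassandra slides show the same defect: a request parameter is concatenated into a resource name (a CouchDB path, a column family). As an added example (not the deck's own code), the following Python contrasts the slide's path building with a validated version, and maps the Cassandra request value onto a fixed set of column families instead of appending a suffix. The database-name rule is CouchDB's documented one minus `/`; the column-family allowlist and its names are assumptions.

```python
# Added example (not from the original deck): validating request-supplied
# resource names before they reach a CouchDB path or a Cassandra call.
import re
from urllib.parse import quote

# CouchDB database names: lowercase letter first, then a-z 0-9 _ $ ( ) + -.
# Names starting with '_' are reserved for server endpoints (_all_dbs, _config,
# _stats, _utils), so the mandatory leading [a-z] excludes them. CouchDB also
# permits '/' in names; it is omitted here on purpose so that a name can never
# add path segments.
COUCH_DB_NAME = re.compile(r"^[a-z][a-z0-9_$()+-]*$")


def couch_doc_path_vulnerable(dbname: str, doc_id: str) -> str:
    """Mirrors the slide's PHP: "/" . $dbname . "/" . $doc_id."""
    return "/" + dbname + "/" + doc_id


def couch_doc_path(dbname: str, doc_id: str) -> str:
    """Validated path: reserved/ill-formed database names are rejected, '_'-
    prefixed document IDs (_design/, _local/) are rejected, and the ID is
    percent-encoded so '/', '?' and '#' cannot change the request."""
    if not COUCH_DB_NAME.match(dbname):
        raise ValueError("invalid database name: %r" % dbname)
    if not doc_id or doc_id.startswith("_"):
        raise ValueError("invalid document id: %r" % doc_id)
    return "/" + dbname + "/" + quote(doc_id, safe="")


# Cassandra: the request value selects from a fixed set of column families.
# Family names are assumed for illustration.
COLUMN_FAMILIES = {
    "posts": "posts_myfam",
    "comments": "comments_myfam",
}


def cassandra_column_family(requested: str) -> str:
    """Allowlist lookup replacing $_GET['CF'] . "_myfam"."""
    try:
        return COLUMN_FAMILIES[requested]
    except KeyError:
        raise ValueError("unknown column family: %r" % requested) from None


if __name__ == "__main__":
    print(couch_doc_path_vulnerable("_all_dbs", ""))            # /_all_dbs/
    print(couch_doc_path("myusers", "f34aae022f67a23ac56dba5b4e000cf2"))
    for bad in ("_all_dbs", "_config", "myusers/../_config"):
        try:
            couch_doc_path(bad, "doc1")
        except ValueError as exc:
            print("rejected:", exc)
```

Encoding alone would not be enough for the database segment: `_all_dbs` is a perfectly valid path component, so the reserved prefix has to be excluded by the name rule, and the user-supplied value should ideally select from an allowlist rather than be validated by pattern.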
Denial of Service
✦ Connection pollution
✦ CouchDB: the interface is implemented as RESTful HTTP
✦ With GQL it is possible to cause a DoS by crafting CPU-intensive queries: the application will be disconnected or billed for the extra CPU
Questions