dbencrypt
DESCRIPTION
TRANSCRIPT
Forensic Analysis of a Database AttackJosh ShaulOffice of the [email protected]
Practical Oracle Security
By AppSecInc team leaders: Josh Shaul and Aaron Ingram.
Syngress Publishing Oct 2007
2 www.appsecinc.com2
This Session’s Agenda
Introduction Landscape Database Vulnerabilities Are The New Front-Lines
Attacking Where the Data Resides Planning an Attack Attacking Database Vulnerabilities
Available Best Practices and Resources Database Forensics Securing Your Databases Resources for Further Advice and Research
3 www.appsecinc.com3
Old Data Processing EnvironmentWinchester IMS Array
Glass House HalonReleaseSwitch
CICS Controller
BIG IRON
HyperchannelHalon
4 www.appsecinc.com4
StoredData
New Data Processing Requirement
Increasingly Focused Attacks Directly on applications (75%!) Including insiders (80+%!) As perimeter crumbles
Demand for Pervasive Access By anyone To any application Increasingly direct
Compliance Requirements Info ultimately in Db apps:
Privacy / confidentiality Integrity
Compliance must be: Repeatable Demonstrable
5 www.appsecinc.com5
Databases Are Under Attack
February 2005 to April 2008 Total Affected Customers: 226,784,583
Literally hundreds of incidents Victims include financial institutions, government
agencies, retailers, healthcare providers, universities, manufacturing, consulting and audit firms, ….
Incidents reported almost every day Last week alone, 8 incident affected nearly 1M
records
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Database Vulnerabilities
8 www.appsecinc.com8
Established Vulnerability Categories
Most commonly known to apply to OS’s and NOS’s
Operating Systems & Network Operating Systems(Microsoft Windows, Unix, and Linux)
Misconfigurations & Resource Privilege
Management
Denial of Services & Buffer Overflows
Default & Weak Passwords
9 www.appsecinc.com9
Categories Also Apply to Databases!
Oracle MicrosoftSQL
Server
Sybase
Misconfigurations & Resource Privilege
Management
Denial of Services & Buffer Overflows
Default & Weak Passwords
MySQLIBM DB2
Databases are a separate attack vector!
10 www.appsecinc.com10
Database Vulnerabilities:Default & Weak Passwords
Databases have their own user accounts and passwords
Oracle Microsoft SQL
Server
Sybase IBM DB2 MySQL
Default & Weak Passwords
11 www.appsecinc.com11
Database VulnerabilitiesDefault and Weak Passwords
Oracle Defaults (hundreds of them)- User Account: internal / Password: oracle
- User Account: system / Password: manager
- User Account: sys / Password: change_on_install
- User Account: dbsnmp / Password: dbsnmp
MySQL Defaults- User Account: root / Password: null
- User Account: admin / Password: admin
- User Account: myusername / Password: mypassword
Sybase Defaults- User Account: SA / Password: null
Microsoft SQL Server Defaults- User Account: SA / Password: null
12 www.appsecinc.com12
Database VulnerabilitiesDefault and Weak Passwords
It is important that you have all of the proper safeguards against password crackers because:
- Not all databases have Account Lockout- Database Login activity is seldom monitored- Scripts and Tools for exploiting weak
identification control mechanisms and default passwords are widely available
13 www.appsecinc.com13
Database Vulnerabilities:Denial of Services (DoS) & Buffer Overflows
Databases have their own DoS’s & Buffer Overflows
Oracle Microsoft SQL
Server
Sybase IBM DB2 MySQL
Default & Weak Passwords
Denial of Services & Buffer Overflows
14 www.appsecinc.com14
Denial of ServicesDatabases Have Their Own DoS Attacks
Result in the database crashing or failing to respond to connect requests or SQL Queries.
Significant Database Denial of Services:
Oracle8i: NSPTCN data offset DoS
Oracle9i: SNMP DoS
Microsoft SQL Server: Resolution Service DoS
IBM DB2: Date/Varchar DoS
15 www.appsecinc.com15
Buffer OverflowsDatabases Have Their Own Buffer Overflows
Result in an unauthorized user causing the application to perform an action the application was not intended to perform.
Can allow arbitrary commands to be executed No matter how strongly you’ve set passwords and other
authentication features.
Significant Database Buffer Overflows:- Oracle9i: TZ_OFFSET buffer overflow- Microsoft: pwdencrypt buffer overflow / Resolution Stack
Overflow- Sybase: xp_freedll buffer overflow
16 www.appsecinc.com16
Misconfigurations & Resource Privilege Management Issues
Misconfigurations can make a database vulnerable
Oracle Microsoft SQL
Server
Sybase IBM DB2 MySQL
Default & Weak Passwords
Denial of Services & Buffer Overflows
Misconfigurations & Resource Privilege
Management
17 www.appsecinc.com17
Misconfigurations & Resource PrivilegesMisconfigurations Can Make a Database Vulnerable
Oracle• External Procedure Service• Default HTTP Applications• Privilege to Execute UTL_FILE
Microsoft SQL Server• Standard SQL Server Authentication Allowed• Permissions granted on xp_cmdshell
Sybase• Permission granted on xp_cmdshell
IBM DB2• CREATE_NOT_FENCED privilege granted (allows logins to create
SPs)
MySQL• Permissions on User Table (mysql.user)
18 www.appsecinc.com18
Database Vulnerabilities Wrap-up
Oracle Microsoft SQL
Server
Sybase
Misconfigurations & Resource Privilege
Management
Denial of Services & Buffer Overflows
Default & Weak Passwords
MySQLIBM DB2
19 www.appsecinc.com19
Emerging Database Threats for 2008
Sophisticated attacks that exploit un-patched vulnerabilities Cyber espionage efforts by well resourced organizations looking to
extract large amounts of data Insider attacks Insider mistakes Advanced identity theft via database rootkits Increasingly sophisticated social engineering leading to full-blown
database disclosures Weak or non-existent audit controls Powerful self-propagating attacks distributed via “infection kits” on
legitimate websites
Database Attack Illustrations
21 www.appsecinc.com21
Planning an Attack
Create a Map What does the network look like?
Reconnoiter Collect information about the layout of the target What looks intere$ting?
Probe, Progress, Plot What can we do? Build the springboard for further activity Plan the strike
Retreat and Re-attack
22 www.appsecinc.com22
Directly Attacking a DatabaseMicrosoft SQL Server (Resolution Stack Overflow)
Attack Target: Microsoft SQL Server
Privilege Level: Network Connection to Target
Outcome: Administrative Control of Host Operating System
Vulnerabilities Exploited: Buffer Overflows
23 www.appsecinc.com23
Discover the Database
24 www.appsecinc.com24
Discover the Database
25 www.appsecinc.com25
Attack Scenario Recap (Map & Recon)
26 www.appsecinc.com26
Attack Scenario Recap
Now What? Start Probing and Exploring the Possibilities
Exploit Code is Available Over the Web Microsoft SQL Server Resolution Stack Overflow Payload = Create a remote control shell
Will only work if they did not patch with Service Pack 3… but we’ll see…
27 www.appsecinc.com27
Start Netcat
ListenListenPort to Port to
Listen OnListen On
28 www.appsecinc.com28
Execute Compiled Exploit Code
29 www.appsecinc.com29
Execute Compiled Exploit Code
Target Machine IPTarget Machine IP
30 www.appsecinc.com30
Execute Compiled Exploit Code
Intruder Machine IPIntruder Machine IP
31 www.appsecinc.com31
Execute Compiled Exploit Code
Port NumberPort Number
32 www.appsecinc.com32
Execute Compiled Exploit Code
Service Pack Service Pack IndicatorIndicator
33 www.appsecinc.com33
Execute Compiled Exploit Code
34 www.appsecinc.com34
Attack Scenario Recap
35 www.appsecinc.com35
Directly Attacking a Database RecapMicrosoft SQL Server (Resolution Stack Overflow)
Outcome: Complete Administrative Control of Host Operating System
Vulnerabilities Exploited: Buffer Overflows
How did we do it? Freely Available Exploit Code! Microsoft SQL Server Remote Stack Overflow
36 www.appsecinc.com36
Directly Attacking A DatabaseOracle (DB18 Exploit)
Attack Target: All Oracle Databases
Privilege Level: Anyone with a Login Examples: SCOTT / TIGER or Guest Account
Outcome: Complete Administrative Control!
Vulnerabilities Exploited: Bug in the Oracle Login Protocol
37 www.appsecinc.com37
Directly Attacking A DatabaseOracle (DB18 Exploit)
Check Out the Following Website: http://www.adp-gmbh.ch/blog/2006/01/24.php
What’s on this website? Perl scripts that can be used to do all of the following: Proxy a connection Create an account Escalate the privileges of that account to DBA
38 www.appsecinc.com38
Directly Attacking A DatabaseOracle (DB18 Exploit)
Proxy a Connection Setup the Proxy
http://www.adp-gmbh.ch/perl/proxy.html#package
39 www.appsecinc.com39
Directly Attacking A DatabaseOracle (DB18 Exploit)
Proxy a Connection Edit the local tnsnames.ora file on the client
http://www.adp-gmbh.ch/blog/2006/01/24.php Update to point communications to the port where the proxy is going to
live on (1234)
Before
After
40 www.appsecinc.com40
Directly Attacking A DatabaseOracle (DB18 Exploit)
Proxy_do_sql.pl “globi” is the database server being attacked Creates a listening socket on port 1234 within the
localhost
Replacing the ALTER USER with the malicious SQL
Accepts the packet and searches in it for the string its looking to replace:
ALTER SESSION SET NLS_LANGUAGE=”
41 www.appsecinc.com41
Attacking A Database (DB18 Exploit)
42 www.appsecinc.com42
Directly Attacking A DatabaseOracle (DB18 Exploit)
So Far… Verified who are the DBA’s (Database
Administrators) within the database
What Now? Start the proxy that we built using the
Perl Script on our client machine Create a new account: evil_user
43 www.appsecinc.com43
Attacking A Database (DB18 Exploit)
44 www.appsecinc.com44
Directly Attacking A DatabaseOracle (DB18 Exploit)
So Far… Proxy is waiting for any login to execute
creating the “evil_user” account
What Now? Login with account “scott” and password “tiger”
45 www.appsecinc.com45
Attacking A Database (DB18 Exploit)
46 www.appsecinc.com46
Attacking A Database (DB18 Exploit)
47 www.appsecinc.com47
Directly Attacking A DatabaseOracle (DB18 Exploit)
So Far… We created the “evil_user” account
What’s next? Setup the proxy again so that it will
establish “evil_user” as a DBA (Database Administrator)
48 www.appsecinc.com48
Attacking A Database (DB18 Exploit)
49 www.appsecinc.com49
Attacking A Database (DB18 Exploit)
50 www.appsecinc.com50
Attacking A Database (DB18 Exploit)
51 www.appsecinc.com51
Attacking A Database (DB18 Exploit)
52 www.appsecinc.com52
Directly Attacking A Database RecapOracle (DB18 Exploit)
Outcome: Complete Administrative Control!
Vulnerabilities Exploited: Bug in the Oracle Login Protocol
How did we do it? Freely Available Exploit Code! Just lookup Oracle DB18 Exploit
53 www.appsecinc.com53
Attacking Databases Over the InternetExploiting Search Engines (Google)
Attack Target: Oracle
Privilege Level: Anyone with Access to the Web and a Search Engine
Outcome: Complete Administrative Control
Vulnerabilities Exploited: Misconfigurations & Resource Privilege Management
54 www.appsecinc.com54
How is Google used for attacks?
First thing an attacker needs is information Where to attack What a site is vulnerable to
Google is a large repository of information Every web page in your application Every domain on the Internet
Google provides an attacker: Ability to search for attack points on the Internet Ability to search for an attack point in a specific website Ability to look for specific URLs or files
55 www.appsecinc.com55
Example – looking for iSQL*Plus
Oracle HTTP Servers Execute queries on database using an HTTP form Accessed using the URL /isqlplus By default runs on any Oracle HTTP server installed with:
Oracle Applications Server Oracle Database Server
Search can be performed on Google looking for Oracle HTTP servers Using the “allinurl” advanced search feature
56 www.appsecinc.com56
Using Google Advanced Search
57 www.appsecinc.com57
Results of Google Advanced Search
58 www.appsecinc.com58
Yahoo! Advanced Search Works Too…..
59 www.appsecinc.com59
Default username/password
60 www.appsecinc.com60
Attacker is in the database
61 www.appsecinc.com61
Attacker can execute any query
http://www.pentest.co.uk/sql/check_users.sql
62 www.appsecinc.com62
Attacking Databases Over the Internet RecapExploiting Search Engines (Google)
Outcome: First step towards administrative control!
Vulnerabilities Exploited: Misconfigurations & Resource Privilege Management
How did we do it? “Googled” for “isql” and took advantage of poor
security practices!
Available Best Practices and Resources
64 www.appsecinc.com
What To Look For If You Suspect An Attack
Attacks typically require multiple tries Look for evidence of trial or error
Normalize all you data Find what is typical and then eliminate that Look through what is not typical Typically find clusters of errors reflecting an attack
Narrow down time period attack most likely occurred Focus in on event around that time/date Look at events from multiple source to piece together what might have happened
Determine most likely source of the attack Hacker using a password attack or buffer overflow Customer using privilege escalation Employee using special access
Do not rule out any attack vector out
65 www.appsecinc.com
Forensics Basics
If you discover an attack, take a baseline of your system Preserve the evidence Secure the audit trail
Clearly, this is easier with auditing enabled—with no auditing, your recourse in the event of an attack is somewhat constrained
Examine systems for active and “sleeping” files Attacks come in all flavors—they can come in, test a few things or
they can steal whole databases. Or—they can just put an exe file in the database and wait. Look for everything. Everywhere. Use tools and automation to simplify this process when possible—it’s a
big task and can be daunting.
Stay vigilant One thing that has been an increasing trend in recently revealed
attacks—they come back. Sophisticated hackers often test, drill and mine systems for months.
66 www.appsecinc.com
Database Forensics
The database can provide valuable forensic evidence in case of a suspected breach Identify before and after data values Recover deleted data Examine structural and data changes Prove if indeed there was a breach
Determine the scope of the damage / loss
Capabilities are significantly augmented with a 3rd party database activity monitoring system Native database auditing can be a big help too
67 www.appsecinc.com
Oracle Forensic Data Sources Within $ORACLE_HOME/admin/<SID>
pdump/alert_<SID>.log cdump/<SID>core.log – raw stack dumps resulting form
buffer overflow attacks Look for malicious payload in this file Groupings of attacks
udump/<SID>_s001_4382.trc – user trace file might contain user errors
Within $ORACLE_HOME/network/log Listener.log file contains connections to the listener service Agntsvrc.log, etc… contains logs on components of database
Files may be anywhere on the system Sqlnet.log files – show network traffic from the client SQL*Net trace files – cli_3736.trc
68 www.appsecinc.com
MS SQL Forensic Data Sources
Active Database Data Sessions, Users, Requests, Memory Contents
Transaction Logs \Program Files\Microsoft SQL Server\MSSQL\Data\*.ldf
View changes and who made them (DDL and DML statements)
SQL Server Error Logs \Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG
Logins, Logouts and Failed Logins (includes source IP) Database Starting and Stopping
SQL Server Trace Files (if present) \Program Files\Microsoft SQL Server\MSSQL\LOG\*.trc
Detailed listing of SQL Statements
69 www.appsecinc.com69
How Do You Secure Databases?
Apply the vulnerability management lifecycle...
Prioritize based on vulnerability, threat, and asset classification data
Document security plan
Eliminate high-priority vulnerabilities
Establish controls Demonstrate progress
Inventory assets Identify vulnerabilities Develop baseline
Monitor known vulnerabilities Watch unpatched systems Alert other suspicious activity
70 www.appsecinc.com70
How Do You Address These Vulnerabilities?
Start with a Secure Configuration Stay Patched
Stay on top of all the security alerts and bulletins Defense in Depth / Multiple Levels of Security
Regularly scan your databases for vulnerabilities Fix the problems reported!
Implement database activity monitoring… …and database intrusion detection
Especially if you can’t stay patched!
Encryption of data-in-motion / data-at-rest
71 www.appsecinc.com71
Best Practices Provided by Database Vendors & Notable Third Parties
Oracle Oracle9i Security Checklistotn.oracle.com/deploy/security/oracle9i/index.html Oracle Project Lockdownwww.oracle.com/technology/pub/articles/project_lockdown/index.html Oracle Security Checklistwww.oracle.com/technology/deploy/security/pdf/
twp_security_checklist_db_database.pdf
SANS Institute (SysAdmin, Audit, Network, Security) Oracle Database Checklistwww.sans.org/score/checklists/Oracle_Database_Checklist.doc
Microsoft 10 Steps to Secure SQL Server
www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
SQLSecurity.com SQLSecurity Checklistwww.SQLSecurity.com
72 www.appsecinc.com72
Database Security Info from AppSecInc
White Papers http://www.appsecinc.com/techdocs/whitepapers/research.shtml
Database Activity Monitoring Search Engines Used to Attack Databases Introduction to Database and Application Worms Hunting Flaws in Microsoft SQL Server
Presentations http://www.appsecinc.com/techdocs/presentations.shtml
Protecting Databases Hack-Proofing MySQL, IBM DB2, Oracle9iAS Writing Secure Code in Oracle
Security alerts www.appsecinc.com/resources/mailinglist.html
73 www.appsecinc.com73
Thank You
Questions? Vulnerabilities?
Locking down the database?
Email our security experts at:[email protected]
Practical Oracle Security
By AppSecInc team leaders: Josh Shaul and Aaron Ingram.
Syngress Publishing Oct 2007