Got database access? Own the network!
Bernardo Damele Assumpção Guimarães
AthCon 2010, Athens (Greece), June 3, 2010

Who I am
Bernardo Damele Assumpção Guimarães
- Penetration tester @ Portcullis Computer Security
- Proud father, avid spear-fisher, bad photographer
- Open source enthusiast
- sqlmap lead developer – http://sqlmap.sf.net
- keimpx developer – http://code.google.com/p/keimpx
- Database takeover UDF repository

Introduction
- Database management systems are powerful applications
- Store and interact with data
- Interact with the file system and operating system
  - When they can't by design, you can force them to
  - When they can't due to the user's limited privileges, you can exploit them!

Scenario
- You have got access to a DBMS
  - Direct connection – provided account, weak passwords, brute-forced credentials
  - SQL injection – web application, stand-alone client, cash machine ☺, …
- What to do now other than enumerating data?
  - Own the underlying operating system
  - Why not even other servers within the network?

Command execution – State of the art
- Microsoft SQL Server
  - OPENROWSET can be abused to escalate privileges to DBA
  - Token kidnapping to escalate privileges to SYSTEM
  - Built-in xp_cmdshell to execute commands
- Oracle
  - If you find an injection in a function owned by SYS and with authid definer, you can run PL/SQL statements as SYS
  - Many ways to execute commands – DBMS_EXPORT_EXTENSION package, abuse of Java functions, etc.

Command execution – State of the art
- MySQL and PostgreSQL support user-defined functions: custom functions that can be evaluated in SQL statements
- UDFs can be created from shared libraries, which are compiled binary files
  - Dynamic-link library on Windows
  - Shared object on Linux
- PostgreSQL also supports procedural languages

Code snippet of sys_eval() UDF
sys_eval() executes a command and returns its stdout

More than command execution
- Owning the database server is not only about OS command execution
- Out-of-band connection between the attacker host and the database server
  - Database used as a stepping stone to establish this covert channel
  - TCP: Shell, Meterpreter, VNC – http://metasploit.com
  - UDP: DNS tunnel – http://heyoka.sourceforge.net

Stealth out-of-band connection
- On the attacker host
  - Forge a shellcode with msfpayload
  - Encode it with msfencode
  - Run msfcli with the multi/handler exploit
- On the database server
  - Create a UDF that executes a payload in-memory
  - Execute the UDF, providing the payload as a parameter
- Anti-forensics technique – hard to track in a post-exploitation forensics investigation

User-defined function sys_bineval()
- Works on DEP/NX-enabled systems
- Supports alphanumeric-encoded payloads
- Protects the DBMS if the payload crashes
  - Shellcode is executed in a SEH frame
- Does not always fork a new process
  - Spawns a new thread

sys_bineval() vs DEP/NX
- Memory area for the shellcode is allocated +rwx
  - On Windows: VirtualAlloc()
  - On Unix: mmap()

    code = (char *) VirtualAlloc(NULL,
                                 4096,
                                 MEM_RESERVE|MEM_COMMIT,
                                 PAGE_EXECUTE_READWRITE);

    code = mmap(0, page_size, PROT_READ|
                PROT_WRITE|PROT_EXEC,
                MAP_SHARED|MAP_ANONYMOUS, 0, 0);
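The in-memory execution described on this slide leaves a tell-tale trace on Linux: an anonymous mapping with rwx permissions inside the database process, something a normally running DBMS does not have. The following Python, added here as an example and not code from the talk or from sqlmap, parses /proc/<pid>/maps and flags such regions; the sample maps text and its addresses are constructed.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not captured from a real
# server): file-backed mappings of a MySQL server plus one anonymous page
# mapped rwx, as mmap(..., PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS, ...)
# on the slide would produce.
SAMPLE_MAPS = """\
55d1c2a00000-55d1c2c3f000 r-xp 00000000 08:01 1310722 /usr/sbin/mysqld
55d1c2e3e000-55d1c2f00000 rw-p 0023e000 08:01 1310722 /usr/sbin/mysqld
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c8e2000-7f3a1c8e3000 rwxp 00000000 00:00 0
7f3a1d000000-7f3a1d1b5000 r-xp 00000000 08:01 786455 /lib/x86_64-linux-gnu/libc-2.31.so
7ffd5e3c9000-7ffd5e3ea000 rw-p 00000000 00:00 0 [stack]
"""

# address range, perms, offset, dev, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append({
                "start": int(m["start"], 16),
                "end": int(m["end"], 16),
                "perms": m["perms"],
                "inode": int(m["inode"]),
                "path": m["path"].strip(),
            })
    return regions


def find_rwx_anonymous(regions):
    """Regions that are both writable and executable and backed by no file
    (inode 0). Legitimate code pages are r-x and file-backed, so a private
    rwx anonymous page inside a DBMS process deserves an alert."""
    return [r for r in regions
            if "w" in r["perms"] and "x" in r["perms"] and r["inode"] == 0]


def scan_text(text):
    return find_rwx_anonymous(parse_maps(text))


def scan_pid(pid):
    """Live check of a running process (Linux only, needs read access)."""
    with open(f"/proc/{pid}/maps") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for r in scan_text(SAMPLE_MAPS):
        print(f"rwx anonymous region {r['start']:#x}-{r['end']:#x} ({r['perms']})")
```

On a real host, run scan_pid() against the mysqld or postgres process id; JIT-enabled builds can legitimately create such pages, so treat a hit as a lead to inspect rather than proof by itself.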

sys_bineval() and alphanum payloads
- Supports alphanumeric-encoded payloads
- Metasploit's msfencode has alphanumeric encoders to encode the payload
- Problem: it is not able to produce pure alphanumeric payloads due to get_pc()

sys_bineval() and alphanum payloads
- Solution:
  - Use the BufferRegister option when encoding the shellcode
  - Put the payload address in the EAX register before executing it

    ./msfencode BufferRegister=EAX -e x86/alpha_mixed …

    __asm
    {
        MOV EAX, [lpPayload]
        CALL EAX
    }

sys_bineval() avoids DBMS crashes
- Spawn a new thread
- Wrap the payload in a SEH frame

    WaitForSingleObject(CreateThread(NULL, 0,
                                     ExecPayload, CodePointer,
                                     0, &pID),
                        INFINITE);

    __try {
        __asm {
            MOV EAX, [lpPayload]
            CALL EAX
        }
    }

Code snippet of sys_bineval() UDF
sys_bineval() executes an alphanumeric-encoded payload in-memory

Am I really unprivileged?
- Your code, like any other within the DBMS process, runs with the privileges of the OS user running the DBMS
  - Microsoft SQL Server can run as SYSTEM – uncommon
  - PostgreSQL and MySQL usually run as an unprivileged user
    - MySQL on Windows runs as SYSTEM
- Regardless of the OS user running the DBMS, the attacker can escalate privileges

I have got the power or… ways to get it!
- Some ways to escalate privileges
  - Meterpreter has some built-in commands (getsystem) and scripts
    - Including kitrap0d – kernel flaw unpatched for ~17 years
  - Abuse weak permissions on files, services, named pipes, LSASS design, etc.
  - Memory corruption bugs
  - "All Users" startup file trick
  - Got luck? whoami is your friend!

Want to execute fancier code on the DBMS?
- sqlmap has a switch to inject your own user-defined functions
  - Write your own C/ASM code with the DBMS development libraries
  - Compile it as a shared object
  - Fire up sqlmap with the --udf-inject switch
  - The tool will inject the UDFs you want and execute them on the database server at your request

Direct connection to the database
- From July 2006 to March 2010 sqlmap has been "yet another" SQL injection tool
  - With some kick-ass features like BOF exploit via SQL injection, sys_bineval(), file system access, etc.
  - All in all… the one-shot favourite script-kiddie tool™
- Now it is the only free tool able to take over database servers via either web applications or a direct connection

But… Wasn't it meant to deal with data?
- When you get access to a DBMS, you have a good chance of owning the operating system
- Once you have access to the system you can escalate privileges – kernel flaws, weak permissions, etc.
- When you are a high-privileged OS user you can dump users' password hashes and spray them across the network perimeter to easily own other machines – http://code.google.com/p/keimpx or SSHatter
- You can also pivot traffic through the compromised database server to the corporate network or DMZ

Questions?
http://bernardodamele.blogspot.com
http://sqlmap.sourceforge.net
Thanks for your attention!