3 Years in the making…

Back on the 21st August 2007 I was sitting at home in Austria writing my first ever blog post. It wasn’t well thought out (I’m sure most things I write aren’t), but it signified a big turning point that has changed my life in so many different ways.

So many things happened 3 years ago, most of which readers to this blog won’t really be interested in. I quit my job as a SysAdmin in Germany. I moved to Austria. I started to REALLY learn German (finally)…. oh, and I went to India for 6 weeks.

The one thing I really remember from that time though, was getting back into things that I’d long forgotten. I spent a lot of time as a kid programming from books (just copying BASIC code from magazines and playing with it mostly). I also spent a lot of time early on in my career really playing with technology, seeing what it could do and how to make things do other more interesting things. Somewhere along the road though, I lost that drive and started to just accept things as they were. I guess using Microsoft technology for too long will force that realization on you. Wow, how depressing…

So what really turned me around and made me love technology again? I attended my first Hacker con…. and yes, it was a REAL hacker con, and not a security conference. I spent a glorious week in a field near Berlin at the Chaos Computer Camp. It was without a doubt the best thing I’ve ever done. Scary as hell… very little German language skill, no friends in the “community”, and no idea where I was even going to sleep (that was sorted by the ever friendly Nick “Hackers on a Plane” Farr however…. and for that I’m forever thankful). Even though I came back thinking negatively about everything (I realized how little I really knew), I picked myself back up and started on this journey into security.

A little more than 3 years and 267 blog posts on (3 or 4 of which might actually be categorized as “reasonable”), and I still feel like I don’t know anything… but at least I know why now. There’s just too much for 1 person to learn. Security is such a big field that you need to pick and choose your targets. Yeah, I’m still not good at that, as can be seen from how much the blog’s content twists and turns between topics depending on my mood and interest at the time. Still, people seem to like it. At least the blog stats for the last few years are encouraging.

It still mystifies me somewhat that people come here to read things I write. I’m not the most experienced writer, and sometimes I look back on things I’ve written and feel an overwhelming urge to just click the “Move to Trash” icon. Still, things can only get better… after all, the way I write, they couldn’t get much worse could they :D

So what was this post all about? Well, nothing really. I just didn’t want to let another anniversary slip past without telling that story… oh and next year is the return of the Chaos Computer Camp (it runs on a 4 year cycle). Let’s hope I come back feeling more positive this time eh ;)

So here’s to another 3 years. Let’s hope I can keep up the pace…

HTTP Strict Transport Security

If you’re a sad geek like me you’ve probably already heard of HSTS (HTTP Strict Transport Security). HSTS is designed to solve an issue where you access a web server using HTTP and are automatically redirected to the HTTPS equivalent (usually through a 301 or 302 response and a new location header).

To most this seems like a perfectly acceptable solution, until you start thinking about the Man in the Middle issues of this kind of redirection. Most users don’t type https://mybank.com after all. They just type mybank.com and expect the browser and server to sort it out themselves…. and to be honest, they should. Users shouldn’t need to understand security to BE secure. It’s something that the server architects, web designers, and programmers of the world need to get together to solve.

So, the first step in securing this hole is finally beginning to be implemented. HSTS is still a way off yet (it’s just been implemented into the Firefox 4 nightly builds, and appears to be supported in Chromium), but it’s already looking promising.

HTTP Strict Transport Security works by allowing servers to return an additional header along with their 301 or 302 redirection. This Strict-Transport-Security: header allows the server to set a max-age (and optionally an includeSubDomains parameter) which is read by a compatible browser (currently limited).

Strict-Transport-Security Header

The browser will then remember the setting and next time it’s asked to connect to the server (even if it’s entered as an http:// address) the browser will request the https:// version.

Type http:// get https://

A couple of issues:

  • An initial HTTP request still needs to be made (opening for MitM)
  • Sub-domains need to be included to ensure everything is secured (addition of the includeSubDomains parameter)
  • How is Private browsing (i.e porn mode) handled? I see 2 possibilities here:
    • HSTS info is deleted along with everything else (reduced security)
    • HSTS info is retained (secure, but breaks privacy)

I’m looking forward to HSTS being implemented across a broader range of browsers, although this is going to take a long time (IE6 has only just started to die after all). Still, anything we can do to solve part of the problem is worthwhile doing.

UPDATE: I looked briefly into the private browsing situation (at least with the Firefox 4 nightly) and, as I thought, it forgets the HSTS settings, preferring privacy and protection of your visited-sites list over the security offered by HSTS. I guess this makes sense… Still, it renders HSTS moot for many of us who run in private browsing mode all the time (for privacy reasons!). I’d like to see an option to retain these. Maybe in the next nightly?
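To make the mechanism concrete, here is an added example (not code from this post or from any browser) that models the browser side: parsing the Strict-Transport-Security header, honouring max-age and includeSubDomains, and upgrading later http:// requests. It also models the issues above: the very first request is not upgraded because no policy exists yet, and a non-persistent (private-mode) store loses its policies. Host names and times are constructed; one detail beyond the post, taken from the HSTS specification, is that the header is only honoured when it arrived over HTTPS.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires_at: float         # absolute time the policy lapses (now + max-age)
    include_subdomains: bool  # was includeSubDomains present?


class HstsStore:
    """Toy model of a browser's HSTS policy cache (added example, not any
    browser's real code). persistent=False models a private-browsing window
    whose cache is thrown away when the session ends."""

    def __init__(self, persistent: bool = True):
        self.persistent = persistent
        self._policies: Dict[str, HstsEntry] = {}

    def process_header(self, host: str, header_value: str,
                       secure_transport: bool, now: Optional[float] = None) -> bool:
        """Record a Strict-Transport-Security header. Returns True when a policy
        was stored or cleared. The header is ignored unless it arrived over
        HTTPS; otherwise a MitM on the plain-HTTP leg could plant policies."""
        if not secure_transport:
            return False
        now = time.time() if now is None else now
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return False  # no usable max-age: nothing to remember
        host = host.lower()
        if int(max_age) == 0:
            self._policies.pop(host, None)  # max-age=0 tells the browser to forget
            return True
        self._policies[host] = HstsEntry(now + int(max_age),
                                         "includesubdomains" in directives)
        return True

    def should_upgrade(self, host: str, now: Optional[float] = None) -> bool:
        """Is there a live policy for this exact host, or for a parent domain
        whose policy carried includeSubDomains? Expired entries are dropped."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._policies[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def end_session(self) -> None:
        """Private-mode behaviour: a non-persistent store forgets everything."""
        if not self.persistent:
            self._policies.clear()


def rewrite_url(store: HstsStore, url: str, now: Optional[float] = None) -> str:
    """Apply the cache to a user-typed URL: http:// becomes https:// only when a
    policy exists, so the very first visit still goes out in the clear."""
    m = re.match(r"^http://([^/:?#]+)(.*)$", url)
    if m and store.should_upgrade(m.group(1), now):
        return "https://" + m.group(1) + m.group(2)
    return url
```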

Links:

  • Firefox 4: HTTP Strict Transport Security (force HTTPS) –> LINK
  • Firefox nightly builds (with HSTS support) –> LINK
  • HSTS Draft –> LINK
  • Chromium Strict Transport Security –> LINK

Test Sites (sites supporting HSTS):

  • www.paypal.com
  • www.ssllabs.com
  • www.defcon.org
  • www.elanex.biz
  • jottit.com
  • sunshinepress.org
  • www.noisebridge.net

Deutsche Post | Security Cup

A friend of mine (thanks Wim) posted this on Twitter. Normally when Deutsche Post announce the release of a new service it’s nothing to write home about, certainly not when it comes to security. However Deutsche Post have come up with an interesting competition in the build-up to the release of their E-Postbrief service.

Working with some well-respected members of the Security Community, they’ve come up with the Security Cup, and are offering some nice prizes for people/teams who find vulnerabilities in their web application or infrastructure.

As you can imagine the scope is limited (no client-side attacks, for example), but with the prizes on offer (major bugs are awarded EUR 5,000, normal bugs EUR 1,000) it looks like it’ll draw a crowd.

If you want to find out more information, head over to the Deutsche Post Security Cup web page and sign up (via email). The sign-up phase runs through September, so there’s plenty of time!

Eurotrash’s 1st Birthday

Well, who’d have thunk it… almost a year after the creation of Eurotrash and we’re still going strong! It’s been a wild and interesting ride, filled with great guests and good discussions. Not to mention the funny accents!

Almost a year ago, I sat down at BruCON with Dale, Craig and Wim to talk about maybe possibly starting a European podcast. As with many things it started off as an innocent comment on Twitter, which soon snowballed into an idea, and from there into a real podcast.

Listening back to the first episodes it’s easy to see we weren’t seasoned professionals. The ummms and errrrs have hopefully lessened a bit over time, but we’re still working to make things better behind the scenes. I always love looking back at things I’ve written, coded, or said in years past. It reminds me that even though you think you’re standing still, you’re really not. Things can only get better from here… face it, they couldn’t get much worse :D

We’ve had so many great guests on the podcast in the last year it’s hard to remember them all. I’d like to thank everybody that’s been on the podcast as a guest, but most of all I’d like to thank Wim, Craig, and Dale for taking this unmolded idea and really making it into something we can be proud of. I’d also like to thank Xavier for being so generous with his time (sorting the website, hosting and being there when we needed him) and DualCore…. for just being excellent, and giving us a song when nobody had even heard of us.

If you’ve not had the joy of hearing us, head over to iTunes or take a look at the Eurotrash RSS feed. I promise you, it’ll at least be entertaining, if not informative ;)

Rumours are already spreading of the plans for this year’s BruCON podcasters meetup. All I can say is, if Wim gets his way, it’s going to be an event to be remembered!

Here’s to another year of Eurotrash… may the trash be with you!

Underground pricelist

photo by Neubie (source: Flickr Creative Commons)

I was sifting through some blog comments last night, and came across one that was more than a little interesting (no, not death threats again… been there, done that).

I’m not usually a follower of underground sites or forums, and I certainly don’t go digging about to get price lists of interesting info (bank accounts, PayPals, etc.). So it was more than a little surprising that it came to me… and in response to a blog entry I wrote about Ian Iftach Amit’s Cybercrime|war talk from Blackhat, of all things.

The comment below was posted from 41.210.30.66, an IP in Ghana (owned by Ghana Telecom ADSL DYNAMIC ADDRESS POOL). Maybe it’ll be an interesting tid-bit for some of you. For others, it’s an interesting reminder that our info is hardly worth anything anymore!

Something I took away from this is the big difference in price between a US CVV ($3) and an EU CVV ($10). I’m not sure what accounts for the 3x increase in price, any thoughts?

The post below is slightly edited to cover some numbers and remove some FULL dumps… to protect the hopelessly 0wn3d!

Author : paypal1 (IP: 41.210.30.66 , 41-210-30-adsl-dyn.4u.com.gh)
E-mail : paypal.bank1@yahoo.com

PRICELIST OF STUFFS
Logins
Halifax 10K TO 85K
Hsbc 10K TO 80K
Wells 10K TO 90K
Rbc 10 TO 90K
10K TO 90K
Boa 10K TO 90K
Barclays 10K TO 90K
Citi 10K TO 80K
ALL TYPES OF LOGIN ASLO AVAILABLE…

PAYPAL(COUNTRY)
PAYPAL 10K TO 50K

LEADS(ALL COUNTRY)
MILLINOS LEAD WITH UNLIMITED SMTP FOR INBOX DELIVERY=100$

1 US CVV=3$
1 UK CVV=5$
1 EU CVV=10$

FULL CC with mmn,ssn,dob,pin=pm me for price
PHP Mailers inbox=15$
Webmailer=10$

1 US Fullz=30$
1 UK Fullz=35$
1 EU FULLZ=50$

Dump Writer and Reader Machine
MSR206 Reader/Writer 400$

US Dumps (101)(201)
US Mix (20Gold/20Plats/20Biz&Corp/40MCstandard&Classic)
bin of my choice 20$
US Classic 40$
US Debit Classic 50$
US MC Standard 60$
US Gold 100$
US Platinum 120$
US Business/Corporate 120$
US Purchasing/Signature 150$
US MC World 120$

Canada Dumps (101)(201)
Canada Classic 60$
Canada MC Standard 70$
Canada Gold 120$
Canada Platinum 150$
Canada MC WorlD 120$

Europe Dumps (101)(201)
EU Classic 120$
EU MC Standard 100$
EU Gold 140$
EU Platinum 150$
EU Business/Corporate 150$
EU Infinite 200$

ASIA DUMPS (101)(201)
Asia Classic 50$
Asia MC Standard 60$
Asia GolD 120$
Asia Platinum/Business/Corporate 150$

ITALY DUMPS (101)(201)
ITALY CLASSIC 50 $
ITALY PLATIUM 150 $
ITALYINFINIT 200 $
ITALY MC STANDAR =60$

GERMANY DUMPS (101)(201)
GERMANY classic=50 $
GERMANY BUSINESS/CORPORATE/PLATIUM=150 $
GERMANY GOLD=120
GERMANY MC STANDARD=60$

SPAIN DUMPS (101)(201)
SPAIN CLASSIC=50$
SPAIN PLATIUM=150$
SPAIN MC STANDARD=60$
SPAIN BUSINESS=150$
SPAIN INFINITY=200$

MEXICO DUMPS(101)(201)
MEXICO CLASSIC=50$
MEXICO BUSINESS/CORPORATE/PLATIUM=150$
MEXICO GOLD=120$
MEXICO MC STANDARD=60$

!!!! I HAVE ALL COUNTRIES DUMPS +PIN+BIN!!!!

Transfers WESTERN UNION(w u t r f) AND BANK TRANSFER
WU Transfer 10% upfront of whatever amount you want me to transfer for you…
BANK Transfer 10% upfront of whatever amount you want me to transfer for you…
eg: if you want $1000 you will have to pay $100 upfront.

SAMPLE DUMPS+PIN!!!!!!!!!!
Track1 : Xx2176531046971xx^AMY/HILTON M^xx0610127352005210000xx ,
Track2 : xx176531046971xx=xx03101383678xx
Pin : 18xx

Track1=xx325560610187xxWYATT/ROBERTSONxx071011714100002710000xx
Track2=xx325560610187xx=xx0710110000424000xx
pin:56xx

CVV ALL COUNTRY SAMPLE

Demo US
<STRIPPED DEMO DUMPS>

Demo UK
<STRIPPED DEMO DUMPS>

Demo CA
<STRIPPED DEMO DUMPS>

Demo au
<STRIPPED DEMO DUMPS>

demo FR
<STRIPPED DEMO DUMPS>

demo japan
<STRIPPED DEMO DUMPS>

demo italy
<STRIPPED DEMO DUMPS>

demo ger
<STRIPPED DEMO DUMPS>

Weeds also Available

SSN SOCIAL SECURITY NUMBER
DOB DATE OF BIRTH
DL DRIVING LINCENSE
MMN MOTHER MAIDEN NAME

CONTACT INFORMATION

CONTACT US IF YOU DONT UNDERSTAND ANYTHING ABOUT THIS STUFFS AND ALSO IF YOU WANT TO BUY MORE YOU CAN CALL THE NUMBER BELOW OR EMAIL ME:

YAHOO:paypal.bank1@xxxxx.com
ICQ:604716xxx

VALID AND FRESH INFO FOR SELLE PM ME
WE MAKE SURE YOU ARE SATISFIED WITH WHATEVER YOU ARE BUYING AND YOU GET IMMIDIATE DELIVERY OF STUFFS AFTER PAYMENT………WE DONT GIVE DEMO NOR SAMPLES NOR TEST ….. EVERY STUFFS 100% FRESH AND LIVE.

* Sorry about the long post… Contact me for the unedited version (if you have good reason obviously!)

New Advanced Penetration Testing Class from SANS

Back in 2008, SANS released their Network Penetration Testing and Ethical Hacking class (SEC560). At the time it was described as “SANS Security 560 is one of the most technically rigorous courses offered by the SANS Institute”. I had the pleasure of taking the class with John Strand back in 2008 and it was a great class, with a lot of great pointers for a penetration tester getting into the business. It was certainly head and shoulders above the other classes on offer.

Since then, the industry has been all about certification. New certs and classes have popped up all over the place. Just over 2 years later, SANS have released their new Advanced Penetration Testing, Exploits, and Ethical Hacking class (SEC660), incorporating new techniques that build on the previous class. The new class will be given boot camp style (with evening sessions) to maximize the content.

SANS will be running the SEC660 class with Stephen Sims at the December SANS London event… Make sure to book early; if the SEC560 class is anything to go by, then this one’s going to be popular!

Bigger, Better, Faster, More!

Las Vegas – The entertainment capital of the world.

Where your every desire is catered for, and you never have to go without. If there’s another place on earth with so many flashy lights, then I’ve certainly never heard about it!

Still, when I saw that this year Blackhat had gone to 11 tracks, I couldn’t help but think they were going a little bit too far, even for Vegas!

There’s a fine line between offering good content and swamping visitors with just too much choice…  and no matter how much I try, I just can’t help but get the feeling that Blackhat Las Vegas just jumped the shark!

I go to more than my fair share of conferences, and one thing that connects them all for me is the excitement and anticipation I get when looking over the list of speakers and talks. Picking out the ones I really want to see, the people I want to meet and the things I want to learn about is one of the highlights of a conference for me. The build-up is almost as important as the event after all. When I saw the schedule for this year’s Blackhat however, I didn’t feel excited. It wasn’t because there were no good talks, because there were a lot of great talks and great speakers. It was just too much. In my mind Blackhat had hit that point where it just didn’t matter what talks people went to anymore. It was just too big, too complex, and too confusing to me. I couldn’t help but get the feeling that no matter what talk I saw, I’d always be thinking about the other 10 tracks and what I was missing out on!

Maybe it’s just me, maybe everybody else thinks this was the best Blackhat ever. Everybody has his/her own opinion, and mine is that Blackhat (at least in Vegas) is dead to me. I doubt I’ll be attending next year for the new improved 12 track program (they have to make it more impressive next year after all… there’s no backing down now!). If you want to find me, I’ll be sitting by the pool at BSides talking to people who do this for the love of it, and not the money.

[Defcon] SHODAN for Penetration Testers

SHODAN for Penetration Testers – Michael “theprez98” Schearer

What is SHODAN

SHODAN is a search engine designed to crawl servers and gather banner information from specific ports.

A search engine of banners instead of content.

We can use this information to fingerprint the type and/or version of the system.

Basic Operations

Accessible through the website –> www.shodanhq.com

There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.

The search engine supports standard things such as boolean operators, as you’d expect

Login –> Either a free access search (a few features restricted) or create an account for full access.

Filters

Typing “CISCO” into SHODAN will come up with a lot of results. To filter this, you can use specific filtering values.

  • after/before
    • Limit results by date
  • country
    • 2 letter country code
  • hostname
    • Filters by text in the hostname or domain
  • net
    • Specific IP range or subnet
  • os
  • port
  • SSL

Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.

The map is also interactive, showing the number of scanned hosts when you mouseover a country.

example: apache country:CH –> search for all systems in CH with the match on apache

Knowing what the banner returns is very helpful for finding systems you want to locate.

Other Examples :

  • apache hostname:.nist.gov
  • iss-5.0 hostname:.edu

Port filtering

  • FTP 21
  • SSH 22
  • Telnet 23
  • HTTP 80
  • SNMP 161
  • HTTPS 443 –> Requires an SSL add-on

The SSL/HTTPS searches require an add-on. More information on the SHODAN homepage.

Search history is optional and disabled by default

By creating an account you can have personal history and save searches that you wish to repeat.

Export

Can export up to 1,000 results in XML format

Requires an account, and add-on

New section called Network Radar that shows newly added data.

Extended searches available with add-ons

Penetration Testing

Originally a marketing and research tool. However things have changed.

Basic knowledge of banners and status codes is important to be able to make sense of results and configure filters.

When searching for web-servers or domains, a 200 OK message is the best result as no further authentication is required to access the page.

CASE Studies

  • CISCO Devices
    • By searching for CISCO with a 200 OK, you will find devices without authentication
    • Some of these are probably test labs….. but not ALL of them!
    • 5,000-6,000 such systems on the internet
  • Default Passwords
    • Search for the words “default password”
    • Find… a printer accessible from the web using the default password as displayed in the headers
  • Huawei
    • Exclusion of all 4XX codes –> We just want 200 OK
    • Most responses were in the same subnet
    • Lots and lots of VoIP phones public facing
    • However…. they needed a password. Most Huawei devices have easy-to-guess default passwords
    • Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
  • Infrastructure Exploitation… or “How to pwn an ISP”
    • A number of CISCO devices discovered in the earlier section
    • Allow LEVEL 15 access (full admin)
    • Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
    • ISP located in the US (small regional)
    • VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
    • SNMP server IP address and community strings

Other interesting info

  • Some IIS searches
    • iis/5 –> 362695
    • iis/4 –> 9977
    • iis/3 –> 381
    • iis/2 –> 42
    • iis/1 –> 152
  • Wireless network cameras… with movement features
    • In Firefox you can do snapshots..
    • In IE you get an extra feature –> CONFIG!

Conclusions

Aggregates a lot of information that isn’t otherwise readily available

Allows for some passive vulnerability analysis –> based on banner version information

Not going to take over the world, but a good tool for penetration testers

[Defcon] You Spent All That Money And You Still Got Owned…

You Spent All That Money And You Still Got Owned… – Joe McCray

You often run up against all sorts of defensive measures when penetration testing (firewalls, IDS/IPS, WAF, …) and the testers still get in!

Often you get in, only to find that the company is already owned (enter Incident Handling mode)

More and more security measures are being implemented on company networks.

  • Firewalls are commonplace (perimeter and host based)
  • Anti-virus is smarter
  • Intrusion Detection / Prevention systems are hard to detect, let alone bypass
  • NAC Solutions are making their way into networks
  • IT Hardware / Software vendors are integrating security into their SDLC

Still. Companies get owned.

Comments like “We can’t patch those! Those are our development servers” don’t help.

“Always go for the quick shell” –> Google dork search for anything that hints at SQL Injection, remote/local file includes.

Identify Load-Balancers

Figure out if it’s load balanced

DNS or IP load balanced –> it makes a difference

Check the returned headers to see if things are different

  • Server Header
  • Time/Date

Use DNS queries and Netcraft.com

Tools to do this

  • Load Balancer Detection – lbd.sh
  • Halberd

Identifying Intrusion Prevention Systems

Most are still in detection only mode

See if it’s blocking…. break out CURL and try ../../../../winnt/system32/cmd.exe?d

Did you get blocked, is your IP banned –> If so it’s an IPS in blocking mode

Look for RST and other hints

Does the IPS monitor SSL traffic –> Many don’t

Attacking through TOR

Push attacks through TOR to help with IP-Banning

Clients should be blocking TOR proxies

Identifying WAFs

Due to PCI, there are a lot of WAFs being implemented

Send almost any special character and it will respond

Often easy to identify

Check in return headers for hints and information.

Tools like wafw00f can also be used –> waffun is a project being worked on currently

Examine / Request all possible std return codes (200, 404, 301, ..) and then see what gets returned if you try an XSS attack… are they identical?

Encoding is sometimes dealt with by a WAF… double encoding not so often.

Example:

DotDefender WAF –> Simple unencoded SQLi gets through. Blacklist on specific words and commands

Blocking the word SELECT –> Easy to bypass using UNICODE

FIXED by the vendor –> Only blocks unicode –> FAIL

SQL Injection to Metasploit

SQLNinja

  • Written in Perl, but still good.
  • Great for going from SQLi to shell

SQLMAP

  • Written in Python
  • Allows you to drop to a shell

Filter Evasion

Client-Side filtering == BAD

Do not use JavaScript that does filtering without server-side checks

“You’re going to put all the security on the hackers laptop!”

Restrictive Blacklist

Blocking things like = sign doesn’t stop SQLi

Encoding things bypasses these blacklists

Rules in IDS/IPS are sometimes looking for specifics like 1=1

Wait… doesn’t 2=2 as well!

Blacklist rule-sets are a losing proposition as encoding can bypass the rules
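As an added example (not from the talk or this post), the following Python models the point about restrictive blacklists and the earlier note on double encoding: a signature list that matches 1=1 misses 2=2, a WAF that URL-decodes once misses what the application sees after decoding twice, and a parameterised query is unaffected by either. The users table and the blacklist patterns are constructed for the demonstration.

```python
import re
import sqlite3
import urllib.parse

# Constructed blacklist in the style the talk criticises: a few specific
# strings an IDS/WAF signature might look for (the talk's "1=1" example).
BLACKLIST = [r"1\s*=\s*1", r"\bselect\b", r"\bunion\b"]


def blacklist_blocks(value: str) -> bool:
    """True if the naive signature list matches the (already decoded) value."""
    return any(re.search(p, value, re.IGNORECASE) for p in BLACKLIST)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str):
    """Vulnerable pattern: user input concatenated into SQL text, with a
    blacklist in front of it as the only defence. Returns None if blocked."""
    if blacklist_blocks(name):
        return None
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str):
    """Hardened form: the value is bound as a parameter, so it is only ever
    compared as data, whatever characters or encodings it contains."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def waf_then_app(conn: sqlite3.Connection, raw_value: str,
                 waf_decodes: int = 1, app_decodes: int = 2):
    """Models the decoding mismatch the talk mentions: the WAF URL-decodes
    the parameter once before matching signatures, while the application
    decodes it again before building its query. Returns None if blocked."""
    seen_by_waf = raw_value
    for _ in range(waf_decodes):
        seen_by_waf = urllib.parse.unquote(seen_by_waf)
    if blacklist_blocks(seen_by_waf):
        return None
    seen_by_app = raw_value
    for _ in range(app_decodes):
        seen_by_app = urllib.parse.unquote(seen_by_app)
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % seen_by_app
    return conn.execute(sql).fetchall()


def double_encode(value: str) -> str:
    """Helper for the demonstration: URL-encode a value twice."""
    return urllib.parse.quote(urllib.parse.quote(value, safe=""), safe="")
```

Running the same tautology through lookup_param returns no rows at all, which is the behaviour a server-side check should give regardless of what sits in front of it.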

Practice your kung-fu

PHPIDS

  • Smoketest
    • check your encoding and bypass techniques
    • find something that will bypass a lot of the rules

MOD_Security

  • Also now offers a smoketest
  • Implements core ruleset, PHPIDS and Snort

Lots of companies have IDS… how many actually look at it though?

Getting in via the Client-Side

Email a client-side exploit exported from Metasploit

Use reverse HTTPS to bypass some detections

SET (Social Engineering Toolkit)

“Real hackers aren’t scanning your network anymore”

Pivoting into the LAN

Metasploit offers a pivot

Compile programs so they don’t need an install, upload to remote system and run

Common LAN Security Solutions

No DHCP

  • Use Static

DHCP MAC Address Reservations

  • Find a system, steal MAC

Port Security

  • Find a printer….

NAC Solutions

  • Find a non-NAC supported system

See a pattern here?

Tools like VOIPhopper are perfect for going from one VLAN to another.

Looking around the network for a user

  • net commands on Windows are great for finding network information
  • Script output and find the Administrators
  • Escalate to SYSTEM/Administrator
  • Run commands using psexec, pskill, …
  • Kill protections, stop services

Certain AV/HIDS have blacklist filenames that aren’t checked… not hashes… filenames!

Use the new getsystem in Metasploit

Owning the Domain

Use token stealing (in Metasploit / Incognito)

Find an admin, steal the token, win!

[Defcon] Hacking Oracle From Web Apps

Hacking Oracle From Web Apps – Sumit Siddharth

Exploitation techniques for SQL Injection attacks on web applications backed by Oracle databases

Because it’s Defcon… and we love SQL Injection!

No free tools for hacking Oracle Databases from the web

  • Even commercial tools like Pangolin have outdated techniques

Oracle Privileges

Oracle comes with a number of default packages. The number has been reduced a lot with the latest 11g release

By default these packages run with the privileges of the definer

This can be changed to the caller of the function, but must be set in the function/procedure (AUTHID CURRENT_USER)

Owning from the network is easy

  • Enumerate SID
  • Enumerate common users
  • Connect to the Oracle DB
  • Exploit SQL Injection in a procedure owned by SYS
  • Become DBA
  • Execute OS Code

Demonstrated by Chris Gates last year using a number of Metasploit plugins

In Oracle there are 2 classes of Injection

  • PL/SQL
  • SQL
    • Limited
    • Doesn’t allow chained statements

OS Code execution is also not as simple as it is in Microsoft SQL Server

PL/SQL Injection

  • Injection in Anonymous PL/SQL Block
  • No Restriction
  • Execute DDL/DML

SQL

  • Common SQL Injection
  • Limited capabilities
  • No chained statements

Exploiting PL/SQL Injection

Using David Litchfield’s exploit from Blackhat DC 2010 –> Enable JAVA IO Permissions

OS Command Injection can then be obtained by calling a JAVA function (DBMS_JAVA_TEST) and calling a command on the local system

Exploiting SQL Injection

This could mean many things… do you want data from the DB or a shell –> depends on the goals of the test/attacker

Extraction of Data

  • Error Messages Enabled
  • Error Messages Disabled
    • Union Query
    • Blind injection
    • Time delay / Heavy queries
    • Out-of-band channels
  • Privilege escalation
  • OS Command Execution

Is your SQL Injection Privileged or unprivileged?

Are you executing with DBA privileges or something else

  • Privileged SQL Injection
    • Happens more often when the application connects to a database with DBA privs
    • SQL Injection is in a procedure owned by the DBA (regardless of the connection string)
  • Unprivileged SQL Injection

To exploit the OS we need functions executable by PUBLIC and vulnerable to:

  • PL/SQL Injection
  • Allows PL/SQL execution as a feature
  • Buffer overflow

There are a few functions known but the exploit is not publicly available

e.g. DBMS_JAVA_TEST (10g) buffer overflow

Of those known the following are popular:

  • DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES()
    • Function vulnerable to PL/SQL Injection
    • Runs with definer (SYS) privileges
    • Allows privilege escalation
    • OS Command Execution

Privileges needed to execute code on the OS

  • DBA Privileges
  • JAVA IO Privileges

For versions prior to the April 2006 CPU there are a number of exploits in Pangolin and Core Impact

Functions to execute code on the OS

  • DBMS_JAVA.RUNJAVA()
  • DBMS_JAVA_TEST.FUNCALL()

These take an Oracle class as input and cannot be executed without JAVA IO Privileges.

A DBA can grant himself the required privileges; however, even without them he can use the SYS.KUPP$PROC.CREATE_MASTER_PROCESS() function on 10g/11g to execute code on the remote OS.

Bsqlbf 2.6

Supports these new attack types and can be downloaded from Google Code.

Includes the ability to upload and execute a Metasploit payload through these vulnerabilities

Supports JAVA IO and DBA execution as required

Has a cleanup mode for nice penetration testers ;)

Non-interactive second order injections

Even if a field is not injectable it could be that the code is executed if for example, an administrator views the injected code through a second vulnerable application (for example a logging tool, or administration screen).

The malicious user will never see the response however, as the secondary user is running the injection. This means any output will be returned to the secondary user and not the malicious user.

Another possible scenario is a trigger or automated nightly process that acts on the injected code when run.

So how can we make these non-interactive attack vectors interactive?

Encode and upload a binary (Metasploit payload) to the remote server and wait for the secondary user/process to trigger the exploit –> Shell –> WIN

The webraider tool implements this style of attack to upload a Metasploit module

You’ve been hacked… so what?

PCI compliance mandates that card data must be stored encrypted –> So the extracted data is encrypted

PCI doesn’t specify whether the encryption happens at the DB or App level

If it’s at the DB level, then the App decrypts the data when requesting it –> the encryption key is passed in the query, so an attacker could extract it

  • v$sql table logs statistics on shared SQL area
  • Typically stores last 500 queries –> including the encryption details
