Geneva Information Security Day
Geneva Information Security Day, 17 September 2013
©2011 High-Tech Bridge SA – www.htbridge.ch

# whoami

Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA
~13 years of experience in Information Technologies
GXPN, LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT, GREM, CHFI, RHCE, RHCT, MCP
[[email protected]]

# readelf prez

Slides in English. Talk in French.
3 rounds of 20’ [not including Q&A] focused on the offensive angle.
No need to take notes: the whole slides and demos will be published on the High-Tech Bridge website.
Given the very short time and the heterogeneous attendees, the slides will not dive too far into the technique. Nevertheless, I will also publish an additional low-level, step-by-step guide for all of you who may be interested in the technical part of those hacking principles.

# readelf prez

The first two parts are server-side oriented, whereas the third one focuses on client-side attacks.
If you missed previous conferences, you can learn more on server-side attacks here:
https://www.htbridge.com/publications/frontal_attacks_from_basic_compromise_to_advanced_persistent_threat.html
And here are the slides which introduced client-side attacks:
https://www.htbridge.com/publications/client_side_threats_anatomy_of_reverse_trojan_attacks.html

Table of contents

0x00 - About me
0x01 - About this conference
0x02 - Round 1: Web Servers vs. SQL Injections
0x03 - Round 2: Web Servers vs. Blind SQL Injections
0x04 - Round 3: Web Users vs. Cross-Site Scripting
0x05 - Conclusion

SQL Injection

On 5th February 2011, the security firm HBGary was compromised by LulzSec using a SQL Injection in their CMS-driven website.
On 1st June 2011, LulzSec exploited SQL Injections to steal coupons, download keys and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
In July 2012 a hacker group was reported to have stolen 450’000 login credentials from Yahoo!. Those logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a “Union-Based SQL Injection” technique.

The first step to compromise a server is to find a vulnerability. For web servers you can rely on the efficiency of ImmuniWeb Self-Fuzzer®, a decision-making tool developed to help people know whether they need ImmuniWeb®, the next-generation web application security assessment solution with a Software-as-a-Service delivery model.
Basically, ImmuniWeb Self-Fuzzer® is a free Firefox browser extension designed to detect Cross-Site Scripting and SQL Injection vulnerabilities in web applications.
To know more on ImmuniWeb Self-Fuzzer®:
https://www.htbridge.com/publications/immuniweb_self_fuzzer_firefox_extension.html

While browsing the website, ImmuniWeb Self-Fuzzer® can silently fuzz GET and POST variables, and even cookies and the URL. During this first round, we will focus on the SQL Injection.

[two screenshot slides with callouts 1 to 4]

So basically SQLi is nothing more than a code injection technique aimed at altering the original queries in order to get unexpected results and/or remotely collect sensitive database information.
All fields which can be altered by a visitor represent an entry point, such as GET and POST parameters or even cookies.
Bad sanitization of input data can lead to database exfiltration, information tampering, website defacement and even full compromise via arbitrary file download.
There are several types of SQLi. Error-Based SQLi permits to directly read the DBMS’ answers in error messages.
[+] https://www.htbridge.com/vulnerability/sql-injection.html

The concept for database exfiltration is quite simple. Usually we begin by identifying the DBMS, in order to optimize our crafted requests. Here an error message kindly reveals the DBMS and Operating System versions. Attackers can quickly identify MS SQL Server 2012 on Windows 7 x64 or Windows Server 2008 R2 x64:

Then we can enumerate tables on the targeted database, one table at a time:

We select the first table to enumerate its columns, one column at a time… Then the second table, and so on:

Now that we have the remote database structure, we can finally extract the records which sound interesting [or just dump everything in case of a database theft]:

Here the attacker can directly read the answer to a query which was specially crafted to reveal admin account information:

The SHA1(password+salt) hash of the first customer can be broken in only 3 seconds with GPU brute forcing:

The SHA1(password+salt) hash of the second customer can be broken in less than 9 minutes:

And depending on the DBMS we can even upload arbitrary files and deeply compromise the web server.
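To make the entry point of Round 1 concrete, here is an added example in Python over an in-memory SQLite table (not code from the talk, the demos or High-Tech Bridge): the same lookup built by string concatenation and with a bound parameter, plus the error-based leak the slides rely on; the table, its rows and the inputs are constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the customers table enumerated in
    # the slides; rows are made up for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, login TEXT, role TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user")])
    return db

def lookup_vulnerable(db, login):
    # The visitor-controlled value is glued into the SQL text, so it can
    # change the query itself. Kept as the 'before' of the fix on purpose.
    sql = "SELECT id, login, role FROM customers WHERE login = '" + login + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, login):
    # Same query with a bound parameter: the value travels separately from
    # the statement and can only ever be compared against the login column.
    sql = "SELECT id, login, role FROM customers WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()

def error_leak(db, login):
    # Error-based variant: a stray quote in the concatenated query makes the
    # DBMS raise, and an app that echoes the exception leaks DBMS details.
    try:
        lookup_vulnerable(db, login)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def compare(login):
    # Run the same input through both code paths and return what each sees.
    db = make_db()
    return {"vulnerable": lookup_vulnerable(db, login),
            "parameterized": lookup_parameterized(db, login)}

if __name__ == "__main__":
    # A tautology appended to a non-existent login: the concatenated query
    # returns every row, the bound query returns nothing.
    print(compare("nobody' OR '1'='1"))
    # A true and a false condition behind a real login: the row count of the
    # concatenated query answers a yes/no question, which is the oracle a
    # blind injection relies on; the bound query answers [] either way.
    print(compare("alice' AND '1'='1"), compare("alice' AND '1'='2"))
    # A legitimate name containing a quote breaks only the concatenated query.
    print(error_leak(make_db(), "O'Brien"), lookup_parameterized(make_db(), "O'Brien"))
```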
system("pause"); End of 1st round

Blind SQL Injection

On March 27th 2011, the official homepage for MySQL [mysql.com] was compromised by a hacker who exploited a Blind SQL Injection.
On June 27th 2013, the hacker group known as “RedHack” compromised the Istanbul Administration Site and claimed to have been able to erase people's debts to water, gas, Internet, electricity, and telephone companies.
This kind of attack has been known for years, but it is still widespread today.

Sometimes hackers are not so lucky, and the results of their injections are not forwarded as part of the HTTP answer. Invisible results do not necessarily mean that the injection vulnerability will not be exploitable. If the webpage displays differently depending on the result of a logical statement injected into the legitimate SQL query, then attackers are basically facing boolean answers, and they can therefore try as many yes/no questions as necessary to achieve the same exfiltration as with classical Error-Based SQL Injections. For sure it will be far more time consuming, but it is still exploitable, and the process can often be automated once the vulnerability has been uncovered.

Original query…
+ Is the first char of the DBMS version ‘a’? No page!
+ Is the first char of the DBMS version ‘b’? No page!
…/…
+ Is the first char of the DBMS version ‘m’? Page OK

A Y/N question which deserves a negative answer will create a “page not found” or no page at all:

A Y/N question which deserves a positive answer will produce the normal page, based on the initial query:

So it is just a matter of time [and noisy queries]…

Even with a quick and dirty DOS script of 20 lines, we can rudimentarily automate our Blind SQLi exploitation:

And with a more powerful exploitation tool, you can quite quickly exfiltrate the whole database.

After a quick fingerprinting, we can enumerate tables:

And then focus on the columns for a given table:

And finally we can dump records by selecting the columns of interest in a given table:

Stealing a remote database can take from a few minutes up to several days, depending on the size of the attacked database. Generally, the whole exfiltration only lasts a few hours once the SQL Injection has been uncovered.

system("pause"); End of 2nd round

Cross-Site Scripting

The Samy and Yamanner viruses spread on MySpace and Yahoo! Mail in 2005 and 2006.
During the second half of 2007, nearly 12’000 websites were documented by XSSed.org. Most Swiss security companies have been recorded on this website over the last 3 years.
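Returning to the blind injections of Round 2 from the defender's side, here is an added example (not from the talk or from High-Tech Bridge): the yes/no probing described there leaves a trail of many requests to one endpoint from one client whose responses alternate between the normal page and "no page", and this Python script scores a constructed access log for that pattern. The log lines, the 5-minute bucketing and the thresholds are assumptions for this example, not figures from the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, url, status = m.groups()
    path, _, query = url.partition("?")
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, query, int(status)

def flag_boolean_probing(lines, minutes=5, min_requests=20, min_distinct=15):
    # Group hits by (client, path, time bucket) and flag a group with many
    # requests, many distinct query strings and a mix of statuses: the
    # 'Page OK' / 'No page!' signature of yes/no questions. Thresholds are
    # assumptions to tune per site.
    groups = defaultdict(list)
    for ip, when, path, query, status in filter(None, map(parse, lines)):
        bucket = when.replace(minute=when.minute - when.minute % minutes, second=0)
        groups[(ip, path, bucket)].append((query, status))
    alerts = []
    for (ip, path, _bucket), hits in groups.items():
        queries, statuses = {q for q, _ in hits}, {s for _, s in hits}
        if len(hits) >= min_requests and len(queries) >= min_distinct and len(statuses) > 1:
            alerts.append((ip, path, len(hits), len(queries)))
    return alerts

def constructed_log():
    # Constructed sample, not a real capture: one client fires 30 probes at
    # product.php within 30 seconds (probe bodies replaced by PROBEnn labels,
    # only their variation matters here); a second client browses normally.
    t0 = datetime(2013, 9, 17, 10, 0, 0, tzinfo=timezone(timedelta(hours=2)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(30):
        status = 200 if i % 13 == 0 else 404  # rare 'Page OK' among 'No page!'
        lines.append(f'198.51.100.7 - - [{(t0 + timedelta(seconds=i)).strftime(fmt)}] '
                     f'"GET /product.php?id=3%20PROBE{i:02d} HTTP/1.1" {status} 512')
    for i in range(3):
        lines.append(f'203.0.113.9 - - [{(t0 + timedelta(seconds=40 * i)).strftime(fmt)}] '
                     f'"GET /product.php?id={i + 1} HTTP/1.1" 200 5120')
    return lines
```

Running `flag_boolean_probing(constructed_log())` reports only the probing client; the normal browser stays well under the request threshold.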