Next-gen SQL injection opens server door
1 in 10 sites naked
A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server.
Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the door to much more serious exploits that give hackers unfettered access to a website's database and the operating system that runs it. Penetration tester Bernardo Damele Assumpcao Guimaraes says his techniques prey on design flaws in three of the most popular databases, including MySQL, PostgreSQL, and Microsoft SQL Server.
SQL injections are the result of applications that fail to vet user-supplied input entered into search boxes and other website fields. Hackers can abuse this failure to access private information by entering valid commands that get executed by a website's back-end database. Over the past five years, SQL injections have tripped up some of the world's most sensitive sites, including the Department of Homeland Security, embassies, banks, and security companies.
Now, Damele Assumpcao Guimaraes has found a host of new techniques that can wreak even more damage from SQL injection vulnerabilities. With one, he shows how to exploit buffer overflow flaws that may be present in the database. He says he was able to use the method to take complete control of servers running SQL Server before Microsoft patched a buffer overflow vulnerability in February.
A separate technique allows him to exploit a SQL injection vulnerability to finagle a command shell from servers running MySQL and PostgreSQL.
"I use the SQL injection only as a stepping stone to my target, and my target is the operating system, not only the data on the database," Damele Assumpcao Guimaraes said in an interview. "So far, a lot of research has been focused on data exfiltration and data manipulation."
The designer of a popular security tool called SQLMap, Damele Assumpcao Guimaraes plans to offer an update during his Black Hat talk that will help penetration testers detect the new type of attacks he's discovered.
The findings should bring new urgency to fixing a problem that industry groups say affects all too many websites. White Hat Security, a firm that specializes in web application security, estimates at least 16 of the top 1,000 websites suffer from the bug. Taking all the websites into account, the percentage is probably closer to 33 percent, said Jeremiah Grossman, the company's CTO. He argues here why fixing the epidemic could cost from $3bn to $8.5bn depending on the metrics used.
Those costs generally involve patching flaws in the web application. Damele Assumpcao Guimaraes's research would suggest that fixing web apps is only the first step. To fully protect against the new attack, administrators will also need to take a hard look at the way their databases are configured.
For starters, they'll want to make sure databases have as few unprivileged users as possible. But because many of his attacks rely on database design flaws that allow local privileges to be ported remotely, even that best practice isn't enough to prevent some of the attacks.
Up to now, getting it wrong has meant running the risk that the world can rifle through databases that cough up sensitive user information or system secrets that could be used to gain access to a server. Soon, it could mean much more, not only for the tens of million of sites vulnerable to the bugs, but their visitors as well. ®