Feeds

Next-gen SQL injection opens server door

1 in 10 sites naked

Next gen security for virtualised datacentres

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server.

Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the door to much more serious exploits that give hackers unfettered access to a website's database and the operating system that runs it. Penetration tester Bernardo Damele Assumpcao Guimaraes says his techniques prey on design flaws in three of the most popular databases, including MySQL, PostgreSQL, and Microsoft SQL Server.

SQL injections are the result of applications that fail to vet user-supplied input entered into search boxes and other website fields. Hackers can abuse this failure to access private information by entering valid commands that get executed by a website's back-end database. Over the past five years, SQL injections have tripped up some of the world's most sensitive sites, including the Department of Homeland Security, embassies, banks, and security companies.

Now, Damele Assumpcao Guimaraes has found a host of new techniques that can wreak even more damage from SQL injection vulnerabilities. With one, he shows how to exploit buffer overflow flaws that may be present in the database. He says he was able to use the method to take complete control of servers running SQL Server before Microsoft patched a buffer overflow vulnerability in February.

A separate technique allows him to exploit a SQL injection vulnerability to finagle a command shell from servers running MySQL and PostgreSQL.

"I use the SQL injection only as a stepping stone to my target, and my target is the operating system, not only the data on the database," Damele Assumpcao Guimaraes said in an interview. "So far, a lot of research has been focused on data exfiltration and data manipulation."

The designer of a popular security tool called SQLMap, Damele Assumpcao Guimaraes plans to offer an update during his Black Hat talk that will help penetration testers detect the new type of attacks he's discovered.

The findings should bring new urgency to fixing a problem that industry groups say affects all too many websites. White Hat Security, a firm that specializes in web application security, estimates at least 16 of the top 1,000 websites suffer from the bug. Taking all the websites into account, the percentage is probably closer to 33 percent, said Jeremiah Grossman, the company's CTO. He argues here why fixing the epidemic could cost from $3bn to $8.5bn depending on the metrics used.

Those costs generally involve patching flaws in the web application. Damele Assumpcao Guimaraes's research would suggest that fixing web apps is only the first step. To fully protect against the new attack, administrators will also need to take a hard look at the way their databases are configured.

For starters, they'll want to make sure databases have as few unprivileged users as possible. But because many of his attacks rely on database design flaws that allow local privileges to be ported remotely, even that best practice isn't enough to prevent some of the attacks.

Up to now, getting it wrong has meant running the risk that the world can rifle through databases that cough up sensitive user information or system secrets that could be used to gain access to a server. Soon, it could mean much more, not only for the tens of million of sites vulnerable to the bugs, but their visitors as well. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.