Feeds

Next-gen SQL injection opens server door

1 in 10 sites naked

Securing Web Applications Made Simple and Scalable

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server.

Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the door to much more serious exploits that give hackers unfettered access to a website's database and the operating system that runs it. Penetration tester Bernardo Damele Assumpcao Guimaraes says his techniques prey on design flaws in three of the most popular databases, including MySQL, PostgreSQL, and Microsoft SQL Server.

SQL injections are the result of applications that fail to vet user-supplied input entered into search boxes and other website fields. Hackers can abuse this failure to access private information by entering valid commands that get executed by a website's back-end database. Over the past five years, SQL injections have tripped up some of the world's most sensitive sites, including the Department of Homeland Security, embassies, banks, and security companies.

Now, Damele Assumpcao Guimaraes has found a host of new techniques that can wreak even more damage from SQL injection vulnerabilities. With one, he shows how to exploit buffer overflow flaws that may be present in the database. He says he was able to use the method to take complete control of servers running SQL Server before Microsoft patched a buffer overflow vulnerability in February.

A separate technique allows him to exploit a SQL injection vulnerability to finagle a command shell from servers running MySQL and PostgreSQL.

"I use the SQL injection only as a stepping stone to my target, and my target is the operating system, not only the data on the database," Damele Assumpcao Guimaraes said in an interview. "So far, a lot of research has been focused on data exfiltration and data manipulation."

The designer of a popular security tool called SQLMap, Damele Assumpcao Guimaraes plans to offer an update during his Black Hat talk that will help penetration testers detect the new type of attacks he's discovered.

The findings should bring new urgency to fixing a problem that industry groups say affects all too many websites. White Hat Security, a firm that specializes in web application security, estimates at least 16 of the top 1,000 websites suffer from the bug. Taking all the websites into account, the percentage is probably closer to 33 percent, said Jeremiah Grossman, the company's CTO. He argues here why fixing the epidemic could cost from $3bn to $8.5bn depending on the metrics used.

Those costs generally involve patching flaws in the web application. Damele Assumpcao Guimaraes's research would suggest that fixing web apps is only the first step. To fully protect against the new attack, administrators will also need to take a hard look at the way their databases are configured.

For starters, they'll want to make sure databases have as few unprivileged users as possible. But because many of his attacks rely on database design flaws that allow local privileges to be ported remotely, even that best practice isn't enough to prevent some of the attacks.

Up to now, getting it wrong has meant running the risk that the world can rifle through databases that cough up sensitive user information or system secrets that could be used to gain access to a server. Soon, it could mean much more, not only for the tens of million of sites vulnerable to the bugs, but their visitors as well. ®

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.