Next-gen SQL injection opens server door

1 in 10 sites naked

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server.

Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the door to much more serious exploits that give hackers unfettered access to a website's database and the operating system that runs it. Penetration tester Bernardo Damele Assumpcao Guimaraes says his techniques prey on design flaws in three of the most popular databases: MySQL, PostgreSQL, and Microsoft SQL Server.

SQL injections are the result of applications that fail to vet user-supplied input entered into search boxes and other website fields. Hackers can abuse this failure to access private information by entering valid commands that get executed by a website's back-end database. Over the past five years, SQL injections have tripped up some of the world's most sensitive sites, including the Department of Homeland Security, embassies, banks, and security companies.
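The failure to vet input that the paragraph above describes comes down to how the query is built. The following is an added example (not code from the article or from sqlmap) that puts the vulnerable pattern beside the fixed one, using Python's standard-library sqlite3 module and a constructed in-memory `users` table; the table, column and function names are assumptions for illustration only.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("carol", "carol@example.invalid"),
        ],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable pattern: the search term is spliced into the SQL text.

    A quote character in the input closes the string literal, so the rest of
    the input is parsed as SQL rather than treated as the value being searched.
    """
    sql = f"SELECT username FROM users WHERE username = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened pattern: the search term is passed as a bound parameter.

    The driver sends the SQL and the value separately, so the value is never
    parsed as SQL no matter which characters it contains.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def compare(term: str) -> dict:
    """Run the same term through both versions and report the row counts."""
    conn = build_db()
    try:
        return {
            "unsafe_rows": len(search_unsafe(conn, term)),
            "safe_rows": len(search_safe(conn, term)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary lookup behaves the same either way.
    print("alice:", compare("alice"))
    # A term containing a quote makes the unsafe query match every row,
    # while the parameterized query correctly finds no user by that name.
    print("quoted term:", compare("' OR '1'='1"))
```

The point of running both versions side by side is that the application code, not the database, decides whether the input can change the query's structure; the same ordinary-looking search box is safe or unsafe depending only on whether the value is concatenated or bound.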

Now, Damele Assumpcao Guimaraes has found a host of new techniques that can wreak even more damage from SQL injection vulnerabilities. With one, he shows how to exploit buffer overflow flaws that may be present in the database. He says he was able to use the method to take complete control of servers running SQL Server before Microsoft patched a buffer overflow vulnerability in February.

A separate technique allows him to exploit a SQL injection vulnerability to finagle a command shell from servers running MySQL and PostgreSQL.

"I use the SQL injection only as a stepping stone to my target, and my target is the operating system, not only the data on the database," Damele Assumpcao Guimaraes said in an interview. "So far, a lot of research has been focused on data exfiltration and data manipulation."

The designer of a popular security tool called SQLMap, Damele Assumpcao Guimaraes plans to offer an update during his Black Hat talk that will help penetration testers detect the new type of attacks he's discovered.

The findings should bring new urgency to fixing a problem that industry groups say affects all too many websites. White Hat Security, a firm that specializes in web application security, estimates at least 16 of the top 1,000 websites suffer from the bug. Taking all websites into account, the percentage is probably closer to 33 percent, said Jeremiah Grossman, the company's CTO. He has argued elsewhere that fixing the epidemic could cost from $3bn to $8.5bn depending on the metrics used.

Those costs generally involve patching flaws in the web application. Damele Assumpcao Guimaraes's research would suggest that fixing web apps is only the first step. To fully protect against the new attack, administrators will also need to take a hard look at the way their databases are configured.

For starters, they'll want to make sure databases have as few unprivileged users as possible. But because many of his attacks rely on database design flaws that allow local privileges to be ported remotely, even that best practice isn't enough to prevent some of the attacks.

Up to now, getting it wrong has meant running the risk that the world can rifle through databases that cough up sensitive user information or system secrets that could be used to gain access to a server. Soon, it could mean much more, not only for the tens of millions of sites vulnerable to the bugs, but for their visitors as well. ®
