Feeds

Next-gen SQL injection opens server door

1 in 10 sites naked

5 things you didn’t know about cloud backup

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server.

Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the door to much more serious exploits that give hackers unfettered access to a website's database and the operating system that runs it. Penetration tester Bernardo Damele Assumpcao Guimaraes says his techniques prey on design flaws in three of the most popular databases, including MySQL, PostgreSQL, and Microsoft SQL Server.

SQL injections are the result of applications that fail to vet user-supplied input entered into search boxes and other website fields. Hackers can abuse this failure to access private information by entering valid commands that get executed by a website's back-end database. Over the past five years, SQL injections have tripped up some of the world's most sensitive sites, including the Department of Homeland Security, embassies, banks, and security companies.

Now, Damele Assumpcao Guimaraes has found a host of new techniques that can wreak even more damage from SQL injection vulnerabilities. With one, he shows how to exploit buffer overflow flaws that may be present in the database. He says he was able to use the method to take complete control of servers running SQL Server before Microsoft patched a buffer overflow vulnerability in February.

A separate technique allows him to exploit a SQL injection vulnerability to finagle a command shell from servers running MySQL and PostgreSQL.

"I use the SQL injection only as a stepping stone to my target, and my target is the operating system, not only the data on the database," Damele Assumpcao Guimaraes said in an interview. "So far, a lot of research has been focused on data exfiltration and data manipulation."

The designer of a popular security tool called SQLMap, Damele Assumpcao Guimaraes plans to offer an update during his Black Hat talk that will help penetration testers detect the new type of attacks he's discovered.

The findings should bring new urgency to fixing a problem that industry groups say affects all too many websites. White Hat Security, a firm that specializes in web application security, estimates at least 16 of the top 1,000 websites suffer from the bug. Taking all the websites into account, the percentage is probably closer to 33 percent, said Jeremiah Grossman, the company's CTO. He argues here why fixing the epidemic could cost from $3bn to $8.5bn depending on the metrics used.

Those costs generally involve patching flaws in the web application. Damele Assumpcao Guimaraes's research would suggest that fixing web apps is only the first step. To fully protect against the new attack, administrators will also need to take a hard look at the way their databases are configured.

For starters, they'll want to make sure databases have as few unprivileged users as possible. But because many of his attacks rely on database design flaws that allow local privileges to be ported remotely, even that best practice isn't enough to prevent some of the attacks.

Up to now, getting it wrong has meant running the risk that the world can rifle through databases that cough up sensitive user information or system secrets that could be used to gain access to a server. Soon, it could mean much more, not only for the tens of million of sites vulnerable to the bugs, but their visitors as well. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?