Friday 12 December 2008

How to make 1 + 1 = -10 (AKA combining two attack vectors to control a database)

Let me start out by warning that this post is quite “techie” and may be seen as academic by some readers.

I am always impressed by the ingenuity of the security researchers who find new ways to make systems do things that their designers and engineers never had in mind when the systems were built. Recent news from researchers discloses how it is possible to combine the elements of two long-known attack strategies, buffer overflow exploits and SQL injection, to produce an attack on one SQL database platform. The Register reports that “the vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application”. Tragically, the only advice from the vendor is to drop a particular stored procedure (there is no advice on what this is likely to break).

The basic attack strategy is to exploit a stored procedure that is vulnerable to SQL injection and use this to gain access to the memory address space of the underlying operating system. Broadly speaking, this is similar to the outcome provided by a good old buffer overflow exploit. (Old security hands reading this will probably remember the classic work “Smashing the Stack for Fun and Profit” by Aleph One.) With access to the operating system and the precision of controlling directly what is put in the memory space, an attacker can pretty much get the machine to do anything. In reality, there are many easier-to-craft SQL injections that will give an attacker control of a system, but this new approach is worth understanding.
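From the defender's side, the tell-tale shape of this combined attack is a stored-procedure call that carries an unusually large literal argument (the vehicle for a memory-corruption payload), often chained after another statement via injection. The following is an added example written for this post, not the post's own code nor Secerno's product: it scans constructed sample SQL statements (the procedure name `dbo.some_proc` is hypothetical) and flags those that fit that shape.

```python
import re

# Constructed sample statements for illustration; not taken from the post.
# Statement 2 passes an oversized hex literal to a procedure, statement 3 stacks
# an EXEC with a 2000-character string behind a legitimate-looking query.
SAMPLE_STATEMENTS = [
    "SELECT name FROM products WHERE id = 42",
    "EXEC dbo.get_order @order_id = 1234",
    "EXEC dbo.some_proc 0x" + "41" * 600 + ", 1",
    "SELECT 1; EXEC dbo.some_proc '" + "A" * 2000 + "'",
]

HEX_LITERAL = re.compile(r"0x[0-9A-Fa-f]+")
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
EXEC_CALL = re.compile(r"\bEXEC(?:UTE)?\s+([\w.\[\]]+)", re.IGNORECASE)
STACKED_EXEC = re.compile(r";\s*EXEC(?:UTE)?\b", re.IGNORECASE)


def literal_lengths(sql):
    """Byte lengths of every hex (0x..) and quoted string literal in a statement."""
    lengths = [(len(m.group(0)) - 2) // 2 for m in HEX_LITERAL.finditer(sql)]
    lengths += [len(m.group(0)) - 2 for m in STRING_LITERAL.finditer(sql)]
    return lengths


def flag_statement(sql, max_literal_bytes=256):
    """Return the reasons a statement looks like a smuggled-payload procedure call.

    An empty list means the statement was not flagged. The size threshold is a
    tuning knob: legitimate binary parameters exist, so set it per application.
    """
    reasons = []
    calls = EXEC_CALL.findall(sql)
    if not calls:
        return reasons  # only stored-procedure calls are of interest here
    big = [n for n in literal_lengths(sql) if n > max_literal_bytes]
    if big:
        reasons.append(f"EXEC {calls[0]} with {max(big)}-byte literal argument")
    if STACKED_EXEC.search(sql):
        reasons.append(f"EXEC {calls[0]} stacked after another statement")
    return reasons


def scan(statements, max_literal_bytes=256):
    """Map statement index to its reasons, for every flagged statement."""
    return {i: r for i, s in enumerate(statements)
            if (r := flag_statement(s, max_literal_bytes))}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_STATEMENTS).items():
        print(idx, "; ".join(reasons))
```

Run against a query log or a database proxy feed, this gives a cheap first-pass signal; a product such as the one described later in the post would judge the full statement structure rather than literal sizes alone.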

What caught my attention about this was that one of the areas I researched whilst at the Oxford University Computing Laboratory was automatically learning the high-level strategies behind families of buffer overflow exploits. At Secerno, we have the technology (SynoptiQ(TM)) and the products (Secerno DataWall(TM)) to protect our customers’ databases from SQL injection, whether or not it is attempting to smuggle a buffer overflow type attack, and to stop attackers from causing something large and negative to happen on your databases (the minus 10 in the title of this post).