So, hello everybody. Thank you for coming this evening to this talk about connection string attacks. First of all, thank you. I know it's Saturday, it's late, everybody wants to be in another place, having beers and so on. And for us, it's very good to have you here. So, thank you very much. First of all, let me introduce ourselves. He is José Palazón, Palako. He's working at Yahoo as a software architect. And I'm Chema Alonso. I'm a Microsoft MVP in enterprise security, but I'm not working at Microsoft. I'm working in a security company in Spain called I-64. The talk for today is about connection string injection attacks. But before that, I would like to make a quick introduction about our country, about Spain, because maybe you don't know it, but you love Spain. We was funny. Well, this year, we won the World Cup, so we are very proud of this. I'm sorry for the Indian people and the rest of the world. I'm sorry for the people from Germany and Holland. Well, also we got very good sports. Pau Gasol, very well. Rafa Nadal, and Alberto Contador. We are very proud of that, guys. And we got sexy people, like Antonio Banderas. Oh, my God. Penélope Cruz. And of course, Chema Alonso and José Palako. That's very nice, guys. Well, maybe everybody knows where Spain is, but this is Europe and Spain is not that country. It's not that country. Spain is that small country in the south of Europe. You know, we got long, long beaches around the whole country, so it's a very nice place to be. Please come to Spain. We would love you. And of course, in Spain, we got parties for everybody. We got the most famous party. This is San Fermines. It's the greatest party ever. It's very nice, and it's very simple. You only have to run. It's quite simple. And of course, we got food and flamenco. Everybody knows flamenco, of course. And that's very nice. We got very good people like Dalí, painters like Dalí or Picasso. Maybe you know it. Who knows Picasso and Dalí?
Despite all the good things that Spain has done for the world, we have to apologize on behalf of the government and pretty much 80% of the population for the Macarena. Oh, Macarena. Sorry about that. I like it. I like the Macarena. How many of you have been dancing the Macarena sometime in your life? Please, confess it. Well, all right, let's get into business. Okay, so what we're actually going to talk about today is connection string attacks. So to define what this is, basically a connection string is how you define how your application, like a web application or any other kind of application, is going to connect to a data source. The data source being either a database, LDAP, some kind of file system base, XML, whichever you want to use. And in particular what we're going to focus our work on here is database connection strings. If you look at that slide, what you have here is the very minimal database connection string that you can put together. It's in four lines for the sake of clarity, but you could consider that as a single string. What you have is the data source, that is the server where your data source is going to be, your database in this case. You have the schema. Of course you might have many databases in your server, so you're going to choose which one you want to use. And then you have the credentials, username and password. As I said, it is like a string. And this is a sample, a piece of code where you can see how these strings are constructed. Usually when an application connects to a database, there's two ways of doing that. It's either a static string or it's a dynamic string. If this is a static string, then you just put everything together, like data source, something, semicolon, the schema, username and password. If this is dynamic, for some reason, and we will see the cases afterwards, you want to use dynamic parameters here. You have to create this string somehow.
Unfortunately, most of the time you create this string by simple concatenation. And I think we all know more or less where this is going, right? So that's an example of how you put together a string by concatenation. And you can see a pretty good suspect there to allow us to play with that. There's a character there that we're using to separate the fields and we might be able to abuse that. So that's all. We're finished. That's all. You can go. Well, in some cases it's not even needed to inject to extract data from the connection string. There are a lot of easy queries that you can throw through Google to discover a lot of information from connection strings. Just looking for login pages with the data source parameter and you can discover, of course, the data source, the username and the password. The password is this. It's quite simple to do this. There are a lot. In this case, this is an example with an IBM. There are a lot of cases where, just playing with Google, you can discover a lot of information from connection strings. And in some other cases, the database administrator creates a special file, which is only a plain text file, but with a special extension, which is UDL, and that file stores the information of the connection string. So you can just use Google to discover that kind of file. Just searching for the file type UDL password. And there are a lot of cases. In this example, there is a very complex password; you will never figure out what it is. And you can do it. Let's do it. We got time. So just Google, so ext UDL password. That's all. Oh. No. It's the other one. Thanks, Google. Yeah. They even suggest how to do it right. Well, as you can see, there are files with information about the database, about the connection string. Let's download one of these, for instance. Let's see. One of my country. Which one? Whatever. This one. The first one. Okay. Let's start the file. Okay.
In Windows, it's quite simple because you only have to double-click the file, and Microsoft has a special tool to connect against that database, and you got the username, the password, and you just test the connection. It's in Spanish because in Spanish it's better. You only have to click this button, and that's all. So it's quite simple. Okay. So back to business. Let's review very briefly how a web application connects to a database, because when it comes to authenticating with the database, there's a big main separation that we want to make here. In a usual kind of web application that you probably have built, you take control of your users. So you have to take care inside the database to create the columns and tables for the whole authentication and authorization scheme. So that's how you manage the users in your application. There's another, well, I'll explain in a bit later. The other main way of authenticating is when you don't want one single user authenticating to the database, and then you have your users inside the database. You actually want your users to be the database users. Okay. So in this slide, we have the two parts, how the strings are constructed here, and the main difference is if you're going to use the integrated security, which is no when you want to handle your authentication, or yes when you want to use the system authentication. Okay. Usually when you have the first one, in most cases, you have one single user that the application, the entire application, uses to connect to the database, and then you do whatever. That is not very right, because if something goes wrong, then whichever user, no matter how your permission scheme is in your application, if something is wrong, like you have a SQL injection problem, then you can exploit that with whichever permissions that user has in the database.
And usually, well, not usually, always, if you're using just one user, that user needs permission all over the database for writing, reading, and modifying that. So if you have the chance, and you have to write one of these applications, ideally what you want to do is have as many roles as possible, not one role per user, but one role per kind of action or functionality. So you want one role to write, and if possible, one role to write here, one role to write in this other place, and then one other role to read. That way, if you have a SQL injection problem in a script that reads something from the database, then you're not going to be able to write or modify the database, right? So, you know, see, can you go back to the other? Okay. The way this works is, like, the way this application works, no matter if you use one single user or you use several users, is that this is the user that the application is using to authenticate against the database, which is different than my user, my username as a user of the application, when I authenticate against the application. So in this case, first the application is going to use those kind of static credentials to authenticate against the database, and then the application is going to ask me, the user, for my credentials, and then, using the database connection that has already been established with those static credentials, it's going to look in this scheme that I've defined to see if I have permissions to do whatever I've done as a programmer in the application. When the application is authenticated using database users, it goes the other way round. First, the application is going to ask me for my credentials and it's going to use these credentials to establish the connection with the database, all right? And then all that I can do in the database is whatever my user has permissions to do on the database.
That's good in those environments in which you have an internal application with single sign-on credentials, or you are working with internal users and you want to know what every user is doing in your database and so on. In the previous case, it's impossible to trace from the database who did anything, because the trace has to be done in the web application. So it's different. One environment is good for one kind of application and the other one is good for another kind of application. And of course, that environment is mandatory if you want to manage the database. If you want to manage the database, to create tables, to create new databases, to expand the tablespace or whatever, you need to manage the database, so you need a special connection against the database. This means that pretty much every possible control panel that you can find out there is going to use something similar to this to work, because the user that you're using, when you're authenticating to the application, is actually a database user. So as we said before, this is put together in a string and then you're going to do a string concatenation to put all these values together. So the way this works is you get one string with this value first, with parameter equals value, semicolon, parameter equals value, semicolon. So what we're going to do is we're going to use this semicolon as a separator, and if this string is going to be put together as a standard SQL string, then we're going to be able to add new information here. So now we're going to see what we can do by adding new information. This was discovered, the fact that this was not the right way of doing it, this was known somewhere around 2005. And Microsoft was aware of this in 2005. So what they did is they provided the proper way of doing this in ASP.NET 2.0. So since 2.0 you have this SQL connection string builder, which is an object that the framework provides, and that's how you should do it.
You shouldn't do string concatenations to create your strings. And that's secure. The problem is that nobody was aware about how to exploit this vulnerability. What can we do if we got a connection string injection into a component? What can be done? When we were starting this research we were trying to discover all the information published about this, and in OAS last September it wasn't possible to discover any single reference about connection string attacks or connection string injection or whatever. Nobody was aware about how we can exploit this. So the problem is, is this important? Can we do something important with the semicolon? Is this dangerous? So we did it. So you know that this is not how you should put together a connection string, but you didn't know that it's exploitable, so we've been working on a few ways of exploiting it. So there's two main things that we're going to do. We're going to use the semicolon to add new parameters or we're going to use the semicolon to add existing parameters. And I'm going to refer now to something that I guess most of you know, because it's been there for a couple of years now, which is HTTP parameter pollution. When you have HTTP parameter pollution, the way that works is you're going to have one parameter that's duplicated. So in your URL you're going to have twice, two different values for the same parameter. Depending on what system you're using, that's going to behave differently. One platform, one set of technologies, is going to take the first one. Another is going to take the second one. The most dangerous one is where sometimes you're going to use the first one and sometimes you're going to use the second one, so you can use that to go over filters and that. So we have something very, very similar here. Actually we have the same here. We have a parameter pollution behavior, and the way it works in this case is whichever happens last is what counts.
So if in my string I have a value twice, I'm sorry, I have two parameters twice, the second one is going to be used. So if you look at this slide, at the top that would be my string. Then if I start reading left to right, I have value A for my first parameter. So that's fine. I have value B for my second parameter. That's fine. But then I repeat my first parameter with value C. Then what's going to happen is that value A is not there anymore. Value C is what counts. And the same for the second parameter. That's quite nice, because you can rewrite the whole connection in a string, which is very good. And this is how it works. The previous slide was a generic example. This is how you modify the database connection object through the string. So you first usually have the data source, whichever value, then you have your username, then you have your password. But then as your password you can do something, semicolon, data source equals something different. And then you're changing the database that the application is going to connect to. So how can you use that? Well, you can use that, for example, to scan servers that you would not be able to scan because there's a firewall. Since the web application server is inside the network and the database server is inside the network, they can connect to each other. But you probably cannot connect to the database from outside, or to many other servers from outside, because there's a firewall. However, we've just seen that I can overwrite the data source parameter with whichever I want. So if in my string I overwrite that to another internal server, I can just try to be using this application with a development data server, with maybe data that has not been released so far. Important information inside the company, like financial things, stuff like that, or even things that have been there and are not maintained anymore. But there's another, go ahead.
There's another good thing that I can do, which is I can change the data source to a server that I control outside. And since most of the time the firewall is going to be allowing outbound connections, then if I change the data source to a server that I control, I'm actually getting the credentials, like the hash of the credentials. So I can use that to try to dictionary that or whichever. When you specify the value for the data source, you specify the server and the port. So the same way we've just seen how to scan different servers, you can scan different ports. So the way it works is exactly the same. After whichever field in the connection string where you can inject something, you do semicolon and then overwrite the data source, in this case trying different ports to do a port scan of a server that was not accessible to you before because of the firewall. That's how you change a parameter, right? We just change the data source to whichever. We've polluted the parameter. But you can also add a new parameter that was not there. The connection string that we've seen at the beginning is like the most simple string that you can have, with those four parameters. But there's more stuff that you can do here. And in this case, you can see that I can use my data source, my username, my password, but then I can inject other information that wasn't there before, like integrated security equals true. This parameter is the one that defines the behavior between the two ways of authenticating that I've been explaining before. Integrated security equals no means that I handle the authentication by myself inside the database. Integrated security equals true is I'm going to use system and database accounts for this. So let's see this behavior in some demos, for real, with some commercial products. And first of all, let's analyze what kind of attacks can be done. So the first one, we can steal the system account of the web server.
The idea is to steal the hash and it's quite simple. First of all, we need a rogue server in which we are going to run a SQL server that we are able to manage. Then we activate a sniffer on it. And then we only have to rewrite the data source parameter in the connection string and of course set integrated security equal to true. That means that the credentials that are going to be used are the operating system credentials. And in this case, it's the web application, the one which is trying to connect to the database. And the web application is running on the web server. So the operating system account that is going to be used is the operating system account of the web server. Understood? So it's quite simple. Let's suppose that we got this connection string. So the attacker only has to inject something like semicolon data source equals rogue server, password empty, semicolon integrated security equals true. That's an example with ASP.NET Enterprise Manager, which is a product that is on the internet in a lot of places. And the idea is quite simple. In this example, as you can see, we just use semicolon data source to an IP address and then just integrated security equals true. It's a very bad product. As you can see, you can read the password even on the screen. And of course, if you have kind of running on your machine, you can read the hash of the system account, which is quite simple. Attack number two, a port scanning attack. In this example, we are going to duplicate the data source parameter and we are going to use as the data source the target server, the server that we want to scan. So we only have to change the target port and check the error messages. In this example, if we obtain a no TCP connection, that means that the port is closed. If we retrieve no SQL server or no database discovered, then the port is open. And if we retrieve something like invalid password, then the SQL server is there, which is very good.
So in this example, with this connection string against SQL Server 2005, the idea is just to inject something like semicolon data source equals target server, target port in the user ID. And in the password, just something like semicolon integrated security equals to. This is a commercial product, which is myLittleAdmin. And in it, you got a panel to connect to your database, and just trying to discover if Google is answering on port 80, you retrieve something like a connection was successfully established with the server and blah, blah, blah. But if you try the 1420 port, you retrieve something like, there's nothing listening there. The third attack is quite simple. The idea is just, okay, the web server has a system account that is in the company, the database is in the company. Why are you asking me for a credential? Use your credential and get me in, which is the idea. So duplicate the data source parameter, then set integrated security equals true and that's all, because the application is going to take its credential to connect against the database and we are going to have a connection to the application. So the idea is quite simple, just in this connection string, the only thing that we need to inject is data source equals target server and integrated security equals true. Quite simple. In this example, Web Data Administrator, which was a Microsoft application, in 2004 was released as an open source tool and right now does not depend on Microsoft, but the idea is similar, is the same. We got the username and password to connect to the database, so data source equals the database, password, set integrated security equals true and then we just get into the control panel, and of course you get access to all the users and so on. So you can do the same with the rest of the products that we've been seeing before, and in this example, you can see better how it works.
This is the connection string information that you can see when you get into a myLittleAdmin control panel, and in this example, you can see that we got one data source that is pointing to the original database and our data source, which is pointing to the localhost server, and then the integrated security is equal to no in the original query, the original connection string, and in our connection string is set to true. So in this example, the last value wins. So it's quite simple. And we can do the same, of course, with the ASP.NET Enterprise Manager. So semicolon data source equals whatever and semicolon integrated security equals true and you get into the database. So this, we've been talking about how usually .NET applications connect to SQL Server databases, but if we want to extend this to others, MySQL doesn't really extend this. So it doesn't support integrated security, but if you're using a .NET application with a connection string to connect to a MySQL database, you still can do all the other stuff that we're doing, like the port scanning and stuff. With Oracle, it works. Everything that we've said works, like scanning and the whole integrated security. It even works on Unix accounts. And there's also this SYSDBA thing that you can use in Oracle to kind of use your user as a super user to do every administration thing that you want to do in the database. So that's something that you can even do. If your database here is Oracle, you will just append to your connection string this SYSDBA thing, and then your user has full control there. So let's see this in action. We got a testing environment in the example. It's a Windows 2003 and meet the password. And let's open Internet Explorer. And let's connect to different parameters, connection string. So let's start with the ASP.NET one. This is the connection string. This is the control panel for a Microsoft SQL Server.
There are a lot of control panels like this on the Internet. Are any of you using this software to manage your database? Well, the idea is quite simple. We need to use only one tool. It's the most powerful tool ever created, which is Notepad. And just integrated security equals true. That's all. Then right button, copy. It's in Spanish, but you know, in Spanish. So the user is test. The user is test. And we are going to try to duplicate the parameter, pollution to localhost. In this example it's the same, because you can set up in this field whatever server. But to do this, we are going to connect to the White House. It's not going to connect to the White House, because the last parameter wins, you know. And then text integrated security equals true and connect. And that's all. And you get into the control panel. It's so easy. You can do the same on the Internet. It's so easy just to do this. But it's illegal. Don't do that. So Web Data Administrator, the same idea. Username, Palako. Thank you. I love you. Palako and data source equals localhost. In this example it's a SQL Server Express Edition. So we need to use... We need to use the... It's not here. Integrated security equals true. Just paste. And get into... Okay. And you get into the database and manage whatever. The last one, the commercial product, myLittleAdmin. That control panel is using SQL Server Express. So we need to connect against a SQL Server Express, which is more or less the same as with localhost slash SQLExpress. That's it. And right button, paste, connect. And you get access to the database. In this example, we can analyze the connection string. So connection. And as you can see here, we got in the first place the original data source parameter, which is pointing to well above. And then we got our data source, that in this case is on the same machine, but you can use another machine. And the original integrated security is set to no. But our integrated security is set to true.
Then the last wins. And we get access to the control panel. And you can do the same with an Oracle application. In this example, it's a testing application, because it's not that common to find on the internet control panels to manage Oracle databases with integrated security enabled. So in this example it's just a testing application that we developed doing the same. So user, data source equals localhost, right button, integrated security equals true. And you get access to the internal application. Is that all? So the good idea with this is that if someone is working in your company, like a vendor or a partner or whatever, or an internal user, he can try to do the same with the integrated security parameter. The idea is that if he is able to publish an ASP or JSP application on the web server, he's going to be able to try to connect against any database in your company, which is very bad. In a hosting environment in which someone is able to put a file onto your server, or maybe he's using FOCA and discovers a PUT option, PUT method enabled on your website, he can upload a scanner to discover the whole network, trying the integrated security connection against the database. It's so simple. So we developed a scanner, which is CSPP scanner, which is available for download at that URL, and you can try it in your company. So the idea is quite simple. You put the ASP file on your website and just click the button, and then the application is going to scan the whole network with internal IP addresses, trying the connection string with integrated security equals true. And if the application discovers a SQL server, then it tries to give you a SQL query environment in which you can throw your SQL queries against the internal database. So it's quite simple. Let's see this in our demo, in our testing environment. So it looks like this.
And the idea is that you only have to put this file into the website, then the application is going to check how many network interfaces you have on the web server. And just clicking on the network interface, you can scan the whole network, scan with 100 threads, scan SQL servers. And now it is going to try to discover the SQL servers. In this case, there is only one SQL server, which is the one I'm using for the demos. And once it discovers it, I only have to click on it and get a connection. It's quite simple. So, finishing. All these products, all this commercial software was advised before we released the talk. And they released an advisory in September. The people of myLittleAdmin and myLittleBackup released this security advisory about this vulnerability. And it says that there is a new version that fixes one security vulnerability. The good idea, or the funny thing about this software, is that at the beginning, when we got in contact with the main developer, he said that it wasn't a vulnerability. That it was a feature. So, yeah. So he released first a small patch with a minor security update. A vulnerability, because it's minor that anyone can get into your database. It's a minor security issue. It's not that important. Your application is running. So that's important. And that guy was very, very nervous at the beginning when we got in contact with him. Because he was worried about the business. So he counterattacked with a marketing campaign saying, okay, there's a minor security vulnerability or a minor security bug. But a lot of companies are using our products. Like the US government, GoDaddy. US Army. US Army again. Oh my God. That's quite nice. Because I got the gun, but now I got the target. So it's quite nice. I love it. That's for you. This application is not maintained anymore. So if you are so unlucky to be using this, you're going to have to patch it yourself. So basically you just have to go over the code.
It's actually not very well written. So there's not like one single place where you go and change it. There's connection strings all over the place. So you have to go over the code and change these connection strings for the proper way of doing it, with the objects in the framework that we were mentioning before. And the last one is the ASP.NET Web Data Administrator. Originally it was a Microsoft application that in 2004 was released as an open source project. And since that moment Microsoft didn't maintain the software. The problem is that Microsoft was publishing the old version on the internet. And there is a small problem with search engine optimization: Microsoft has more page rank than the open source project. So everybody was trying to download the ASP.NET Web Data Administrator, and the first link that appeared on the web search engine was the Microsoft link. So it was a problem, because there was no difference between the original, which was insecure, and the open source project, which is secure. So we got in contact with Microsoft and Microsoft in the end took it off the internet. So right now it's impossible to download the insecure version, which is good. And how do you fix this? So give me this. First of all, we've seen that you can steal credentials by allowing outbound connections to your server. So set up your server, set up your firewalls directly and don't allow outbound connections that you shouldn't. You've also seen that by using integrated security equals true you can use system accounts to try different servers inside the network. Usually you don't need that many accounts in all your servers. So if you could take care of individual servers, what accounts do I need here and there? It's going to harden your whole organization, because even with integrated security equals true, if there's no credentials in the other servers, then there's nothing you can do.
Of course, don't use string concatenations, use the connection string builder object that is provided to you by the framework. And if you don't have any other option, filter the semicolons. And that's all. Questions at Rune 113. Thanks for all. Thank you.
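The two mechanisms the talk relies on, "parameter equals value, semicolon" parsing where the last duplicate wins, and the fix of letting a builder object quote the values instead of concatenating them, can be modelled in a few lines. The following is an added example written for this transcript, not code from the speakers, their CSPP scanner, or the .NET framework: it emulates the keyword=value semantics and the quoting convention that SqlConnectionStringBuilder uses (a value containing `;` or `"` is wrapped in double quotes, with embedded quotes doubled), builds the same four-parameter string both the naive way and the quoted way, and runs a defender-side audit that reports duplicated keys and keys the application never intended to send, such as `Integrated Security`. The server name, database name, user and the injected password value are constructed sample data.

```python
"""Model of keyword=value;keyword=value connection string handling.

Added illustration only: it imitates the semantics described in the talk
(last duplicate wins, values may be quoted with double quotes), it is not the
.NET SqlConnectionStringBuilder implementation itself.
"""


def parse_connection_string(conn_str):
    """Parse into a dict. Later duplicates overwrite earlier ones, which is
    exactly the parameter-pollution behaviour an attacker relies on.
    Returns (params, duplicates); keys are lower-cased and trimmed."""
    params, seen = {}, {}
    i, n = 0, len(conn_str)
    while i < n:
        while i < n and conn_str[i] in " ;":      # skip separators
            i += 1
        if i >= n:
            break
        eq = conn_str.find("=", i)
        if eq == -1:
            raise ValueError("malformed connection string: missing '='")
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        while i < n and conn_str[i] == " ":
            i += 1
        if i < n and conn_str[i] in "\"'":       # quoted value: ';' inside is data
            q, i, buf = conn_str[i], i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                if conn_str[i] == q:
                    if i + 1 < n and conn_str[i + 1] == q:   # doubled quote escapes itself
                        buf.append(q)
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(conn_str[i])
                i += 1
            value = "".join(buf)
            while i < n and conn_str[i] != ";":  # ignore trailing junk up to separator
                i += 1
        else:                                    # bare value ends at the next ';'
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value = conn_str[i:end].strip()
            i = end
        seen[key] = seen.get(key, 0) + 1
        params[key] = value                      # last one wins
    duplicates = sorted(k for k, c in seen.items() if c > 1)
    return params, duplicates


def build_naive(data_source, database, user, password):
    """The concatenation pattern the talk warns about: user input lands in the
    string verbatim, so a ';' in it starts a new parameter."""
    return (f"Data Source={data_source};Initial Catalog={database};"
            f"User ID={user};Password={password}")


def quote_value(value):
    """Quote a value the way a builder object would, so separators stay data."""
    if value and (any(c in value for c in ";=\"'") or value != value.strip()):
        return '"' + value.replace('"', '""') + '"'
    return value


def build_safe(data_source, database, user, password):
    """Same four parameters, but every value passes through quote_value()."""
    parts = [("Data Source", data_source), ("Initial Catalog", database),
             ("User ID", user), ("Password", password)]
    return ";".join(f"{k}={quote_value(v)}" for k, v in parts)


# Keys this hypothetical application legitimately sends; anything else is suspect.
ALLOWED_KEYS = frozenset({"data source", "initial catalog", "user id", "password"})


def audit(conn_str, allowed_keys=ALLOWED_KEYS):
    """Pre-connect check: flag polluted (duplicated) keys and unexpected keys."""
    params, duplicates = parse_connection_string(conn_str)
    unexpected = sorted(k for k in params if k not in allowed_keys)
    return {"params": params, "duplicates": duplicates, "unexpected": unexpected}


if __name__ == "__main__":
    # Constructed sample: a 'password' carrying the injection shape from the talk.
    injected = "x;Data Source=10.0.0.5;Integrated Security=true"
    for label, s in (("naive", build_naive("dbsrv", "app", "test", injected)),
                     ("safe", build_safe("dbsrv", "app", "test", injected))):
        print(label, audit(s))
```

With the naive string the audit reports `data source` as duplicated and `integrated security` as an unexpected key, and the parsed data source is the attacker's host; with the quoted string the whole injected text stays inside the password value and the data source is unchanged, which is the property the builder object gives you for free.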