August 26th, 2009
SQL/JavaScript Hybrid Worms As Two-stage Quines
Workshop Seguridad Informática 2009 – 38 JAIIO (MDQ)
Lic. José Orlicki (jorlicki@)
- CONFIDENTIAL -
Not-So-Secret Agenda
- Motivation
- Hybrid Scenario
- Features Discussion
- Proof of Concept Highlights
- Demo & Discussion!?

Abstract: a what-if worm scenario based on real SQL/JS incidents and prototype code leads to a proof of concept in the laboratory with widely deployed (unhardened) technologies. It helps anticipate future trends and protections.
Attacks in the Wild! (2008)
[..] Anyone know about www.nihaorr1.com/1.js? The db that supports our company's ecommerce is filling up with this url [..]
[..] The script www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless [..]
Huge Web Hack Attack Infects Many Pages, Gregg Keizer, Computerworld (nihaorr1 -> favorite search engine)
Prototype of infected RFIDs! (2006)
Is Your Cat Infected with a Computer Virus? Melanie R. Rieback, Bruno Crispo, Andrew S. Tanenbaum
SQL virus prototype propagating via RFID tags. (Virus != Worm?) Uses SQL quines, self-replicating statements.
SQL and JavaScript can be combined in a Worm?
Basic Quines in T-SQL and Javascript
- Version 1: quine classic techniques in T-SQL
- Version 2: quine using native reflection hack in T-SQL
- Version 3 (fail!): quine classic and native getElementById() techniques in SQL
  - Similar to Version 1 but on the JS/client-side
  - Similar to Version 2 but idem…
Proof of Concept
- Lab: CherryPy, two ad-hoc-vulnerable webapps in different domains, MS-SQL. Python SQL interface, no modifications.
- Two-stage self-replication. Targets VARCHAR and TEXT db fields, ALL TABLEs…
- Version 1: MS-SQL quines, JavaScript regexes to extract new possible victim URLs, blind injection. (7359 bytes of SQLi egg)
- Version 2: MS-SQL reflective features. (approx. 3000 bytes, idem)
- Version 3 (fail!): JavaScript quines and reflection worked, the complete worm didn't. (estimated 1500 bytes)
Proof of Concept (cont.)
SQL hex and URL encoding: stealthiness and SQLi correctness. 4-variable scattered egg (the original 2008 attack used 1 variable):
http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX),@S3+VARCHAR(MAX),@S4+VARCHAR(MAX)%3BSET+@S=CAST(0x0d0a444398498468...
Regex matching for detecting possible new victim sites (matches host/path?param=<digits> candidates in the fetched page source):
var regexp = new RegExp("[a-zA-Z0-9-.?_&=:\/]+\/[a-zA-Z0-9-\.?_&=]+=[0-9]+","g");
var m = infected_html.match(regexp);
JavaScript blind XSS for propagation (very naive!):
document.write( "
" );
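As an added defensive example (not from the talk or its lab code): a Python detector that URL-decodes request query strings and flags the hex-encoded DECLARE / CAST(0x...) / EXEC egg shape shown in the URL above, decoding the 0x literal so an analyst can read what would have been executed. The log lines and the short hex literal are constructed, not real captures.

```python
import re
from urllib.parse import unquote_plus

# Shape of the egg in the slide's URL: DECLARE of VARCHAR variables, then
# SET @S=CAST(0x<hex> AS VARCHAR ...), then EXEC(@S). Matched in parts so a
# truncated log line still yields a finding.
DECLARE_RE = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR\s*\(", re.I)
HEX_CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9a-fA-F]+)\s+AS\s+N?VARCHAR", re.I)
EXEC_RE = re.compile(r"\bEXEC(?:UTE)?\s*\(", re.I)
VAR_RE = re.compile(r"@\w+\s+N?VARCHAR", re.I)

def decode_hex_egg(hexdigits):
    """Decode the 0x... literal the way CAST(... AS VARCHAR) would."""
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]  # truncated capture: drop dangling nibble
    return bytes.fromhex(hexdigits).decode("latin-1")

def inspect_query(raw_query):
    """Return a finding dict if the query string carries a hex egg, else None."""
    decoded = unquote_plus(raw_query)
    if "%" in decoded:  # second pass catches double-encoded (%253B) variants
        decoded = unquote_plus(decoded)
    hex_match = HEX_CAST_RE.search(decoded)
    if not (DECLARE_RE.search(decoded) and hex_match):
        return None
    return {
        "declares": len(VAR_RE.findall(decoded)),
        "has_exec": bool(EXEC_RE.search(decoded)),
        "payload_preview": decode_hex_egg(hex_match.group(1))[:60],
    }

def scan_log(lines):
    """Yield (line, finding) for each request line whose query looks like an egg."""
    for line in lines:
        m = re.search(r"\?(\S*)", line)
        if m:
            finding = inspect_query(m.group(1))
            if finding:
                yield line, finding

# Constructed sample log (not a real capture): the slide's URL shape, with a
# short hex literal that decodes to a harmless marker instead of a real egg.
SAMPLE_HEX = "0d0a" + "SELECT 1 -- egg".encode().hex()
SAMPLE_LOG = [
    "GET /greetUser?numid=1 HTTP/1.1",
    ("GET /greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX)"
     "%3BSET+@S=CAST(0x" + SAMPLE_HEX + "+AS+VARCHAR(MAX))%3BEXEC(@S)%3B-- HTTP/1.1"),
]
```

Running `list(scan_log(SAMPLE_LOG))` flags only the second line, reporting two declared variables, an EXEC, and the decoded marker string.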
¡Hybrid Worms Discussion!
Billy Hoffman and John Terrill, The Little Hybrid Web Worm that Could, Black Hat USA 2007 (they focus on JS obfuscation and Perl).
- No choke point
- Stealthier infections
- More portability (interpreted lang?)
- Target generic vulnerabilities (idem)
- Easily obfuscated (idem)
- Fewer crashes (idem)
- Data/Web 2.0/Cloud centric?
Demonstration!?
...but I can only show you the door. You're the one that has to walk through it...
Acknowledgements:
- Core Security Team: support and creative environment.
- Sebastián Cufre: T-SQL tricks.
- Aureliano Calvo: Javascript concepts.
- Pedro Varangot: suitable testing computer.
Questions?
Thanks! Contact: