lost in translation - blackhat brazil 2014
TRANSCRIPT
Lost in Translation
Joaquim Espinhara & Rodrigo Montoro

$ whois @jespinhara
Senior Security Consultant at Trustwave
Author of 0 patent pending technologies
BJJ enthusiast
Triathlete
Dad (of dog)

$ whois @spookerlabs
Senior Security Administrator at Sucuri Security
Author of 2 patent pending technologies
Researcher
Open Source enthusiast
Triathlete
Dad
Motivation
ERROR 1045 (28000): Acesso negado para o usuário 'spooker'@'localhost' (senha usada: SIM)
Note: We are not talking about specific products only; all demos are there to prove our idea, which probably affects any vendor or product.
Languages
Source: http://www.bbc.co.uk/languages/guide/languages.shtml
Native English countries
Map of nations using English as a de facto or official majority language (dark blue) or an official minority language (light blue)
Source: http://en.wikipedia.org/wiki/List_of_territorial_entities_where_English_is_an_official_language
Products
How detection works
Offensive
1. Tool prepares request based on services
2. Tool sends request to device
3. Service processes request
4. Service sends response
5. Tool receives response
6. Tool processes response
Defensive
1. Tool prepares request based on services
2. Tool sends request to device
3. Service processes request
4. Service sends response
5. Tool receives response
6. Tool processes response
Defensive Tool
Attack sample
What kind of problems ?
Non-detection, a.k.a. false negatives (offensive and defensive)
Compliance bypass
Stealth backdoors / problems
Changes on the fly ...

mysql> select @@@version;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1

mysql> SET lc_messages = 'pt_BR';
Query OK, 0 rows affected (0.00 sec)

mysql> select @@@version;
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
Proof of Concepts (PoC)
Offensive Tools
Acunetix
W3AF
Qualys Free online version
Acunetix
Acunetix Demo
w3af
Qualys Free Scan
Defensive tools
Snort / Sourcefire (Cisco)
OSSEC (Trend Micro)
WAF Parser
Snort / Sourcefire (IDS or IPS)
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2;)
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;)
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt"; flow:from_server,established; content:"|15 04|"; depth:64; content:"|32 38 30 30 30|Access denied for user|20|"; fast_pattern:only; content:"using password|3A 20|"; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:3;)
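All three signatures above anchor on the English string "Access denied for user", so a server answering in pt_BR (as on the motivation slide) never matches them, even though the error code 1045 and the SQLSTATE 28000 that precede the text in the MySQL ERR packet are the same in every locale. The Python below is an added example, not part of the talk and not from any vendor rule set: it builds constructed ERR packets for both messages, shows the string check missing the localized one while a code-plus-SQLSTATE check catches both, and applies a count-in-window threshold keyed on the client address, in the spirit of the threshold: keyword in the rules. The packet layout follows the MySQL 4.1+ protocol; the client address, timestamps and message strings are constructed sample data.

```python
"""Added example: detect MySQL "Access denied" (error 1045) responses by the
protocol fields (error code + SQLSTATE) instead of by English message text.
All packets below are constructed for the example, not captured traffic."""
import struct
from collections import defaultdict, deque

ERR_HEADER = 0xFF          # first payload byte of a MySQL ERR packet
ACCESS_DENIED = 1045       # error code behind "Access denied for user"
ACCESS_DENIED_STATE = "28000"


def build_err_packet(code, sqlstate, message, seq=2):
    """Build a MySQL ERR packet (protocol 4.1+ layout): 3-byte little-endian
    payload length, 1-byte sequence id, then 0xFF, u16 LE error code,
    '#', 5-byte SQLSTATE and the (localized) message text."""
    payload = (bytes([ERR_HEADER]) + struct.pack("<H", code) + b"#"
               + sqlstate.encode("ascii") + message.encode("utf-8"))
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def parse_err_packet(packet):
    """Return (code, sqlstate, message) for an ERR packet, else None."""
    if len(packet) < 4:
        return None
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) < 3 or payload[0] != ERR_HEADER:
        return None
    code = struct.unpack_from("<H", payload, 1)[0]
    if len(payload) >= 9 and payload[3] == ord("#"):
        sqlstate = payload[4:9].decode("ascii", errors="replace")
        message = payload[9:].decode("utf-8", errors="replace")
    else:                        # pre-4.1 servers send no SQLSTATE marker
        sqlstate = ""
        message = payload[3:].decode("utf-8", errors="replace")
    return code, sqlstate, message


def string_match(packet):
    """Locale-dependent check: the same idea as the content: strings above."""
    return b"Access denied for user" in packet


def code_match(packet):
    """Locale-independent check: code and SQLSTATE come from the protocol."""
    parsed = parse_err_packet(packet)
    return (parsed is not None and parsed[0] == ACCESS_DENIED
            and parsed[1] == ACCESS_DENIED_STATE)


class FailedLoginThreshold:
    """Fire once one client has received `count` failed logins within
    `seconds`, mirroring the threshold: keywords of the signatures."""

    def __init__(self, count=5, seconds=120):
        self.count, self.seconds = count, seconds
        self.events = defaultdict(deque)   # client address -> timestamps

    def observe(self, client, ts, packet):
        if not code_match(packet):
            return False
        q = self.events[client]
        q.append(ts)
        while q and ts - q[0] > self.seconds:   # drop events outside window
            q.popleft()
        return len(q) >= self.count


# Constructed samples: the English message and the pt_BR one from the slide.
EN_PACKET = build_err_packet(ACCESS_DENIED, ACCESS_DENIED_STATE,
    "Access denied for user 'spooker'@'localhost' (using password: YES)")
PT_PACKET = build_err_packet(ACCESS_DENIED, ACCESS_DENIED_STATE,
    "Acesso negado para o usuário 'spooker'@'localhost' (senha usada: SIM)")


def demo():
    """Which detector fires on which packet, plus the threshold verdict after
    five localized failures sent to one (constructed) client inside the window."""
    thr = FailedLoginThreshold(count=5, seconds=120)
    verdicts = [thr.observe("10.0.0.5", t, PT_PACKET) for t in range(0, 50, 10)]
    return {
        "string_en": string_match(EN_PACKET), "string_pt": string_match(PT_PACKET),
        "code_en": code_match(EN_PACKET), "code_pt": code_match(PT_PACKET),
        "threshold_fired_on": verdicts.index(True) + 1 if True in verdicts else None,
    }


if __name__ == "__main__":
    print(demo())
```

Translated back into signature terms, the locale-independent content would be the bytes |FF 15 04 23 32 38 30 30 30| (ERR marker, code 1045, '#', SQLSTATE 28000) at the start of the payload, with no dependence on the message that follows; the rules above already carry |15 04| and |32 38 30 30 30|, so the English text is the part that turns them into a false negative.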
Snort / Sourcefire
OSSEC (HIDS)
Logtest OSSEC
WAF Parser
Offensive & Defensive
Desktops
Future / Mitigations
Not an easy fix, and this is just talking about MySQL.
By default, mysqld produces error messages in English, but they can also be displayed in any of several other languages: Czech, Danish, Dutch, Estonian, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Norwegian-ny, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, or Swedish.
20 languages
Improve ASV tests for PCI scanners
Work more with code errors (when available)
mysql> select @@@version;
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
mysql> select @@@version;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1
Possible attack surface
Something we couldn't measure yet; we need tests and more tests.
Engine to detect language (not that easy)
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
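For the "work more with code errors" and "engine to detect language" points, the Python below (example code added for this page, not from the speakers or from any scanner) classifies mysql client output by the error code and SQLSTATE that precede the localized text, and falls back to a per-language phrase table only when the output carries no code at all. The sample lines are constructed, two of them being the ones shown on the slide; English and pt_BR are the only locales in the phrase table, and having to add an entry for each of the other languages mysqld ships is precisely what makes the detection-engine approach "not that easy".

```python
"""Added example: classify MySQL error output by error code + SQLSTATE rather
than by English message text, with a per-language phrase table as the fallback
when a product prints only the message. Sample lines are constructed."""
import re

# What the mysql client prints: "ERROR <code> (<SQLSTATE>): <localized message>".
MYSQL_ERR_LINE = re.compile(
    r"ERROR\s+(?P<code>\d{4})\s+\((?P<sqlstate>[0-9A-Z]{5})\):\s*(?P<msg>.*)")

SYNTAX_ERROR = 1064     # SQLSTATE 42000
ACCESS_DENIED = 1045    # SQLSTATE 28000

# English-only strings of the kind the scanners on the slides key on.
ENGLISH_PHRASES = ("You have an error in your SQL syntax", "Access denied for user")

# Fallback phrase table, consulted only when no code is present. Every extra
# locale needs its own entry, which is the maintenance burden the slide notes.
LOCALIZED_PHRASES = {
    "en": {"You have an error in your SQL syntax": SYNTAX_ERROR,
           "Access denied for user": ACCESS_DENIED},
    "pt_BR": {"Você tem um erro de sintaxe no seu SQL": SYNTAX_ERROR,
              "Acesso negado para o usuário": ACCESS_DENIED},
}


def classify(line):
    """Return (error_code, how), where how is 'code', 'phrase:<lang>' or 'none'."""
    m = MYSQL_ERR_LINE.search(line)
    if m:                                   # code present: locale is irrelevant
        return int(m.group("code")), "code"
    for lang, table in LOCALIZED_PHRASES.items():
        for phrase, code in table.items():
            if phrase in line:
                return code, "phrase:" + lang
    return None, "none"


def naive_sqli_hint(line):
    """English-string check: a false negative on every other locale."""
    return any(p in line for p in ENGLISH_PHRASES)


def robust_sqli_hint(line):
    """Code-first check: the locale does not matter when the code is printed."""
    code, _ = classify(line)
    return code == SYNTAX_ERROR


# Constructed sample output (the first two lines are the ones on the slide).
SAMPLES = [
    "ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that "
    "corresponds to your MySQL server version for the right syntax to use near '@version' at line 1",
    "ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1",
    # An application that echoes only the message, no code: phrase fallback needed.
    "Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1",
    # Placeholder for a locale the table does not know; the code is still there.
    "ERROR 1045 (28000): <message in an untranslated locale>",
    # Placeholder for a locale the table does not know and no code: a miss.
    "<message in an untranslated locale>",
]


def report(lines=SAMPLES):
    """Per line: (naive verdict, robust verdict, classification)."""
    return [(naive_sqli_hint(l), robust_sqli_hint(l), classify(l)) for l in lines]


if __name__ == "__main__":
    for line, row in zip(SAMPLES, report()):
        print(row, line[:60])
```

The last two sample lines show the limit of the approach: when the code is printed, the classifier is correct without knowing the language; when it is not, the result is only as good as the phrase table, which is where a real language-detection engine would have to take over.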
Contacts && Thank you!
Rodrigo - [email protected] - @sucuri_security - @spookerlabs - http://www.sucuri.net
Joaquim - [email protected] - @spiderlabs - @jespinhara - http://www.trustwave.com