Lost in TranslationJoaquim Espinhara&Rodrigo Montoro

$ whois @jespinharaSenior Security Consultant at TrustwaveAuthor of 0 patent pending technologiesBJJ enthusiastTriathleteDad (of dog)

$ whois @spookerlabsSenior Security Administrator at Sucuri SecurityAuthor of 2 patent pending technologiesResearcherOpen Source enthusiastTriathleteDad

Motivation

ERROR 1045 (28000): Acesso negado para o usurio 'spooker'@'localhost' (senha usada: SIM)

NoteWe are not talking about specific products only, all demos are to prove our idea that probably affects any vendor / product.

LanguagesSource: http://www.bbc.co.uk/languages/guide/languages.shtml

Native English countries

Map of nations using English as a de facto or official majority language (dark blue) or an official minority language (light blue)Source: http://en.wikipedia.org/wiki/List_of_territorial_entities_where_English_is_an_official_language

Products

How detection works

Offensive

Tool PrepareRequestbased on services

Sendrequest todevice

Service processrequest

Servicesend response

Tool receiveresponse

Tool process response

Defensive

Tool PrepareRequestbased on services

Sendrequest todevice

Service processrequest

Servicesend response

Tool receiveresponse

Tool process response

DefensiveTool

Attack sample

What kind of problems ?

Non-Detection aka False NegativesOffensiveDefensive

Compliance bypass

Stealth backdoors / problems

Changes on the fly ...mysql> select @@@version;ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1

mysql> SET lc_messages = 'pt_BR';Query OK, 0 rows affected (0.00 sec)

mysql> select @@@version;ERROR 1064 (42000): Voc tem um erro de sintaxe no seu SQL prximo a '@version' na linha 1mysql>

Proof of Concepts (PoC)

Offensive Tools Acunetix W3AF Qualys Free online version

Acunetix

Acunetix Demo

w3af

Qualys Free Scan

Defensive toolsSnort / Sourcefire (Cisco)OSSEC (Trend Micro)WAF Parser

Snort / Sourcefire (IDS or IPS)alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2;)

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;)

alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt"; flow:from_server,established; content:"|15 04|"; depth:64; content:"|32 38 30 30 30|Access denied for user|20|"; fast_pattern:only; content:"using password|3A 20|"; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:3;)

Snort / Sourcefire

OSSEC (HIDS)

Logtest OSSEC

WAF Parser

Offensive & Defensive

Desktops

Future / Mitigations

Not easy fix, just talking about MySQLBy default, mysqld produces error messages in English, but they can also be displayed in any of several other languages : Czech, Danish, Dutch, Estonian, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Norwegian-ny, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, or Swedish.

20 languages

Improve ASV tests for PCI scanners

Work more with code errors (when available)

mysql> select @@@version;ERROR 1064 (42000): Voc tem um erro de sintaxe no seu SQL prximo a '@version' na linha 1

mysql> select @@@version;ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1

Possible attack surface

Something we couldnt measure yet, needtests and more tests.

Engine to detect language (not that easy)

ERROR 1064 (42000): Voc tem um erro de sintaxe no seu SQL prximo a '@version' na linha 1

Contacts && Thank you!Rodrigo Montororodrigo.montoro@sucuri.net@sucuri_security@spookerlabshttp://www.sucuri.netJoaquim Espinharajespinhara@trustwave.com@spiderlabs@jespinharahttp://www.trustwave.com