lost in translation - blackhat brazil 2014
DESCRIPTION
In this presentation we showed how security products fail to protect against, or detect, some types of flaws. The products include web scanners, log analysis tools, IDS and WAF, such as Snort, OSSEC, Qualys, Acunetix, W3AF and so on. The problems aren't related only to those tools; we just used them to build our PoCs. One possible consequence is a compliance bypass, for example a report "without" SQLi.
TRANSCRIPT
Lost in Translation
Joaquim Espinhara
&
Rodrigo Montoro
$ whois @jespinhara
➢ Senior Security Consultant at Trustwave
➢ Author of 0 patent pending technologies
➢ BJJ enthusiast
➢ Triathlete
➢ Dad (of dog)
$ whois @spookerlabs
➢ Senior Security Administrator at Sucuri Security
➢ Author of 2 patent pending technologies
➢ Researcher
➢ Open Source enthusiast
➢ Triathlete
➢ Dad
Motivation
ERROR 1045 (28000): Acesso negado para o usuário
'spooker'@'localhost' (senha usada: SIM)
Note
We are not talking about specific products only; all demos are there to prove our idea, which probably affects any vendor / product.
Languages
Source: http://www.bbc.co.uk/languages/guide/languages.shtml
Native English countries
Map of nations using English as a de facto or official majority language (dark blue) or an official minority language (light blue)
Source: http://en.wikipedia.org/wiki/List_of_territorial_entities_where_English_is_an_official_language
Products
How detection works
Offensive: Tool prepares request based on services -> Sends request to device -> Service processes request -> Service sends response -> Tool receives response -> Tool processes response
Defensive: Tool prepares request based on services -> Sends request to device -> Service processes request -> Service sends response -> Tool receives response -> Tool processes response
Defensive Tool / Attack sample
What kind of problems ?
Non-Detection aka False Negatives
➢ Offensive
➢ Defensive
Compliance bypass
“Stealth” backdoors / problems
Changes on the fly ...
mysql> select @@@version;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1
mysql> SET lc_messages = 'pt_BR';
Query OK, 0 rows affected (0.00 sec)
mysql> select @@@version;
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
mysql>
Proof of Concepts (PoC)
Offensive Tools
➢ Acunetix
➢ W3AF
➢ Qualys Free online version
Acunetix
Acunetix Demo
w3af
Qualys Free Scan
Defensive tools
➢ Snort / Sourcefire (Cisco)
➢ OSSEC (Trend Micro)
➢ WAF Parser
Snort / Sourcefire (IDS or IPS)
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2;)
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;)
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt"; flow:from_server,established; content:"|15 04|"; depth:64; content:"|32 38 30 30 30|Access denied for user|20|"; fast_pattern:only; content:"using password|3A 20|"; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:3;)
Snort / Sourcefire
OSSEC (HIDS)
Logtest OSSEC
WAF Parser
Offensive & Defensive
Desktops
Future / Mitigations
Not an easy fix; here we are only talking about MySQL
By default, mysqld produces error messages in English, but they can also be displayed in any of several other languages: Czech, Danish, Dutch, Estonian, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Norwegian-ny, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, or Swedish.
20 languages
Improve ASV tests for PCI scanners
Work more with error codes (when available)
mysql> select @@@version;
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
mysql> select @@@version;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@version' at line 1
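The following is an added example, not code from the talk or from any of the products named on the slides. It shows, for the MySQL "access denied" case used throughout the deck, the difference between the two detection strategies: matching on the English text (as the quoted Snort rule sid:2010494 does, where |15 04| is error code 1045 little-endian and |32 38 30 30 30| is the ASCII SQLSTATE "28000") versus keying on the numeric error code and SQLSTATE, which do not change with lc_messages. The packet builder, the English/Portuguese sample messages and the log lines are constructed for the example; the English text is MySQL's default wording and the Portuguese text is the pt_BR message shown on the "Motivation" slide. The content-match function only approximates the rule's byte patterns and is not a Snort engine.

```python
import re
import struct

# Constructed sample messages. The English one is MySQL's default wording; the
# Portuguese one is the pt_BR translation quoted on the slides.
MSG_EN = "Access denied for user 'spooker'@'localhost' (using password: YES)"
MSG_PT = "Acesso negado para o usuário 'spooker'@'localhost' (senha usada: SIM)"


def build_err_packet(code: int, sqlstate: str, message: str, seq: int = 2) -> bytes:
    """Build a MySQL ERR packet in the protocol 4.1 layout (constructed here for
    the example): 4-byte header (3-byte little-endian payload length + sequence
    id), then 0xFF, 2-byte little-endian error code, '#', 5-char SQLSTATE, text."""
    payload = (b"\xff" + struct.pack("<H", code) + b"#"
               + sqlstate.encode("ascii") + message.encode("utf-8"))
    header = struct.pack("<I", len(payload))[:3] + bytes([seq])
    return header + payload


def english_content_match(packet: bytes) -> bool:
    """Approximation of the byte patterns in rule sid:2010494: error code bytes
    |15 04| within the first 64 bytes, the SQLSTATE followed by the English text,
    and the English 'using password: ' fragment. All three must be present, so a
    localized message is never matched even though the code bytes are there."""
    return (b"\x15\x04" in packet[:64]
            and b"28000Access denied for user " in packet
            and b"using password: " in packet)


def parse_err_packet(packet: bytes):
    """Decode an ERR packet into (code, sqlstate, message), or None if it is not one."""
    if len(packet) < 5 or packet[4] != 0xFF:
        return None
    body = packet[5:]
    if len(body) < 8 or body[2:3] != b"#":
        return None
    code = struct.unpack("<H", body[:2])[0]
    sqlstate = body[3:8].decode("ascii")
    message = body[8:].decode("utf-8", errors="replace")
    return code, sqlstate, message


def code_based_match(packet: bytes) -> bool:
    """Language-independent check: error 1045 with SQLSTATE 28000 is an access
    denied response whichever lc_messages the server is configured with."""
    parsed = parse_err_packet(packet)
    return parsed is not None and parsed[0] == 1045 and parsed[1] == "28000"


# Log-side equivalent: the mysql client prints "ERROR <code> (<sqlstate>): <text>",
# so a log parser or scanner can key on the numbers and ignore the localized text.
LOG_LINE_RE = re.compile(r"^ERROR (\d+) \((\w{5})\): (.*)$")


def classify_log_line(line: str):
    """Return (code, sqlstate) from a mysql client error line, or None otherwise."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2)


if __name__ == "__main__":
    for label, msg in (("en", MSG_EN), ("pt_BR", MSG_PT)):
        pkt = build_err_packet(1045, "28000", msg)
        print(f"{label:6} text-match={english_content_match(pkt)!s:5} "
              f"code-match={code_based_match(pkt)}")
```

Run as a script, the English packet is caught by both strategies while the pt_BR packet is caught only by the code-based check; `classify_log_line` gives the same (1064, "42000") for both versions of the syntax error shown above.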
Possible attack surface
Something we couldn't measure yet; it needs tests and more tests.
Engine to detect language (not that easy)
ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a '@version' na linha 1
Contacts && Thank you!
Rodrigo Montoro
@sucuri_security
@spookerlabs
http://www.sucuri.net
Joaquim Espinhara
@spiderlabs
@jespinhara
http://www.trustwave.com