NoSQL Security, José Ramón Palanco, Wednesday 16 March 2011

Upload: jose-palanco

Post on 11-May-2015


DESCRIPTION

NoSQL Security presented on Rooted 2011

TRANSCRIPT

Page 1: Rooted 2011 nosql security

NoSQL Security

José Ramón Palanco

Wednesday 16 March 2011

Page 2: Rooted 2011 nosql security

Agenda

✦ NoSQL Introduction

✦ NoSQL vs RDBMS

✦ NoSQL Architecture

✦ NoSQL Implementations

✦ Attack vectors

✦ Injections

✦ Key Bruteforce

✦ HTTP Protocol Based Attacks in listeners

✦ Cassandra security and Thrift security

✦ Denial of Service (connection pollution, evil queries)

Page 3: Rooted 2011 nosql security

NoSQL Introduction

Page 4: Rooted 2011 nosql security

What is NoSQL?

✦ In general, no table schema is needed and no "join" is used

✦ NoSQL solutions do not implement one or more of the ACID properties

Page 5: Rooted 2011 nosql security

CAP Theorem

✦ Properties: consistency, availability and partition tolerance

✦ At least two of them are needed

✦ To scale, partitioning is needed

✦ In general, availability is preferred over consistency

Page 6: Rooted 2011 nosql security

NoSQL Architecture

[Diagram: RDBMS stack vs NoSQL stack]

RDBMS: Client, HTTP Server, DB connector; SQL via ODBC, ADO, JDBC

NoSQL: Client, HTTP Server, DB connector; REST, JSON, XML, ...; Binary, HTTP, ...

Page 7: Rooted 2011 nosql security

NoSQL vs RDBMS

✦ RDBMS show poor performance and scalability in applications that make heavy use of data

✦ Cloud Computing (SaaS)

✦ Social Networks (SN)

✦ Complex queries cannot be performed with anything other than an RDBMS

Page 8: Rooted 2011 nosql security

Environments

✦ In many environments writes need to be distributed across clusters, MapReduce, ...

✦ Facebook needs to store 135 billion messages each month

✦ Twitter stores 7 TB daily

Page 9: Rooted 2011 nosql security

Disadvantages of NoSQL

✦ OLTP

✦ SQL

✦ Ad-Hoc queries

✦ Complex relations


Page 10: Rooted 2011 nosql security

NoSQL Architectures

✦ Document store

✦ Graph

✦ Key-value store

✦ Multivalue

✦ Objects

✦ Tabular


Page 11: Rooted 2011 nosql security

Key-value store

✦ CouchDB

✦ MongoDB

✦ Terrastore

✦ ThruDB

✦ OrientDB

✦ RavenDB


Page 12: Rooted 2011 nosql security

Graph

✦ Neo4J

✦ Sones

✦ InfoGrid

✦ HypergraphDB

✦ AllegroGraph

✦ BigData


Page 13: Rooted 2011 nosql security

Key-value

✦ Redis

✦ Riak

✦ Tokyo Cabinet

✦ MemcacheDB

✦ Membase

✦ Azure


Page 14: Rooted 2011 nosql security

Multivalue

✦ U2

✦ OpenInsight

✦ OpenQM


Page 15: Rooted 2011 nosql security

Objects

✦ db4o

✦ Versant

✦ Objectivity

✦ NEO


Page 16: Rooted 2011 nosql security

MongoDB

✦ Protocol: Binary (BSON)

✦ API: several languages

✦ Query: JavaScript/JSON

✦ Language: C++


Page 17: Rooted 2011 nosql security

CouchDB

✦ Protocol: REST

✦ API: JSON

✦ Query: MapReduce (JS)

✦ Language: Erlang

Features

• Schema-Free (JSON)

• Document Oriented, Not Relational

• Highly Concurrent

• RESTful HTTP API

• JavaScript-Powered Map/Reduce

• N-Master Replication

• Robust Storage

Page 18: Rooted 2011 nosql security

{"couchdb":"Welcome","version":"0.11.0"}

$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/ HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Date: Sat, 19 Feb 2011 05:20:28 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 188
Cache-Control: must-revalidate

{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":0,"compact_running":false,"disk_size":4182,"instance_start_time":"1298092462502662","disk_format_version":5}

Page 19: Rooted 2011 nosql security

{"couchdb":"Welcome","version":"0.11.0"}

$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Etag: "1-2512702fff02fe841adecde4a22c62b5"
Date: Sat, 19 Feb 2011 05:20:47 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 155
Cache-Control: must-revalidate

{"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a22c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999}
Connection closed by foreign host.

Page 20: Rooted 2011 nosql security

Redis

✦ Protocol: Plain Telnet

✦ API: Several Languages

✦ Query: Commands

✦ Language: C/C++


Page 21: Rooted 2011 nosql security

Cassandra

✦ Protocol: Binary (Thrift)

✦ API: Thrift

✦ Query: Column/ranges

✦ Languages: Java

Page 22: Rooted 2011 nosql security

Cassandra

✦ Column (tuple/triplet)

✦ Supercolumn (composed by columns)

✦ Column Family (contains supercolumns)

✦ Keyspace (stores column families)


Page 23: Rooted 2011 nosql security

Cassandra

<Keyspace Name="BloggyAppy">
  <!-- CF definitions -->
  <ColumnFamily CompareWith="BytesType" Name="Authors"/>
  <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="Comments" CompareSubcolumnsWith="BytesType" ColumnType="Super"/>
</Keyspace>

storage-conf.xml

Page 24: Rooted 2011 nosql security

Attack vectors


Page 25: Rooted 2011 nosql security

Introduction

✦ Several database concepts

✦ Several implementations

✦ So the attack vectors are very specific and depend on each implementation

Page 26: Rooted 2011 nosql security

HTTP Based Attacks

✦ Who uses HTTP?

✦ CouchDB

✦ HBASE

✦ Riak

✦ How to locate vulnerabilities?

✦ fuzzing: hzzp

Page 27: Rooted 2011 nosql security

Listeners exploitation

✦ As they work over HTTP, misconfigured cache proxies can be used to reach them

$ telnet server.com 80
Trying X.X.X.X...
Connected to server.com.
Escape character is '^]'
GET /_all_dbs
Host: 192.168.2.18

Page 28: Rooted 2011 nosql security

JSON Injection

db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )

db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )

In the same way that SQL is escaped, input must also be escaped when working with CouchDB or MongoDB

Page 29: Rooted 2011 nosql security

Array Injection: MongoDB + PHP

✦ In PHP a variable becomes an array just by adding brackets to its name

✦ If the admin password is compared as 'Not Equal' to anything, you get access

✦ Besides $ne, we can inject:

✦ $or, $exists, $nin, $in, $lt, ... (logical operators)

✦ &var[$regex]=/privileged/i (regex)

<?php
// Request parameters are passed to the query exactly as PHP parsed them
$collection->find(array(
    "username" => $_GET['username'],
    "passwd"   => $_GET['passwd']));
?>

/login.php?username=admin&passwd[$ne]=1

<?php
// What the query above becomes for that request
$collection->find(array(
    "username" => "admin",
    "passwd"   => array('$ne' => 1)));
?>
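A runnable illustration of the array injection above and of the JSON injection on the previous slide, added here and not part of the presentation: parse_php_query mimics how PHP turns bracketed parameters into arrays, has_operator is an assumed check for operator keys, and safe_filter is an assumed hardened builder that only accepts scalar credentials.

```python
# Added example (not from the slides): why "passwd[$ne]=1" turns the PHP
# login query into an operator match, and a builder that refuses such input.
from urllib.parse import parse_qsl


def parse_php_query(qs):
    """Mimic PHP's $_GET: 'passwd[$ne]=1' becomes {'passwd': {'$ne': '1'}}."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[:-1].split("[", 1)
            out.setdefault(base, {})[sub] = value
        else:
            out[key] = value
    return out


def vulnerable_filter(params):
    # Same shape as the slide's find(array("username" => $_GET[...], ...)):
    # whatever PHP parsed is handed to MongoDB unchanged.
    return {"username": params.get("username"), "passwd": params.get("passwd")}


def has_operator(value):
    """True if the value, or anything nested in it, carries a $-operator key."""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator(v) for v in value)
    return False


def safe_filter(params):
    """Hardened: both credentials must be plain strings, so $ne, $regex or an
    extra $or branch can never reach the query."""
    username, passwd = params.get("username"), params.get("passwd")
    if not isinstance(username, str) or not isinstance(passwd, str):
        raise ValueError("credentials must be scalar strings")
    return {"username": username, "passwd": passwd}
```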


Page 30: Rooted 2011 nosql security

View Injection

✦ CouchDB uses SpiderMonkey as its scripting engine

✦ Views are loaded as JS

$ ldd /usr/lib/couchdb/bin/couchjs
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000)
    libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000)
    ...

Page 31: Rooted 2011 nosql security

View Injection

✦ There are predefined views and temporary views

✦ They are used to run MapReduce

✦ Get arbitrary data, or change values to alter the execution flow

Page 32: Rooted 2011 nosql security

REST Injection

✦ Cross Database:

✦ /?db=_all_dbs

✦ /?db=myusers

<?php
// Database name and document id come straight from the request
$dbname = $_GET["db"];
$doc_id = $_GET["d_id"];
$resp = $couch->send("GET", "/" . $dbname . "/" . $doc_id);
?>
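The same lookup with the database and document id validated before the path is built (added example, not the author's code; ALLOWED_DBS and couch_doc_path are assumed names, and the allowlist assumes only the "rooted" database from the earlier slides should be reachable):

```python
# Added example (not from the slides): the slide builds "/" . $dbname . "/" . $doc_id
# straight from request parameters, so db=_all_dbs or db=myusers reaches any
# database or server endpoint. This builder only emits paths the app intends.
import re
from urllib.parse import quote

# Databases this application is meant to read (assumed allowlist).
ALLOWED_DBS = {"rooted"}

# CouchDB database-name rule: a lowercase letter, then letters, digits, _ $ ( ) + - /
DB_NAME_RE = re.compile(r"^[a-z][a-z0-9_$()+/-]*$")


def couch_doc_path(dbname, doc_id):
    """Return '/<db>/<doc>' for an allowlisted database and a plain document id."""
    if dbname not in ALLOWED_DBS or not DB_NAME_RE.match(dbname):
        raise ValueError("database not permitted: %r" % dbname)
    # Server endpoints (_all_dbs, _config, _stats, _utils) and design documents
    # start with '_'; an ordinary document id must not, and must not carry a
    # path separator, a dot segment or a query string that rewrites the request.
    if (not doc_id or doc_id.startswith("_") or doc_id in (".", "..")
            or "/" in doc_id or "?" in doc_id):
        raise ValueError("invalid document id: %r" % doc_id)
    # Percent-encode so a '/' inside a db name cannot become a second segment.
    return "/%s/%s" % (quote(dbname, safe="$()+-"), quote(doc_id, safe=""))
```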


Page 33: Rooted 2011 nosql security

CouchDB info

✦ http://172.16.163.129:5984/_config

✦ http://172.16.163.129:5984/_all_dbs

✦ http://172.16.163.129:5984/_stats

✦ http://172.16.163.129:5984/_utils


Page 34: Rooted 2011 nosql security

CouchDB cmd exec.


Page 35: Rooted 2011 nosql security

GQL Injection

✦ GQL injection is reachable, but only in a very controlled environment

✦ There is no negation operator "!"

✦ The set of GQL commands is very limited

Page 36: Rooted 2011 nosql security

Key Bruteforce

✦ As there are no schemas, we do not have to discover them

✦ The IDs are long, but not generated at random:

e479f720ff9a05fb2f441fef97000c87

e479f720ff9a05fb2f441fef97000b61
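An added audit (not part of the presentation) that reads a CouchDB local.ini and flags the settings behind the open listener and the /_config and /_all_dbs exposure on the earlier slides, as well as the sequential id algorithm behind ids like the two above; both ini texts are constructed, and the "sequential" default and the key names are assumed to match the CouchDB release in use.

```python
# Added example (not from the slides): audit a CouchDB local.ini for the settings
# behind the exposures shown earlier (open listener, anonymous /_config and
# /_all_dbs, sequential document ids). Both ini texts are constructed;
# the section and key names are CouchDB's own.
import configparser

WEAK_INI = """
[httpd]
port = 5984
bind_address = 0.0.0.0
[couch_httpd_auth]
require_valid_user = false
[uuids]
algorithm = sequential
"""

HARDENED_INI = """
[httpd]
port = 5984
bind_address = 127.0.0.1
[couch_httpd_auth]
require_valid_user = true
[admins]
admin = -hashed-PLACEHOLDER_HASH,PLACEHOLDER_SALT
[uuids]
algorithm = random
"""


def audit_couch_ini(ini_text):
    """Return the list of findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    findings = []
    bind = cfg.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    if bind not in ("127.0.0.1", "::1"):
        findings.append("httpd.bind_address=%s exposes the REST listener to the network" % bind)
    if not cfg.getboolean("couch_httpd_auth", "require_valid_user", fallback=False):
        findings.append("require_valid_user is off: databases are readable anonymously")
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("no [admins] entry ('admin party'): anyone may use /_config")
    # The 'sequential' algorithm (assumed default) yields ids that share a
    # prefix and count upwards, which is what makes the ids above guessable.
    if cfg.get("uuids", "algorithm", fallback="sequential").strip() != "random":
        findings.append("uuids.algorithm is not 'random': document ids are predictable")
    return findings
```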


Page 37: Rooted 2011 nosql security

Cassandra Security

✦ If we change the name of a column family, we can get items from another family

<?php
...
$columnParent = new cassandra_ColumnParent();
$columnParent->super_column = NULL;

// The column family name is built from a request parameter:
// changing CF changes which family is read
if (isset($_GET['CF']))
    $columnParent->column_family = $_GET['CF'] . "_myfam";

$sliceRange = new cassandra_SliceRange();
$sliceRange->start = "";
$sliceRange->finish = "";
$predicate = new cassandra_SlicePredicate();
$predicate->column_names = NULL;   // select by range, not by column name
$predicate->slice_range = $sliceRange;

$consistency_level = cassandra_ConsistencyLevel::ONE;

$keyUserId = 1;
$result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level);

print_r($result);
...
?>

Page 38: Rooted 2011 nosql security

Denial of Service

✦ Connection pollution

✦ CouchDB: the interface implementation is RESTful

✦ With GQL, a DoS can be performed by creating CPU-intensive queries; the application gets disconnected or is billed for the extra CPU

Page 39: Rooted 2011 nosql security

Questions
