Following the White Rabbit - A Practical Security Blog
Welcome! Let's follow the White Rabbit down the Web Application Security rabbit-hole... This blog is less about awesome h@><0ring and more about practical, real-world web app security measures and counter-measures. If you're looking for a blog to relate to your day-job - this may just be it. As long as you're here, bookmark (Ctrl + D) it, drop it in your reader and leave a comment!

Episode 30 - "But wait! there's more!"

I saved this gem for last on purpose. If you're reading this and say to yourself ..."Hey! That's my company" then I think you can thank your one appsec guy (you know who he is) because he's driving awareness, process and tools into your environment to help fix these "neon welcome sign" equivalents in your environment.  Also ... if you're reading this and you remember this meeting ... I congratulate you for continuing the awareness that was started over a year ago... you're on your way, just don't give up!


------ now, on to the final chapter


Truth is, sometimes people in massive IT organizations that work with patient and health information just don't believe they have security issues until you show them... with their manager watching.  This incident took place a little over a year ago when I was visiting a company that was struggling with web app security like everyone else ... and losing.  The one IT guy who really did care about web app sec was not being heard, and the proof just wasn't there that issues were plentiful within the organization's infrastructure.  I was invited to demo our web app sec testing suite to these guys and my contact wanted to make sure we found as much impactful stuff as possible ... and we sure did.  Given only 2 days we had to make fast work of our findings, but sadly it was almost too easy... like shooting dead fish in a bucket.  After a day and a half of findings and putting together a presentation I got a chance to present to the CISO and some senior IT staff, which was great ... and we started talking security vulnerabilities and the issues we found.


Little did I know how crazy things would get ...


So, as soon as I dived in I was asked the typical question ... "So what?" ... so I decided to fire up our SQL Injector tool (just for the record, if SQL Injector can pull out your database it's time to shut down your web site ....just sayin') and go to town.  I started with the company's home page, which had a login form ...and things went sideways from there.  Immediately SQL Injector was able to determine that the application was easily vulnerable to SQL injection.  Since this was a panel of seasoned skeptics, I decided to take it a step further and get SQL Injector to pull back the database name, version and some basic information.  I was still faced with the "so what?" question ...
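The login-form injection described above, as an added example that is not code from the original post or from the tool it mentions: a SQLite-backed login written two ways, where the concatenated query accepts a comment-terminated username with any password and the parameterized query rejects it. The table, the user record and the unsalted SHA-256 stand-in for password storage are constructed for the demonstration only.

```python
import hashlib
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one account (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    # Unsalted SHA-256 is a stand-in so the example stays short; use a real
    # password hash (bcrypt/scrypt/argon2) in production.
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the demo exploited: user input is pasted into SQL text.

    A username such as  alice' --  closes the string literal and comments out
    the password check, so the query matches alice's row regardless of password.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + _hash(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the driver sends values separately from the SQL text,

    so a quote or comment marker in the username is just data to compare
    against the column, never SQL syntax.
    """
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_sample_db()
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__)
        print("  valid credentials  :", fn(db, "alice", "correct horse"))
        print("  injected username  :", fn(db, "alice' --", "anything"))
```

The fix is at the application layer, not at the database: parameterized statements (or an ORM that uses them) remove the whole class of bug that the rest of this story builds on, and they cost nothing at runtime.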


Not wanting to be stumped by apathy I went a step further and started explaining what this tool was doing ...and then went ahead and pulled the database table names for the audience.  NOW I was getting a slightly panicked look from the DBAs and developers in the audience ... finally!  Next, I showed that with the click of the mouse I could pull the columns and start "pumping data" ... all without setting off any of their IPS alarms ... whoops #1.


In the spirit of "But wait! there's more" ...the DBA manager started looking a little worried.  I was explaining that the typical xp_cmdshell commands could be used to entirely take over the system ...and just before I was going to execute the command to add myself as an admin user on this machine through SQL injection ...I was stopped.
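The two paragraphs above (schema enumeration and data pumping with no IPS alarm, then xp_cmdshell) describe activity that is loud in the database's own query stream even when it is invisible to a network IPS. As an added example, not code from the original post, here is a small scanner that runs over constructed SQL Server-style query log lines and flags the stages of that chain: version fingerprinting, catalog enumeration, UNION-based extraction, comment truncation and xp_cmdshell invocation. The log lines and the indicator names are assumptions made for the illustration.

```python
import re
from typing import List, Tuple

# Indicator name -> pattern, matched against the lowercased, whitespace-collapsed query.
INDICATORS = {
    "fingerprint": r"@@version|\bdb_name\s*\(",
    "schema_enum": r"\b(information_schema\.(tables|columns)|sys\.(tables|columns))\b",
    "union_select": r"\bunion\s+(all\s+)?select\b",
    "sql_comment": r"--|/\*",
    "os_command": r"\bxp_cmdshell\b",
}
_COMPILED = {name: re.compile(pat) for name, pat in INDICATORS.items()}


def classify_query(query: str) -> List[str]:
    """Return the sorted indicator names that fire on one query string."""
    norm = re.sub(r"\s+", " ", query.lower())
    return sorted(name for name, rx in _COMPILED.items() if rx.search(norm))


def scan_query_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, indicators) for every line that trips at least one."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        names = classify_query(line)
        if names:
            hits.append((lineno, names))
    return hits


# Constructed sample: what an application-side query log might have recorded
# during the demo. The placeholder command is not a real payload.
SAMPLE_LOG = [
    "SELECT id FROM users WHERE username = 'alice' AND pw_hash = '9f86d0'",
    "SELECT id FROM users WHERE username = 'alice' --' AND pw_hash = ''",
    "SELECT @@version",
    "SELECT table_name FROM information_schema.tables",
    "SELECT column_name FROM information_schema.columns WHERE table_name = 'patients'",
    "SELECT id FROM users WHERE username = 'x' UNION SELECT name FROM sys.tables --",
    "EXEC master..xp_cmdshell '<placeholder command>'",
    "SELECT id FROM orders WHERE customer_id = 42",
]

if __name__ == "__main__":
    for lineno, names in scan_query_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)}  <- {SAMPLE_LOG[lineno - 1]}")
```

Two caveats a practitioner would add: catalog queries also come from legitimate admin tooling, so this is a baseline-and-diff signal rather than a block rule, and xp_cmdshell is disabled by default on SQL Server (it is turned on through sp_configure), so any appearance of it in a web application's query stream is worth an alert on its own.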


I was fairly proud of myself that this demo and talk were going so well and that I was effectively able to demonstrate totally owning their database and server ... but there was more to this.  The DBA lead stopped me from adding myself to the system, because, as he explained, this system was clustered ... and it shared the instance with their ERP application.


Ouch, right?  But wait ...there's more...


This system which I could completely exploit through SQL injection was not only clustered and shared with their ERP system - but because it was also hosting their ERP system ...it was not in the DMZ but on their internal network.


But wait ... there's more.


OK, let's review ... I can steal the database, add myself as a user on a box that is on their internal network ... how much worse can it get?!


Well ... as was explained to me and the audience, as this machine was on their internal network ... it was also participating in their internal AD environment.


Wait ... seriously?!  Yes.


So ... to summarize ... using SQL injection, and without triggering any alerts, I was able to steal their database (or modify it), and not only compromise their server but also add myself as an administrator on their internal Active Directory ...


... I think my mouth hung open, and my eyes were wide.  What do you say to this sort of situation but - "Wow".


Whoops?  Yea ...whoops indeed boys and girls.

Labels: 30_in_30| OOPS
About the Author(s)
  • Rafal "Raf" Los, is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging the gaps between security technologies and business needs to reduce enterprise risks and create embedded, lasting solutions on behalf of the HP Application Security Center group. He has spent over 10 years in various facets of information security and data protection, building programs at companies ranging from startups to Fortune 50 enterprises. Additionally, Los helped to write the first release of the Open Web Application Security Project (OWASP) testing guide. Prior to joining HP, Los led the web application security program and served as a security lead at General Electric (GE) Consumer Finance. Los also worked with GE Power systems, leading security engineering, architecture and building the web application security program. Before GE, Los helped build a service-oriented security consulting company and was among the first 25 employees in a successful financial-based startup, leading internet-facing systems and security management and architecture. Raf received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.

