Database System Security Vulnerability Discovery - Vulnerability Warning - Heiba Security Net

2008-01-09T00:00:00
ID MYHACK58:62200818062
Type myhack58
Reporter Anonymous
Modified 2008-01-09T00:00:00

Description

Today, with viruses rampant and hacking everywhere on the network, software security has become a topic of real concern. Traditional software security has mainly focused on permission and role management, such as access control, and on data confidentiality and integrity, such as encryption and decryption. But once a software system applies these measures, is it guaranteed to be foolproof? The answer is not so simple: one important (even fatal) problem is the vulnerabilities in the software system itself. A seemingly unbreakable system is often broken by hackers with ease because of a single small loophole, and control of the whole system is completely lost.

A so-called vulnerability usually refers to some bug present in the software, but a bug of a different kind from those found in conventional software testing. A bug in ordinary software testing is a functional or logic error, such as a dialog box popping up incorrectly or the system failing to perform some function. Such bugs affect only the user experience and pose no threat to the security of the system. A software security vulnerability, by contrast, lets a user with ulterior motives bypass the software's normal use and make it execute carefully crafted malicious code, or parse a malformed file; when the software has such a vulnerability, the program's normal execution flow is altered, and the attacker gains control of the system or steals confidential data.

The database system is the most important piece of system software running on top of the operating system platform, so its security can be said to be extremely important. As the saying goes: if the network is money, then the money is in the database server. As the paperless business environment continues to expand, people store more and more sensitive information in databases: bank accounts, medical records, government documents, military secrets and so on. Database systems will therefore become an increasingly valuable target for attack, and ensuring their security grows ever more important.

As a large-scale piece of system software, a database system also has a wide variety of security vulnerabilities, of which the more dangerous are buffer overflows, heap overflows and [SQL injection](http://www.myhack58.com/Article/html/3/7/Article_007_1.htm), among others.

1. Buffer overflow

Buffer overflow is a very common and very old class of security vulnerability. Buffer overflows were already known in the 1980s, yet today large numbers of buffer overflow vulnerabilities are still being discovered. The famous Morris worm exploited a buffer overflow in the fingerd program on Unix systems. When Oracle 9i was released, Oracle claimed its database was "unbreakable", but within a few months multiple buffer overflow vulnerabilities were exposed in Oracle 9i programs such as oracle.exe and XDB.

In the C language the most common buffer is a character array, and the functions that manipulate character arrays, such as gets, strcpy and sprintf, perform no length check while copying strings, so an overlong string can easily overflow the buffer. This design was originally chosen for efficiency, but today the use of these functions has become a major source of vulnerabilities in C software. If programmers do not have good habits and do not check, at every call, whether the copied string exceeds the length of the buffer, then buffer overflows are inevitable. In a program with a buffer overflow vulnerability, an overlong string typed by an ordinary user usually just crashes the program. For example, consider the following small piece of code:

```c
/* vulprog */
#include <string.h>

int main(int argc, char *argv[])
{
    char buff[8];
    strcpy(buff, argv[1]);   /* no length check: argv[1] may exceed 8 bytes */
    return 0;
}
```


If the user runs ./vulprog AAAAAAAAAAAAAAAA, the program segfaults on Linux, because the long input not only fills the buffer but also overwrites other data the program needs in order to exit normally. To study this problem we need to understand the memory space of a process on a Linux system.

On a Linux system, the address range from 2G to 3G is where a normal user process is loaded; its memory layout is shown in the figure below:

[Figure: memory layout of a user process on Linux]

From the figure it can be seen that the stack grows from high addresses toward low addresses. When a function is called, the "prologue" the system performs is to push the return address and EBP onto the stack, then assign ESP to EBP so that it becomes the base pointer for local variables, and finally subtract a certain value from ESP to leave room for the local variables. So when the program copies an overlong string into the buffer, EBP and the return address are overwritten. When the return address is overwritten with AAAA, the system loads 0x41414141 (the hexadecimal ASCII code of A) into EIP when the function returns; because this is an invalid memory address, the program crashes. But if the return address is overwritten with an address that actually exists, the program jumps to the instructions at that address. Typically a hacker plants so-called shellcode at that address, and the shellcode spawns a shell; if the attacked program has the suid bit set, the resulting shell is a root shell and the hacker obtains the highest level of control over the system. This is the basic buffer overflow attack.

Overwriting the function return address is the most common attack, but buffer overflow attack methods are flexible and varied, and a small programming slip can often lead to an attack. Several more advanced attacks are briefly introduced below.

(1) Attacking by overwriting a function pointer:

```c
/* vulprog */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    void (*fp)(char *) = (void (*)(char *))&puts;
    char buff[256];
    strcpy(buff, argv[1]);   /* unchecked copy can run past buff into fp */
    fp(argv[2]);
    exit(1);
}
```


This program does no bounds check when copying, so user data can overwrite the function pointer fp; if fp is overwritten with the address of shellcode, the call through the function pointer executes the shellcode.

Overwriting the function pointer this way is the direct overwrite mode (because the function pointer lies above the buffer). There is also an indirect overwrite mode: when the function pointer does not lie directly above the buffer, another pointer is overwritten first and used to overwrite the function pointer, which is then filled with the shellcode address.

(2) Attacking by overwriting the .dtors address:

```c
/* vulprog */
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char *pbuf = malloc(strlen(argv[2]) + 1);
    char buff[256];
    strcpy(buff, argv[1]);   /* unchecked copy can overwrite pbuf */
    strcpy(pbuf, argv[2]);   /* then argv[2] lands wherever pbuf now points */
    exit(1);
}
```


Although this program has no function pointer, the second copy can write arbitrary data to an arbitrary address (the address is specified by the first copy). The attacker can therefore overwrite pbuf with the address of the .dtors section and, in the second copy, copy the shellcode address into .dtors, so that the shellcode runs when the function exits.

In fact, for this program the attacker can overwrite not only the .dtors address but also the address of exit in the GOT (global offset table), or the address of __deregister_frame_info.

From the above examples it can be seen that if bounds checks on buffers are neglected during programming, overflow attacks are very likely to follow.
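The same copy as in vulprog, with the bounds check the article says is missing, written here as an added example that is not the article's own code (the function names are assumed). It shows the two safe policies, rejecting an input that does not fit and truncating it, so the 16-byte input above never reaches past the 8-byte buffer.

```c
/* Added example, not the article's code: vulprog's copy with the bounds check
 * the article says is missing. Function names are assumed. */
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 8

/* Copy src into dst only if it fits with its terminating NUL.
   Returns 0 on success, -1 if the input would overflow dst (nothing written). */
int checked_copy(char *dst, size_t dstsz, const char *src) {
    size_t len = 0;
    while (len < dstsz && src[len] != '\0')   /* never scan past dstsz bytes */
        len++;
    if (len >= dstsz)                          /* no room left for the NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Truncating alternative: copies what fits and always NUL-terminates.
   Returns the full input length so the caller can detect truncation. */
size_t truncating_copy(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0)
        return len;
    size_t n = len < dstsz - 1 ? len : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

int main(int argc, char *argv[]) {
    char buff[BUFF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    /* ./vulprog AAAAAAAAAAAAAAAA is now rejected instead of smashing the stack */
    if (checked_copy(buff, sizeof buff, argv[1]) != 0) {
        fprintf(stderr, "input of %zu bytes does not fit a %d-byte buffer\n",
                strlen(argv[1]), BUFF_SIZE);
        return 1;
    }
    printf("copied: %s\n", buff);
    return 0;
}
```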

The frequent outbreak of buffer overflow attacks has forced many operating system vendors to introduce non-executable stacks, updated C library functions and other measures. These measures have curbed ordinary buffer overflows to some extent, but as the saying goes, the devil is always one step ahead: hackers quickly turned their attention to new overflow attacks such as stack overflows. From the early overwriting of important variables (function pointers, file pointers), to dlmalloc and malloc/free-style heap overflows, to the stack overflows discussed here, variants abound. In fact, no matter how sophisticated these tactics become, the root cause is always the same: the program does not perform effective bounds checks on its buffers.

2. SQL injection

Besides buffer overflow attacks, database systems have in recent years faced SQL injection attacks, which have been called the "SYSDBA's nightmare". SQL injection can let an ordinary database user steal confidential data (such as the SYSDBA password) or escalate privileges (such as obtaining SYSDBA privileges), and the attack requires little computer knowledge: anyone reasonably skilled with SQL poses a great threat to database security.

SQL injection attacks are relatively simple: in general, some privileged statement is injected into a vulnerable stored procedure or trigger, causing that statement to be executed illegitimately. For example, in Oracle, SYS creates the following stored procedure and grants execute privilege on it to ordinary users:

```sql
CREATE OR REPLACE PROCEDURE PROC1 (INPUT VARCHAR2) AS
    -- ...
    STMT := 'SELECT TITLES FROM BOOKS WHERE AUTHOR = ''' || INPUT || '''';
    EXECUTE IMMEDIATE STMT;
    -- ...
```


Under normal circumstances a user executes EXEC SYS.PROC1('DICKENS') to look up Dickens' works, but if a malicious user executes the stored procedure like this:

```sql
EXEC SYS.PROC1('DICKENS'' UNION SELECT PASSWORD FROM USERS_TABLE WHERE ''A''=''A')
```

then he illegally obtains every user's password.

Although this is only a simple example, it shows that anyone writing system stored procedures, functions and triggers must take care to prevent SQL injection.
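The dynamic SQL in PROC1 assembled the way the article shows, and then with Oracle's rule of doubling embedded single quotes applied, as an added C example that is not part of the article; the function names are assumed, and a bind variable (EXECUTE IMMEDIATE ... USING INPUT) remains the preferred fix for the procedure itself. The outside_literals check shows why the article's input changes the statement in one case and stays a harmless author name in the other.

```c
/* Added example, not from the article: assemble PROC1's dynamic SQL the
 * concatenating way and with embedded single quotes doubled (Oracle's literal
 * rule), then inspect what lies outside the string literals. Names assumed. */
#include <stdio.h>
#include <string.h>

#define PREFIX "SELECT TITLES FROM BOOKS WHERE AUTHOR = '"

/* Mirrors STMT := '...AUTHOR = ''' || INPUT || ''''; with no escaping.
   Returns the statement length, or -1 if it does not fit in out. */
int build_concatenated(const char *input, char *out, size_t outsz) {
    int n = snprintf(out, outsz, PREFIX "%s'", input);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Same statement, but every ' in the input becomes '' so the whole input
   stays inside one literal. Returns the length, or -1 if out is too small. */
int build_quoted(const char *input, char *out, size_t outsz) {
    size_t pos = strlen(PREFIX);
    if (pos + 2 > outsz)                      /* prefix + closing ' + NUL */
        return -1;
    memcpy(out, PREFIX, pos);
    for (const char *p = input; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (pos + need + 2 > outsz)
            return -1;
        out[pos++] = *p;
        if (*p == '\'')
            out[pos++] = '\'';
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

/* Copy into out only the text outside quoted literals, treating '' inside a
   literal as an escaped quote. A UNION showing up here means the input broke
   out of its literal, which is the audit signal for PROC1. */
void outside_literals(const char *sql, char *out, size_t outsz) {
    size_t pos = 0;
    int in_lit = 0;
    for (const char *p = sql; *p && pos + 1 < outsz; p++) {
        if (*p == '\'') {
            if (in_lit && p[1] == '\'') { p++; continue; }
            in_lit = !in_lit;
            continue;
        }
        if (!in_lit)
            out[pos++] = *p;
    }
    out[pos] = '\0';
}
```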

The database is the cornerstone of an information system; once it is compromised, the consequences are dire. The best way to resist hackers is to eliminate the various vulnerabilities present in software so that they have no opening to exploit. Source code auditing, bug tracking and similar means can better correct the many security risks in existing systems. We are currently carrying out vulnerability discovery work on the Dameng database, striving to make Dameng a truly unbreakable database and to build a strong foundation for the nation's information security.