The details of 3 major identity theft breaches came to light today with the release of the federal indictment of Albert Gonzalez. It turns out that the main entry point was a SQL Injection vulnerability. The indictment states that a SQL Injection vulnerability was exploited and used to install malware on the target network. The indictment doesn't give any details of the technique that was used to leverage the SQL Injection vulnerability to install the malware. I have my theories. Here are some potential ideas:

  • xp_cmdshell was enabled and allowed the attackers to execute the commands of their choice on the server
  • web content was served from the database and it was changed to allow executable file uploads to the web server and then execution on the web server
  • there was sensitive data stored in tables in the database that allowed the attackers access to machines they could execute code on.

I would be interested in other ways people know of to leverage a SQL injection vulnerability to execute code. Once an attacker has the tiniest foothold through a perimeter, it can often be leveraged to compromise an entire organization. That is why public-facing web applications are critical to secure. They are on the front-line perimeter of your organization and demand the same care you would put into locking down your firewall, mail server, or VPN. Thinking that attackers who find a web vulnerability will only be able to manipulate web transactions deprioritizes the risk inappropriately. Sometimes a web vulnerability gives them the whole enchilada.
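Since the whole chain above starts with one SQL injection bug, here is an added example (not from the original post or the indictment) of the defect class in its simplest form beside the fix that closes it: a lookup that builds SQL by string formatting, next to the same lookup as a parameterized query. The `customers` table, its rows, and the function names are constructed for illustration; the point is that with the parameterized form the input can only ever be a value, never part of the statement, so none of the follow-on techniques listed above get their foothold.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: user input is pasted into the statement text.

    A quote character in `name` ends the string literal early and the rest of
    the input becomes SQL. This is the defect class the post discusses.
    """
    query = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Hardened form: a parameterized query.

    The statement text is fixed; the driver sends `name` separately as a bound
    value, so the input is compared as a literal string no matter what it
    contains. Quotes, comments and keywords in it have no syntactic effect.
    """
    query = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed input: a quote followed by an always-true condition.
    tautology = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, tautology))
    print("hardened,   normal input :", lookup_hardened(db, "alice"))
    print("hardened,   tautology    :", lookup_hardened(db, tautology))
```

Running it shows the vulnerable lookup returning every row for the tautology input, while the hardened lookup returns nothing because no customer is literally named `x' OR '1'='1`. The same principle applies to the database account the web tier runs as: it should hold only the table privileges the application needs, so that even an injection that slips through cannot reach administrative procedures.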

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (1)

MikeA | August 17, 2009 10:32 pm

How about SQL injection to leave XSS in the database that an internal user would access. The XSS then goes out and pulls code/applets or other browser exploits. Because it's an internal site, users may not be as wary about warning signs and have lower security settings.

Once the attacker has a single foothold on an internal machine, more so if it's some form of privileged user, it's just a matter of exploration and time.

That's perhaps another way of leveraging an SQL vuln, although I would bet it's probably one of the easier methods.
