Industry View

Database Crime Scene Prevention

Imperva's Amichai Shulman looks at database attack and defense.

By Amichai Shulman, CTO, Imperva

Page 4

Privilege abuse is hard to detect using traditional access control mechanisms because in these cases, perpetrators employ legitimate commands under illegitimate circumstances. For instance, perpetrators with legitimate privileges avoid detection by committing the crimes outside of normal working hours, by using a different client machine, or by using illegitimate channels, i.e., client applications.
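The three circumstances named above (off-hours use, an unfamiliar client machine, an unexpected client application) are exactly the kind of context a database audit trail records but a privilege check ignores. The following query, an added example rather than anything from the article or Imperva's product, shows the defensive side: it compares audit events against a per-user baseline of expected host/program pairs and a working-hours window. Table names, columns, the baseline rows and the audit events are all constructed for the example; the dialect is Oracle SQL.

```sql
-- Constructed example: expected host/program pairs per account.
CREATE TABLE user_access_baseline (
    db_user        VARCHAR2(128) NOT NULL,
    client_host    VARCHAR2(128) NOT NULL,
    client_program VARCHAR2(128) NOT NULL
);

-- Constructed example: a simplified audit log (one row per statement).
CREATE TABLE db_audit_log (
    event_time     TIMESTAMP      NOT NULL,
    db_user        VARCHAR2(128)  NOT NULL,
    client_host    VARCHAR2(128)  NOT NULL,
    client_program VARCHAR2(128)  NOT NULL,
    statement_text VARCHAR2(4000) NOT NULL
);

-- Baseline rows (constructed): HR_APP only ever connects from two app servers
-- through the HR portal binary; J_SMITH works from one workstation with SQL*Plus.
INSERT INTO user_access_baseline VALUES ('HR_APP',  'app-srv-01',   'HRPortal.exe');
INSERT INTO user_access_baseline VALUES ('HR_APP',  'app-srv-02',   'HRPortal.exe');
INSERT INTO user_access_baseline VALUES ('J_SMITH', 'ws-finance-7', 'sqlplus.exe');

-- Sample audit events (constructed). Every statement below is something the
-- account is permitted to run; only the circumstances differ.
INSERT INTO db_audit_log VALUES (TIMESTAMP '2023-03-14 10:15:00', 'HR_APP',  'app-srv-01',   'HRPortal.exe', 'SELECT name, salary FROM employees WHERE id = 42');
INSERT INTO db_audit_log VALUES (TIMESTAMP '2023-03-14 02:40:00', 'HR_APP',  'app-srv-01',   'HRPortal.exe', 'SELECT name, salary FROM employees');
INSERT INTO db_audit_log VALUES (TIMESTAMP '2023-03-14 11:05:00', 'HR_APP',  'ws-dev-13',    'EXCEL.EXE',    'SELECT * FROM employees');
INSERT INTO db_audit_log VALUES (TIMESTAMP '2023-03-14 09:30:00', 'J_SMITH', 'ws-finance-7', 'sqlplus.exe',  'SELECT * FROM invoices WHERE ROWNUM <= 10');

-- Report every event that happened on a weekend, outside 07:00-18:59, or from a
-- host/program pair the account has no baseline for, with the first matching reason.
SELECT a.event_time,
       a.db_user,
       a.client_host,
       a.client_program,
       CASE
         WHEN TO_CHAR(a.event_time, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN') THEN 'weekend'
         WHEN EXTRACT(HOUR FROM a.event_time) NOT BETWEEN 7 AND 18                     THEN 'off-hours'
         WHEN b.db_user IS NULL                                                          THEN 'unknown host/program for this user'
       END AS reason,
       a.statement_text
FROM db_audit_log a
LEFT JOIN user_access_baseline b
       ON b.db_user        = a.db_user
      AND b.client_host    = a.client_host
      AND b.client_program = a.client_program
WHERE b.db_user IS NULL
   OR TO_CHAR(a.event_time, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN')
   OR EXTRACT(HOUR FROM a.event_time) NOT BETWEEN 7 AND 18
ORDER BY a.event_time;
```

With the sample rows, the query returns the 02:40 event (off-hours) and the 11:05 event (HR_APP querying from a developer workstation through Excel, the "illegitimate channel" case); the other two match the baseline and the working-hours window and are not reported. In a real deployment the constructed audit table would be replaced by the server's own audit trail (on Oracle, the UNIFIED_AUDIT_TRAIL view), and the baseline would be derived from a learning period rather than typed in by hand.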

4. Privilege Elevation
If a perpetrator cannot accomplish his crime by using the basic privileges granted upon initial contact, chances are he'll move toward obtaining administrative privileges. Privileges at this level in the database would allow the perpetrator to gain virtually unlimited access to any information stored within the database server, and worse, total control over the server itself.

There are a number of techniques that result in administrative privileges being granted to a non-privileged user. The most notorious (yet the toughest to exploit) is the buffer overflow attack. Server code that does not bound the length of user input before copying it into a fixed-size buffer is the root cause. Used naively, a buffer overflow vulnerability can quickly bring down a server. However, if the attacker carefully plans the exploit, it allows arbitrary code to execute with administrative privileges. Buffer overflow vulnerabilities are found in built-in stored procedures, SQL statements, and even built-in functions. While the first two can be mitigated using internal access control mechanisms (revoking execute rights on the affected procedures or statements), the third type requires access control semantics that do not exist in the database server, since a built-in function cannot be individually denied to a user.

The second type of privilege elevation technique perpetrators employ is the SQL injection through stored procedures attack. Stored procedures are often written so that their parameters are concatenated into SQL statements, which are then executed with the privileges of the procedure owner. As a consequence, a perpetrator who is only allowed to execute a stored procedure can actually execute any SQL statement with administrative privileges (assuming, as in most scenarios, that the owner of the stored procedure is an administrative user exposing some reduced functionality to less privileged users).
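The pattern described above, and its hardened counterpart, as an added example (not code from the article or from Imperva). The dialect is Oracle PL/SQL, where procedures run with the owner's rights (definer's rights) by default; the procedure names, the customers table and the app_reader role are assumptions. The first procedure splices its parameter into the statement text, so the text a caller supplies becomes part of the SQL the owner executes. The second keeps the statement text constant, passes the value as a bind variable, and runs with the caller's own rights, so the procedure cannot act as a bridge to the owner's privileges.

```sql
-- Vulnerable form (constructed example): definer's rights plus string-built
-- dynamic SQL. Whatever arrives in p_name is parsed as part of the statement
-- and executed with the privileges of the schema that owns the procedure.
CREATE OR REPLACE PROCEDURE find_customer_unsafe (p_name IN VARCHAR2) IS
    v_sql   VARCHAR2(4000);
    v_count NUMBER;
BEGIN
    -- The parameter value is embedded in the SQL text itself.
    v_sql := 'SELECT COUNT(*) FROM customers WHERE name = ''' || p_name || '''';
    EXECUTE IMMEDIATE v_sql INTO v_count;
    DBMS_OUTPUT.PUT_LINE('matches: ' || v_count);
END;
/

-- Hardened form (constructed example): invoker's rights and a bind variable.
-- The statement text never changes; p_name is delivered to the SQL engine as
-- data through the :name placeholder, and the procedure executes with the
-- caller's privileges, so a low-privilege caller gains nothing from the owner.
CREATE OR REPLACE PROCEDURE find_customer_safe (p_name IN VARCHAR2)
    AUTHID CURRENT_USER
IS
    v_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM customers WHERE name = :name'
        INTO v_count
        USING p_name;
    DBMS_OUTPUT.PUT_LINE('matches: ' || v_count);
END;
/

-- Least privilege for the application role (assumed name): it can call the
-- procedure, but holds no direct rights on the underlying table.
GRANT EXECUTE ON find_customer_safe TO app_reader;
```

Two points for reviewers of existing procedure code: every EXECUTE IMMEDIATE, DBMS_SQL call or OPEN ... FOR that builds its text with || from a parameter is a candidate for this attack, and if an identifier (a table or column name) genuinely must be spliced in because it cannot be bound, it should be validated with DBMS_ASSERT rather than trusted. Invoker's rights is the second, independent layer: even a procedure that is later found to be injectable does not hand out its owner's privileges.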

A third type of privilege elevation attack takes advantage of SQL parsing vulnerabilities such as the one reported by Oracle in 2007 (see http://www.red-database-security.com/advisory/oracle_view_vulnerability.html). This vulnerability allows an attacker to create a special database view that provides unauthorized INSERT, UPDATE or DELETE capabilities on database tables. All these privilege elevation techniques can be employed using basic database client tools, such as the tools provided with the Microsoft Office suite or with the default database client installation.

A newer and lesser-known, yet incredibly clever, attack technique exploits vulnerabilities inherent in the implementation of database network communication protocols. These proprietary protocols are used for client-server communication and include a host of security vulnerabilities an attacker could exploit to gain control over the server. To do this, a perpetrator can use a simple text editor, though some attacks require a standard Telnet client, and others require more sophisticated network control tools. There are no internal mechanisms within a database server to proactively protect against this type of attack.
