Page 1 - CONFIDENTIAL -
Not-So-Secret Agenda
Motivation
Hybrid Scenario
Features Discussion
Proof of Concept Highlights
Demo & Discussion!?
Abstract: a what-if worm scenario, based on real SQL/JS incidents and prototype code, leads to a proof of concept in a laboratory built from widely deployed (unhardened) technologies. It helps anticipate future trends and protections.
Page 2 - DECLASSIFIED -
Attacks in the Wild! (2008)
Page 4 --
SQL and JavaScript can be combined in a Worm?
Page 5 - CONFIDENTIAL -
Basic Quines in T-SQL and JavaScript
Lab:
1. CherryPy.
2. Two ad-hoc vulnerable web apps in different domains.
3. MS-SQL.
4. Python SQL interface, no modifications.
Two-stage self-replication.
Targets VARCHAR and TEXT db fields, ALL TABLEs…
Page 9 - CONFIDENTIAL -
Proof of Concept (cont.)
http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX),@S3+VARCHAR(MAX),@S4+VARCHAR(MAX)%3BSET+@S=CAST(0x0d0a444398498468...
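A defender-side check for the request pattern shown on the slide, written here as an added example and not the presentation's own code: it URL-decodes the query string, flags a stacked T-SQL statement following the `;` separator, and decodes the `CAST(0x...)` hex literal so an analyst can read what the second stage would execute. The access-log format and sample lines are constructed; the hex literal in the sample is the harmless `SELECT 1`.

```python
import re
from urllib.parse import unquote_plus

# A ';' followed by a T-SQL keyword inside what should be a numeric parameter
# is the stacked-query shape seen in the slide's request.
STACKED_QUERY = re.compile(
    r";\s*(DECLARE|SET|EXEC(?:UTE)?|CAST|OPEN|FETCH|UPDATE)\b", re.IGNORECASE
)
# CAST(0x...) carries the obfuscated second stage as a hex literal.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9a-fA-F]+)", re.IGNORECASE)


def decode_hex_literal(hexdigits):
    """Best-effort decode of a 0x literal for analyst review.

    Tolerates a truncated literal ('...' or an odd trailing digit) as found in logs.
    """
    hexdigits = hexdigits.rstrip(".")
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits).decode("latin-1", errors="replace")


def inspect_request(url):
    """Return a findings dict for one request URL, or None when nothing is suspicious."""
    query = url.split("?", 1)[1] if "?" in url else ""
    decoded = unquote_plus(query)  # %3B -> ';', '+' -> ' '
    findings = {}
    m = STACKED_QUERY.search(decoded)
    if m:
        findings["stacked_keyword"] = m.group(1).upper()
    h = HEX_CAST.search(decoded)
    if h:
        findings["hex_payload"] = decode_hex_literal(h.group(1))
    return findings or None


def scan_log(lines):
    """Scan constructed access-log lines ('<ip> <method> <url> <status>') and return (url, findings) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            findings = inspect_request(parts[2])
            if findings:
                hits.append((parts[2], findings))
    return hits


# Constructed sample log (not from the slides); 0x53454c4543542031 is 'SELECT 1'.
SAMPLE_LOG = [
    "10.0.0.5 GET /greetUser?numid=1 200",
    "10.0.0.9 GET /greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX)%3BSET+@S=CAST(0x53454c4543542031+AS+VARCHAR(MAX))%3BEXEC(@S)-- 200",
    "10.0.0.7 GET /static/app.js 200",
]

if __name__ == "__main__":
    for url, findings in scan_log(SAMPLE_LOG):
        print(url, findings)
```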
No choke point.
Stealthier infections.
More portability (interpreted lang?)
Target generic vulnerabilities (idem)
Easily obfuscated (idem)
Fewer crashes (idem)
Data/Web 2.0/Cloud centric?
Page 11 - CONFIDENTIAL -
Demonstration!?
...but I can only show you the door. You're the one that has to walk through it...
Acknowledgements:
- Core Security Team: support and creative environment.
- Sebastián Cufre: T-SQL tricks.
- Aureliano Calvo: JavaScript concepts.
- Pedro Varangot: suitable testing computer.
Page 12 - DECLASSIFIED -
Questions?
Thanks!
Contact:
Page 13 - CONFIDENTIAL -