Wednesday, January 16, 2013

SQL Injection - enumerating Microsoft AD users using Oracle resources

In my last post I have talked about how to explore SQL injection flaws to perform port scanner when the database is Oracle.
Now I am sharing with you a way to perform brute force attack to enumerate users from Microsoft AD (or other LDAP repository).
Oracle provides a package called DBMS_LDAP since 9i version and this can help us with such task.
It seems that even in Oracle 11g there is no special ACL assigned to such resource. What does it mean?
It means we can use it in our SQL injection attacks with most of the Oracle users.

Let's take a look at a practical example performed on a penetration testing:

http://target/index_target.php?id=15||DBMS_LDAP.simple_bind_s((dbms_ldap.init('targetdomain.com',389)),'admin@targetdomain.com','password')--

In this case, the value of the vulnerable parameter id is concatenated with the result of DBMS_LDAP.simple_bind_s function.

We can manipulate the target domain and its port as well user names and passwords.

If the LDAP session cannot be established, we get this error:

ORA-31203: DBMS_LDAP: PL/SQL - Init Failed. ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79 ORA-06512: at "SYS.DBMS_LDAP", line 50

Probably the target domain could not be reached due wrong host name or port.
How can we discover the LDAP repository? We can use the previous port scanner technique.

On the other hand if we can establish the session and the username informed as a parameter is invalid, we get this message:

ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86 ORA-06512: at "SYS.DBMS_LDAP", line 1455 ORA-06512: at "SYS.DBMS_LDAP", line 79

But if the user name is valid and the password is wrong, we get this:

ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86 ORA-06512: at "SYS.DBMS_LDAP", line 1455 ORA-06512: at "SYS.DBMS_LDAP", line 7

Don´t the messages look like the same? Yes, they do. But they are different. The difference is found here: data 525 and data 52e. According to some LDAP error code tables (I didn´t find the 525 and 52e errors code inside RFCs), the errors mean "user not found" and "invalid credentials", respectively. Thus using this approach is possible to enumerate valid users in AD or another LDAP repository.

And what does it happen if we provide valid username and password? In my case I´ve gotten the following error:

ORA-31223: DBMS_LDAP: cannot open more than 63 LDAP server connections ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 25 ORA-06512: at "SYS.DBMS_LDAP", line 48

Investigating the error, it seems the specific database tried to open more connections than it was allowed. It was enough to get a valid user name and password.

Conclusion:

If we consider that is common to find databases deployed inside the internal network, we can combine this technique with the port scanner technique to deliver more targeted attacks. How about an OWA server exposed to the internet? Have fun and be aware of accounts lockout!

3 comments:

  1. Awesome post!
    I've given it a shot to the whole thing, and almost everything works as described here, just one small detail.

    The string 'data 52e' does not change when I provide either an invalid username or password. I guess that this would make a little bit more tedious the process of brute forcing.

    ReplyDelete
    Replies
    1. Hi Sánchez!
      First of all, thanks for comment. Well, maybe you didn’t get the two different strings because of the backend (e.g. AD version). If you look for it you will see there are LDAP backend that provide different messages in a way I have explained.

      Delete
  2. I got a virtual lab running a Windows Server 2012, Windows 7 clients and Oracle 11g2 on one of this clients, that might be the reason.

    ReplyDelete