David Litchfield’s BlueHat talk



Brad Sarsfield here again. I’d like to share with you my thoughts on David Litchfield’s BlueHat v3 talk. David Litchfield is the Chief Research Scientist at Next Generation Security Software (NGS) and spoke to a 600+ standing-room-only crowd at BlueHat 3 on March 9th. David took us through his thoughts on the current state of database security and the areas his research currently focuses on.




David did not discuss specific database vulnerabilities but rather showed the concepts behind subverting the database’s own application logic to attack the database. David talked about SQL injection inside the database, and also second-order SQL injection inside the database, whereby you store data in the database and at a later time that stored data is used in a place that is vulnerable to SQL injection.




David talked through the possible dangers of having system stored procedures and triggers that could be vulnerable to SQL injection. Since triggers execute under the permissions of their owner, if one can find a trigger that is vulnerable to SQL injection, the permission boundary can be crossed and the trigger used to escalate privileges inside the database.




If a malicious user has access to the database, and a stored procedure or trigger that runs outside of that user’s permission boundary contains a SQL injection vulnerability, the user could use the vulnerable SP to grant themselves privileges they are not supposed to have.
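To make the trigger point concrete, here is an added example (not code from David’s talk or from NGS): a T-SQL audit trigger that concatenates inserted data into dynamic SQL, beside a version that treats the value strictly as data, plus a catalog query a reviewer can run to find trigger bodies that use dynamic SQL. Table, column and trigger names are hypothetical.

```sql
-- Constructed schema for the example (hypothetical names).
CREATE TABLE audit_log (who nvarchar(100), note nvarchar(200), at datetime DEFAULT GETDATE());
CREATE TABLE users (id int IDENTITY, name nvarchar(100), role nvarchar(20));
GO

-- VULNERABLE: the inserted name is pasted into a SQL string and executed.
-- The value was stored by whoever could INSERT into users, but it runs here
-- with the trigger owner's rights, so a crafted name becomes second-order
-- SQL injection across a permission boundary (the point made above).
-- A second defect: SELECT @name = ... only sees one row of a multi-row INSERT.
CREATE TRIGGER trg_users_ins_bad ON users AFTER INSERT AS
BEGIN
    DECLARE @name nvarchar(100), @sql nvarchar(max);
    SELECT @name = name FROM inserted;
    SET @sql = N'INSERT audit_log (who, note) VALUES (''' + @name + N''', ''new user'')';
    EXEC (@sql);
END;
GO
DROP TRIGGER trg_users_ins_bad;
GO

-- HARDENED: no dynamic SQL at all. INSERT ... SELECT from the inserted
-- pseudo-table handles every row and can never reinterpret data as code.
CREATE TRIGGER trg_users_ins_ok ON users AFTER INSERT AS
BEGIN
    INSERT audit_log (who, note)
    SELECT name, N'new user' FROM inserted;
END;
GO

-- If dynamic SQL is genuinely required, bind values as sp_executesql
-- parameters (and wrap any identifiers with QUOTENAME) instead of concatenating.
DECLARE @who nvarchar(100) = N'O''Brien';
EXEC sp_executesql
    N'INSERT audit_log (who, note) VALUES (@w, N''new user'')',
    N'@w nvarchar(100)', @w = @who;
GO

-- Review check: list triggers whose body contains EXEC or sp_executesql,
-- which are the ones worth auditing for concatenated input.
SELECT OBJECT_NAME(m.object_id) AS trigger_name
FROM sys.sql_modules AS m
JOIN sys.triggers AS t ON t.object_id = m.object_id
WHERE m.definition LIKE '%EXEC%' OR m.definition LIKE '%sp_executesql%';
```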




At the end of the day:


1)    Tools are not enough. Your database and application design need clear forethought. Tools are a good start, but don’t rely on them to catch all of your mistakes. (That’s exactly what our own security experts have been telling us.)


2)    Triggers can be dangerous. Think about how you use them carefully.


3)    Even low risk issues should be respected.




If you’re interested in David Litchfield’s work, I would highly recommend a book he co-authored titled “The Database Hacker’s Handbook: Defending Database Servers” (ISBN: 0764578014).


Comments (4)

  1. Anonymous says:

    One of the main defenses touted against SQL injection attacks is to use proper parameterization at the

  2. mattmurphy says:

    I’m especially interested in the #3 point here:

    "Even low risk issues should be respected."

    Funny, but people have been telling Microsoft that for a decade.  It’s a lesson that’s very applicable far beyond database security.

    Is this a case of "do as we say, not as we do?"

  3. BlueHat says:

    Hi Matt, thanks for the question!

    No, this isn’t a case of ‘do as we say, not what we do’, and we certainly aren’t claiming to be the first people to assert that even low risk issues should be reported.  Microsoft is just like any other natural organism – we learn as we evolve.  Will we suddenly do everything right now and forever more?  Probably not.  But are we trying to?  You bet.  And we believe part of doing the right thing has to do with sharing what we’ve learned with other vendors and customers.

    And yes, you are absolutely right that the advice to respect low risk issues applies to more than database security – I don’t believe Brad meant to suggest otherwise, he was merely re-capping key points from David Litchfield’s presentation.

    ~Kymberlee

  4. mattmurphy says:

    Brad didn’t say "reported", he said "respected."

    There’s a fundamental difference.  If you decide you have a low-risk issue and it’s several years before anything is done about it, the issue has ultimately been addressed and the resolution reported upon but it has certainly not been "respected."

    Such practices are disturbingly common in the handling of security issues in other Microsoft products and as a result, I found the comment rather intriguing.

    I didn’t mean to imply that Brad’s advice was limited to database security, rather that I hoped it would be *delimited* into broader meaning at Microsoft.  That would make a lot of people, including myself, very happy.