Introduction to database security knowledge

2025-02-23 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

The database system is the most important piece of system software running on the operating system platform, so its security matters a great deal. There used to be a saying: if the network is full of money, then the money is in the database server. As paperless business environments keep expanding, people store more and more sensitive information in databases, such as bank accounts, medical records, government documents and military secrets, so database systems have become an increasingly valuable target of attack, and ensuring their security has become correspondingly important.

As a large piece of system software, a database system also contains a variety of security vulnerabilities, including buffer overflows, heap overflows and SQL injection.

1. Buffer overflow

Buffer overflow is a common and old class of security vulnerability. Buffer overflows were already known in the 1980s, yet large numbers of them are still being found today. The most famous example, the Morris worm, exploited a buffer overflow in the fingerd program on Unix systems. When Oracle 9i was first released, Oracle claimed its database was "unbreakable", but within a few months multiple buffer overflow vulnerabilities were exposed in Oracle 9i components such as oracle.exe and XDB.

The most common buffer in the C language is the character array, and the functions that manipulate character arrays are gets, strcpy, sprintf and so on. These functions do not check the length of the string while copying it, so an overly long string easily overflows the buffer. They were originally designed this way for efficiency, but in hindsight their use has become a major factor in the fragility of C software. Unless programmers have good habits and always check, at every function call, whether a string longer than the buffer could be copied into it, buffer overflows are inevitable. For a program with a buffer overflow vulnerability, an overly long string entered by an ordinary user usually just crashes the program. Take, for example, the following short piece of code:

The following is a reference clip:

    /* vulprog */
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buff[8];
        strcpy(buff, argv[1]);   /* no length check: a long argv[1] overflows buff */
        return 0;
    }

If the user runs ./vulprog AAAAAAAAAAAAAAAA, a segmentation fault occurs on Linux, because the overly long string not only fills the buffer but also overwrites the data the program needs in order to return normally. To study this problem, you need to understand the memory layout of a process on a Linux system.

The "prologue" work the system performs on a function call is to push the function's return address and EBP onto the stack, then assign ESP to EBP so that it serves as the base pointer for local variables, and finally subtract a certain value from ESP to make room for the local variables. Consequently, when the program copies an overly long string into the buffer, it overwrites EBP and then the return address. When the return address has been overwritten with AAAA, the system loads 0x41414141 (the hexadecimal ASCII code of A, repeated) into EIP when the function returns; because this is an invalid memory address, the program crashes. But if the return address is overwritten with a real address, the program will instead execute the instructions found there. Usually the hacker places so-called shellcode at this address, and the shellcode spawns a shell. If the attacked program has the suid bit set, the resulting shell is a root shell and the hacker gains full control of the system. This is the basic buffer overflow attack.

Overwriting a function's return address is the common attack, but buffer overflow attack methods are flexible and varied, and a small programming mistake can often lead to an attack. Here are some more advanced variants.

(1) attack by overwriting the function pointer:

The following is a reference clip:

    /* vulprog */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        void (*fp)(char *) = (void (*)(char *)) &puts;   /* lies above buff on the stack */
        char buff[256];
        strcpy(buff, argv[1]);   /* no length check: a long argv[1] can overwrite fp */
        fp(argv[2]);             /* calls whatever fp now points to */
        exit(1);
    }

The above program does not check the boundary when performing the copy, so user data can overwrite the function pointer fp. If fp is overwritten with the address of shellcode, the shellcode is executed when the function pointer is called.

Overwriting the function pointer this way is the direct method (it works because the function pointer lies directly above the buffer). There is also an indirect method: when the function pointer is not directly above the buffer, another pointer is overwritten first, and that pointer is then used to write the address of the shellcode into the function pointer.

(2) attack by overwriting the address of the .dtors area:

The following is a reference clip:

    /* vulprog */
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *pbuf = malloc(strlen(argv[2]) + 1);
        char buff[256];
        strcpy(buff, argv[1]);   /* no length check: a long argv[1] can overwrite pbuf */
        strcpy(pbuf, argv[2]);   /* argv[2] is then written to wherever pbuf now points */
        exit(1);
    }

Although this program has no function pointer, the second copy writes arbitrary data to an arbitrary address, and that address is chosen by the first copy. An attacker can therefore overwrite the pointer pbuf with the address of the .dtors section, so that the second copy writes the address of the shellcode into .dtors, and the shellcode is executed when the program exits.

In fact, for this program an attacker can overwrite not only an entry in the .dtors section, but also the address of exit in the GOT (global offset table), or the address of __deregister_frame_info.

As these examples show, a program that does not check buffer boundaries is very likely to be open to overflow attacks.

Because of the frequent outbreaks of buffer overflow attacks, many operating system vendors have been forced to introduce measures such as non-executable stacks and updated C library functions. These measures curbed ordinary buffer overflows to some extent, but as virtue rises one foot, vice rises ten: hackers quickly turned their attention to new overflow attacks such as heap overflows. From the early overflows of important variables (function pointers, file pointers), to malloc/free heap overflows in dlmalloc, to heap overflows in ptmalloc, new techniques emerge one after another. No matter how clever these techniques are, they share a single root: programs that do not effectively check buffer boundaries.
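Since the single root named above is the unchecked copy, the fix is the same for all three vulprog listings. The following is an added example (my own code, not from the article or any of its listings): the first vulprog with its buffer boundary checked before the copy. The helper names and the rejection message are assumptions of this example.

```c
/* Added example, not the article's code: the vulprog copy with its boundary
 * checked. Function names and the rejection message are my own choices. */
#include <stdio.h>
#include <string.h>

/* Copy src into dst[dstsz]. Returns 0 on success, -1 if src (plus its NUL)
 * would not fit; on failure dst is left empty rather than partially filled,
 * so the bytes above the buffer are never touched. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dstsz == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsz) {            /* n == dstsz would leave no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* exactly n bytes plus the terminator */
    return 0;
}

/* Hardened form of the first vulprog: the same 8-byte buff, but an overlong
 * argument is reported and rejected instead of overwriting EBP and the return
 * address. The same check protects fp (listing 1) and pbuf (listing 2). */
int hardened_vulprog(const char *arg)
{
    char buff[8];
    if (bounded_copy(buff, sizeof buff, arg) != 0) {
        fprintf(stderr, "argument too long: %zu bytes, max %zu\n",
                strlen(arg), sizeof buff - 1);
        return 1;
    }
    printf("copied: %s\n", buff);
    return 0;
}

int main(int argc, char *argv[])
{
    /* Constructed inputs: the article's 16-'A' crash string and one that fits. */
    if (argc > 1)
        return hardened_vulprog(argv[1]);
    return hardened_vulprog("AAAAAAA") | hardened_vulprog("AAAAAAAAAAAAAAAA");
}
```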

2. SQL injection

Besides buffer overflows, SQL injection attacks have appeared in recent years, and have been called the "SYSDBA nightmare". SQL injection can let an ordinary database user steal confidential data (for example, obtain SYSDBA passwords) and escalate privileges (for example, obtain SYSDBA privileges). Such attacks require little specialist computer knowledge beyond proficiency in the SQL language, so they pose a great threat to database security.

The SQL injection attack method is relatively simple: privileged statements are injected into vulnerable stored procedures or triggers so that those statements are executed illegitimately. For example, in Oracle, suppose the following stored procedure is created by SYS and execute permission on it is granted to ordinary users:

The following is a reference clip:

    CREATE OR REPLACE PROCEDURE PROC1 (INPUT VARCHAR2) AS
    ......
        STMT := 'SELECT TITLES FROM BOOKS WHERE AUTHOR = ''' || INPUT || '''';
        EXECUTE IMMEDIATE STMT;
    ......

Normally a user queries Dickens's works by executing EXEC SYS.PROC1('DICKENS'), but if a malicious user calls the stored procedure like this:

EXEC SYS.PROC1('DICKENS'' UNION SELECT PASSWORD FROM USERS_TABLE WHERE ''A''=''A'), then the concatenated statement becomes SELECT TITLES FROM BOOKS WHERE AUTHOR = 'DICKENS' UNION SELECT PASSWORD FROM USERS_TABLE WHERE 'A'='A', and the user illegitimately reads out the passwords of all users.

Although this is a simple example, it shows that care must be taken to prevent SQL injection when writing system stored procedures, functions, and triggers.
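As an added example (my own code, not the article's PL/SQL), the following C program builds PROC1's statement two ways, pasting the input in as PROC1 does and enquoting it the way Oracle's DBMS_ASSERT.ENQUOTE_LITERAL does (wrap in quotes, double every embedded quote), then scans the result to see whether UNION ends up outside the AUTHOR literal. Function names, buffer sizes and the scanner are this example's own.

```c
/* Added example, not the article's code; names and buffer sizes are my own. */
#include <stdio.h>
#include <string.h>

/* Wrap in quotes and double every embedded quote, as ENQUOTE_LITERAL does:
 * O'Brien -> 'O''Brien'. Returns -1 if out cannot hold the result. */
static int enquote_literal(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        if (o + (*in == '\'' ? 2 : 1) + 2 > outsz) return -1;
        out[o++] = *in;
        if (*in == '\'') out[o++] = '\'';   /* '' is one quote inside a literal */
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}
/* quote=0 pastes input into the text exactly as PROC1 does; quote=1 enquotes. */
static int build_stmt(char *out, size_t outsz, const char *input, int quote)
{
    char lit[1024];
    if (quote && enquote_literal(lit, sizeof lit, input) != 0) return -1;
    int n = snprintf(out, outsz, "SELECT TITLES FROM BOOKS WHERE AUTHOR = %s%s%s",
                     quote ? "" : "'", quote ? lit : input, quote ? "" : "'");
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
/* Does UNION (uppercase, as in the article) appear outside a quoted literal?
 * Inside a literal, '' is an escaped quote and does not close it. */
static int union_outside_literal(const char *sql)
{
    int in_lit = 0;
    for (; *sql; sql++) {
        if (*sql == '\'') {
            if (in_lit && sql[1] == '\'') { sql++; continue; }
            in_lit = !in_lit;
        } else if (!in_lit && strncmp(sql, "UNION", 5) == 0)
            return 1;
    }
    return 0;
}
/* 1 if the statement built from input lets UNION reach the parser, 0 if it
 * stays inside the AUTHOR literal, -1 if the statement buffer overflowed. */
int exposes_union(const char *input, int quote)
{
    char stmt[1024];
    if (build_stmt(stmt, sizeof stmt, input, quote) != 0) return -1;
    return union_outside_literal(stmt);
}
```

In the procedure itself the cleaner fix is a bind variable, so that INPUT never becomes part of the statement text at all: EXECUTE IMMEDIATE 'SELECT TITLES FROM BOOKS WHERE AUTHOR = :a' USING INPUT;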

The database is the cornerstone of an information system, and once it is compromised the consequences are unimaginable. The best way to resist intrusion is to eliminate the loopholes in the software itself so that hackers have nothing to exploit. Security risks in existing systems can be corrected through source code audits, vulnerability tracking and similar measures. At present we are actively hunting for vulnerabilities in the Dameng database, striving to make Dameng a truly unbreakable database and to build a strong foundation for the country's information security.
