Hacking and Securing DB2 LUW

Video in TIB AV-Portal: Hacking and Securing DB2 LUW

Formal Metadata

Title
Hacking and Securing DB2 LUW
Author
Alexander Kornbrust
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
DB2 for Linux, Unix and Windows is one of the databases about which only very little information on security problems is available. Nevertheless, DB2 LUW is installed in many corporate networks and, if not hardened properly, could be an easy target for attackers. In many aspects DB2 is different from other databases, starting with user management (normally no users/passwords in the database) and extending to the privilege concept. With the latest versions, DB2 LUW became more and more similar to Oracle (views, commands, concepts to make more things queryable from the database) and even allows running PL/SQL code from Oracle databases. IBM is also cloning the insecure configuration from Oracle by granting a lot of the PL/SQL packages to PUBLIC. This talk gives a quick introduction to the DB2 architecture, the differences to other relational database systems and the most common DB2 configuration problems. A list of available exploits and typical pentester questions (how can I run OS commands, how can I access the network or the file system) is also covered. The talk also demonstrates SQL injection in stored procedure code inside the database (SQL PL and PL/SQL): how to find, exploit and fix it. The last part covers the hardening of DB2 databases.

Alexander Kornbrust is the founder of Red-Database-Security, a company specialized in database security. He provides database security audits, security training and consulting to customers worldwide. Alexander has audited 3000 Oracle, DB2 and MSSQL instances over the last years. Alexander is also the co-author of the book "SQL Injection Attacks and Defense". Alexander has worked with Oracle since 1992 and his specialties are the security of databases and secure software architectures. In the last 7 years Alexander has reported more than 1200 security bugs to Oracle and has given various presentations at security conferences like Black Hat, Defcon, Bluehat, HITB, ... Twitter: @kornbrust

And today I will talk about a new topic for me: database DB2 security. If you look on the Internet, normally the first step is always to go to Google and search for DB2 security experts, but so far there are no real DB2 security experts available, and I think the majority of the security crowd is not looking at vulnerabilities in DB2. Today I want to show you a little bit of my research and also give you the resources, with links, so that you can also start a little bit of research if you want, because I think it's a juicy target as well. OK, I'm not sure who has experience with DB2? OK, a few; I have difficulties seeing. When I start looking into a new topic, everyone is looking at Google, and my experience is that IBM is quite slow in releasing patches. That's one of the first things: even after zero-days were released it took a few months until they released new security patches.

The latest version of DB2 LUW (Linux, UNIX, Windows) is version 9.7, called Cobra, and this version will be supported until 2014. Here you can see when the fix packs are coming out. Then we have version 9.5 and version 9.1; normal support ended in 2012, so people should slowly start thinking about migrating to 9.7.

One of the issues: in the IBM world it's much more complicated to get the database software. You can get the free Express Edition, and this free Express Edition is available for different platforms, but in some places it is quite limited; for example the Express Edition does not support PL/SQL and some other nice things. There are also trial versions, 90 days, available from IBM, but you have to register. The biggest problem for me, if you don't have a support contract with IBM, is to get old versions, because if you are looking for security vulnerabilities, if you want to play with exploits, you're normally more interested in older versions than in newer versions, but those are quite complicated to get. There are also some VMware images available; one is created by a guy called db2 hitman and he has one trial version, so you can just download this VM and then start playing with it. That's probably the fastest way to start with DB2, because you save all the time to set up and configure the database. There is also the Express Edition, and IBM also has a data server, but sometimes it's difficult to find. Whenever I want to download something from the IBM website, for me it's a nightmare; I always have difficulties finding something there.

This is the architecture, but I don't want to spend too much time here. For me and many other people, the first time you work with a database, probably the biggest challenge is how to connect to this damn database. I saw it so many times that people want to connect to an Oracle database in the training and it sometimes took 30, 40 minutes before they were able to connect with their laptop to the database. Like Oracle, IBM DB2 has a small command-line utility, the CLP: you start db2cmd, then you connect to the database and then you can run statements. It's not nice; it's actually similar to SQL*Plus. A little bit more convenient is a SQL*Plus clone from IBM as well: if you install it, it's part of the installation, it's called CLPPlus, and you even have a history, something SQL*Plus hasn't had in 20 years.

Now I want to show you exploits. If you search on the Internet you will only find a few of these exploits, because most of these exploits are coming from IBM itself: IBM is releasing a lot of exploit code, so if you go to the support pages you find a lot of working exploits there. The problem is that the IBM guys are not aware that this code is exploit code, and I will show you some of them. So far there are only a few exploits available; if you come from the Oracle world it's really a small amount of exploits. One problem (Oracle, I always say Oracle, I did it too long) DB2 has is insecure random numbers. This was fixed in 9.7 Fix Pack 1, and the majority of the exploits in the DB2 world are denial-of-service exploits; whatever I saw is crashing the database, creating a denial of service, killing something and so on. OK, in 9.7 it's similar. So the random number: if you call the random number generator two times you're getting the same value back, which is not always a good idea. Then this was one of the few zero-day exploits: a Russian guy released two exploits and it took four or five months before IBM released fixes. By running such a simple SELECT statement you were able to crash the database; the load went to 100% and stayed at 100%. So this would be a candidate if you have a SQL injection in a web application: you can just use a UNION statement appended to the SELECT statement and then you are able to do a denial of service. Somehow my keyboard is not working, OK. This one is from a guy from Ukraine, Denis Yurichev: by sending this special packet you were also able to create a denial-of-service attack, and Denis was also reporting another one, but it's too big. By using fuzzing I'm quite sure you will be able to find a lot of vulnerabilities there. And this is one of the exploits from IBM. The easiest way to find these exploits is: whenever IBM releases a new fix pack, for example Fix Pack 4 or Fix Pack 3, you go through all the security bugs, and you should also go through the instance crash bugs, because the majority of the database vendors say that if you crash a database that's not a security problem. So if you run a SELECT statement and the database dies, that's not a security problem; that's the opinion of IBM, Microsoft and also of DB2, and only if you release it to the press and you explicitly say that it's a security vulnerability, then they are fixing it. But the majority of denial of service and database crashes are not handled by the database vendors as a security bug.

And this is a good example that the entire quality of DB2 (I also talked to several DB2 DBAs) is not that good compared to Oracle, for example. Here you have two problems: if you have a duplicate predicate, so if you have the same condition two times, the database dies. This was fixed a few months ago, and it's really weird that if you use the same condition a database dies. So the entire parsing engine of DB2, from my experience, is less stable than the engine of Oracle or SQL Server; SQL Server is the most secure for me. And also if you use a special construct, for example a single-byte partition: you create this object and the database dies, and you get this entire code as a test case. The database vendors say it's a test case; in the security world it's an exploit. You can get it from the IBM pages, and I think IBM should rethink their strategy of releasing this kind of code to the public. Also here, if you create such a table and run a SELECT statement against it, the database dies. Also here, if you use a keyword as a column name you have the same problem. But it's not that bad for IBM: if you look at the Oracle side it's quite the same. If you use really weird SQL statements the chances that you crash the database are quite big, especially if you use reserved words, if you use short words, if you use special characters and so on. And here it's quite difficult to protect against these attacks, because there's no privilege which could be revoked; you just have to wait until IBM releases a bug fix. Also, the outer join is probably one of the most complicated constructs; Oracle in the last few years, and also IBM and Microsoft SQL Server, always had problems with outer joins, and here by using this outer join you can crash the database; sometimes you are also getting wrong results. Also by using weird INSERT statements you can crash the instance. It's also one of my favorites: just by using a lot of UNION statements you can crash the database, so if you do a SQL injection and you append too many UNIONs the database will die, but it's not a security vulnerability for IBM. This was one vulnerability on the command line: there's a small program from IBM called DB2 license manager, and with this DB2 license manager you can change the ownership of a file. Normally DB2 does not run with root privileges on a Unix system, but using this DB2 license manager you are able to change the ownership of root files and other files. So you see there are a lot of potential issues there, but if I compare the different databases: in the Oracle world you have 10 times more vulnerabilities, and IBM DB2 is between Microsoft, which is the best system so far, and Oracle; so it's in the middle.

The fix packs are normally the most interesting way to find new issues, so just go to the websites, look for everything which can crash the database. It's also a good idea to do this on the MySQL bug database: just look for database crashes or for strange results, and then you can often create your own exploit for it, because the majority of administrators do not have the time to apply all the fix packs just in time; it often takes months or years before they apply the latest fix packs, and that's common for all the big databases.

What I also saw, and so far there's no paper about it, is SQL injection in custom PL/SQL code, because a lot of database developers are creating their own stored procedure code in the database to be more performant. Since DB2 9.7 there are now two possibilities to write your own stored procedure code: one is SQL PL, that's the old classic version, and the second possibility is to use PL/SQL; they licensed PL/SQL from the Postgres guys because they hope that Oracle customers will switch from Oracle to DB2. Before we look at the SQL injection vulnerabilities, here are two or three nice things which are helpful if you work with security. A lot of the interesting commands cannot be executed from a SELECT statement, something like exporting a table or describing a table; that's not possible from a normal SQL command. To circumvent this problem there's a built-in stored procedure from IBM called ADMIN_CMD, and with this ADMIN_CMD you can run these DB2 commands from SQL, so for example we can export a file or we can kill the session of another user; but it's clear that you need advanced privileges to call this stored procedure. A few months ago there was a problem with a stored procedure called MONREPORT.CURRENTSQL: in some fix packs it was granted to PUBLIC, and this stored procedure is revealing the entire SQL cache, so all the statements which were executed by other people are visible via this report function. This is quite useful if you are doing performance tuning or if you are looking for problems and bottlenecks, but it's also a security problem, because every statement, also an INSERT INTO a password table, is visible in this CURRENTSQL function, or if you are inserting numbers into a credit card table it's also visible here. So you should be careful with this stored procedure. And sometimes, if you work with SQL injection, it's interesting to know how to create a semicolon-separated list. This is useful to get more out of the database: if you're doing SQL injection you're normally getting results row by row, so if a query returns 100 rows you're getting 100 lines, and with this statement it's possible to get a semicolon- or, here, comma-separated list in one row, one column. This can be useful for a SQL injection, because with one SQL statement you can get the entire table back instead of enumerating row by row. And it's special because every database vendor has its own dialect; it's not part of the normal syntax, so every vendor has a different approach; MySQL, for example, calls it GROUP_CONCAT.

So now we are looking at vulnerabilities in custom code, and all the code I reviewed so far, on the Internet and also at the customer side, was mostly vulnerable. I never saw database developers doing input validation, and it's difficult to understand why they are not doing it; probably they think we are too close to the database and nobody will ever inject code, but that's not the case. Here we have a typical example, and you can see that even without deep DB2 or database knowledge you can find this vulnerability: we have a stored procedure with administrator privileges, and here we have a parameter OS_USER, and you see there's no input validation; the input validation here is missing. The developer of this code was doing the following: he's concatenating the value of OS_USER, which is coming from the stored procedure parameter, and after that it's executed. So this is one vulnerability. The second vulnerability is a second-order SQL injection: the developer is trusting that the table names are always sanitized, but as a developer you can never guarantee what the real table name is. For example you can create a table called exclamation mark I am, or you can use -- in a table name; in this case this custom code is concatenated without doing input validation. So whenever you see such code you should try to find the responsible developer, and he should use bind variables, or, if this is not possible, as here, then he should do input validation: he has to validate that the table name is proper, and you have to validate that the OS user is in the right format. Another example, and if you go to the Internet it's really easy to find vulnerable code, because I never found people doing input validation, so the chances that you'll find something are really, really high. Here we have two parameters, the old table schema and the old table name, and you see they are just concatenating the values without doing input validation. Or here it's similar: they create a string, concatenate everything together and then they call this with ADMIN_CMD. Here's one limitation: if you use ADMIN_CMD you are not able to use comment signs, so you cannot use -- to put something at the end, and you cannot use the semicolon to extend the query. Since DB2 9.7 it's also possible to use PL/SQL code, and with PL/SQL you have a bunch of new vulnerabilities coming into the system. In the DB2 version of PL/SQL you have to use DBMS_SQL to create dynamic SQL statements. So the problem here is: we have a function, this function checks if the table is empty, and we have a parameter, the table name, and this table name is concatenated to the query, and the query is parsed and then executed and fetched. So if you use a UNION or a -- at the end of this parameter you can extend this query and you can run whatever you want. This is quite common, and whenever you do a security audit of DB2 databases you should also look at custom code, because the vendors are getting better and better, but the typical database developer does not get money or time to develop secure code; that's why you will find a lot of these vulnerabilities. In my experience the fastest way to do it is just to extract the entire stored procedure code into one big text file and then use grep or a text editor and search for strings like EXECUTE IMMEDIATE and DBMS_SQL, and then you can search back: for example here, DBMS_SQL.EXECUTE, where is it coming from, from this parameter, and then you can check whether the parameters are validated or not. So it's not real magic; it's a quite simple and easy way to find this. For PL/SQL there is a source code analysis tool from Fortify, but for SQL PL I'm not aware of a source code analysis tool; but I think doing it manually is also sufficient if you don't have tons of SQL PL code.

What is also interesting is how to escape from the database. The typical ways to escape are to read or write files, to access the network, send something to the network, or to escape to the operating system and then from the operating system to a different system. For accessing files there are different possibilities available in DB2: you can use the LOAD command, you can use IMPORT/EXPORT, you can use user-defined functions, and the newest, UTL_FILE and DBMS_LOB from the Oracle world. In the Oracle world UTL_FILE and DBMS_LOB are granted to PUBLIC, which is not a good idea, and what do you think the default configuration of DB2 is? It's also granted to PUBLIC. With LOAD it's quite simple; with IMPORT/EXPORT I played a little bit: by using this ADMIN_CMD it's quite easy to use, you say EXPORT TO and then you are creating a test file. What I did on my test system on Windows: I was able to overwrite boot.ini, so this EXPORT command does not protect your files; if you overwrite an executable, this executable is overwritten by the EXPORT statement, so you can use it for a denial of service, to destroy files on the database server. The third possibility is a user-defined function, and for a user-defined function you need a stored procedure, create read file, and the read file is calling a user-defined function, and in the sample code from IBM this is granted to PUBLIC, which is also a bad idea; so if you play on a test system you should not grant it to PUBLIC. Additionally you need a C function, and the C function here is limited, so you can read a file from the operating system. The usage itself is quite simple: you say SELECT * FROM TABLE, then you specify the function, and you see the result from the file in your statement. So it's really easy to use. The next possibility is UTL_FILE. To use PL/SQL in DB2 you have to set a special environment variable, and I would recommend not to use it: if you don't need PL/SQL you should remove it from the database, because I think in the future you will find a lot of vulnerabilities here, and I'm not sure if it's a good idea to use a language from a different database vendor. And if you use it, then revoke all the PUBLIC privileges; you should revoke the privileges from PUBLIC. You can also remove files: if you look at the documentation of the UTL_FILE package, you can rename files, you can remove files, so whatever you need on the operating system level can easily be done with a simple PL/SQL function or an anonymous block. The second possibility to read files is the function DBMS_LOB, and here we have also a function; oh, that's a copy-paste failure, OK. Accessing the network: I haven't found something from the original DB2 part, but the Oracle stuff in DB2 has two problematic packages: one is UTL_SMTP and the second is UTL_MAIL. With UTL_SMTP you can write a small stored procedure block, and then you can define the message, the SMTP server, and then you send the email. If DB2 is configured for using UTL_MAIL (you have to configure the SMTP server in your system), then you can just use this call, UTL_MAIL.SEND, and you specify sender, recipients and so on. The last thing, accessing the operating system: I found so far only the way via user-defined functions, and this is also quite simple; you can use more or less every language. I'm showing an example in C. First we have to create an export file for the library and we copy it to the sqllib directory, then we create a function and execute the function, that's it. It's similar to this read function: we have here a function, system call, and this system call is calling the external file OS call, system call, and you grant this to PUBLIC; also here it's a bad idea to do this. And this is the C code; you see here the system() call, the system command, and here you are executing the statement, and once you have installed it in the database you can just run the system call and can do whatever you want.

Hardening DB2 is much easier in my experience than hardening Oracle, because you have fewer PUBLIC privileges, and the big difference is that you are hardening more on the operating system level: you are running special commands and then you are changing the configuration. And the DB2 CIS benchmark is quite good; if you compare it with the CIS benchmark for MySQL or Oracle, the DB2 benchmark is quite good and I would recommend using it as a starting point; they have a lot of good recommendations. From my experience from security audits I normally recommend disabling everything which is not necessary. In DB2 it's much easier, because for a lot of additional functionality you need a license file and you have to pay for functionality; in Oracle everything can be installed without an additional license, that's why people often install everything, and in DB2 they normally install only what is necessary. Do not install PL/SQL if it's not needed, and check the OS credentials. In most of the cases the biggest problem in other databases is the user credentials: developers are lazy guys, and if you have a username they often use the same string as the password, and this is also the case in the DB2 world, but it's not a DB2 problem, it's an operating system problem. Finding credentials like db2inst1/db2inst1 or db2admin/db2admin is not uncommon, so it really depends on the configuration of the underlying operating system, but in general the situation is better than in other systems. OK, what are the typical steps to harden a DB2 database? You should have a look at OS credentials; in the real world you find weak OS credentials, you find that the discovery mode is enabled. The discovery mode is announcing in the network what databases are available, and just by disabling this discovery mode you will be much more secure, because it's much more difficult to find the database. What I got is that in DB2 10, version 10, this discovery mode will be removed. And we have too many privileges with the default configuration, missing patches and insecure program code; so this is more or less normal, like with every other database vendor. OK, so the hardening: disable the discovery mode, change the default port. The discovery mode is disabled by using these two db2 commands, and after doing that it's disabled. Then you can change the port; it's also recommended in the CIS benchmark. I was never a big fan of changing the port, but if you live better with it, it's OK; normally with a port scanner you will find the port even if it's running on a strange port. Then here are some of the privileges which should be removed from PUBLIC; you can just put it into a script and run it, quite often. Then here are some other useful parameters, and you should check that you have these strong settings: also discovery, authentication, that the authentication is encrypted and so on.

That's something I'm a big fan of: logon triggers, because the majority of database administrators, no matter what vendor, have no idea who is connecting to their database, and that's why it's really important to know who is connecting from what machine with what account. Only in this case can you limit access to the database; you can say OK, only from this machine the agent account is able to do this. There's a new functionality called CONNECT_PROC, and with this CONNECT_PROC it's quite easy to implement logon trigger functionality. What we do first is create a table, and this table is storing the information about the user ID, the event and the timestamp, so you know at least who's connecting to the system; if you play with this you should probably extend it with a few additional values, but I think for the beginning it's quite a good idea. Then you create a stored procedure, and it's important that the stored procedure doesn't have a parameter; only if this stored procedure runs without a parameter does it work. Here we are inserting into this audit table we created before the connect, the timestamp and the username. Then we update the configuration, and here it's important that we first set it to null and after that we specify the procedure; so the next time we connect we can see this connect entry here in the SELECT statement on this table. I would recommend in the beginning to look into this table after a few hours, to avoid that it fills up quite fast, and if you have a process which is connecting every few seconds to the system you should probably add an extension saying OK, if this special user from this IP address is connecting to the system, do not record this activity.

So I see I was quite fast, faster than in my trainings, in my preparation. At the moment there are nearly no DB2 security resources; if you look on the web there are a few outdated books, and there are no modules in Metasploit as far as I remember, and the majority of the security crowd is not looking at DB2, but I'm quite sure if you look at it you will find a lot of interesting stuff. The most interesting security bugs are at the moment published by IBM, but sooner or later they will also realize that it's a bad idea to publish exploit code. Concerning the password problem, which is the biggest problem in other databases like Oracle: it's not existing, because DB2 delegated this problem to the operating system; but I'm aware there are also plugins where you can use a table for connecting to the database, so people migrate the Oracle concept of a username table to the DB2 world, but it's quite rare that you find this.

OK, thank you for your time. It was quite fast, and I updated the slide deck a little bit, so you will get the updated version as PDF.
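The grep-and-trace audit the talk describes (dump all stored procedure source into one file, search for EXECUTE IMMEDIATE, DBMS_SQL and ADMIN_CMD, then trace the string back to the routine's parameters) as a small scanner. This is an added example, not code from the talk or from IBM. The SQL PL and PL/SQL routines it scans are constructed samples modelled on the talk's vulnerable patterns (concatenated identifiers executed directly, a table name handed to DBMS_SQL.PARSE, a string passed to SYSPROC.ADMIN_CMD) plus one routine that binds its value with a parameter marker; the routine and parameter names and the taint rules are assumptions. The scanner is regex-based and lists candidates for manual review; it does not prove exploitability, and it cannot tell a validated identifier from an unvalidated one.

```python
"""Flag dynamic SQL in DB2 SQL PL / PL/SQL routines that is built from routine parameters.
Regex-based, like the grep-and-trace audit from the talk: it lists candidates for manual
review (is the value validated or bound?), it does not prove a routine is exploitable."""
import re
from collections import namedtuple

# Sinks that hand a string to the SQL compiler or to the DB2 command processor.
SINKS = [
    ("EXECUTE IMMEDIATE", re.compile(r"\bEXECUTE\s+IMMEDIATE\s+([^;]+)", re.I)),
    ("PREPARE",           re.compile(r"\bPREPARE\s+\w+\s+FROM\s+([^;]+)", re.I)),
    ("DBMS_SQL.PARSE",    re.compile(r"\bDBMS_SQL\.PARSE\s*\(([^;]+)\)", re.I)),
    ("ADMIN_CMD",         re.compile(r"\bADMIN_CMD\s*\(([^;]+)\)", re.I)),
]
# Routine header with its parameter list (one level of nested parens: VARCHAR(128), DECIMAL(10,2)).
HEADER_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:PROCEDURE|FUNCTION)\s+([\w.]+)"
                       r"\s*\(((?:[^()]|\([^()]*\))*)\)", re.I)
ASSIGN_RE = re.compile(r"(?:\bSET\s+(\w+)\s*=|\b(\w+)\s*:=)\s*([^;]+);", re.I)  # SQL PL SET, PL/SQL :=
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

Finding = namedtuple("Finding", "routine sink line tainted_by")  # tainted_by: parameters reaching the sink


def clean_source(text):
    """Blank out string literals and comments so identifiers inside them are ignored."""
    text = re.sub(r"'(?:[^']|'')*'", "''", text)
    text = re.sub(r"--[^\n]*", "", text)
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def split_routines(src):
    """Yield (name, parameter-list text, body, body offset) for each CREATE PROCEDURE/FUNCTION."""
    heads = list(HEADER_RE.finditer(src))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(src)
        yield h.group(1), h.group(2), src[h.end():end], h.end()


def param_names(params_text):
    """Upper-cased parameter names; IN/OUT/INOUT markers and data types are dropped."""
    names = set()
    for piece in re.split(r",(?![^(]*\))", params_text):  # commas inside DECIMAL(10,2) are kept
        toks = [t for t in piece.split() if t.upper() not in ("IN", "OUT", "INOUT")]
        if toks:
            names.add(toks[0].upper())
    return names


def taint_map(body, params):
    """Map every tainted name to the parameters it derives from (fixpoint over assignments)."""
    taint = {p: {p} for p in params}
    assigns = [((m.group(1) or m.group(2)).upper(),
                {t.upper() for t in IDENT_RE.findall(m.group(3))})
               for m in ASSIGN_RE.finditer(body)]
    changed = True
    while changed:
        changed = False
        for var, idents in assigns:
            origins = set().union(*(taint[i] for i in idents if i in taint))
            if origins - taint.get(var, set()):
                taint[var] = taint.get(var, set()) | origins
                changed = True
    return taint


def scan(source):
    """Return a Finding for every sink whose argument mentions a directly or indirectly tainted name."""
    src = clean_source(source)
    findings = []
    for name, params_text, body, offset in split_routines(src):
        taint = taint_map(body, param_names(params_text))
        for label, rx in SINKS:
            for m in rx.finditer(body):
                idents = {t.upper() for t in IDENT_RE.findall(m.group(1))}
                origins = set().union(*(taint[i] for i in idents if i in taint))
                if origins:
                    line = src.count("\n", 0, offset + m.start()) + 1
                    findings.append(Finding(name.upper(), label, line, tuple(sorted(origins))))
    return sorted(findings, key=lambda f: f.line)


SAMPLE = """\
-- Constructed sample routines (not from the talk): three unsafe, one safe.
CREATE PROCEDURE DROP_OLD_TABLE (IN P_SCHEMA VARCHAR(128), IN P_TABLE VARCHAR(128)) LANGUAGE SQL
BEGIN
  DECLARE V_SQL VARCHAR(1024);
  SET V_SQL = 'DROP TABLE ' || P_SCHEMA || '.' || P_TABLE;  -- identifiers not validated
  EXECUTE IMMEDIATE V_SQL;
END@
CREATE PROCEDURE EXPORT_TABLE (IN P_TABLE VARCHAR(128), IN P_FILE VARCHAR(255)) LANGUAGE SQL
BEGIN
  CALL SYSPROC.ADMIN_CMD('EXPORT TO ' || P_FILE || ' OF DEL SELECT * FROM ' || P_TABLE);
END@
CREATE OR REPLACE FUNCTION IS_EMPTY (P_TABLE VARCHAR(128)) RETURN NUMBER IS
  C INTEGER; N INTEGER;
BEGIN
  C := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(C, 'SELECT COUNT(*) FROM ' || P_TABLE, DBMS_SQL.NATIVE);
  N := DBMS_SQL.EXECUTE(C);
  RETURN N;
END@
CREATE PROCEDURE COUNT_ORDERS (IN P_CUSTOMER INTEGER, OUT P_COUNT INTEGER) LANGUAGE SQL
BEGIN
  DECLARE V_SQL VARCHAR(200);
  SET V_SQL = 'SELECT COUNT(*) FROM ORDERS WHERE CUSTOMER_ID = ?';  -- value bound, not concatenated
  PREPARE S FROM V_SQL;
  EXECUTE S INTO P_COUNT USING P_CUSTOMER;
END@
"""
```

`scan(SAMPLE)` reports the EXECUTE IMMEDIATE in DROP_OLD_TABLE (via V_SQL, from P_SCHEMA and P_TABLE), the ADMIN_CMD call in EXPORT_TABLE and the DBMS_SQL.PARSE in IS_EMPTY, and nothing for COUNT_ORDERS, whose dynamic statement is a constant with a parameter marker. Every hit still needs the manual step from the talk: check whether the parameter is an identifier that is validated against the catalog or quoted, or a value that could have been bound instead of concatenated.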
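The hardening checks from the last part of the talk (discovery mode off, non-default port, encrypted authentication, a CONNECT_PROC logon procedure in place) as a checker over the text that `db2 get dbm cfg` and `db2 get db cfg for <database>` print. Added example, not code from the talk, IBM or the CIS benchmark; the two configuration texts are constructed in the layout of that output, and the set of parameters and target values is this example's assumption drawn from the talk. The remediation strings it emits use the documented `db2 update dbm cfg using ...` / `db2 update db cfg for ... using ...` form.

```python
"""Check DB2 instance (dbm cfg) and database (db cfg) settings against the talk's hardening points."""
import re

# One "(PARAMETER) = value" pair per line, as printed by `db2 get dbm cfg` / `db2 get db cfg`.
CFG_LINE = re.compile(r"\((?P<param>[A-Z0-9_]+)\)\s*=\s*(?P<value>.*?)\s*$")

# AUTHENTICATION values that protect credentials on the wire (documented DB2 values).
ENCRYPTED_AUTH = {"SERVER_ENCRYPT", "DATA_ENCRYPT", "DATA_ENCRYPT_CMP",
                  "KERBEROS_ENCRYPT", "KRB_SERVER_ENCRYPT", "GSS_SERVER_ENCRYPT"}

# (config level, parameter, predicate on the current value, value used in the fix command).
# Selection and targets are this example's assumptions, derived from the talk.
# SVCENAME may be a service name resolved via /etc/services; only the literal default is caught here.
CHECKS = [
    ("dbm", "DISCOVER",       lambda v: v == "DISABLE",         "DISABLE"),
    ("dbm", "DISCOVER_INST",  lambda v: v == "DISABLE",         "DISABLE"),
    ("dbm", "AUTHENTICATION", lambda v: v in ENCRYPTED_AUTH,    "SERVER_ENCRYPT"),
    ("dbm", "SVCENAME",       lambda v: v not in ("", "50000"), "<non-default port>"),
    ("db",  "CONNECT_PROC",   lambda v: v != "",                "<schema>.<audit procedure>"),
]


def parse_cfg(text):
    """Return {PARAMETER: value} for every configuration line in the text."""
    cfg = {}
    for line in text.splitlines():
        m = CFG_LINE.search(line)
        if m:
            cfg[m.group("param")] = m.group("value")
    return cfg


def audit(dbm_cfg, db_cfg, dbname="SAMPLE"):
    """Return (parameter, current value, recommended value, db2 command) for each failed check."""
    findings = []
    for level, param, ok, recommended in CHECKS:
        cfg = dbm_cfg if level == "dbm" else db_cfg
        current = cfg.get(param)
        if current is not None and ok(current):
            continue
        if level == "dbm":
            fix = f"db2 update dbm cfg using {param} {recommended}"
        else:
            fix = f"db2 update db cfg for {dbname} using {param} {recommended}"
        findings.append((param, "<missing>" if current is None else current, recommended, fix))
    return findings


# Constructed sample output (default-looking instance): not captured from a real system.
SAMPLE_DBM_CFG = """\
          Database Manager Configuration

     Node type = Enterprise Server Edition with local and remote clients

 Database manager authentication        (AUTHENTICATION) = SERVER
 Cataloging allowed without authority   (CATALOG_NOAUTH) = NO
 Trust all clients                      (TRUST_ALLCLNTS) = YES

 TCP/IP Service name                          (SVCENAME) = 50000
 SSL service name                         (SSL_SVCENAME) =

 Discovery mode                               (DISCOVER) = SEARCH
 Discover server instance              (DISCOVER_INST) = ENABLE
"""

SAMPLE_DB_CFG = """\
       Database Configuration for Database SAMPLE

 Database configuration release level                    = 0x0d00
 Connect procedure                        (CONNECT_PROC) =
 Default application heap (4KB)             (APPLHEAPSZ) = AUTOMATIC(256)
"""

if __name__ == "__main__":
    for param, current, recommended, fix in audit(parse_cfg(SAMPLE_DBM_CFG), parse_cfg(SAMPLE_DB_CFG)):
        print(f"{param}: is {current!r}, want {recommended}  ->  {fix}")
```

Against the constructed sample all five checks fail, which is what the talk describes as the usual state: discovery announcing the instance, the default port, plain SERVER authentication and no logon procedure. DISCOVER, DISCOVER_INST, SVCENAME and AUTHENTICATION are instance parameters and take effect after db2stop/db2start; CONNECT_PROC is set per database, and the procedure it names must take no parameters, as the talk stresses, and has to exist before the parameter is set.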