“Asprox” Mass SQL Injection

Friday, May 23, 2008


Priority: HIGH

Impact: Potential for database corruption or malware to be downloaded to website visitors. PCI DSS non-compliance.

Resolution: Verify blocking policy in web application firewall and remediate code flaws.

Who: Thousands of websites around the world have been successfully compromised with a mass generic SQL injection attack. The targeted web platform is the Microsoft IIS web server running ASP web applications with MS-SQL database on the back end.

What: The source of these attacks is an application called “Asprox” that is being distributed as part of a spam botnet. Asprox will execute on an infected client’s computer and initiate Google queries searching for vulnerable ASP sites with the following query string: inurl:".asp" inurl:"a=". It will then parse the results and initiate the SQL injection attack to attempt to inject malicious JavaScript links into the back-end MS-SQL database. If this is successful, the website will display the malicious JavaScript links in its output to clients. These links will force the user’s browser to download other JavaScript code that will attempt to exploit browser flaws to install other Trojan software and perhaps steal user credentials.

How: The underlying problem being exploited in this attack is a lack of proper input validation in the ASP web pages on the target sites. The injected SQL leverages an MS-SQL database feature called TABLE_CURSOR to generically loop through all table names; however, this is not a vulnerability in the database. Other databases have similar functionality, and this attack could be ported to them with minimal effort.
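The coding flaw described above, and the remedy the Prevention section recommends, shown side by side as an added example written for this alert (it is not code from Breach Security or from any affected site). It assumes an in-memory SQLite table as a stand-in for the ASP site's MS-SQL back end, a constructed `products` table, and the `a` query-string parameter named in the Google search string; the two lookups differ only in whether the client-supplied value is pasted into the SQL text or bound as a parameter, and the allow-list check is the "proper input validation" the ASP pages lacked.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for a site's MS-SQL back end.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Widget', 9.99);
        INSERT INTO products VALUES (2, 'Gadget', 19.99);
        INSERT INTO products VALUES (3, 'Gizmo', 29.99);
    """)
    return conn


def lookup_vulnerable(conn, a):
    # Mirrors the flawed ASP pattern: the value of the "a" query-string
    # parameter is concatenated straight into the SQL text, so whatever the
    # client sends is interpreted as SQL rather than as data.
    sql = "SELECT id, name FROM products WHERE name = '" + a + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, a):
    # Hardened form: the value travels as a bound parameter. The database
    # receives the fixed statement and the value separately, so quotes or
    # keywords inside the value can never change the statement's structure.
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (a,)).fetchall()


# Positive (allow-list) validation for the "a" parameter: a product name is a
# short run of letters, digits, spaces, hyphens or underscores. Anything else
# is rejected before it gets anywhere near the database.
_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,40}$")


def is_valid_name(a):
    return bool(_NAME_RE.match(a))


def safe_lookup(conn, a):
    # Defence in depth: validate the input, then still use a bound parameter.
    if not is_valid_name(a):
        raise ValueError("rejected query-string value for parameter 'a'")
    return lookup_parameterized(conn, a)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed tautology, the textbook form of the flaw
    print("vulnerable, normal input:  ", lookup_vulnerable(db, "Widget"))
    print("vulnerable, tautology:     ", lookup_vulnerable(db, probe))
    print("parameterized, tautology:  ", lookup_parameterized(db, probe))
    print("allow-list accepts Gizmo:  ", is_valid_name("Gizmo"))
    print("allow-list accepts probe:  ", is_valid_name(probe))
```

Run stand-alone, the vulnerable lookup returns every row for the tautology while the parameterized lookup returns none; the same two techniques (bound parameters via ADO command parameters, plus allow-list validation of `Request.QueryString` values) are what the OWASP guidance cited under Prevention prescribes for the ASP/MS-SQL stack targeted here.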

Impact: This mass attack has been so effective at compromising many sites because it is able to successfully conduct an SQL injection attack with only one request. With custom-coded web applications, attackers normally do not have any information about the structure of the target database, so they must conduct reconnaissance probes using basic SQL injection attacks to enumerate table information. After a series of successful probes, they may eventually reach a point where they can extract sensitive user information such as customer credit card numbers.

It is during this reconnaissance probing phase that most attackers are identified, their attempts are blocked, and other defensive actions are taken. With this new generic SQL injection query, however, the attacker does not need to conduct any reconnaissance probes at all, because the attack simply appends the new malicious JavaScript code to all table values.

This injected data may corrupt the entire database, resulting in significant damage and making the site non-responsive. If the database does not become corrupted, the site will then serve web pages to visitors that include this new malicious JavaScript code. In essence, the target website becomes a distribution point for the attacker’s malware.

Additionally, organizations impacted by Asprox may be classified as out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). Requirement 6.5.6 of the PCI DSS states that organizations should:

“…Cover prevention of common coding vulnerabilities in software development processes, to include the following…injection flaws (for example, structured query language (SQL) injection).”

Prevention: Perhaps the most surprising discovery associated with this attack is that it was entirely preventable. Had the developers of these web applications created them based on secure coding guidelines such as those from the Open Web Application Security Project (OWASP), their sites would have been protected. In addition, deployment of a Breach Security web application firewall prevents the attack.

Resolution: Breach Security’s web application firewalls enable security organizations to pinpoint security vulnerabilities in code for quick remediation and offer continuous protection by detecting and blocking hacks before they can reach the web application. Breach Security recommends remediation of the vulnerable code as a best practice as part of the normal development lifecycle.

Breach Security WebDefend and ModSecurity Pro M1100 customers are already protected against the Asprox SQL injection attacks through either the Adaption positive security model or the Generic Application Attack Detection rules. Customers should verify their security settings to ensure the appropriate prevention mechanisms are active; specifically, that the appliances are configured in a blocking mode for these attacks.
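The "verify blocking mode" step above, illustrated with an added example that simulates a generic application-attack policy over a few request lines. This is example code written for this alert, not Breach Security's WebDefend or ModSecurity rule set; the rule names, the `mode` setting and the sample request lines are all constructed here. It makes the point a practitioner checks when auditing a WAF: the same rule hit results in a blocked request only when the policy is in blocking mode, and query-string values must be decoded before inspection or an encoded value sails through.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Hypothetical indicators for generic SQL-injection attempts in a query-string
# value. Each rule is a name plus a case-insensitive pattern; keyword checks
# such as DECLARE, CURSOR and EXEC reflect the T-SQL cursor looping this alert
# describes without encoding any particular payload.
RULES = [
    ("sql-declare", re.compile(r"\bDECLARE\s+@", re.I)),
    ("sql-cursor", re.compile(r"\bCURSOR\b", re.I)),
    ("sql-exec", re.compile(r"\bEXEC(UTE)?\b", re.I)),
    ("sql-update-set", re.compile(r"\bUPDATE\b.+\bSET\b", re.I)),
    ("sql-stacked", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DECLARE|DROP)\b", re.I)),
]


def inspect_request(request_line):
    """Return (rule_name, parameter) for the first rule tripped by any
    query-string value of an HTTP request line, or None if nothing matches."""
    _method, target, _version = request_line.split(" ", 2)
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already applies one round of URL decoding; a second pass
        # normalises double-encoded values so they are inspected in the same
        # form the ASP page would finally see.
        decoded = unquote_plus(value)
        for rule, pattern in RULES:
            if pattern.search(decoded):
                return rule, name
    return None


def apply_policy(request_lines, mode="block"):
    """Simulate the appliance policy. mode="block" stops a matching request;
    mode="detect" only logs it. Returns (request_line, action, rule) tuples."""
    results = []
    for line in request_lines:
        hit = inspect_request(line)
        if hit is None:
            results.append((line, "allow", None))
        elif mode == "block":
            results.append((line, "block", hit[0]))
        else:
            results.append((line, "log", hit[0]))
    return results


# Constructed request lines: two benign lookups, one keyword-laden value, and
# one double-encoded value (%2527 -> %27 -> ') followed by a stacked EXEC.
SAMPLE_REQUESTS = [
    "GET /products.asp?a=123 HTTP/1.1",
    "GET /products.asp?a=widget+blue HTTP/1.1",
    "GET /products.asp?a=1%3BDECLARE+%40c+CURSOR+FOR+SELECT+1 HTTP/1.1",
    "GET /products.asp?a=1%2527%3BEXEC+x HTTP/1.1",
]


if __name__ == "__main__":
    for mode in ("detect", "block"):
        print(f"--- policy mode: {mode}")
        for line, action, rule in apply_policy(SAMPLE_REQUESTS, mode=mode):
            print(f"{action:5s} {rule or '-':15s} {line}")
```

In detect mode both suspicious lines are merely logged, which is the misconfiguration the resolution step warns about; flipping `mode` to block is the setting customers are asked to verify. The second decoding pass matters for the last sample: without it the value reaches the rules still containing `%27`, and the single-quote context that a naive rule keys on is never seen.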

Contact: For more information on this alert, please email support@breach.com.