José Ramón Palanco - NoSQL Security [RootedCON 2011]
TRANSCRIPT
NoSQL Security
José Ramón Palanco
Agenda
✦ Introduction to NoSQL
✦ NoSQL vs RDBMS
✦ NoSQL architecture
✦ NoSQL implementations
✦ Attack vectors
✦ Injections
✦ Key bruteforce
✦ HTTP protocol based attacks on listeners
✦ Cassandra security and Thrift security
✦ Denial of service (connection pollution, evil queries)
Introduction to NoSQL
What is NoSQL?
✦ In general, no fixed table schema is required and joins are not used
✦ NoSQL solutions typically relax one or more of the ACID properties
CAP theorem
✦ Properties: consistency, availability and partition tolerance
✦ Only two of the three can be guaranteed at the same time
✦ Scaling out requires partitioning, so partition tolerance is a given
✦ In most cases availability is favoured over consistency
NoSQL architecture: RDBMS vs NoSQL
RDBMS stack: Client → HTTP server → DB connector (ODBC, ADO, JDBC) → database, speaking SQL
NoSQL stack: Client → HTTP server → DB connector (REST, JSON, XML, ...) → database, speaking a binary protocol, HTTP, ...
NoSQL vs RDBMS
✦ Modern RDBMSs show poor performance and scalability in data-intensive applications
✦ Cloud computing (SaaS)
✦ Social networks
✦ For complex queries, using anything other than an RDBMS is impractical
Example environments
✦ Many environments need to spread writes across clusters, MapReduce, ...
✦ Facebook needs to store 135 billion messages a month
✦ Twitter stores 7 TB a day (a figure that doubles several times a year)
NoSQL drawbacks
✦ OLTP
✦ SQL
✦ Ad-hoc queries
✦ Complex relationships
NoSQL architectures
✦ Document store
✦ Graph
✦ Key/value and tuple
✦ Multivalue
✦ Object
✦ Tabular
Document stores
✦ CouchDB
✦ MongoDB
✦ Terrastore
✦ ThruDB
✦ OrientDB
✦ RavenDB
Graph
✦ Neo4J
✦ Sones
✦ InfoGrid
✦ HypergraphDB
✦ AllegroGraph
✦ BigData
Key/value and tuple
✦ Redis
✦ Riak
✦ Tokyo Cabinet
✦ MemcacheDB
✦ Membase
✦ Azure
Multivalue
✦ U2
✦ OpenInsight
✦ OpenQM
Object
✦ db4o
✦ Versant
✦ Objectivity
✦ NEO
MongoDB
✦ Protocol: binary (BSON)
✦ API: many languages
✦ Query: JavaScript/JSON
✦ Language: C++
CouchDB
✦ Protocol: REST
✦ API: JSON
✦ Query: MapReduce (JS)
✦ Language: Erlang
Features:
• Schema-free (JSON)
• Document oriented, not relational
• Highly concurrent
• RESTful HTTP API
• JavaScript-powered Map/Reduce
• N-master replication
• Robust storage
Talking to CouchDB over raw HTTP. The banner {"couchdb":"Welcome","version":"0.11.0"} is what the server answers to GET /; the first session fetches the metadata of the database "rooted", the second fetches one document by id:

```
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/ HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Date: Sat, 19 Feb 2011 05:20:28 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 188
Cache-Control: must-revalidate

{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":0,"compact_running":false,"disk_size":4182,"instance_start_time":"1298092462502662","disk_format_version":5}
```

```
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Etag: "1-2512702fff02fe841adecde4a22c62b5"
Date: Sat, 19 Feb 2011 05:20:47 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 155
Cache-Control: must-revalidate

{"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a22c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999}
Connection closed by foreign host.
```
Redis
✦ Protocol: plain text (usable straight from telnet)
✦ API: many languages
✦ Query: commands
✦ Language: C
Cassandra
✦ Protocol: binary (Thrift)
✦ API: Thrift
✦ Query: columns/ranges
✦ Language: Java
Cassandra
✦ Column (a name/value/timestamp triplet)
✦ Supercolumn (made up of columns)
✦ Column family (contains columns, or supercolumns when ColumnType="Super")
✦ Keyspace (holds column families)
Cassandra: keyspace definition in storage-conf.xml

```xml
<Keyspace Name="BloggyAppy">
  <!-- CF definitions -->
  <ColumnFamily CompareWith="BytesType" Name="Authors"/>
  <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="Comments"
                CompareSubcolumnsWith="BytesType" ColumnType="Super"/>
</Keyspace>
```
Attack vectors
Introduction
✦ Many different database concepts
✦ Many different implementations
✦ So the attack vectors are very specific and depend on each implementation
HTTP based attacks
✦ Who uses HTTP?
✦ CouchDB
✦ HBase (through its REST interface)
✦ Riak
✦ How to find vulnerabilities?
✦ fuzzing: hzzp
Exploiting listeners
✦ Since they run over HTTP, misconfigured caching/forward proxies can be used to reach them: the request is sent to the public proxy, and the Host header names the internal database listener

```
$ telnet server.com 80
Trying X.X.X.X...
Connected to server.com.
Escape character is '^]'
GET /_all_dbs
Host: 192.168.2.18
```
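Two checks a tester would script from the transcripts above and from the proxy trick, as an added example that is not part of the talk: building the Host-header probe that goes through the proxy, and recognising CouchDB from a raw HTTP response (Server header and/or the JSON it returns). The sample response is the GET /rooted/ reply from the earlier slide, re-joined with CRLF line endings; the function names are this example's own.

```javascript
const CRLF = '\r\n';

// Build the probe the slide types by hand: a request to the proxy whose Host header
// names the internal CouchDB listener, so a misconfigured forward/cache proxy relays it.
function buildProxyProbe(targetHost, path) {
  return ['GET ' + path + ' HTTP/1.1', 'Host: ' + targetHost, 'Connection: close', '', ''].join(CRLF);
}

// Minimal HTTP/1.1 response parser: status code, lower-cased header map, raw body.
function parseHttpResponse(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split(CRLF);
  const status = parseInt(lines[0].split(' ')[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status, headers, body };
}

// Recognise CouchDB from the Server header and/or the welcome / db-info JSON it returns.
// Returns null when the response does not look like CouchDB at all.
function fingerprintCouch(raw) {
  const res = parseHttpResponse(raw);
  const m = /^CouchDB\/(\S+)(?:\s+\((.*)\))?/.exec(res.headers['server'] || '');
  let json = null;
  try { json = JSON.parse(res.body); } catch (e) { json = null; }
  if (!m && !(json && json.couchdb === 'Welcome')) return null;
  return {
    version: m ? m[1] : (json.version || null),
    runtime: m && m[2] ? m[2] : null,
    status: res.status,
    body: json,
  };
}

// Sample input: the GET /rooted/ response shown on the slide, re-joined with CRLF.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: CouchDB/0.11.0 (Erlang OTP/R14B)',
  'Date: Sat, 19 Feb 2011 05:20:28 GMT',
  'Content-Type: text/plain;charset=utf-8',
  'Content-Length: 188',
  'Cache-Control: must-revalidate',
  '',
  '{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":0,"compact_running":false,"disk_size":4182,"instance_start_time":"1298092462502662","disk_format_version":5}',
].join(CRLF);

console.log(buildProxyProbe('192.168.2.18', '/_all_dbs'));
console.log(fingerprintCouch(SAMPLE_RESPONSE));
```

The probe is deliberately HTTP/1.1 with an explicit Host, because that header is the whole trick: a proxy that routes on Host rather than on its own configured upstreams will forward the request to whatever address the client names.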
JSON injection

```javascript
db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )
db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )
```

The second query carries an injected clause, { c : /.*/ }, which matches every document that has a field c. Just as input is escaped for SQL, the same must be done when working with MongoDB or CouchDB: untrusted values must never be able to add operators or clauses to the query structure.
Array injection: MongoDB + PHP
✦ In PHP a request variable becomes an array simply by adding brackets to its name
✦ If the admin password is "not equal" to an arbitrary value, the filter matches and we get in
✦ Besides $ne we can inject:
✦ $or, $exists, $nin, $in, $lt, ... (logical and comparison operators)
✦ &var[$regex]=/privileged/i (regular expressions)

```php
<?php
// Vulnerable login lookup: request values go straight into the filter
$collection->find(array(
    "username" => $_GET['username'],
    "passwd"   => $_GET['passwd']
));
?>
```

/login.php?username=admin&passwd[$ne]=1

```php
<?php
// What the driver actually receives for that URL: passwd is now an operator object.
// The key must be single-quoted; "$ne" in double quotes would interpolate a PHP variable.
// The value arrives as the string '1'.
$collection->find(array(
    "username" => "admin",
    "passwd"   => array('$ne' => '1')
));
?>
```
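The attack above, worked through end to end as an added example (not code from the talk): a parser that fills an object the way PHP fills $_GET from `passwd[$ne]=1`, the slide's vulnerable filter next to a hardened builder that refuses anything but scalar strings, a detection check for operator keys, and a small in-memory evaluator for the operators the slide lists so the effect is visible without a running MongoDB. The user records and all function names are constructed for the example.

```javascript
// Parse a query string the way PHP fills $_GET: "passwd[$ne]=1" becomes { passwd: { '$ne': '1' } }.
// Bare "[]" uses the next numeric index, as PHP does. Values are always strings.
function parsePhpQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(decodeURIComponent(rawKey));
    if (!m) continue;
    const path = [m[1]].concat((m[2].match(/\[([^\]]*)\]/g) || []).map((s) => s.slice(1, -1)));
    let cur = out;
    for (let i = 0; i < path.length; i++) {
      const seg = path[i] === '' ? String(Object.keys(cur).length) : path[i];
      if (i === path.length - 1) { cur[seg] = value; break; }
      if (cur[seg] === null || typeof cur[seg] !== 'object') cur[seg] = {};
      cur = cur[seg];
    }
  }
  return out;
}

// The slide's login code, transcribed: request values are dropped straight into the filter.
function buildFilterVulnerable(params) {
  return { username: params.username, passwd: params.passwd };
}

// Hardened variant: a credential must be a scalar string. Anything else (an array, an
// operator object) is rejected before it reaches the driver, so the filter can only ever
// be a plain equality match on both fields.
function buildFilterSafe(params) {
  const { username, passwd } = params;
  if (typeof username !== 'string' || typeof passwd !== 'string') {
    throw new TypeError('login fields must be plain strings');
  }
  return { username: username, passwd: passwd };
}

// Detection check for request-derived values: any object key starting with "$" is an operator.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some((k) => k.startsWith('$') || containsOperator(value[k]));
  }
  return false;
}

// In-memory evaluator for the subset of operators the slide lists, to show the effect
// without a running MongoDB. Real drivers apply the same semantics server-side.
function matchCond(actual, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return actual !== arg;
        case '$in': return Array.isArray(arg) && arg.includes(actual);
        case '$nin': return Array.isArray(arg) && !arg.includes(actual);
        case '$lt': return actual < arg;
        case '$exists': return (actual !== undefined) === Boolean(arg);
        case '$regex': return typeof actual === 'string' && new RegExp(arg).test(actual);
        default: throw new Error('unsupported operator ' + op);
      }
    });
  }
  return actual === cond;
}

function find(collection, filter) {
  return collection.filter((doc) => Object.entries(filter).every(([f, c]) => matchCond(doc[f], c)));
}

// Constructed sample collection (not data from the talk).
const USERS = [
  { username: 'admin', passwd: 's3cret-admin' },
  { username: 'bob', passwd: 'hunter2' },
];

const attack = parsePhpQuery('username=admin&passwd[$ne]=1');
console.log('vulnerable filter matches', find(USERS, buildFilterVulnerable(attack)).length, 'user(s)');
```

The type check is the real fix: once every credential field is forced to be a string, there is no key for the driver to interpret as an operator, whatever the request looked like. `containsOperator` is useful as a detection rule on request logs or as a guard in front of code you cannot change.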
View injection
✦ CouchDB uses SpiderMonkey as its scripting engine
✦ The JS is loaded as views (note the libcurl dependency: the view server itself links an HTTP client)

```
$ ldd /usr/lib/couchdb/bin/couchjs
        libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000)
        libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000)
        ...
```
View injection
✦ There are predefined (design document) and temporary views
✦ They are how MapReduce is run
✦ Inject into them to obtain arbitrary data, or modify values to alter the execution flow
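The injection the two View Injection slides describe, as an added example that is not code from the talk or from CouchDB: an application builds a map function from a user-supplied owner name, and a crafted name turns it into a view that emits every complete document, DNI included. `runMap` is a toy stand-in for couchjs that compiles the map source in the host JavaScript engine and collects `emit()` rows; the documents, the `owner` field and the builder names are constructed for the example.

```javascript
// Constructed sample documents in the shape of the one fetched on the CouchDB slide.
const DOCS = [
  { _id: 'f34aae022f67a23ac56dba5b4e000cf2', owner: 'jose', Nombre: 'Jose', DNI: '9393948K', telefono: 999999999 },
  { _id: 'f34aae022f67a23ac56dba5b4e000d10', owner: 'ana', Nombre: 'Ana', DNI: '1234567A', telefono: 888888888 },
];

// Tiny stand-in for the view server: compile the map function source and collect emit() rows.
// CouchDB does the same job in couchjs (SpiderMonkey); this uses the host engine instead.
function runMap(mapSource, docs) {
  const rows = [];
  const emit = (key, value) => { rows.push({ key, value }); };
  const mapFn = new Function('emit', 'return (' + mapSource + ');')(emit);
  for (const doc of docs) mapFn(JSON.parse(JSON.stringify(doc)));
  return rows;
}

// Vulnerable builder: the user-supplied owner is spliced into the JavaScript source.
function buildMapVulnerable(owner) {
  return 'function(doc) { if (doc.owner == "' + owner + '") emit(doc._id, doc.Nombre); }';
}

// Hardened builder: the value is embedded as a JSON string literal, so it can only ever be a
// string compared against doc.owner, never code (JSON string escapes are valid JS escapes).
// Better still is a fixed design-document view that takes the owner as a query key, so no
// source is generated from input at all.
function buildMapSafe(owner) {
  return 'function(doc) { if (doc.owner === ' + JSON.stringify(String(owner)) + ') emit(doc._id, doc.Nombre); }';
}

// Payload that closes the string and the if, emits every full document, and re-opens a
// harmless comparison so the generated source still parses.
const PAYLOAD = 'x" || true) { emit(doc._id, doc); } if (doc.owner == "x';

console.log(runMap(buildMapVulnerable(PAYLOAD), DOCS).length, 'rows leaked by the injected view');
console.log(runMap(buildMapSafe(PAYLOAD), DOCS).length, 'rows from the hardened view');
```

Note what the hardened builder does and does not fix: it stops code injection through the value, but if the temporary-view endpoint itself is reachable by untrusted clients they can submit any map function they like without going through the application at all, so the listener must not be exposed to them in the first place.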
REST injection
✦ Cross-database access: the user picks the database name, so any CouchDB endpoint can be reached through the application
✦ /?db=_all_dbs
✦ /?db=usuarios

```php
<?php
// Vulnerable: both path segments come straight from the request
$dbname = $_GET["db"];
$doc_id = $_GET["d_id"];
$resp = $couch->send("GET", "/" . $dbname . "/" . $doc_id);
?>
```
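The path-building bug above with its fix, as an added example that is not code from the talk: the vulnerable concatenation next to a builder that validates both segments (CouchDB's documented database-name rule, which already excludes every `_`-prefixed server endpoint, plus an application rule for document ids) and percent-encodes them, and an allowlist resolver for the common case where the user should never choose a database at all. The id pattern, the database labels and the function names are assumptions made for the example.

```javascript
// The slide's PHP, transcribed: both path segments come straight from the request.
function buildCouchPathVulnerable(dbname, docId) {
  return '/' + dbname + '/' + docId;
}

// CouchDB's documented database-name rule: a lowercase letter, then a-z 0-9 _ $ ( ) + - /.
// Because the first character must be a letter, every "_"-prefixed server endpoint
// (_all_dbs, _config, _stats, _utils) fails this test.
const DB_NAME = /^[a-z][a-z0-9_$()+\/-]*$/;
// Application-level rule for document ids (assumption: this app's ids are hex or similar).
// It excludes "/" and a leading "_", so neither "_all_docs" nor "../_config" can be built.
const DOC_ID = /^[A-Za-z0-9][A-Za-z0-9._:-]{0,255}$/;

function buildCouchPath(dbname, docId) {
  if (typeof dbname !== 'string' || !DB_NAME.test(dbname)) {
    throw new RangeError('invalid database name: ' + JSON.stringify(dbname));
  }
  if (typeof docId !== 'string' || !DOC_ID.test(docId)) {
    throw new RangeError('invalid document id: ' + JSON.stringify(docId));
  }
  // Percent-encode anyway, so a "/" legitimately inside a db name reaches CouchDB as %2F
  // and cannot add a path segment.
  return '/' + encodeURIComponent(dbname) + '/' + encodeURIComponent(docId);
}

// Stricter variant for apps where the database is never the user's choice: map a short
// label to a fixed name and refuse everything else (labels are assumptions for the example).
const DATABASES = { users: 'usuarios', blog: 'rooted' };
function resolveDatabase(label) {
  if (!Object.prototype.hasOwnProperty.call(DATABASES, label)) {
    throw new RangeError('unknown database label: ' + JSON.stringify(label));
  }
  return DATABASES[label];
}

console.log('vulnerable:', buildCouchPathVulnerable('usuarios', '_all_docs'));
console.log('validated: ', buildCouchPath(resolveDatabase('users'), 'f34aae022f67a23ac56dba5b4e000cf2'));
```

The second example payload, `d_id=_all_docs`, is worth remembering alongside `db=_all_dbs`: it stays inside the intended database and still dumps every document id.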
CouchDB info (all served without authentication on a default install, which ships in "admin party" mode with no admin user defined)
✦ http://172.16.163.129:5984/_config
✦ http://172.16.163.129:5984/_all_dbs
✦ http://172.16.163.129:5984/_stats
✦ http://172.16.163.129:5984/_utils
CouchDB command execution
GQL injection
✦ GQL (the Google App Engine datastore query language) can be injected, but in a fairly constrained environment
✦ There is no negation operator "!"
✦ The GQL command set is very limited
Key bruteforce
✦ With no schema, there is nothing to work out first
✦ The ids are long, but they are not generated randomly; note the shared prefix, only the last hex digits move:
e479f720ff9a05fb2f441fef97000c87
e479f720ff9a05fb2f441fef97000b61
Cassandra security
✦ If we can modify a column family name, we can read elements from another family

```php
<?php
// ...
$columnParent = new cassandra_ColumnParent();
$columnParent->super_column = NULL;
// User-controlled prefix: the column family name is built from the request
if (isset($_GET['CF']))
    $columnParent->column_family = $_GET['CF'] . "_myfam";

$sliceRange = new cassandra_SliceRange();
$sliceRange->start = "";
$sliceRange->finish = "";
$predicate = new cassandra_SlicePredicate();
// column_names is left unset: the empty slice range selects every column
$predicate->slice_range = $sliceRange;

$consistency_level = cassandra_ConsistencyLevel::ONE;

$keyUserId = 1;
$result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level);

print_r($result);
// ...
?>
```
Denial of service
✦ Connection pollution
✦ CouchDB: its interface is implemented as a RESTful HTTP API
✦ With GQL it is possible to cause a DoS by crafting malicious queries that burn CPU, so the application gets suspended from GAE or billed for the extra CPU
Questions