Blackhat Recap

So I made it home tonight after spending a couple days out in California following Blackhat, so its time for my final recap. My last Blackhat training session was "Advanced Database Security Assesment" put on by a couple guys from NGS Software, and as I mentioned in the previous post, its first day didn't really live up to expectations. Well to be honest, neither did day 2, but it was still worthwhile. The presenters were both fairly entertaining, there were just too many technical difficulties to really get a good flow, including the fact that the VMWare demo images they gave us used British keyboard layouts and were incompatible with our US laptops. I am going to take the course materials and go through them again (and this time hopefully I can get alot of the demos to work), because there was alot of good stuff in there, they just didn't have much in the live demo department.

I was mostly interested in the MySQL material they presented, and they covered all of the major database implementations, so most of the material wasn't MySQL related, but there were some good gems in there. These included a couple of key MySQL authentication vulnerabilities: mainly one that allows the password hash to be used for authentication (if local network access is available, it can easily be sniffed off the wire) by patching a custom MySQL client. Chris Anley (who was not one of the session presenters), is the primary MySQL researcher at NGS, and has written some fairly interesting white papers if you are interested in MySQL security, the most notable of these being "Hack Proofing MySQL".

At any rate, the most interesting MySQL vulnerability is the hash authentication that can be done by modifying and compiling a custom client. This exists within the 4.0.x source tree and can be exploited by adding the following function into the password.c file in libmysql:

void use_hash(ulong *result, const char *password) {
if( strlen( password ) != 16 )
return;
sscanf( password, "%081x%081x", &(result[0]), &(result[1]) );
return;
}

Then, inside the scramble method, the following line should be removed (or commented out):

hash_password(hash_pass,password);

And replaced with the following line:

use_hash(hash_pass,password);

The client can then be recompiled and used to authenticate to the server using the password hash instead of the actual password.

In addition to this nifty trick, I also found out about a really neat tool called Absinthe, which can be used to exploit a SQL injection vulnerability to automatically enumerate the entire contents of the target database. Once you have located a vulnerable parameter, you just specify a few settings and let fly, and it will return all available database contents by automatically discovering tables and attributes.

If you have any specific questions for me regarding my thoughts on Blackhat (unfortunately I didn't stay to attend the briefings), or any of the material covered, please leave me a comment or contact me directly. I am usually on AIM during most normal hours.

And, on another note, due to my vacation eating habits, the fitness challenge is pretty blown and I'm probably as fat as ever.