Episode Information
Episode Name: Episode 16 - Mitigating a SQL attack with ASA, IPS and IOS Firewall
Contributors: Blayne Dreier, Jay Johnston, Magnus Mortensen, David White
Posting Date: February 2, 2011
Description: In this episode, the panel discusses SQL attacks against web servers, and how they are detected and mitigated by the IPS appliances. In addition, the panel looks at how you can use the same signatures from the IPS and apply them as regex matches to the http inspection engines on both the ASA and IOS-Firewall.
Listen Now (MP3 22.8 MB; 32:28 mins)
Subscribe to the Podcast
Subscribe to the Podcast in iTunes by clicking the image below:
Alternatively, you can search within iTunes for Cisco TAC Security Podcast, and subscribe there. By subscribing, you will automatically receive future episodes when they are posted.
About the Cisco TAC Security Podcast
The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.
Complete episode listing and show information
Show Notes
For the exploit used in the Podcast discussion, the following IPS signatures will detect the attack:
- Generic SQL Injection - Signature ID=5930
- SQL Query in HTTP Request - Signature ID=5474
Examining those signatures on the IPS, we can see the following Regular Expression (regex) patterns which are used to match against those signatures:
Generic SQL Injection - Signature ID=5930
Regex
[uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]
The above regex pattern is really looking for the following text "UNION ALL SELECT" - where the "ALL" is optional. It will also match on either a space or plus between words. Therefore, all of the following phrases will cause the regex to be matched:
UNION ALL SELECT
UNION SELECT
UNION+ALL+SELECT
UNION+SELECT
Also note that all of the text can be in any case, and that any space or plus can be either or. Thus the following also matches:
UnIoN+AlL sElEcT
Since the regex can be a little confusing, we have broken it apart to indicate what each section of the regular expression is doing.
One thing to note is that the (%20|\x2b) piece matches on either the URL encoding of a space, or a plus (+) - represented as \x2b in ASCII hexidecmal notation.
SQL Query in HTTP Request - Signature ID=5474
Regex
([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])
This second regex is slightly more complicated, but very similar to the previous one. In this case, the regex is matching on a preceeding space or plus or equal sign, with an optional open parenthesis, then the text SELECT followed by any number of characters and then the text FROM. Therefore, all of the following phrases will cause the regex to be matched:
+(SELECT+DATA+FROM+
=SELECT PASSWORD FROM
(SELECT * FROM
+(SELECT+*+FROM+
Given that there are 7 sections to the regex, there are quite a few different possibilities for this regex. Again, all text is case insensitive. One thing to note here is the alternate form of matching for a space or a plus ([%]2[0bB]|[+]). This form is a bit longer than the previous way we saw in signature 5930, and matches not only on the literal plus (+), but also the URL encoded form of a plus (%2b or %2B) - which is actually 3 ASCII characters.
CLICK TO ENLARGE IMAGE
Device Specific Configurations
IPS
No specific configuration is required on IPS, as the regular expressions above are included in the signature set which is installed on the IPS. They are also enabled by default, so users are protected from these types of attacks.
Signature definitions from http://www.cisco.com/security
Signature 5930/0: Generic SQL Injection
Signature 5474/0: SQL Query in HTTP Request
ASA
In order to match the above two regular expressions on the ASA (so that it detects the exploit), we have to do a few things.
First, the regex for signature 5474 is 133 characters, but the ASA has a limit on the maximum length of a regular expression - and it is 101 characters. Therefore, for the ASA we will use the following regular expression pattern
[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)
What we changed was we removed the leading check for a space, plus or equal, and also removed the optional brackets around the % and + signs. By removing the leading check for the space, plus or equal, it reduces the fidelity of the signature and can result in more false negative conditions.
Second, as the POST method we are using to exploit the vulnerability is sent in the Body, we need to increase the depth of how many bytes the ASA will look into the body, before stopping. By default it is 2,000 bytes. But, our exploit is just after 2,000 bytes, so we are increasing it to 3,000 bytes under the parameters section.
One final important note. The ASA parser will treat any question mark (?) you try to enter as the user asking for help. Therefore, in order to enter a question mark (?) in the regex, you must first escap it by entering Control+V character sequence, then the question mark. The Control+V character will not appear on the screen.
ASA Configuration
regex SQL_regex_1 "[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]"
regex SQL_regex_2 "[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)"
!
class-map WebServers
match port tcp eq www
class-map type inspect http match-any SQL-map
match request body regex SQL_regex_1
match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
parameters
body-match-maximum 3000
class SQL-map
drop-connection log
policy-map SQL-traffic
class WebServers
inspect http drop-SQL
!
service-policy SQL-traffic interface outside
ASA Syslog
When HTTP traffic matches the above regex, the ASA will generate the following syslog message to let the administrator know that the packet was denied and the connection reset.
%ASA-4-507003: tcp flow from inside:192.168.1.5/53583 to outside:198.51.100.208/80 terminated by inspection engine, reason - disconnected, dropped packet.
IOS
To mitigate this attack using IOS, we're using the Zone-Based IOS Firewall to watch just HTTP traffic to our webserver and monitor for any matches on the regex below. In this case the router happened to be running IOS version 15.1(2)T2, image c2800nm-adventerprisek9-mz.151-2.T2.bin
IOS Config
!
parameter-map type regex SQL-injection-regex-first
pattern [uU][nN][iI][oO][nN](%20|\x2b)([aA][lL][lL](%20|\x2b))?[sS][eE][lL][eE][cC][tT]
parameter-map type regex SQL-injection-regex-second
pattern ([%]2[0bB]|[=]|[+])[(]?[Ss][Ee][Ll][Ee][Cc][Tt]([%]2[0bB]|[+])[^\r\x00-\x19\x7f-\xff]+([%]2[0bB]|[+])[Ff][Rr][Oo][Mm]([%]2[0bB]|[+])
IOS Syslog
SQL Injection attacks can be funny too!
http://i.imgur.com/jWTXq.jpg
http://xkcd.com/327/
