The Database Hacker’s Handbook by David Litchfield, Chris Anley, John Heasman and Bill Grindlay

The Database Hacker’s Handbook

  • Authors: David Litchfield, Chris Anley, John Heasman and Bill Grindlay
  • 500 pages
  • Publisher: Wiley (Jul 5 2005)
  • Book Dimensions: 9.2 x 7.4 x 1.2 inches
  • ISBN: 0764578014
  • Buy on Amazon: Paperback, Kindle
  • ITBookworm Score: 5 / 5


If you want to understand DB exploits, and I mean actually understand them, and not just follow a list of lockdown procedures with no real idea of why what you’re doing is important, then you’ll love this book. This is one of those books that you will read again and again as your understanding of the subject matter increases. I have never seen a book that better explains database-specific exploits… much less across as many platforms as this one covers. This is an excellent book to begin your understanding of the science of the different categories of attacks. The book explains all the attacks in detail and gives plenty of examples for each. The one thing to bring away from this book is that NO database is immune to being exploited and that popularity and functionality of the product have just a lot to do with security. Put simply, the more popular a DB is the more it is likely to be attacked, and the more functionality it has, the larger the surface area for attack is going to be. Of course, the skill of the DBA and of the hacker is also important. If I had to apply a simple thesis statement to this book it would simply be: If you think you know database security, think again.

Who is this book really for?

Have you ever wondered exactly how Slammer worked? Do you know what a salt is? How about a buffer overflow? Well, if you don’t know the answer to any or all of these questions then this book is for YOU. This book is mainly for DBAs, but anyone wanting to really learn about database exploits will benefit. Notice I said database exploits, and not database security. There is a huge difference between an exploit and security, at least in how the terms are usually used. Typically, whenever database security is discussed it refers to the specific implementation of rights and surface area configuration. That is not what this book is about. This book is about exploits. It gives generic terms and explanations of actual exploits, and then gives specific examples from all the big DBs on the market.

Writing Style

I have met guys like David Litchfield before… the kind of guy who has forgotten more about security than most of us will ever know. You find yourself hanging on every word he says because you never know when he’s going to say something in passing that will wake you up to something you never even thought of. This book is presented in exactly that way. The authors really prove how important attention to detail can be. Their style is relaxed and straightforward without being overly technical or condescending. The subject matter itself can be dry, but it isn’t presented in a way that’s the least bit boring. In fact, if I were pinned down, I’d have to say that this book is somewhere between watching Halle Berry sunbathe in Swordfish, and reading Great Expectations. If you really want to learn about database exploits you’ll love the no-nonsense writing style of these authors.

Table of Contents

Chapter 1: Why Care about Database Security?

In this chapter, the basics of DB security are discussed. This doesn’t mean the basics of creating user accounts or locking down a server. The discussion revolves around security alert releases and the different classifications of security flaws. Each one of the flaws is given ample time so that you understand exactly what the classification means. Although I call this the chapter on basics, most DBAs will learn something. It also gives advice on the best defense against each type of attack. It gives 6 pieces of advice on how to go about finding your own bugs. In short, this chapter is an excellent beginning to understanding database attacks. Several types of attacks are discussed, most with specific examples of discovered vulnerabilities in the different DB systems.

Chapter 2: The Oracle Architecture

Discusses how TNS listener works, and how it’s likely to respond to requests. Also discusses all Oracle processes and their roles. Discusses Intelligent Agent, how it works, and how to exploit it. Gives large script used to dump information out of the agent. Talks about authenticating using a default accounts and passwords, and gives some great advice on changing these default passwords, and how by merely changing the password the wrong way can leave you exposed. Next it discusses authentication to Oracle itself as well as default user accounts and passwords. The authentication process is discussed in some detail and in the true fashion of Litchfield’s previous works, network traces are provided to illustrate the process. Key system privileges that can be used to gain complete control of the database are also discussed. The chapter finished up with a brief discussion on auditing.

Chapter 3: Attacking Oracle

Starts out with discussion on port scanning for oracle services and lists the services and their default ports. Next it discusses how to get information about the version and OS and even gives the code to make it happen. Compromising the TNS listener and the log file is discussed next. It’s just amazing the different ways there are to gain access to a system… which is the point of the book I suppose. It also gives the full source code for this attack. Then attacking the DB through pl/sql vulnerabilities is discussed in detail including getting information on encrypted packages. Tons of explanation and code for pl/sql injection. Then attacks on Oracle Application server are explained and shown.

Chapter 4: Oracle: Moving Further into the Network

This is just an excellent chapter. It basically talks about hacking PL/SQL through extended packages (XPs to us SQL Server folk). It weaves a very frustrating tale of exploits and attempted fixes by Oracle. It seems that as soon as a hole was plugged, another would spring, or they hadn’t take something else into account and the hole still existed. It’s really frustrating to realize that there are so many pitfalls, and how difficult it could be to lock your box down. It almost makes you think that they should pay people whose sole purpose it is to secure your network. Accessing the file system through packages, and through java is also explored, and some example code is given. Gaining access through database links, and a buffer overflow exploit using database links is discussed though no code is given. Next, accessing the network through default packages is discussed and gives insight into the attacks work by offering source code for a port scanner that also uses one of these functions.

Chapter 5: Securing Oracle

OK, with all the exploits listed in the book so far, it’s now time to lock it down. This chapter gives some solid step-by-step advice on what to do to lock down your Oracle box. Of course, there’s really no way to lock it down completely, but you can lock it down as much as possible. One of the reasons you can’t lock it down completely is because it would mean turning off many of the features that makes the product what it is, and that’s just not practical. But you will at least know what you should do for a thorough lockdown, and then pick and choose at your leisure.

Chapter 6: IBM DB2 Universal Database

This is already a detailed chapter beginning with analyzing the DB2 network communication packets. I believe the authors are just thorough enough in their analysis. They can’t tell you everything you ever want to know about the encoding of these packets, but they do point you to a reference where you can look it up yourself. Next, they discuss the DB2 processes, and gives a helpful tutorial on connecting to DB2 from a client machine. As they say in the book, this is a good tutorial for those of us who don’t like to read the documentation. It surprised me that connecting to DB2 isn’t the same as connecting to SQL Server. You can’t just install the client and connect… there’s a little setup to perform. Then you get into a very brief description of physical file layouts for both Windows and Linux as well as default schemas and what they contain. Now we discuss DB2’s authentication strengths and weaknesses. Some interesting points are made about the way DB2 handles its security, and this is followed up with pages and pages of code. Finally authentication is discussed revealing the main authentication tables, and how they can be locked down to prevent non-privileged users from seeing which accounts have elevated rights.

Chapter 7: DB2: Discovery, Attack, and Defense

OK, as with any server on a network, if you want to attack it, you have to find it. This chapter deals with finding DB2 boxes on the network, and getting information on them. It doesn’t really say a lot, but it does contain plenty of code with which to do it. It does mention how to make your DB2 servers invisible on the network, but that information is pretty to come by anyway. Not a bad chapter, and definitely a necessary one… it just doesn’t have the astounding insights some of the others have.

Chapter 8: Attacking DB2

Here you start to see the pattern of the book emerge. Specific attacks are discussed in some detail with plenty of information on when the attacks are useful. Again, the authors supply plenty of code and the overall chapter is written as well as the others. Truly a wealth of information for a beginner, and if you apply the concepts here, you will find yourself discovering other exploits not listed.

Chapter 9: Securing DB2

This chapter doesn’t offer anything earth shattering. It basically says lock down the OS, remove excess privilege, and patch your installation. Worth reading if you don’t know where to start, but for most of us… it’s only 3 pages, so you won’t miss much.

Chapter 10: The Informix Architecture

As the title says, this chapter gives an overview of Informix architecture. It’s fairly short, but definitely necessary since almost none of us have ever touched Informix, so this is also a very necessary chapter if you want to understand anything at all about Informix.

Chapter 11: Informix: Discovery, Attack, and Defense

This chapter is surprisingly long considering the lack of popularity of Informix, and the very short length of the last chapter. We start off here with a discussion of Informix’s weaknesses during its authentication process. Then there are several pages of code that show you how to connect to a server and even exploit a username overflow. Next you get to examine the communication packets themselves to find out what secrets they hold. This is all part of the pre-authentication attack phase. Next you get into the post-authentication phase and look at exploiting some of the system functions. One of the things I love most about this book is that it gives very specific information like which functions when used without parameters will actually crash the server. Next, the authors give you some very handy code for reading all the usernames and passwords directly out of memory as a low privileged user. Very scary. I really like the section that talks about running arbitrary code. As it turns out, pretty much any user can run the SYSTEM function, which is the equivalent to xp_cmdshell in SQL Server. The authors outline some very specific attacks using this method and even provide the code.

Chapter 12: Securing Informix

Here we’ve got a couple pages on the same basic lockdown procedures… nothing special.

Chapter 13: Sybase Architecture

We start out here with a little history and some deployment scenarios. Nothing really special, but a good list of ports in case you’re trying to go through a firewall. We then jump basically into the security architecture so login basics, passwords, and file layout are discussed. It’s a high-level overview that remains extremely basic, so don’t expect too much.

Chapter 14: Sybase: Discovery, Attack, and Defense

The chapter starts out taking you through a failed authentication so you can read the packet to find out what version of Sybase you’re dealing with. The network packet wasn’t given the attention here that it has in other chapters, and that was a little disappointing. The real meat of this chapter seems to be injection attacks. There’s a section on injection basics that gives plenty of example code, but it’s only given in java, so those of us not skilled in the dark arts won’t be able to follow along very well. The actual injection portion is easy though, since it uses SQL, so regardless of how much java you know you’ll be able to at least follow along with the problem, even if you can’t try it out yourself. SQL Server has its roots in Sybase the authors decided to see what would happen using SQL Server injection techniques on Sybase. It starts with a very clever way to get a full list of DBs on the server. It then goes over specific T-SQL elements to see how they perform in Sybase. Again, it’s a basic section but there are some good pointers and some caveats on the subtle differences in how some of the elements work. There’s a very interesting section on using time delays as a technique to discover if an application is open to injection. An overview of defending against these attacks is given next. There’s not much detail, but it’s got a couple interesting points.

Chapter 15: Sybase: Moving Further into the Network

This one starts off with a few pages on java type attacks that I honestly couldn’t make myself are about. Then there’s a page on trojanning Sybase that is very interesting.

Chapter 16: Securing Sybase

This is a fairly short chapter that basically just provides a checklist for locking down your Sybase server. If you already have some experience with Sybase you probably won’t find it very interesting, but it’s a good sanity check to just run through it to make sure you didn’t forget anything. If you’re new to Sybase, it gives you some very good guidelines to securing an installation.

Chapter 17: MySQL Architecture

This starts out talking about the basic architecture, but within a very short time does a very good job of just scaring the hell out of you about ever installing MySQL. As it turns out it is open to many attacks right out of the box. It then goes into the problems with the protocol and discusses some specific attacks against it. There isn’t extensive code given, but enough to get the point across. Next there’s a very surprising discussion about the file structure and how exposed you are with the way MySQL keeps its files on disk. It also discusses the different storage engines and their different characteristics. It’s actually a very interesting read. Next users and groups are discussed along with the structures of the tables that hold the security information. We finish up with an overview of exploiting design flaws. Again, actually pretty interesting, especially if you’ve used MySQL and never gone under the covers.

Chapter 18: MySQL: Discovery, Attack, and Defense

This is a decent sized chapter. Apparently, there’s a lot to say about attacking MySQL. It’s not an enterprise-class DB so I’m not surprised that it’s got a lot of open holes though. OK, now the official material for the chapter begins. It starts off with a discussion on how to sniff your network for MySQL servers. It doesn’t analyze the authentication protocol like in the previous chapters, but somehow you’re left with the feeling that it isn’t that important. Then, it goes straight into injection. Several specific scenarios are given with PHP code for most of them. It’s a big section so take your time and learn the material. It’s very important. Knows bugs are given after this. Three pages of specific bugs are listed. It then gives extensive source code for performing the exploits in one of the bugs. Trojanning is next and goes over some specific examples of how to backdoor MySQL.

Chapter 19: MySQL: Moving Further into the Network

This chapter starts out by walking you through a password hash authentication attack and gives you the code and the step-by-step process to exploit it. Then it goes into UDFs on both UNIX and Windows and gives the C code. It’s a full page of code so have heart.

Chapter 20: Securing MySQL

This chapter is really the same as the other securing chapters with one major difference. MySQL isn’t as rich as the real enterprise DBs, so there are some different things you have to do to secure it that you wouldn’t have to do with say Oracle or SQL Server. Most of it is probably pretty basic, but it’s definitely worth a read if you want to harden your box at all. It’s not a long chapter, but it has all the checklists you’ll need.

Chapter 21: Microsoft SQL Server Architecture

This one opens with a brief discussion of SQL’s history. If you read the Sybase chapter it doesn’t say too much more than it did. Then it moves into a discussion of TDS and how it can be exploited in general. You now come to the section about network libraries and for the most part all of the important aspects are overviewed, but I found there to be a couple things I wish they had good deeper into. Authentication is discussed at a high level next. When using SQL authentication the passwords have a very weak hash when sent across the network. The secret to this code is revealed, and then C code is given that will decipher the captured hash into a readable password… good stuff that. Next there’s a discussion about OPENROWSET. It’s pretty basic, but I’m always surprised at how many DBAs don’t know functions like this exist. Next it talks about a few of the dangerous XPs and gives some example code for calling them. After that there’s an interesting discussion on password hacks and SP encryption weaknesses. It gives a couple external resources for both bypassing the encryption and creating unbeatable encryption for SPs. There are ways to break into a SQL box without having high privileges. This book shows you how you can perform a file upload attack as well as plant an XP Trojan. These are really very clever techniques that most DBAs don’t even know exist. It’s well worth reading more than once. Next, you get into a discussion of users, roles and passwords. Most of it can easily be found in BOL because it’s just an overview of the basics. The chapter shows how to breakdown the algorithm of the password hash, but that’s only so you’ll understand the different components. There’s no real solution to decrypting a SQL password that has been made public, so it really won’t do you any good for anything other than just knowing that it uses a time-based salt. What is fascinating though is that the Agent password is exposed by default and very few people bother plugging the hole. And what I mean by that is that the password hash is much simpler for the Agent and it is fairly easy to decrypt. If you want to really protect your SQL box, you need to read this chapter. Other types of passwords are discussed next, and it’s incredible yet again how easy it is to get at some of them. This is a very informative read and you can’t afford to miss it.

Chapter 22: SQL Server: Exploitation, Attack, and Defense

It starts out talking about the slammer worm and what made it work. It’s good discussion, but I would really like to see the actual code for performing the attack so I could experiment with it myself. Still, not many DBAs know what slammer was all about so this is a good primer. Next you get into injection. If you get this book for SQL Server then this will be excellent discussion for you. If you get it to read straight through chances are you’ll be kinda tired of injection by now. It does show some clever techniques and how to use them as well as some SQL Server specific stuff so you still won’t be disappointed. Next is a very interesting discussion on using OPENROWSET as a port scanner. This technique was more or less discussed in an earlier chapter, so there is some repetition. Now you get into defending against injection. There are some good techniques given that everyone can easily follow to protect their web code. Here’s something that goes overlooked in most DB security books… covering tracks. This next section is not only fascinating, it will scare you into checking all of your SQL boxes right away. It gives some really information on backdoors that hackers will use to allow themselves re-access into your system for future use. You can’t miss this section.

Chapter 23: Securing SQL Server

This chapter gives a good list of things to lockdown on your SQL box, though if you’ve got even a fair amount of experience you should know most of this. If you want to learn from scratch how to lockdown your box, then this is a good place to get started. It also makes a good sanity check for those of us who have done this before. You can just go down the list and make sure you’ve taken care of everything you need to.

Chapter 24: PostgreSQL Architecture

This is an excellent overview of PostgreSQL. If you’re just starting out and want a good primer on what it’s all about and what to look for then this is the place to be. It talks about file structure, protocols, authentication and many other topics.

Chapter 25: PostgreSQL: Discover and Attack

Covers the same stuff all the other discover and attack chapters covered of course this time with particular emphasis on PostgreSQL. It’s a good chapter that covers many topic areas with plenty of code to light the way. Since this book follows a pretty predictable pattern there’s no real need to go into details here.

Chapter 26: Securing PostgreSQL

Again, same basic lockdown procedures. If you’re being thrown into a support role for this DB go ahead and give it a glance just to make sure you’re on track.

-Sean McCown,

Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *