Re: SQL Injection Legalities
From: Pete Finnigan (pete@peterfinnigan.demon.co.uk)
Date: 07/18/02
- Previous message: KF: "Re: Lindows Issues"
- In reply to: Wolf, Glenn: "RE: SQL Injection Legalities"
Date: Thu, 18 Jul 2002 19:27:01 +0100
To: "Wolf, Glenn" <glenn.wolf@we-inc.com>
From: Pete Finnigan <pete@peterfinnigan.demon.co.uk>
Hi Glenn
I am currently writing the SANS Step-by-step guide to securing Oracle,
which aims to cover all possible settings and actions that can be taken on an
Oracle database, application server et al to secure it.
I cover use of various settings in the profile that can be set per user/
per profile to stop this, cpu_per_session for instance.
A large number of Oracle DBAs and security professionals have been
reviewing the guide and a number of people are bench testing it now. It
should be available soon and I hope useful to anyone securing an Oracle
database.
kind regards
Pete Finnigan
--
pete@peterfinnigan.demon.co.uk
pete.finnigan@pentest-limited.com
http://www.pentest-limited.com/oracle-security.htm - "Exploiting and protecting Oracle"
http://online.securityfocus.com/infocus/1522 - "A simple Oracle Security Scanner"
http://www.pentest-limited.com/default-user.htm - "Oracle Default User and Password List"
http://www.pentest-limited.com/utl_file.htm - "Extracting Clear Text Passwords from the SGA"
In message <1712C308DB2ED311821F009027468B78B79E9E@primailserver.we-inc.com>, Wolf, Glenn <glenn.wolf@we-inc.com> writes
>This was being discussed as a legal issue in pen-test, but I was curious if
>anyone else has thought of using SQL Injection to cause a DoS.
>
>The search box could be used to extend the SQL query to include something
>like this:
>
>SELECT product_id, product_name
>FROM product
>WHERE product_name like '%bicycle%'''
>OR product_name in (SELECT product_name
>                    FROM product AS p1,
>                         product AS p2,
>                         product AS p3,
>                         product AS p4)
>OR product_name = ''
>
>where everything after the first OR is the SQL Injection. The second OR is
>only to maintain a valid SQL statement (assuming the final character in the
>query will be a single quote).
>
>The DoS is in the inner query, and caused by the cartesian product (joining
>all tables in every possible combination) generated by the query. If the
>PRODUCT table only has 1,000 rows, the inner query will generate
>1,000x1,000x1,000x1,000 rows, or 1 trillion rows. A larger product table or
>more aliased references to it would generate an even larger result set.
>
>This will most likely cause the database to a) Use up all available CPU
>resources, b) Use disk resources in temp space and swapping.
>
>In a web environment, even with many front-end load-balancing web servers,
>there is typically only one database. DoS-ing the database effectively
>DoS's all web users utilizing any kind of database function (search,
>ordering, etc.).
>
>As an Oracle DBA, I've seen this scenario caused by developers accidentally
>forgetting a join, and I've also seen LARGE production websites go down
>simply because there is too much load on the back-end database.
>
>As far as mitigation goes, there are parameters that can be set at a user-
>or profile-level to lower the execution priority of certain queries, or to
>limit query run-time, but in most cases, these are not set.
>
>Glenn
>
>
>-----Original Message-----
>From: Quickfinger [mailto:junk@quickfinger.com]
>Sent: Wednesday, July 17, 2002 4:12 PM
>To: Deus, Attonbitus
>Cc: Pen-Test
>Subject: Re: SQL Injection Legalities
>
>
>I am not a lawyer, but I do remember reading an article that used a
>very similar example. I believe this is illegal in California and I
>would not be surprised to hear that it's illegal in Oregon. Most
>likely this depends on the state, probably the state in which the
>server resides.
>
>I too am interested in hearing from a lawyer if there is one on this
>list.
>
>D. Joe Royer II, CCNA, CISSP
>
>On Wed, 17 Jul 2002, Deus, Attonbitus wrote:
>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> I hesitate asking the group about law, but here goes:
>>
>> Let's say a site gives you the capability to search their product-base via a
>> web input box. You know, the standard search/submit deal.
>>
>> You type in "bicycle" and it gives you everything that starts with
>> "bicycle." Simple enough. As we all know, web app susceptibility to SQL
>> injects runs amok; let's say in this case that instead of typing "bicycle,"
>> I type "bicycle' or 1=1--" and get all the products. Have I broken the
>> law? More specifically, have I broken the law in the US?
>>
>> One could argue that the site is allowing me to specify what I want to see,
>> and all I am doing is typing in what I want... Though the developer may
>> not have intended for me to pull up the data like that, does my doing so
>> constitute a crime?
>>
>> I'm not looking for ethical or moral debate here, I am hoping someone has
>> some distinct legal experience who knows. Thanks.
>>
>> AD
>>