Information Leakage from Compromised Resources

A number of ways exist to glean useful information from a compromised host or account:

  • psql is a terminal-based PostgreSQL client that uses libpq, the C API for PostgreSQL. libpq will attempt to read passwords from the .pgpass file if the connection requires a password and none has been specified. This file is stored in the user's home directory (%APPDATA%\postgresql\pgpass.conf on Windows systems). Interestingly, PostgreSQL verifies the .pgpass file permissions before using its data; if group or world have access to the file it is deemed insecure and ignored (this does not necessarily mean that the passwords in .pgpass are incorrect, though).

  • The presence of a cron job that runs psql at scheduled intervals implies that the database's pg_hba.conf has been configured to allow trusted access from that host/username, or that the .pgpass file contains valid credentials. Cron jobs can be listed by executing crontab -l.

  • pgAdmin is a popular GUI query analyzer for Windows systems. It is currently installed with PostgreSQL 8.0 for Windows. pgAdmin stores server details in the registry at HKEY_CURRENT_USER\Software\pgAdmin III\Servers. pgAdmin does not save passwords.

  • If a web server or development system is compromised, the attacker may be able to gain database credentials from an inspection of the source code (likewise if the web server/web application contains a vulnerability permitting source code disclosure). If the application is written in PHP, a search for calls to pg_connect() or odbc_connect() will reveal the database hostname, database name, port, username, and password, or the Data Source Name.

  • If the compromised system runs a Java application that connects to a PostgreSQL database, it is likely to be using the PostgreSQL JDBC interface. Credentials may be stored in .properties files or may be hardcoded into the application. If the application source code is available, a search for the DriverManager.getConnection() method will reveal the JDBC URL, username, and password. If the source code is not present, running strings over the class files may reveal the credentials; otherwise the code can be partially reverse-engineered to source code with a tool such as Jode (http://jode.sourceforge.net).

  • If the compromised system is running Microsoft Windows, PostgreSQL connectivity may be provided via psqlODBC, the PostgreSQL ODBC driver. There are three types of Data Source Names (DSNs) that may contain PostgreSQL connection details: system, user, and file. A DSN is likely to contain a hostname, database name, and username. If it is used by a non-interactive client it is also likely to contain a password:

    • System DSNs are available to all users and are stored in the registry at HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI, typically under a key name of PostgreSQL.

    • User DSNs are available only to specific users and as such are stored under HKEY_CURRENT_USER\Software\ODBC\ODBC.INI.

    • File DSNs are stored in the directory specified by DefaultDSNDir under HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC; by default this is C:\Program Files\Common Files\ODBC\Data Sources.

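The .pgpass permission rule described above is easy to audit on the hosts you defend. The following script is an added example, not code from the book: it mirrors libpq's check (the file is ignored when any group or world permission bit is set, a check libpq performs only on Unix-like systems), parses the host:port:database:user:password format including backslash-escaped colons, and reports which credentials are present with passwords redacted. The sample file content and paths are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample .pgpass content (not taken from any real host).
# A backslash escapes ':' or '\' inside a field, so "s3cr\:et" is the password "s3cr:et".
SAMPLE_PGPASS = """# host:port:database:user:password
db1.example.internal:5432:inventory:app:s3cr\\:et
*:*:*:backup:nightly-pass
"""

def pgpass_is_usable(mode: int) -> bool:
    """libpq's rule on Unix-like systems: any group or world access bit means the file is ignored."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def parse_pgpass(text: str) -> list:
    """Split each non-comment line into five fields; the first four end at an unescaped ':'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields, cur, i = [], "", 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # escaped character: take it literally
                cur += line[i + 1]
                i += 2
                continue
            if ch == ":" and len(fields) < 4:        # field separator (password may keep raw colons)
                fields.append(cur)
                cur = ""
            else:
                cur += ch
            i += 1
        fields.append(cur)
        if len(fields) == 5:
            entries.append(dict(zip(("host", "port", "database", "user", "password"), fields)))
    return entries

def audit_pgpass(path: Path) -> dict:
    """Report the file mode, whether libpq would honour it, and each entry with the password redacted."""
    mode = stat.S_IMODE(path.stat().st_mode)
    entries = [{**{k: e[k] for k in ("host", "port", "database", "user")},
                "password_set": bool(e["password"])} for e in parse_pgpass(path.read_text())]
    return {"path": str(path), "mode": f"{mode:04o}", "libpq_will_use": pgpass_is_usable(mode), "entries": entries}

def audit_sample(mode: int) -> dict:
    """Write the constructed sample to a temporary .pgpass with the given mode and audit it (POSIX assumed)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / ".pgpass"
        p.write_text(SAMPLE_PGPASS)
        os.chmod(p, mode)
        return audit_pgpass(p)
```

Run `audit_sample(0o600)` and `audit_sample(0o644)` to see the same credentials reported as usable and ignored respectively; a file flagged as ignored still holds live passwords and should be treated as exposed, not as harmless.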


The Database Hacker's Handbook: Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156