SAINTCON 2023 - Alexander Rubin - Confused Deputy Problem
A comprehensive overview of the Confused Deputy Problem, a security issue where legitimate programs are tricked into performing malicious actions, with examples in MySQL, Postgres, and Redis databases.
- The Confused Deputy Problem is a security issue that occurs when a legitimate program is used to perform a malicious action.
- In relational databases, code can be stored inside the database, making it possible to exploit this issue.
- The problem occurs when a monitoring system or database administrator is tricked into running code that grants unauthorized access to sensitive data.
- An example of this issue is demonstrated using a MySQL database, where a monitoring user is tricked into running code that reveals the password for the MySQL root user.
- The issue is also explained in the context of Postgres, where the search path is used to trick the database into running malicious code.
- The problem is not limited to relational databases, but can also occur in non-relational databases such as Redis.
- A corrupted search path can be used to trick the database into running malicious code, allowing unauthorized access to sensitive data.
- The concept of a “super user” is introduced, which has complete control over the database, and can be used to escalate privileges.
- The issue is compared to a situation on Linux, where a SUID bit is used to elevate privileges.
- The concept of a “definer” is introduced, which is similar to a SUID bit, but is used in databases.
- The use of a “cron job” is demonstrated, which is a scheduled task that runs a script to fix a problem in a user’s home directory.
- The cron job is used to demonstrate the concept of a “confused deputy”, where a legitimate program is used to perform a malicious action.
- The concept of a “payload” is introduced, which is the malicious code that is executed when the monitoring system or database administrator runs the script.
- The issue is explained in the context of WordPress, where a WordPress user is tricked into running code that grants access to sensitive data.
- The issue is summarized as a problem of “misusing the authority of a system or program, and using it in a way that it was not intended to be used”.
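As an added illustration that is not part of the talk or this summary, the "definer" and search-path points above expressed in SQL: a Postgres SECURITY DEFINER function in its weak form beside its hardened form, an audit query that finds definer functions with no pinned search_path, and the equivalent audit for MySQL routines. The schema `app`, table `events` and role `monitoring` are assumed names.

```sql
-- Postgres: a SECURITY DEFINER function is the database analogue of a SUID binary.
-- Weak form: no search_path is pinned, so an unqualified name inside the body is
-- resolved through the caller's search_path, and the body runs with the owner's
-- rights regardless of who called it. (Hypothetical schema/table names.)
CREATE FUNCTION app.event_count() RETURNS bigint
LANGUAGE sql SECURITY DEFINER
AS $$ SELECT count(*) FROM events $$;

-- Hardened form: pin search_path for the duration of the call, qualify every
-- object reference, and grant EXECUTE only to the role that needs it.
CREATE OR REPLACE FUNCTION app.event_count() RETURNS bigint
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.count(*) FROM app.events $$;
REVOKE ALL ON FUNCTION app.event_count() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.event_count() TO monitoring;

-- Also withdraw the default CREATE privilege on the public schema, so ordinary
-- roles cannot place objects ahead of the intended ones in a search path.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Audit: SECURITY DEFINER functions outside the system schemas that do not pin
-- search_path (proconfig holds the function's SET clauses, or NULL if none).
SELECT n.nspname AS schema, p.proname AS function,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        SELECT 1 FROM unnest(p.proconfig) AS c(setting)
        WHERE c.setting LIKE 'search_path=%');

-- MySQL: the equivalent audit lists stored routines that run with a
-- high-privilege definer instead of the invoker's own rights.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, DEFINER, SECURITY_TYPE
FROM information_schema.ROUTINES
WHERE SECURITY_TYPE = 'DEFINER' AND DEFINER LIKE 'root@%';
```

Routines flagged by either audit are candidates for `SQL SECURITY INVOKER` (MySQL) or a pinned `search_path` plus narrowed grants (Postgres).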