Information Security CS 526 Lecture 11 - PowerPoint PPT Presentation

Slides: 16
Provided by: NINGH7
Transcript and Presenter's Notes

1
Information Security CS 526 Lecture 11
  • Software Vulnerabilities: Input Validation Issues

2
Steps in a standard break-in (Getting in)
  • Get your foot in the door
      • Steal a password file and run a dictionary attack
      • Sniff passwords off the network
      • Social engineering
      • Use an input vulnerability in a network-facing
        program (e.g., web server, ftp server, mail
        server, browser)
  • Use partial access to gain root (admin) access
      • Break some mechanism on the system
      • Often involves exploiting vulnerabilities in
        local programs (e.g., setuid programs)

3
Steps in a standard break-in (After Getting in)
  • Set up some way to return
      • Install a login program or web server with a
        back door
  • Cover your tracks
      • Disable intrusion detection, virus protection,
        and system functions that list running
        programs
  • Perform desired attacks
      • Break into other machines
      • Take over the machine

4
Common Software Vulnerabilities
  • Input validation
  • Buffer overflows
  • Format string problems
  • Integer overflows
  • Failing to handle errors

5
Input Validation
  • Sources of input
      • Command line arguments
      • Environment variables
      • Function calls from other modules
      • Configuration files
      • Network packets
      • Web form input
      • Scripting languages with string input

6
Weak Input Validation
  • What are some things that the attacker may try to
    achieve?
      • Crash programs
      • Execute arbitrary code (most valuable in setuid
        or setgid programs, which run with another
        user's privileges)
      • Obtain sensitive information
  • Many web site examples
      • Web form input
      • Scripting languages with string input

7
Command line
  • The user can set command line arguments to almost
    anything
      • With execve the caller supplies argv directly,
        so argv[0] (the "program name") can be set to
        any value, including NULL
  • Do not trust the name of the program
  • Do not just check for bad things (blacklisting)
  • Check for things that are allowed (whitelisting)
  • Check all possible inputs

8
Simple example
  • A wrapper that shows a file with cat:

    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        char buf[1024];
        /* argv[1] is copied into the command string unchecked
           (and sprintf does not bound the copy either) */
        sprintf(buf, "cat %s", argv[1]);
        system(buf);   /* runs "sh -c buf" */
        return 0;
    }

  • The user can easily add things to the command by
    putting shell metacharacters in argv[1] (e.g., a `;`
    followed by another command)

9
Environment variables
  • Users can set the environment variables to
    anything
      • With execve the caller supplies envp directly
  • Has some interesting consequences for privileged
    (setuid) programs
  • Examples
      • LD_LIBRARY_PATH
      • PATH
      • IFS

10
An example attack
  • Assume you have a setuid program that loads
    dynamic libraries
  • The dynamic linker searches the directories listed
    in the environment variable LD_LIBRARY_PATH for
    libraries
  • A user can set LD_LIBRARY_PATH to /tmp/attack and
    place their own copy of the libraries there; the
    setuid program then runs the attacker's code with
    elevated privileges
  • Most modern C runtime libraries have fixed this
    by ignoring LD_LIBRARY_PATH (and related LD_*
    variables such as LD_PRELOAD) when the EUID is not
    the same as the UID or the EGID is not the same as
    the GID

11
More fun with environment variables
  • A setuid program contains the call system("ls")
  • system() runs the command through the shell, which
    looks up ls along PATH
  • The user sets PATH to "." and places a program
    named ls in the current directory
  • The user can then execute arbitrary code with the
    privileges of the setuid program
  • Solution: reset PATH to a standard value (e.g.,
    /bin:/usr/bin), or better, invoke the program by
    absolute path (/bin/ls) and avoid the shell
    altogether

12
Even more fun
  • However, you must also reset the IFS variable
  • IFS is the set of characters the shell treats as
    white space when splitting words
  • If it is not reset, the user can add "s" to IFS
  • The old Bourne shell split the command text itself
    on IFS, so system("ls") became a call to a program
    named "l"
  • Place a program l in a directory on PATH and it runs
    with the setuid program's privileges
  • Modern shells apply IFS only to the results of
    expansions, not to the literal command text, so this
    particular trick no longer works; an attacker-chosen
    IFS still changes how expanded values are split,
    which is why hardened programs reset or drop it
    anyway
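The three environment-variable slides (LD_LIBRARY_PATH, PATH, IFS) share one fix: a privileged program should not inherit the caller's environment at all. The following is an added example, not code from the lecture; `build_safe_env`, `env_value`, `run_ls_safely`, the allowed-variable list and the constructed `hostile_env` are this example's own names and policy. It rebuilds the environment from a fixed PATH and IFS plus a short whitelist of harmless variables, drops everything else (so LD_LIBRARY_PATH, LD_PRELOAD or BASH_ENV never reach a child), and replaces `system("ls")` with an `execve` of /bin/ls by absolute path, with no shell involved.

```c
/* Added example: environment sanitising for a privileged program.
 * Not from the slides; names and the whitelist are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

#define SAFE_PATH "PATH=/bin:/usr/bin"
#define SAFE_IFS  "IFS= \t\n"

/* Only these caller variables survive. LD_*, PATH, IFS, ENV, BASH_ENV and
 * anything else unlisted are dropped. Extend only with what the program needs. */
static const char *const allowed_names[] = {"HOME", "LANG", "TZ", NULL};

static int name_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;                    /* malformed entry: drop it */
    size_t len = (size_t)(eq - entry);
    for (const char *const *p = allowed_names; *p != NULL; p++)
        if (strlen(*p) == len && strncmp(*p, entry, len) == 0) return 1;
    return 0;
}

/* Fill out[] (capacity max, NULL-terminated) with a fixed PATH and IFS plus
 * the whitelisted entries of in[]. Returns the entry count, or -1 if out[]
 * is too small. */
int build_safe_env(char *const *in, const char **out, size_t max) {
    size_t n = 0;
    if (max < 3) return -1;
    out[n++] = SAFE_PATH;
    out[n++] = SAFE_IFS;
    for (; in != NULL && *in != NULL; in++) {
        if (!name_allowed(*in)) continue;
        if (n + 1 >= max) return -1;
        out[n++] = *in;
    }
    out[n] = NULL;
    return (int)n;
}

/* Value of `name` in a NULL-terminated env array, or NULL if absent. */
const char *env_value(const char *const *env, const char *name) {
    size_t len = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

/* Slide 11's system("ls") done safely: absolute path, no shell, clean env.
 * Returns ls's exit status, 127 if it could not be executed, -1 on error. */
int run_ls_safely(void) {
    const char *env[64];
    if (build_safe_env(environ, env, 64) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"ls", NULL};
        execve("/bin/ls", argv, (char *const *)env);
        _exit(127);                               /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed attacker environment: the three slide examples plus a
 * shell start-up hook and one harmless variable. */
static char *hostile_env[] = {"PATH=.", "IFS=s", "LD_LIBRARY_PATH=/tmp/attack",
                              "BASH_ENV=/tmp/attack/rc", "HOME=/home/alice", NULL};

/* What `name` looks like after hostile_env has been sanitised (NULL = dropped). */
const char *sanitized_value(const char *name) {
    static const char *out[16];
    if (build_safe_env(hostile_env, out, 16) < 0) return NULL;
    return env_value(out, name);
}

int main(void) {
    const char *out[16];
    int n = build_safe_env(hostile_env, out, 16);
    printf("%d variables survive sanitising:\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", out[i]);
    return run_ls_safely();
}
```

The dynamic linker's own defence from slide 10 covers only the LD_* variables; PATH and IFS are interpreted by the shell, which has no such protection, so they have to be reset explicitly or, as here, the shell has to be taken out of the picture entirely.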

13
A Remote Example: PHP passthru
  • Idea
      • PHP's passthru(string) executes the string as a
        shell command
      • Pages can construct the string from user input
      • Put shell metacharacters in the user input to run
        your favorite command
  • The Morris Internet worm did something similar using
  • Example
      • passthru("find . -print | xargs cat | grep $test")
      • User input: ; ls /
      • Runs: find . -print | xargs cat | grep ; ls /
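Slide 8's `cat` wrapper and the passthru page above are the same bug: user input is spliced into a string that a shell then parses. The following is an added example, not code from the lecture; `blacklist_accepts`, `is_safe_filename`, `cat_file` and the file-name policy are this example's own choices. It shows why the blacklist from slide 7 fails (it rejects `;` but lets `|` through), a whitelist that admits only a plain file name, and the slide-8 command rebuilt without a shell: the argument goes into an argv array, so nothing in it can end or extend the command. The PHP analogue is to quote each argument with `escapeshellarg()` rather than concatenating raw input.

```c
/* Added example (not from the slides): the slide-8 "cat" wrapper done
 * without a shell, plus the checks that should precede it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Blacklist from slide 7: reject only ';'. Kept to show why it is not
 * enough: '|', '&', '`', "$(...)" and a newline still reach the shell as
 * command separators or substitutions. */
int blacklist_accepts(const char *arg) {
    return strchr(arg, ';') == NULL;
}

/* Whitelist: a plain file name only. Non-empty, at most 255 bytes,
 * characters limited to [A-Za-z0-9._-], no leading '-' (cat would parse it
 * as an option) and not "." or "..". '/' is rejected, so no traversal. */
int is_safe_filename(const char *arg) {
    size_t n = strlen(arg);
    if (n == 0 || n > 255) return 0;
    if (arg[0] == '-') return 0;
    if (strcmp(arg, ".") == 0 || strcmp(arg, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* sprintf(buf, "cat %s", arg); system(buf) with the shell removed: argv is
 * an array, so nothing in `arg` can terminate or extend the command, and
 * the environment is replaced (no PATH, IFS or LD_* from the caller).
 * Returns cat's exit status, -1 if `arg` fails the whitelist or fork/wait
 * fails, 127 if /bin/cat could not be executed. */
int cat_file(const char *arg) {
    if (!is_safe_filename(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"cat", "--", (char *)arg, NULL};   /* "--": end of options */
        char *envp[] = {"PATH=/bin:/usr/bin", NULL};
        execve("/bin/cat", argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "usage: catwrap <filename>\n");
        return 2;
    }
    int rc = cat_file(argv[1]);
    if (rc == -1) fprintf(stderr, "rejected: %s\n", argv[1]);
    return rc < 0 ? 1 : rc;
}
```

With the whitelist in place the input from slide 13, `; ls /`, is rejected before any process is started; even if a check were missing, `execve` hands the string to cat as one argument and the `;` is never seen by a shell.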

14
Readings for This Lecture
15
Coming Attractions
  • September 24
  • Buffer overflow (attacks and defenses)