Download Presentación de PowerPoint

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Remote Desktop Services wikipedia , lookup

Computer security wikipedia , lookup

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Cross-site scripting wikipedia , lookup

Transcript
Common Vulnerabilities and Attacks
From genesis to exploitation
Max Caceres
CORE Security
Technologies
www.coresecurity.com
Common vulnerabilities and attacks: from genesis to exploitation
AGENDA

Intro

Vulnerabilities and Attacks

Network Infrastructure Attacks

Application Attacks

Web Application Attacks

Q&A
A simple glossary of terms
VULNERABILITY / THREAT / ATTACK

Vulnerability
–

Threat
–

An error or weakness in design, implementation or operation
An adversary motivated and capable of exploiting a vulnerability
Attack
–
The means (sequence of actions) of exploiting a vulnerability
A vulnerability enables an attacker to subvert one or more of these security
elements
SECURITY ELEMENTS

Authentication
–

Authorization
–

Data can only be viewed by authorized parties
Integrity
–

What did you do?
Confidentiality
–

What can you do?
Auditing
–

Who are you?
Data is protected from accidental or deliberate modification
Availability
–
The system or service is available for legitimate users
The origin of a vulnerability can typically be traced to a coding error or a
design decision
VULNERABILITY

Design
–
–
–

Hard-coded or design limitations
Unforeseen conditions
Implicit trust
Implementation
–
–
Coding mistakes
Misconfiguration
Attacks can be classified by their impact: what is the attacker trying to achieve
ATTACKS BY IMPACT

Spoofing

Tampering

Repudiation

Information disclosure

Denial of service

Elevation of privilege
We will cover the most popular network infrastructure attacks
NETWORK INFRASTRUCTURE ATTACKS

Sniffing

ARP spoofing

Man in the Middle

SYN flood

Distributed Denial of Service
In certain network configurations, and attacker can eavesdrop on network
traffic
SNIFFING

Eavesdropping network traffic
–


Some link-layer protocols more vulnerable than others (ethernet, 802.11)
Authentication and private information can be viewed
LAN access required
–
Making the switch “stop switching” (resource starvation)
ARP | Who has 192.168.10.10?
ARP | is at de:ad:be:ef
MAC ADDR
PORT
00:01:03:02
2
0a:bd:10:21
3
de:ad:be:ef
4
…
…
IP relies on the ARP protocol to map IP addresses to physical addresses. ARP
is not cryptographically sound.
ARP SPOOFING

Impersonate a different IP address
–
–
Stage a Man-in-the-Middle attack
Gratuitous ARP
ARP | is at de:ad:be:ef
ARP | Who has 192.168.10.10?
ARP spoofing is used to stage a MitM attack, where the attacker positions
himself between the server and the victim to steal his private information
MAN IN THE MIDDLE

Attacker impersonates server
–

Credentials and private information can be captured
SSL
–
A warning is generated but, who reads them?
Sends
ARP
Sends
spoofs
requests
response
SERVER
to to
ATTACKER
VICTIM
address
Sends
Sends response
VICTIM req
to to
ATTACKER
SERVER
A design weakness in the TCP session establishment sequence allows an
attacker to exhaust the server’s memory
SYN FLOOD

Keeps many TCP connections in the HALF-OPEN state
–
Resource starvation
SYN | port 80
SYN | ACK | ISN# 2222
ACK #2222 | port 80 | data
ACK #bbbb| data
SESSION
SEQ#
23012:80
2222
12392:25
2223
12493:80
2224
…
…
Several network nodes are used to “fill” the target system’s network
DISTRIBUTED DENIAL OF SERVICE

Totally consumes the target network’s bandwidth
–

Resource starvation
Hard to trace
–
Attackers use compromised machines to launch attack
We will cover the most popular application layer attacks
APPLICATION ATTACKS

Buffer overflow

User supplied format strings

Integer manipulation

Race conditions
Buffer overflows, format strings and integer manipulation attacks represent
code injection attacks
CODE INJECTION ATTACKS

Take advantage of implementation specifics at the machine code level
–
–

Aimed at redirecting the execution flow of the target process
–

Most are C language specific
Attacks are tightly coupled with the target platform
If the attack fails it will almost always crash the target process
Originate due to mistakes during coding
Code Injection attacks are very dependant on internal memory structures such
as the stack or the heap
MEMORY LAYOUT

Stack
–
–
–
Top of the stack
Local variables
Function parameters
RETURN ADDRESSES
…
Function locals
Saved frame pointer (EBP)
Return address (saved EIP)
Function arguments
First block

Heap
–
–
Dynamic memory allocation
Linked lists of memory blocks
Second block
Third block
Buffer overflows are the most common code injection vulnerability, often
leading to system compromise
THE BUFFER OVERFLOW

Data exceeds the expected size and memory is overwritten
–
–
–

Stack overflows
Heap overflows
Function pointer overwrite (regular function pointers, exception handlers, v-tables)
A simple example:
void not_so_smart_f(char* user_controlled)
{
char not_big_enough[200];
strcpy(not_big_enough, user_controlled);
printf(“The user_controlled string really had %I chars”,
strlen(user_controlled));
}
/* profit */
Attacking a buffer overflow requires precise math but it is not that hard to
execute
BUFFER OVERFLOW | ATTACK

Attacks are broken in two pieces
–
–

Injection. Make the payload available to the target and point execution flow to
payload.
Payload. The code (actions) to be performed after control has been seized.
A simple example: the stack overflow attack
Attack
Payload (pad to 200 bytes)
xxxx
New return address (payload address)
Top of the stack
not_big_enough
payload
(200 bytes)
Saved frame
xxxx
pointer (EBP)
Return
Payload
address
address
(saved EIP)
user_controlled*

From the real world: MS DCOM overflow  The Blaster Worm
Format string vulnerabilities are very easy to pinpoint and exploit
USER SUPPLIED FORMAT STRINGS

A user-controlled variable is used to format a specified buffer
–
–

C specific
printf() family of functions
A simple example:
void not_so_smart_f2(char* user_controlled)
{
char big_enough[200];
snprintf(big_enough, sizeof(big_enough)-1,
user_controlled, “not_so_smart_f2”);
irrelevant_computation();
}
/* profit */
A format string attack takes advantage of the vulnerability to write arbitrary
memory addresses
FORMAT STRING | ATTACK


Attacks are similar to a buffer overflow (separate injection + payload)
The vulnerability can sometimes be used to read memory

Some “useful” format strings
–
–
–
%x. Prints the hexadecimal value of the
argument
%20x. Pads the output of “%x” with 20 space
characters to the left
%n. Stores the number of written characters into
the specified pointer
Top of the stack
…
Saved return address (EIP)
pointer to “not_so_smart_f2”
user_controlled*
sizeof(big_enough)-1
big_enough*
big_enough (200 bytes)
Saved frame pointer (EBP)

From the real world: WU-FTPD format string
Saved return address (&main)
Integer errors are a serious coding mistake that can often go unseen
INTEGER MANIPULATION

Data exceeds the expected size and memory is overwritten
–
–

Integer overflows and underflows
Signed vs Unsigned integers
A simple example:
void not_so_smart_f3(char* user_controlled)
{
unsigned char len = strlen(user_controlled);
if(len < 255) {
char* new_str = malloc(len+1);
strcpy(new_str, user_controlled);
}
irrelevant_computation();
}
/* profit */
INTEGER MANIPULATION (2)

Another simple example:
void not_so_smart_f4(char* user_controlled)
{
int len = strlen(user_controlled);
if(len < 254) {
char new_str[256];
strcpy(new_str, user_controlled);
}
irrelevant_computation();
}
/* profit */

From the real world: Apache Chunked Encoding  Slapper worm
Race condition vulnerabilities typically arise when checking for a given
privilege and exercising that privilege are not an atomic operation
RACE CONDITIONS


Coding mistake / Design issues
Enough time to introduce changes exists between a privilege check is made
and a privilege operation is performed

A simple example:
void not_so_smart_f5()
/* running as root */
{
if(access(“/tmp/the_log_file”, W_OK) == 0) {
fd = open(“/tmp/the_log_file”, O_WRONLY | O_APPEND);
…
}
}
/* profit */

From the real world: Linux kmod ptrace race condition
We will cover the most popular attacks against web applications
WEB APPLICATION ATTACKS

Session Management

SQL Injection

Cross Site Scripting

Parameter manipulation
Managing sessions securely is critical for web applications
SESSION MANAGEMENT

HTTP protocol lacks the session concept
–
–

Applications need to identify multiple requests coming from the same user
during the same session
–

Based on isolated HTTP requests and responses
Client requests a URL, server sends the respective response
Shopping cart
Typically solved with cookies
–
Advantages
» Can be per-session only or browser can cache them
» Browser makes cookies available only to the originating domain
–
Disadvantages
» User can modify them (as with everything else in an HTTP request)
» Sometimes they are a proxy for authentication (replay attacks)
A Cross Site Scripting vulnerability enables an attacker to insert arbitrary
HTML code into the webpage received by the client
CROSS SITE SCRIPTING



Lack of input validation
An attacker can inject arbitrary HTML and script code into the webpage
received by the user
A simple example
Badly_written_CGI_script()
{
username = Request[‘user’]
output(“<html><body><h1>Good morning “ + username +
“!</h1></html”)
}
–

Set username to “<SCRIPT>alert(‘PROFIT!’)</SCRIPT>”
Typically aimed at stealing cookies used for authentication
SQL Injection attacks provide a direct interface into the database in the
backend
SQL INJECTION


Lack of input validation
An attacker can execute arbitrary SQL statements in a backend database

A simple example
Badly_written_CGI_script()
{
username = Request[‘user’]
query(“SELECT * FROM users WHERE name =‘” + username + “’”)
}
–
Set username to “’; DROP
Query ends up being:
TABLE audit_trail --”
“SELECT * FROM users WHERE name =‘’; DROP TABLE audit_trail --’”
It is always a bad thing to trust parameters that the user can manipulate
PARAMETER MANIPULATION


Lack of input validation
The application uses parameters embedded in the request to track session
information
–
–
–


HTTP Headers
Cookies
Hidden form fields
The attacker has complete control of the HTTP request
A simple example
<HTML><HEAD><TITLE>Don’t do this at home</TITLE><HEAD>
<BODY>
<P>CLICK TO CONTINUE!
<FORM ACTION=/next>
<INPUT TYPE=HIDDEN NAME=“ADMIN” VALUE=“NO”>
<INPUT TYPE=SUBMIT VALUE=“NEXT”>
</FORM></BODY></HTML>
Q&A
Some references for more vulnerability and attack information
REFERENCES

Vulnerabilities
–
–
–
–

Bugtraq (http://www.securityfocus.com)
CERT (http://cert.org)
CVE (http://cve.mitre.org)
OWASP (http://www.owasp.org)
Attacks
–
–
http://www.packetstormsecurity.org/
http://community.corest.com/~juliano/
Thank You!
Maximiliano Caceres | [email protected]
http://www.coresecurity.com