1 / 30

Common Vulnerabilities and Attacks From genesis to exploitation

Common Vulnerabilities and Attacks From genesis to exploitation. Max Caceres CORE Security Technologies www.coresecurity.com. Common vulnerabilities and attacks: from genesis to exploitation. AGENDA. Intro Vulnerabilities and Attacks Network Infrastructure Attacks Application Attacks

emilios
Télécharger la présentation

Common Vulnerabilities and Attacks From genesis to exploitation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Common Vulnerabilities and AttacksFrom genesis to exploitation Max Caceres CORE Security Technologies www.coresecurity.com

  2. Common vulnerabilities and attacks: from genesis to exploitation AGENDA • Intro • Vulnerabilities and Attacks • Network Infrastructure Attacks • Application Attacks • Web Application Attacks • Q & A

  3. A simple glossary of terms VULNERABILITY / THREAT / ATTACK • Vulnerability • An error or weakness in design, implementation or operation • Threat • An adversary motivated and capable of exploiting a vulnerability • Attack • The means (sequence of actions) of exploiting a vulnerability

  4. A vulnerability enables an attacker to subvert one or more of these security elements SECURITY ELEMENTS • Authentication • Who are you? • Authorization • What can you do? • Auditing • What did you do? • Confidentiality • Data can only be viewed by authorized parties • Integrity • Data is protected from accidental or deliberate modification • Availability • The system or service is available for legitimate users

  5. The origin of a vulnerability can typically be traced to a coding error or a design decision VULNERABILITY • Design • Hard-coded or design limitations • Unforeseen conditions • Implicit trust • Implementation • Coding mistakes • Misconfiguration

  6. Attacks can be classified by their impact: what is the attacker trying to achieve ATTACKS BY IMPACT • Spoofing • Tampering • Repudiation • Information disclosure • Denial of service • Elevation of privilege

  7. We will cover the most popular network infrastructure attacks NETWORK INFRASTRUCTURE ATTACKS • Sniffing • ARP spoofing • Man in the Middle • SYN flood • Distributed Denial of Service

  8. MAC ADDR PORT 00:01:03:02 2 0a:bd:10:21 3 de:ad:be:ef 4 … … In certain network configurations, and attacker can eavesdrop on network traffic SNIFFING • Eavesdropping network traffic • Some link-layer protocols more vulnerable than others (ethernet, 802.11) • Authentication and private information can be viewed • LAN access required • Making the switch “stop switching” (resource starvation) ARP | Who has 192.168.10.10? ARP | is at de:ad:be:ef

  9. IP relies on the ARP protocol to map IP addresses to physical addresses. ARP is not cryptographically sound. ARP SPOOFING • Impersonate a different IP address • Stage a Man-in-the-Middle attack • Gratuitous ARP ARP | is at de:ad:be:ef ARP | Who has 192.168.10.10?

  10. Sends requests to ATTACKER ARP spoofs SERVER address Sends response to VICTIM Sends VICTIM req to SERVER Sends response to ATTACKER ARP spoofing is used to stage a MitM attack, where the attacker positions himself between the server and the victim to steal his private information MAN IN THE MIDDLE • Attacker impersonates server • Credentials and private information can be captured • SSL • A warning is generated but, who reads them?

  11. SESSION SEQ# 23012:80 2222 12392:25 2223 12493:80 2224 … … A design weakness in the TCP session establishment sequence allows an attacker to exhaust the server’s memory SYN FLOOD • Keeps many TCP connections in the HALF-OPEN state • Resource starvation SYN | port 80 SYN | ACK | ISN# 2222 ACK #2222 | port 80 | data ACK#bbbb| data

  12. Several network nodes are used to “fill” the target system’s network DISTRIBUTED DENIAL OF SERVICE • Totally consumes the target network’s bandwidth • Resource starvation • Hard to trace • Attackers use compromised machines to launch attack

  13. We will cover the most popular application layer attacks APPLICATION ATTACKS • Buffer overflow • User supplied format strings • Integer manipulation • Race conditions

  14. Buffer overflows, format strings and integer manipulation attacks represent code injection attacks CODE INJECTION ATTACKS • Take advantage of implementation specifics at the machine code level • Most are C language specific • Attacks are tightly coupled with the target platform • Aimed at redirecting the execution flow of the target process • If the attack fails it will almost always crash the target process • Originate due to mistakes during coding

  15. Top of the stack … Function locals Saved frame pointer (EBP) Return address (saved EIP) Function arguments Code Injection attacks are very dependant on internal memory structures such as the stack or the heap MEMORY LAYOUT • Stack • Local variables • Function parameters • RETURN ADDRESSES • Heap • Dynamic memory allocation • Linked lists of memory blocks First block Second block Third block

  16. Buffer overflows are the most common code injection vulnerability, often leading to system compromise THE BUFFER OVERFLOW • Data exceeds the expected size and memory is overwritten • Stack overflows • Heap overflows • Function pointer overwrite (regular function pointers, exception handlers, v-tables) • A simple example: void not_so_smart_f(char* user_controlled) { char not_big_enough[200]; strcpy(not_big_enough, user_controlled); printf(“The user_controlled string really had %I chars”, strlen(user_controlled)); } /* profit */

  17. payload xxxx Payload address Attack Top of the stack Payload (pad to 200 bytes) not_big_enough (200 bytes) xxxx Saved frame pointer (EBP) New return address (payload address) Return address (saved EIP) user_controlled* Attacking a buffer overflow requires precise math but it is not that hard to execute BUFFER OVERFLOW | ATTACK • Attacks are broken in two pieces • Injection. Make the payload available to the target and point execution flow to payload. • Payload. The code (actions) to be performed after control has been seized. • A simple example: the stack overflow attack • From the real world: MS DCOM overflow  The Blaster Worm

  18. Format string vulnerabilities are very easy to pinpoint and exploit USER SUPPLIED FORMAT STRINGS • A user-controlled variable is used to format a specified buffer • C specific • printf() family of functions • A simple example: void not_so_smart_f2(char* user_controlled) { char big_enough[200]; snprintf(big_enough, sizeof(big_enough)-1, user_controlled, “not_so_smart_f2”); irrelevant_computation(); } /* profit */

  19. A format string attack takes advantage of the vulnerability to write arbitrary memory addresses FORMAT STRING | ATTACK • Attacks are similar to a buffer overflow (separate injection + payload) • The vulnerability can sometimes be used to read memory • From the real world: WU-FTPD format string • Some “useful” format strings • %x. Prints the hexadecimal value of the argument • %20x. Pads the output of “%x” with 20 space characters to the left • %n. Stores the number of written characters into the specified pointer Top of the stack … Saved return address (EIP) pointer to “not_so_smart_f2” user_controlled* sizeof(big_enough)-1 big_enough* big_enough (200 bytes) Saved frame pointer (EBP) Saved return address (&main)

  20. Integer errors are a serious coding mistake that can often go unseen INTEGER MANIPULATION • Data exceeds the expected size and memory is overwritten • Integer overflows and underflows • Signed vs Unsigned integers • A simple example: void not_so_smart_f3(char* user_controlled) { unsigned char len = strlen(user_controlled); if(len < 255) { char* new_str = malloc(len+1); strcpy(new_str, user_controlled); } irrelevant_computation(); } /* profit */

  21. INTEGER MANIPULATION (2) • Another simple example: • From the real world: Apache Chunked Encoding  Slapper worm void not_so_smart_f4(char* user_controlled) { int len = strlen(user_controlled); if(len < 254) { char new_str[256]; strcpy(new_str, user_controlled); } irrelevant_computation(); } /* profit */

  22. Race condition vulnerabilities typically arise when checking for a given privilege and exercising that privilege are not an atomic operation RACE CONDITIONS • Coding mistake / Design issues • Enough time to introduce changes exists between a privilege check is made and a privilege operation is performed • A simple example: • From the real world: Linux kmod ptrace race condition void not_so_smart_f5() /* running as root */ { if(access(“/tmp/the_log_file”, W_OK) == 0) { fd = open(“/tmp/the_log_file”, O_WRONLY | O_APPEND); … } } /* profit */

  23. We will cover the most popular attacks against web applications WEB APPLICATION ATTACKS • Session Management • SQL Injection • Cross Site Scripting • Parameter manipulation

  24. Managing sessions securely is critical for web applications SESSION MANAGEMENT • HTTP protocol lacks the session concept • Based on isolated HTTP requests and responses • Client requests a URL, server sends the respective response • Applications need to identify multiple requests coming from the same user during the same session • Shopping cart • Typically solved with cookies • Advantages • Can be per-session only or browser can cache them • Browser makes cookies available only to the originating domain • Disadvantages • User can modify them (as with everything else in an HTTP request) • Sometimes they are a proxy for authentication (replay attacks)

  25. A Cross Site Scripting vulnerability enables an attacker to insert arbitrary HTML code into the webpage received by the client CROSS SITE SCRIPTING • Lack of input validation • An attacker can inject arbitrary HTML and script code into the webpage received by the user • A simple example • Set username to “<SCRIPT>alert(‘PROFIT!’)</SCRIPT>” • Typically aimed at stealing cookies used for authentication Badly_written_CGI_script() { username = Request[‘user’] output(“<html><body><h1>Good morning “ + username + “!</h1></html”) }

  26. SQL Injection attacks provide a direct interface into the database in the backend SQL INJECTION • Lack of input validation • An attacker can execute arbitrary SQL statements in a backend database • A simple example • Set username to “’; DROP TABLE audit_trail --” Query ends up being: “SELECT * FROM users WHERE name =‘’; DROP TABLE audit_trail --’” Badly_written_CGI_script() { username = Request[‘user’] query(“SELECT * FROM users WHERE name =‘” + username + “’”) }

  27. It is always a bad thing to trust parameters that the user can manipulate PARAMETER MANIPULATION • Lack of input validation • The application uses parameters embedded in the request to track session information • HTTP Headers • Cookies • Hidden form fields • The attacker has complete control of the HTTP request • A simple example <HTML><HEAD><TITLE>Don’t do this at home</TITLE><HEAD> <BODY> <P>CLICK TO CONTINUE! <FORM ACTION=/next> <INPUT TYPE=HIDDEN NAME=“ADMIN” VALUE=“NO”> <INPUT TYPE=SUBMIT VALUE=“NEXT”> </FORM></BODY></HTML>

  28. Q & A

  29. Some references for more vulnerability and attack information REFERENCES • Vulnerabilities • Bugtraq (http://www.securityfocus.com) • CERT (http://cert.org) • CVE (http://cve.mitre.org) • OWASP (http://www.owasp.org) • Attacks • http://www.packetstormsecurity.org/ • http://community.corest.com/~juliano/

  30. Thank You! Maximiliano Caceres | max@coresecurity.com http://www.coresecurity.com

More Related