1 / 12

Injection

Injection. Mark Shtern. Example. Code from old IRIX login screen: char buf[1024]; snprintf(buf, "system lpr -P %s", user_input, sizeof(buf)-1); system(buf); Attack: FRED; xterm&. Injections. Injection problems occur when untrusted data is Placed into trusted data

yasuo
Télécharger la présentation

Injection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Injection Mark Shtern

  2. Example • Code from old IRIX login screen: char buf[1024]; snprintf(buf, "system lpr -P %s", user_input, sizeof(buf)-1); system(buf); • Attack: FRED; xterm&

  3. Injections • Injection problems occur when untrusted data is • Placed into trusted data • Passed to some sort of compiler or interpreter • Treated as something other than data

  4. Impact • Privilege escalation • Information Leakage • Control of a victim machine • Denial of Service • Access to victim resources • Software unlocking

  5. Attack ideas • Code injection into script (eval, execv) • Module Substitution (DLL injection, Java class injection) • System call, external command, environment variable substitution • Debug mode

  6. DLL injection • Linker dynamically load modules • Linux LD_PRELOAD="./test.so" prog • Windows HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

  7. Substitute external command • Example system(“ls -l”); • Execution depends on • The binary code associated with ls • The PATH environment variable

  8. Debug mode • Most industrial applications contain hidden debug hooks • They can be used for good or for evil

  9. Java class injection • Java VM loads classes dynamically • Attacker may substitute any Java class • Develop new class with the same signature • Modify existing class

  10. Modify existing class • Decompile Java class • Modify source code • Compile modified source code • Overwrite original class

  11. Injection Countermeasures • Validate user input • Do not store confidential information in the source code • Deploy obfuscated code • Use least privileges design concept • Do not pass user input to an interpreter • Digitally sign production code

  12. Tools • Debuggers (gdb, WinDgb) • Java decompilers (Jode, JD ) • Java code obfuscators (Jode, ProGuard) • IDE (Eclipse, Netbeans, Visual Studio 2008/2010)

More Related