Introduction to computer and network security
Session 2 : Examples of vulnerabilities and attacks pt1
Jean Leneutre
Outline
I- Introduction
II- Definitions
III- Vulnerabilities and attacks
1. Common Vulnerabilities
III- Vulnerabilities and attacks
1. Common Vulnerabilities
- Usual sources of security problems
  - Introduction of new functionalities
  - Lack of access control
  - Flaw in the design/implementation/configuration of a protocol
  - Incorrect verification of input syntax or length in code
- Introduction of new functionalities
  - New functionalities introduced to ease the use of a system may be harmful from the security point of view
  - Example: the Unix sendmail mail transfer agent
    - One of the vulnerabilities exploited by the first Internet worm (Morris Worm, 1988)
    - Need: ease the administration of the system by allowing remote configuration of sendmail on a host
    - Functionality: a "debug" mode which, when activated on a destination host, allowed a mail to include shell commands that were executed on this host
    - The worm used this mode to spread itself to new machines
    - Correction: correctly configure sendmail on a machine by removing the
- Lack of access control
  - Access control mechanisms may be bypassed using operations that are not controlled (direct access to memory, covert communication channels, ...)
  - Example: Unix command "at"
    - at <time> -f <file>: runs the commands in <file> at a later time
    - Effect: the file is copied into /usr/spool/atjobs/
    - Initially, read access to any file in /usr/spool/atjobs/ was granted to everybody
    - However, the "at" command did not check whether the user had read access to the file before copying it into the spool directory
    - An attacker was able to read a protected, non world-readable file such as the shadow password file /etc/shadow by running the "at" command on it: the copy in the spool directory was readable by everybody
- Flaws in the design/implementation/configuration of a protocol
  - Some choices or errors in the design or implementation of a protocol may introduce security problems
  - Example: "Smurf" attack
    - The attacker spoofs the victim's IP address as source and sends an ICMP "echo request" (ping) to the broadcast address of one or several networks (the amplifiers)
    - The router of each amplifier network broadcasts the request to all hosts on the network
    - All hosts on the network reply to the victim's IP address
    => This causes significant traffic, leading to a Denial of Service (DoS) on the target: the attacker's traffic is multiplied by the number of hosts on each amplifier network
    => Solution: configure routers not to forward packets directed to broadcast
- Flaws in the design/implementation/configuration of a protocol (2)
  - Example: "TCP session hijacking" (blind IP spoofing with sequence number prediction)
    - TCP 3-way handshake between a client A and a server B:
      A -> B : SYN, ISNa                  (connection request)
      B -> A : SYN,ACK, ISNb, ISNa+1      (connection granted)
      A -> B : ACK, ISNb+1                (acknowledgement)
    - ISNa and ISNb: initial sequence numbers, 32 bits long
    - ISNa and ISNb are meant to be unpredictable and different for each new connection
    - RFC 793: the ISN is taken from a clock incremented every 4 microseconds
    - However, in some implementations (4.2BSD and derivatives) the ISN generator was incremented by a fixed amount: 128 per second, plus 64 for each new connection. An attacker who has seen one ISN of B can therefore compute the next one
    - Suppose an attacker X cannot block messages to server B nor observe any message; he can only spoof the IP address of A
- Flaws in the design/implementation/configuration of a protocol (3)
  - Example: "TCP session hijacking" (2)
    - X opens a first session with B from his own address and receives ISNb:
      X -> B : SYN, ISNx
      B -> X : SYN,ACK, ISNb, ISNx+1
      X -> B : ACK, ISNb+1
    - X spoofs the IP address of A (noted X/A) and starts a new session:
      X/A -> B : SYN, ISNx'
      B -> A   : SYN,ACK, ISNb', ISNx'+1   (X does not receive this message)
      X/A -> B : ACK, ISNb'+1              (X guesses the value of ISNb' from ISNb)
    - X also launches a DoS attack on A to prevent A from receiving message 2 (otherwise A would answer with a RST for a connection it never requested)
    - X is able to execute commands on server B using A's privileges (but cannot
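The exchange above, replayed as an added example that is not part of the original slides: a small C model of server B with either a 4.2BSD-style linear ISN generator or a random one, and the blind attacker X predicting ISNb' from the ISNb it learned in its own handshake. The constants (128 per second, 64 per connection, the starting counter value, the xorshift32 stand-in for a random generator) and all function names are assumptions made for this model, not code from any TCP implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of B's initial sequence number generator. In predictable mode it
 * imitates the 4.2BSD-era behaviour (counter advanced by 128 per second and
 * by 64 per connection); otherwise a xorshift32 stand-in for a random ISN is
 * used. Both are constructed for this example. */
struct isn_gen {
    int predictable;
    uint32_t counter;   /* predictable mode: current value of the ISN clock */
    uint32_t rng;       /* random mode: xorshift32 state */
};

#define ISN_PER_SECOND     128u
#define ISN_PER_CONNECTION 64u

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* ISN that B assigns to a connection opened 'elapsed' seconds after the previous one. */
static uint32_t isn_next(struct isn_gen *g, uint32_t elapsed) {
    if (g->predictable) {
        g->counter += ISN_PER_SECOND * elapsed + ISN_PER_CONNECTION;
        return g->counter;
    }
    return xorshift32(&g->rng);
}

/* Minimal server B: one half-open connection at a time. */
struct tcp_server {
    struct isn_gen gen;
    uint32_t pending_isn;   /* ISNb sent in the last SYN,ACK */
    int established;
};

static struct tcp_server make_server(int predictable) {
    struct tcp_server b = { { predictable, 0x10000000u, 0x9E3779B9u }, 0, 0 };
    return b;
}

/* B receives a SYN and answers SYN,ACK carrying its ISN (returned). */
static uint32_t server_on_syn(struct tcp_server *b, uint32_t elapsed) {
    b->pending_isn = isn_next(&b->gen, elapsed);
    b->established = 0;
    return b->pending_isn;
}

/* B receives the third packet; the connection is established only if the
 * acknowledgement number equals ISNb+1. */
static int server_on_ack(struct tcp_server *b, uint32_t ack) {
    b->established = (ack == b->pending_isn + 1);
    return b->established;
}

/* Blind hijack as in the slides. X first talks to B from its own address to
 * learn ISNb, then, 'dt' seconds later, opens a spoofed connection as A and
 * answers the SYN,ACK it never sees with a guessed ISNb'. Returns 1 if B
 * accepted the forged handshake; *predicted receives X's guess. */
static int blind_hijack(struct tcp_server *b, uint32_t dt, uint32_t *predicted) {
    uint32_t isn_b = server_on_syn(b, 0);       /* X -> B : SYN, ISNx ; B -> X : SYN,ACK, ISNb */
    server_on_ack(b, isn_b + 1);                /* X -> B : ACK, ISNb+1 */

    /* X's guess: the generator advanced by dt seconds and by one connection. */
    *predicted = isn_b + ISN_PER_SECOND * dt + ISN_PER_CONNECTION;

    server_on_syn(b, dt);                       /* X/A -> B : SYN, ISNx' ; B -> A : SYN,ACK, ISNb' (lost to X) */
    return server_on_ack(b, *predicted + 1);    /* X/A -> B : ACK, ISNb'+1 (guessed) */
}

int main(void) {
    uint32_t guess;
    struct tcp_server weak = make_server(1), strong = make_server(0);
    printf("predictable ISN: hijack %s (guessed %08x, real %08x)\n",
           blind_hijack(&weak, 1, &guess) ? "succeeded" : "failed", guess, weak.pending_isn);
    printf("random ISN:      hijack %s (guessed %08x, real %08x)\n",
           blind_hijack(&strong, 1, &guess) ? "succeeded" : "failed", guess, strong.pending_isn);
    return 0;
}
```

The model deliberately lets X know exactly how much time elapsed between the two connections; in practice X tries a small window of candidate values around the prediction, which is still trivial against a 128-per-second generator and hopeless against a 32-bit random one.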
- Other attacks on TCP/IP
  - "SYN Flooding"
    - The attacker sends a large number of TCP SYN requests to a target (a server) but never acknowledges the answers
    - The target reserves resources for each request until the limit of half-open connections is reached
    - All new legitimate requests are then discarded
    => DoS attack
  - Attacks on the DNS (Domain Name System)
    - The DNS links domain names with IP addresses
    - DNS "cache poisoning": forged data is introduced into a name server's cache database, causing the name server to return an incorrect IP address and so redirect clients to a host chosen by the attacker
- Attacks on security protocols: example SSL/TLS
  - Flaw in the pseudo-random number generator (Netscape's SSL implementation seeded its generator from predictable values, making session keys guessable)
    - Goldberg and Wagner, Dr. Dobb's Journal, Jan. 1996. http://www.ddj.com/documents/s=965/ddj9601h/
  - Timing attacks
    - By analyzing the response time of an OpenSSL server to requests, an attacker on the same LAN segment is able to recover the private key of the server
    - Boneh and Brumley, 12th Usenix Security Symposium. http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
  - Problem in error reports
    - By analyzing differences in response time when an error occurs (padding error versus MAC error), an attacker is able to recover the plaintext of an encrypted message
    - Vaudenay et al., Crypto 2003. http://lasecwww.epfl.ch/
- Incorrect verification of input syntax
  - Example: SQL code injection
    - Context: a website processes the login of a user by executing the following SQL query, where $name and $pwd are taken from the login form,
      SELECT user_id FROM users WHERE user_name='$name' AND user_pwd='$pwd'
    - Legitimate queries have the following form:
      SELECT user_id FROM users WHERE user_name='Bob' AND user_pwd='a8gt9p'
    - Suppose that there is no verification of the syntax of the user_name.
  - Example: SQL code injection (2)
    - An attacker can enter name = Bob' -- and any password; the query becomes
      SELECT user_id FROM users WHERE user_name='Bob' --' AND user_pwd='whatever'
      that is, since -- starts a comment that runs to the end of the line,
      SELECT user_id FROM users WHERE user_name='Bob'
      The password condition has disappeared and the attacker is logged in as Bob without knowing his password.
    - Solution proposed at the time: PHP's magic_quotes_gpc setting (reported by get_magic_quotes_gpc), which adds a \ before the characters ' " \ and NUL in every request parameter. This is only a partial mitigation (it depends on the database's quoting rules and does not help for numeric parameters) and was removed in PHP 5.4. The robust fix is to never build the query from strings: use prepared statements with bound parameters, or at least the database driver's own escaping function.
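To make the effect of the comment sequence concrete, here is an added example (not code from the original slides): the slide's query built by concatenation, the same query with the operands escaped by the SQL-standard rule (doubling single quotes), and a small scanner that reads the statement the way the SQL parser would, so that one can check whether the user_pwd condition is still executed. The function names and the scanner are assumptions made for this example; parameterised queries remain the preferred fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The slide's query, built by string concatenation: whatever the user typed
 * is pasted straight into the SQL text. Returns a malloc'd string (caller frees). */
static char *build_query_unsafe(const char *name, const char *pwd) {
    size_t n = strlen(name) + strlen(pwd) + 80;   /* template is 60 chars plus operands */
    char *q = malloc(n);
    if (q == NULL) return NULL;
    snprintf(q, n, "SELECT user_id FROM users WHERE user_name='%s' AND user_pwd='%s'", name, pwd);
    return q;
}

/* Escape a value for use inside a single-quoted SQL literal by doubling every
 * single quote (the SQL-standard rule; backslash escaping, which magic quotes
 * relied on, is a MySQL extension). Returns a malloc'd string (caller frees). */
static char *sql_escape(const char *s) {
    size_t len = strlen(s), quotes = 0, j = 0;
    for (size_t i = 0; i < len; i++) if (s[i] == '\'') quotes++;
    char *out = malloc(len + quotes + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        out[j++] = s[i];
        if (s[i] == '\'') out[j++] = '\'';
    }
    out[j] = '\0';
    return out;
}

/* Same template, escaped operands. */
static char *build_query_escaped(const char *name, const char *pwd) {
    char *en = sql_escape(name), *ep = sql_escape(pwd), *q = NULL;
    if (en != NULL && ep != NULL) q = build_query_unsafe(en, ep);
    free(en);
    free(ep);
    return q;
}

/* Walk the statement the way the SQL parser would: inside a '...' literal a
 * doubled quote is data; outside a literal, "--" discards the rest of the line.
 * Returns 1 if the user_pwd condition is still part of the executed statement,
 * 0 if it ended up inside a literal or a comment. */
static int password_check_active(const char *q) {
    int in_literal = 0;
    for (size_t i = 0; q[i] != '\0'; i++) {
        if (in_literal) {
            if (q[i] == '\'') {
                if (q[i + 1] == '\'') i++;      /* '' is an escaped quote, stay inside */
                else in_literal = 0;
            }
        } else if (q[i] == '\'') {
            in_literal = 1;
        } else if (q[i] == '-' && q[i + 1] == '-') {
            while (q[i] != '\0' && q[i] != '\n') i++;   /* comment to end of line */
            if (q[i] == '\0') break;
        } else if (strncmp(q + i, "user_pwd", 8) == 0) {
            return 1;
        }
    }
    return 0;
}

int main(void) {
    char *legit = build_query_unsafe("Bob", "a8gt9p");
    char *evil  = build_query_unsafe("Bob' --", "whatever");
    char *safe  = build_query_escaped("Bob' --", "whatever");
    printf("%s\n  password check active: %d\n", legit, password_check_active(legit));
    printf("%s\n  password check active: %d\n", evil,  password_check_active(evil));
    printf("%s\n  password check active: %d\n", safe,  password_check_active(safe));
    free(legit); free(evil); free(safe);
    return 0;
}
```

With the escaped operands the attacker's quote stays inside the literal, so the server looks for a user literally named "Bob' --" and the password is still checked. Escaping only covers quoted string operands; a value spliced into a numeric position or an identifier needs a bound parameter or a whitelist.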
- Incorrect verification of input length
  - Buffer overflow or overrun
    - Anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory
    - Concerns programs written in languages (for instance C and C++) which do not automatically check that data written to a buffer (array) stays within the boundaries of that buffer, and which have no built-in protection against accessing or overwriting arbitrary memory
    - May be triggered by inputs designed to execute code, or to alter the way the program operates
    - May result in erratic program behavior, incorrect results, a crash, or a breach of system security
    - Example: Unix 4BSD finger command (Internet Worm of 1988)
      - The fingerd daemon answers remote finger requests
      - fingerd uses the C function gets, which reads a line of input without performing
- Buffer overrun
  - Memory configuration
    - If the value assigned to a variable exceeds the size of the buffer allocated for it:
      - it may cause a runtime error
      - it may allow an attacker to have his own code executed by overwriting the memory of the
    - Process memory layout, from higher to lower addresses:
      - Stack: contains the return address (specifying the next instruction to be executed after the function returns), the local variables and the function arguments
      - Heap: used for dynamic memory allocation
      - Data / constants
      - Code
- Stack overflow = buffer overrun on the stack
  - Example: C function foo

    #include <stdio.h>

    void foo(void)
    {
        char a[9];
        printf("enter your login");
        gets(a);   /* no bound checking */
    }

  - Stack frame of foo, from higher to lower addresses: parent routine's stack | ret (return address) | sfp (saved frame pointer) | a[8] ... a[0] | unallocated stack space
  - With login = leneutre, gets writes l e n e u t r e into a[0] ... a[7] and the terminating \0 into a[8]: the array is exactly filled and the rest of the frame is intact
- Stack overflow = buffer overrun on the stack (2)
  - Attacker X enters login = AAAAAAAAAAAAadr_a, where adr_a is the address of the array a
  - Stack before: parent routine's stack | ret | sfp | a[8] ... a[0] | unallocated stack space
  - Stack after (buffer overrun!): parent routine's stack | adr_a | AAA | AAAAAAAAA (a[8] ... a[0]) | unallocated stack space
  - The A's fill the array a and the saved frame pointer, and adr_a overwrites the return address: when foo returns, execution continues at the start of a instead of in the parent routine
- Stack overflow = buffer overrun on the stack (3)
  - Attacker X replaces the string AAAAAAAAAAAA with a shellcode (a small piece of machine code that starts a command shell)
  - When foo returns, the processor jumps to adr_a and the shellcode is executed with the privileges of foo
  - If foo() is executed with special privileges (superuser), X gains this privilege on
  - Stack before: parent routine's stack | ret | sfp | a[8] ... a[0] | unallocated stack space
  - Stack after: parent routine's stack | adr_a | shellcode (occupying a and sfp) | unallocated stack space
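The three stack slides above, reproduced as an added example that is not part of the original course material: foo's frame (array a, saved frame pointer, return address) is modelled as a C struct laid out in memory order, so the overrun can be observed and checked without crashing the process. The gets()-style copy writes the attacker's input across the whole frame and lands adr_a on the return address; the bounded variant refuses the input. ADR_A, ORIG_RET, the struct and the function names are assumptions for the model; a real frame is laid out by the compiler, which is why the filler length is derived from offsetof() rather than hard-coded to the 12 A's of the drawing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of foo()'s stack frame, in memory order (lowest address first): the
 * array a, then the saved frame pointer, then the return address. Any
 * alignment padding the compiler inserts between a and sfp is handled via
 * offsetof(). */
struct frame {
    char      a[9];
    uintptr_t sfp;
    uintptr_t ret;
};

#define ADR_A    ((uintptr_t)0x7ffd1000u)   /* assumed address of a[0] in the drawing */
#define ORIG_RET ((uintptr_t)0x00401234u)   /* assumed legitimate return address */

/* gets()-style read: every input byte lands at a[0] with no bound. The cap only
 * keeps the demo inside its own memory; gets() itself has no cap at all. */
static void read_login_unbounded(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* fgets()-style read: refuses input that does not fit together with its NUL.
 * Returns 0 on success, -1 if the login is too long (frame left untouched). */
static int read_login_bounded(struct frame *f, const unsigned char *in, size_t len) {
    if (len >= sizeof f->a) return -1;
    memcpy(f->a, in, len);
    f->a[len] = '\0';
    return 0;
}

/* The attacker's input from the slides: filler up to the saved frame pointer,
 * a fake sfp, then adr_a where the return address lives. The filler is 'A' here
 * and would be the shellcode in the last step of the attack. Returns the payload length. */
static size_t build_payload(unsigned char *out, size_t cap, uintptr_t adr_a) {
    size_t filler = offsetof(struct frame, sfp);
    size_t need   = offsetof(struct frame, ret) + sizeof(uintptr_t);
    uintptr_t fake_sfp = 0;
    if (cap < need) return 0;
    memset(out, 'A', filler);
    memcpy(out + offsetof(struct frame, sfp), &fake_sfp, sizeof fake_sfp);
    memcpy(out + offsetof(struct frame, ret), &adr_a, sizeof adr_a);
    return need;
}

/* A frame as it looks on entry to foo: empty array, plausible sfp, real ret. */
static struct frame fresh_frame(void) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.sfp = (uintptr_t)0x7ffd2000u;
    f.ret = ORIG_RET;
    return f;
}

int main(void) {
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, ADR_A);
    struct frame f = fresh_frame(), g = fresh_frame();

    read_login_unbounded(&f, payload, n);
    printf("gets-style: ret = %#lx (adr_a = %#lx), sfp = %#lx\n",
           (unsigned long)f.ret, (unsigned long)ADR_A, (unsigned long)f.sfp);

    int rc = read_login_bounded(&g, payload, n);
    printf("fgets-style: rc = %d, ret still %#lx\n", rc, (unsigned long)g.ret);
    return 0;
}
```

On a 64-bit build offsetof(struct frame, sfp) is 16, not 12: the compiler pads a[9] to the alignment of the next field, which is exactly the kind of detail an attacker measures before building the real payload.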
- Exercise
  - A small company sells digital photos via the Internet:
    - Each photo is identified by a number
    - When a client wants to access a photo using its number, he must authenticate himself
    - The access is recorded, and the client receives a monthly invoice
    - Concretely, when a user has chosen the photo, he executes through his web browser the C function buy:

    void buy(const char *login, const char *password,
             const char *name, const char *number)
    {
        if (authenticate(login, password) == 1) {
            inform_photo(name, number);
            inform_debit(login);
        }
    }
- Exercise (2)
  - The function inform_photo uses the function show_photo to present the photo to the user:

    void inform_photo(const char *name, const char *number)
    {
        char a[100] = "";
        strcat(a, "Mr ");
        strcat(a, name);
        strcat(a, ", here is your photo. \n");
        printf(a);
        show_photo(number);
    }

  - The function inform_debit uses the function debit to charge the correct number of photos:

    void inform_debit(const char *login)
    {
        debit(login);
        printf("We debited 10 Euros from your account. \n");
    }
- Exercise (3)
  - Show that a malicious user may access photos without paying for them
  - Propose a solution to avoid this attack by modifying only the function inform_photo
- Incorrect handling of "controlled invocations"
  - A user wants to execute an operation requiring a privileged mode (system mode)
  - The system switches from the normal mode (user mode) to system mode, executes this operation, and switches back to user mode before giving control back to the user
  - Potential problem: if a controlled invocation is not correctly handled by the system, a user may obtain special privileges
  - Example: Unix login
    - The login program is a system process with superuser privileges
    - When a user logs in, the system replaces the current "home directory" with the user's directory
    - Then the system executes the commands in the user's configuration files (.cshrc and .login): if the system is still running with "superuser" privileges at that point, a malicious user could use the previous configuration files as
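The login example comes down to one rule: change identity first, only then interpret anything the user controls. The following C code is an added example, not part of the original slides, showing the shape such a privilege drop should have on a POSIX system: supplementary groups and gid before uid (the reverse order fails silently once the uid is unprivileged), followed by a check that the privileged identity cannot be regained, and a helper that runs a user-controlled command in a child process only after the drop succeeded. Function names are assumptions; setgroups, setgid, setuid, fork, execv and waitpid are the standard calls.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up the privileged identity for good before running anything the user
 * controls (the .cshrc/.login commands of the login example). Order matters:
 * supplementary groups and the gid go first, because once the uid is
 * unprivileged they can no longer be changed. The final checks make sure the
 * drop really happened and cannot be undone. Returns 0 on success, -1 otherwise. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;   /* clear root's extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;                  /* must not be able to regain root */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Run 'argv' as (uid, gid) in a child process and return its exit status, or -1
 * if the child could not drop privileges, could not exec, or was killed by a
 * signal. A child exit code of 127 is treated as "could not run". This is the
 * order the login step must follow: identity first, then the user's files. */
static int run_as_user(uid_t uid, gid_t gid, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(127);
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 127 ? -1 : code;
}

int main(void) {
    /* Constructed demo: run a shell command as the current user. When started
     * as root, replace getuid()/getgid() by the target user's ids. */
    char *const argv[] = { "/bin/sh", "-c", "id -u; exit 3", NULL };
    int rc = run_as_user(getuid(), getgid(), argv);
    printf("child exit status: %d\n", rc);
    return rc == 3 ? 0 : 1;
}
```

The regain check (setuid(0) must fail after the drop) is what distinguishes a permanent drop from a temporary one: with saved set-user-ids, a process that only changed its effective uid can switch back, which is exactly the state the login example warns about.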
- Race condition
  - Arises in software where separate processes or threads of execution depend on some shared state or resource
  - Operations on shared state are critical sections that must be mutually exclusive
  - Potential problem: if critical sections are not correctly handled, the shared resource may be corrupted, processes may be blocked, or a process may obtain the privileges of another process
  - Example:
    - North American blackout (power outage) of 2003
    - Software flaw in the energy management system
    - A race condition existed in the alarm subsystem: under some conditions alerts were not raised to the monitoring technicians, delaying their awareness of the problem
- Race condition (2)
  - Example:
    - CTSS (Compatible Time-Sharing System) operating system
      - Each user has his own unique directory
      - When a user edits a file, a working copy with the fixed name SCRATCH is created in the user's directory
      - The system is considered as a user (with its own SCRATCH)
      - An upgrade permitted several administrators to log in simultaneously on the system account, so they shared one SCRATCH file
    - The following sequence of operations copied the password file into the WELCOME message:
      1. admin1 edits the welcome message: SCRATCH := WELCOME
      2. admin2 edits the password file:   SCRATCH := PWD   (the shared SCRATCH is overwritten)
      3. admin1 saves the welcome message: WELCOME := SCRATCH
    - Contents of the three files (WELCOME | PWD | SCRATCH) after each step:
      after step 1:  Hello!    | Cgd8/oip | Hello!
      after step 2:  Hello!    | Cgd8/oip | Cgd8/oip
      after step 3:  Cgd8/oip  | Cgd8/oip | Cgd8/oip
- Time-of-check-to-time-of-use (TOCTTOU)
  - A specific case of race condition appearing when the state of the system changes between the checking of a condition (for instance an authorization check) and the use of the result of that check
  - Example:
    - Consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing
    - A user requests to edit a page, getting a form by which he can alter its content
    - Before the user submits the form, an administrator locks the page, which should prevent editing
    - However, since the user has already begun editing, when he submits the form his edits are accepted
    - When the user began editing, his authorization was checked, and he was indeed allowed to edit. The result of that check was used later, after he should no longer have been allowed: the authorization must be checked again at the moment the edit is actually applied, not only when the form is served
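The file-system instance of the same race, as an added example that is not part of the original slides, also covering the CTSS fixed-name SCRATCH problem: access() followed by open() checks a path name and then uses a path name, and the name can be re-bound (here by a symbolic link) between the two calls. The hardened version opens first with O_NOFOLLOW and checks the object it actually opened through fstat() on the descriptor, so check and use refer to the same file; the scratch file is created atomically with a unique name by mkstemp() instead of a fixed shared name. The function names and the owner check are assumptions for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* TOCTTOU-prone pattern: the check (access) and the use (open) both take a
 * path name, and the name can be re-bound between the two calls, for example
 * replaced by a symbolic link to a file the caller is not supposed to read. */
static int open_check_then_use(const char *path) {
    if (access(path, R_OK) != 0) return -1;   /* time of check */
    return open(path, O_RDONLY);              /* time of use: possibly another object by now */
}

/* Hardened: open first (refusing to follow a symlink at the last component),
 * then check the object actually opened through its descriptor. Check and use
 * now refer to the same open file, so no rename or link can slip in between.
 * 'expected_owner' is the uid the caller requires the file to belong to. */
static int open_checked(const char *path, uid_t expected_owner) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The CTSS lesson: a scratch file with a fixed shared name is a race waiting
 * to happen. mkstemp() creates a unique file atomically (O_EXCL, mode 0600)
 * and returns it already open. 'path_out' receives the generated name. */
static int create_private_scratch(char *path_out, size_t cap) {
    static const char tmpl[] = "/tmp/scratch.XXXXXX";
    if (sizeof tmpl > cap) return -1;
    memcpy(path_out, tmpl, sizeof tmpl);
    return mkstemp(path_out);
}

int main(void) {
    /* Constructed demo: a private scratch file and a symlink pointing at it,
     * standing in for the re-bound name of the race. */
    char path[64], link[80];
    int fd = create_private_scratch(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);
    snprintf(link, sizeof link, "%s.link", path);
    if (symlink(path, link) != 0) { perror("symlink"); unlink(path); return 1; }

    fd = open_check_then_use(link);
    printf("check-then-use via symlink: %s\n", fd >= 0 ? "opened (followed the link)" : "refused");
    if (fd >= 0) close(fd);
    fd = open_checked(link, getuid());
    printf("open_checked via symlink:   %s\n", fd >= 0 ? "opened" : "refused (O_NOFOLLOW)");
    if (fd >= 0) close(fd);

    unlink(link);
    unlink(path);
    return 0;
}
```

The same principle answers the page-lock example: the decision must be taken on the object at the moment of use (re-check the lock when the edit is applied), not on a name or a token obtained earlier that the world may have moved on from.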