3.input validation

8/2/2019 3.Input Validation

1/47

Course 2: Programming Issues,Section 3Pascal Meunier, Ph.D., M.Sc., CISSPMay 2004; updated July 30, 2004Developed thanks to the support of Symantec Corporation,NSF SFS Capacity Building Program (Award Number 0113725)and the Purdue e-Enterprise CenterCopyright (2004) Purdue Research Foundation. All rights reserved.


2/47

Course 2 Learning Plan

Buffer Overflows

Format String Vulnerabilities

Code Injection and Input Validation

Cross-site Scripting Vulnerabilities

Links and Race Conditions

Temporary Files and Randomness

Canonicalization and Directory Traversal


3/47

Learning objectives

Understand the definition of code injection

Know how code injection happens

Learn how to perform input validation and cleansing


4/47

Code Injection: Outline

Definition

Defending against code injection

Examples

Input Validation

Dynamic code generation with SQL

Lab: Write a database-supported application


5/47

Code Injection

Goal: trick program into executing an attackerscode by clever input construction that mixes codeand data

Mixed code and data channels have specialcharacters that trigger a context change betweendata and code interpretation

The attacker wants to inject these meta-charactersthrough some clever encoding or manipulation, sosupplied data is interpreted as code


6/47


7/47

Results

Inside the program, the eval statement becomesequivalent to:

eval "ls .;chmod o+r *"

Permissions for file "confidential" after exploit:

% ls -l confidential-rwxr-xr-- 1 pmeunier pmeunierconfidential

Any statement after the ";" would also get executed,because ";" is a command separator.

The data argument for "ls" has become code!


8/47

Other Code Injection by CommandSubstitution

Backtick: execution in a command line bycommand substitution

`command` gets executed before the rest of the

command line

Imagine a malicious script called script1:

mkdir oups

echo oups

etc...

Imagine a program that calls a shell to run grep.

What happens when this is run?

eval "grep `./script1` afile"


9/47

Answer

Script1 is executed

an oups directory is created

The rest of the intended command, grep oups

afile, gets executed


10/47

A Vulnerable Program

int main(int argc, char *argv[], char **envp)

{

char buf [100];

buf[0] = '\0';

snprintf(buf, sizeof(buf), "grep %stext",argv[1]);

system(buf);

exit(0);

}

What happens when this is run?% ./a.out \`./script\`


11/47

Answer

The program calls

system (grep `./script` text);

You can verify by adding "printf( "%s", buf)" to the

program So we could make a.out execute any program we

want

Imagine that we provide the argument remotely

What if a.out runs with root privileges?


12/47

Shell Metacharacters

` to execute something (command substitution)

; is a command (pipeline) separator

| is a pipe

&&

||

# to comment out something Refer to the appropriate man page for all characters

How else can code be injected into a.out?


13/47

Exercise and Discussion

Take the vulnerable code on the previous slides

Can you get it to do something else using commandseparators or meta-characters?

Which meta-characters work best, and how?


14/47

Defending Against Code Injection

Input cleansing and validation

Model the expected input

Discard what doesn't fit (e.g., metacharacters)

Keep track of which data has been cleansed e.g., Perl's taint mode

Keep track of all sources of inputs

Or cleanse as the input is received

Type and range verification, type casts

Separating code from data

Transmit, receive and manipulate data using differentchannels than for code


15/47

Input Cleansing

Key to preventing code injection attacks

Common problem where code is generateddynamically from some data

SQL (database Simple Query Language)

System calls and equivalents in PHP, WindowsCreateProcess, etc...

Environment pollution (already covered in another set ofslides)

HTML may contain JavaScript (Cross-site scriptingvulnerabilities)


16/47

Intuitive Approach

Block or escape all metacharacters

but what are they?

Problems:

Character encodings

octal, hexadecimal, UTF-8, UTF-16...

Obfuscation

Escaped characters that can get interpreted later

Engineered strings such that by blocking acharacter, something else is generated


17/47

Wrong Way to Cleanse and Sanitize

static char bad_chars[] = "/ ;[]&\t";

char * user_data;

char * cp;

/* Get the data */

user_data = getenv("QUERY_STRING");

/* Remove bad characters. WRONG! */

for (cp = user_data; *(cp += strcspn(cp,bad_chars)); /* */)

*cp = '_';

http://www.cert.org/tech_tips/cgi_metacharacters.html


18/47

phf CGI

CVE-1999-0067

strcpy(commandstr, "/usr/local/bin/ph-m ");

escape_shell_cmd(serverstr);strcat(commandstr, serverstr);(...)phfp = popen(commandstr,"r");

What could be the problem? besides the potential buffer overflows


19/47

Black List of Characters

void escape_shell_cmd(char *cmd) {(...)if(ind("&;`'\"|*?~^()[]{}$\\"

,cmd[x]) != -1){(...)

}

Author forgot to list newlines in "if" statement...

Exploit: input newline and the commands youwant executed...


20/47

More Robust Cleansing

{...}static char ok_chars[] =

"1234567890!@%-_=+:,./\

abcdefghijklmnopqrstuvwxyz\ABCDEFGHIJKLMNOPQRSTUVWXYZ";

{...}for (cp = user_data; *(cp +=strspn(cp, ok_chars)); /* */ )

*cp = '_';

http://www.cert.org/tech_tips/cgi_metacharacters.html

a.k.a. White List vs Black List design principle


21/47

Other Input Validation Issues

Range of types

Short vs long integers

Unsigned vs signed

Integer overflows Validate range (e.g., array indexes)

Attacks can make something negative to reach forbiddendata

Attacks can reset a counter to zero

Data structure reference count vs garbage collection

Strings in numerical inputs

e.g., PHP will accept both string and numerical values fora variable, which may allow unexpected attacks

Use typecasts


22/47

Order for Cleansing and Input Validation

1) Resolve all character encoding issues

2) Cleanse

If combinations of characters can produce

metacharacters, you may need to do several passes.Example:

a and b are legal if separated from each other, but ab isconsidered a metacharacter. The character d is notallowed. After you filter out d from adb, you may be

allowing ab through the filter!3) Validate type, range, and format

4) Validate semantics (i.e., meaning of input)


23/47

SQL

SQL uses single and double quotes to switchbetween data and code.

Semi-colons separate SQL statements

Example query:

"UPDATE usersSET prefcolor='red'WHERE uid='joe';"

This command could be sent from a web front-endto a database engine.

The database engine then interprets the command


24/47

Dynamic SQL Generation

Web applications dynamically generate thenecessary database commands by manipulatingstrings

Example query generation: $q = "UPDATE users

SET prefcolor='$INPUT[color]'WHERE uid='$auth_user'";

Where the value of "$INPUT[color]" would beoriginating from the client web browser, through theweb server.

And where the value for "$auth_user" would havebeen stored on the server and verified through

some authentication scheme


25/47

Client Web Browser

Forms in client browsers return values to the webserver through either the POST or GET methods

"GET" results in a url with a "?" before the values of the

form variables are specified: http://www.example.com/script?color=red

The value of "$INPUT[color]" is set to "red" in the script

"GET" urls are convenient to hack, but there isn'tany significant difference in the security of either

"GET" or "POST" methods because the data comesfrom the client web browser regardless and is underthe control of the remote attacker


26/47

The SQL Table

Tables are used to store information in fields(columns) in relation to a key (e.g., "uid")

What other fields could be of interest?

CREATE TABLE users (prefcolor varchar(20),uid VARCHAR(20) NOT NULL,privilege ENUM('normal',

'administrator'),PRIMARY KEY (uid));


27/47

A Malicious SQL Query

What if we could make the web server generate aquery like:

"UPDATE users

SET prefcolor='red',privilege='administrator'WHERE uid='joe';"

Can we engineer the value of "color" given to theweb server so it generates this query?

Note how code and data are mixed in the same channel

Better database interfaces provide separate channels

Java prepared statements

Stored procedures


28/47

Malicious HTTP Request

http://www.example.com/script?color=red',privilege='administrator

The "color" input is then substituted to generate

SQL: $q = "UPDATE users

SET prefcolor='$INPUT[color]'WHERE uid='$auth_user'";

It gives the query we wanted!


29/47

Results

Joe now has administrator privileges.


30/47

Adding Another SQL Query

Let's say Joe wants to run a completely differentquery:

"DELETE FROM users"

This will delete all entries in the table!

How can the value of "color" be engineered?


31/47

Malicious HTTP Request

http://www.example.com/script?color=red'%3Bdelete+from+users%3B

%3B is the url encoding for ";"

What happens when the "color" input is used togenerate SQL?

$q = "UPDATE usersSET prefcolor='$INPUT[color]'WHERE uid='$auth_user'";


32/47

Result

UPDATE users

SET prefcolor='red';

delete from users;

WHERE uid='$auth_user'";

The last line generates an error, but it's already toolate; all entries have been deleted.

The middle query could have been anything


33/47

FAQs

Couldn't the database have a separate account for"Joe" with only the privileges he needs (e.g., nodelete privilege)?

In theory yes, but in practice the management of suchaccounts and privileges, and connecting to the databasewith the correct IDs, adds significant complexity

Most often a database account is created for the entire webapplication, with appropriate limitations (e.g., withoutprivileges to create and drop tables)

A good compromise is to create database accounts for eachclass of user or class of operation, so:

if Joe is a regular user he wouldn't have delete privileges forthe user table

Changing user preferences, as an operation type, doesn'trequire delete privileges


34/47

FAQs

Doesn't SSL protect against this sort of attack?

No

But what if you authenticate users with a

username/password over SSL? Then, if the userdoes SQL injection, the server admins will knowwho perpetrated the crime, right?

Not necessarily; only if you have sufficient auditlogging.


35/47

Other SQL Injection Methods

Let's say you've blocked single quotes, doublequotes and semi-colons.

What else can go wrong?

How about "\"?

If attacker can inject backslashes, then escaped quotescould get ignored by the database


36/47

PHP-Nuke SQL injectionCAN-2002-1242

iDefense advisory dated Oct. 31, 2002

Malicious url:

modules.php?name=Your_Account&op=saveuser&uid=2&

bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+pass=md5(1)/*

%5c is the encoding for \


37/47

Let's Look at the SQL

UPDATE nuke_usersSET name = '', email = '',

femail = '', url = 'http://',pass = 'xxxxx', bio = '\',user_avatar = '',user_icq = '',user_msnm = '',newsletter = ',pass=md5(1)/*' WHERE uid='2'

Notice how bio would be set according to the text in red?

'' (two single quotes) make the database insert a single quote inthe field, effectively the same as \'

Notice how the comment field, /*, is used to comment out the

"WHERE" clause for the uid? This means that the query applies to

all users!


38/47

What Happened?

All passwords were changed to the value returnedby the function "md5(1)"

Constant: "c4ca4238a0b923820dcc509a6f75849b"

Attacker can now login as anyone


39/47

Lab

MySQL is available on your system

The next slide shows how to set it up

Perl with MySQL database interface is also

available A slide after the MySQL slide gives a starter script

Lab Objective: Make a Perl script that takes inputfrom the command line or a web form, and updates

a MySQL table. See how the attacks we discussed work

Note: MySQL doesn't execute multiple statements separatedby ";" (other databases do)

Can you make your script resistant to the code injection

attacks we discussed?


40/47

MySQL

Start a root shell

Click on the Knoppix CD icon (penguin, second to right)

Type "mysqld_safe &"

Type "mysql -u root"

Create the database

Type "create database ci;"

Type "use ci;"

Note: This is not a recommended setup for a realMySQL installation. However, the MySQL usertables are read-only on the Knoppix CD, so we'lluse the MySQL user "root" without a password (!)


41/47

Table Creation

Type the table creation statement (same as on aprior slide)

CREATE TABLE users (

prefcolor varchar(20),uid VARCHAR(20) NOT NULL,privilege ENUM('normal',

'administrator'),PRIMARY KEY (uid)

);


42/47

Perl

Type the script on the next page or download itfromhttp://www.cerias.purdue.edu/homes/pmeunier/sym

antec/unit3/myperl.pl chmod u+x myperl.pl

Run it

Verify (in the terminal where you started mysql) that

there is now a new user entry for "Joe" Type "SELECT * FROM users;"


43/47

Starter Perl script

#!/usr/bin/perl -Tw

use DBI;

my $serverName = "localhost";

my $serverPort = "3306";

my $serverUser = "root";

my $serverPass = "";

my $serverDb = "ci";

my $serverTabl = "user";

my ($dbh, $sth, @row);

$dbh = DBI->connect("DBI:mysql:database=$serverDb;

host=$serverName;port=$serverPort",$serverUser,$serverPass);

$sth = $dbh->prepare("INSERT INTO users (uid, prefcolor, privilege)

VALUES ('joe', 'peach', 'normal')

");

$sth->execute;

$sth->finish;


44/47

Fake CGI From Command Line

Change the perl script to take input from thecommand line and perform the query on slide 24

$sth = $dbh->prepare("

UPDATE users set prefcolor ='$ARGV[0]'WHERE userid = '$ARGV[1]'

");

For bonus points, take input from a web page

Your can inspire yourself from the tutorial athttp://www.linuxplanet.com/linuxplanet/tutorials/1046/4/


45/47

Questions or Comments?


46/47

About These Slides

You are free to copy, distribute, display, and perform the work; and to

make derivative works, under the following conditions.

You must give the original author and other contributors credit

The work will be used for personal or non-commercial educational usesonly, and not for commercial activities and purposes

For any reuse or distribution, you must make clear to others the terms of

use for this work

Derivative works must retain and be subject to the same conditions, and

contain a note identifying the new contributor(s) and date of modification

For other uses please contact the Purdue Office of Technology

Commercialization.

Developed thanks to the support of SymantecCorporation


47/47

Pascal [email protected]:Jared Robinson, Alan Krassowski, Craig Ozancin, Tim

Brown, Wes Higaki, Melissa Dark, Chris Clifton, GustavoRodriguez-Rivera

3.input validation

Documents