Computer Forensics: Use of Malicious Input
(Transcript of a PowerPoint presentation)
Buffer and Heap Overflow Attacks
Standard Tool to Break Into Systems.
Used for Access Escalation. Very Common. Prototype of an Attack Mode.
Beware of User Input
Anonymous FTP should allow access to files selectively.
One implementation parsed the file name.
Assume /pub/acc is an allowed directory.
Request: get /pub/acc/../../../etc/passwd
Beware of User Input
This implementation only checked the first part of the string (/pub/acc) and decided access was OK for:
get /pub/acc/../../../etc/passwd
That allowed access to any file. It took several versions before the security breach was firmly patched.
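An added example (not code from the presentation) of the prefix check described above beside a check that canonicalizes the path first; the allowed directory and the request are the ones from the slides, and paths are treated as POSIX-style FTP paths.

```python
import posixpath

# Constructed example: the FTP server's allowed directory from the slides.
ALLOWED_DIR = "/pub/acc"

def naive_check(requested: str) -> bool:
    """The flawed check: only looks at the start of the string."""
    return requested.startswith(ALLOWED_DIR + "/")

def canonical_check(requested: str, allowed_dir: str = ALLOWED_DIR) -> bool:
    """Canonicalize first (collapse '..' and '.'), then test containment.

    posixpath.normpath is used so the result does not depend on the host OS.
    On a real filesystem you would additionally resolve symbolic links
    (os.path.realpath) before comparing.
    """
    if "\x00" in requested:          # an embedded NUL can truncate the name in C code
        return False
    canon = posixpath.normpath(posixpath.join("/", requested))
    allowed = posixpath.normpath(allowed_dir)
    # Compare whole path components, so /pub/account does not match /pub/acc.
    return canon == allowed or canon.startswith(allowed + "/")

# The request from the slides (constructed string taken from the text).
TRAVERSAL = "/pub/acc/../../../etc/passwd"
```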
Moral: Don’t reinvent the wheel.
Other implementations used a sandbox. Community had learned how to get it right.
Parsing input is difficult. Users have an incentive to be inventive.
ALL INPUT IS EVIL
ALL INPUT IS EVIL: Canonical Representation Issues
Canonicalization: translates a name to a standard representation.
Canonical filenames: Napster name filtering. Napster was ordered to restrict access to certain songs. Access was denied based on the name of the song. Users bypassed it with uncanonical song names:
Deepest Chill -> Deepest Chi11
Candyman -> AndymanCay (in pig latin)
ALL INPUT IS EVIL: Mac OS X and Apache
Vulnerability: HFS+ is case insensitive. Apache uses text-based configuration files, which are case sensitive, to determine which requests are allowed.
Disallow access to directory scripts:

```apache
<Location /scripts>
    Order deny,allow
    Deny from all
</Location>
```
ALL INPUT IS EVIL
Denies user request: http://www.mysite.org/scripts/index.html
Allows user request: http://www.mysite.org/SCRIPTS/index.html
ALL INPUT IS EVIL
Sun StarOffice /tmp directory symbolic link vulnerability
Symbolic link: file that points to another file.
Symbolic links do not share access rights with the file they point to.
ALL INPUT IS EVIL
Sun StarOffice creates the file /tmp/soffice.tmp with a 0777 access mask.
Attacker links /tmp/soffice.tmp to /etc/passwd.
Root runs StarOffice: permissions on /etc/passwd would get changed to 0777.
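An added example (not the presentation's or StarOffice's code) of the temp-file pattern above and the safe alternative: the vulnerable version creates a fixed name and then chmod()s it by path, so a pre-planted symbolic link redirects the permission change; the safe version opens with O_CREAT|O_EXCL|O_NOFOLLOW and changes the mode on the descriptor. The scenario is built in a temporary directory, with a file named target standing in for /etc/passwd; it assumes a POSIX system.

```python
import errno
import os
import stat
import tempfile

def vulnerable_create(path: str) -> None:
    """The pattern on the slides: create (or reuse) a predictable name, then chmod it.
    If path is a symbolic link, os.chmod follows the link and changes the target."""
    with open(path, "a"):
        pass
    os.chmod(path, 0o777)

def safe_create(path: str) -> int:
    """Create the file only if it does not exist yet (O_EXCL), refuse to follow a
    symlink (O_NOFOLLOW), and set permissions on the descriptor, not the name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    os.fchmod(fd, 0o600)
    return fd

def demo() -> tuple:
    """Constructed scenario. Returns (target mode after the vulnerable create,
    whether the safe create refused the link, target mode after the safe create)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")          # stands in for /etc/passwd
        with open(target, "w") as f:
            f.write("root:x:0:0\n")
        os.chmod(target, 0o644)
        link = os.path.join(d, "soffice.tmp")       # the predictable temp name
        os.symlink(target, link)                    # planted before the program runs

        vulnerable_create(link)
        mode_after_vulnerable = stat.S_IMODE(os.stat(target).st_mode)

        os.chmod(target, 0o644)                     # reset for the second run
        try:
            os.close(safe_create(link))
            refused = False
        except OSError as e:                        # EEXIST (or ELOOP with O_NOFOLLOW)
            refused = e.errno in (errno.EEXIST, errno.ELOOP)
        mode_after_safe = stat.S_IMODE(os.stat(target).st_mode)
    return mode_after_vulnerable, refused, mode_after_safe
```

In practice tempfile.mkstemp already applies these flags and a random name; the point of safe_create is to show which flags close the hole.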
Canonicalization Issues
Subsystems cooperate. The first subsystem does not canonicalize input in the way the second one does.
Canonicalization Issues
Common when software makes decisions based on file names.
8.3 representation of file names.
IIS looks at extensions. A request to ***.asp::$DATA is routed to asp.dll, but this names an NTFS stream, and the ASP source code is sent to the user.
Trailing dots or slashes: “secretFile.doc.” is the same as “secretFile.doc” for Windows.
Canonicalization Issues
\\?\temp\myfile is the same as \temp\myfile.
Directory traversal: ../
AOL 5.0 parental controls: bypass the restriction on a URL by adding a period to the file name.
Secure IIS verifies incoming and outgoing data. Use hex codes: %64elete instead of delete for key words. Use “%2e%2e/” for “../”. Two canonicalization issues in security software!
Canonicalization Issues
Lines with carriage returns. Assume logging of file access. A normal log entry:
111.11.11.11 Mike 2004-02-19 13:02:12 file.txt
Attacker accesses a file named:
file.txt\r\n127.0.0.1\tTom\t2004-02-19\t13:02:12\tsecret.doc
The log now reads:
111.11.11.11 Mike 2004-02-19 13:02:12 file.txt
127.0.0.1 Tom 2004-02-19 13:02:12 secret.doc
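An added example (not from the presentation) of the logging bug above and its fix: the unsafe logger writes the file name verbatim, the safe one escapes every byte that acts as a record or field separator, and parse_log shows what a reviewer reading the file back would see. The forged file name is the constructed one from the slide; the tab-separated format is assumed.

```python
import re

LOG_FIELDS = ("ip", "user", "date", "time", "file")

def log_line_unsafe(ip: str, user: str, date: str, time: str, filename: str) -> str:
    """Writes the user-controlled file name verbatim (the slide's vulnerable logger)."""
    return f"{ip}\t{user}\t{date}\t{time}\t{filename}\n"

# Every C0 control, DEL, and the Unicode line separators that str.splitlines() honours.
_CTRL = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")
_NAMED = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}

def neutralize(value: str) -> str:
    """Escape separators so a value can never be mistaken for the start of a new
    entry or a new field; backslash is escaped first so the encoding is reversible."""
    value = value.replace("\\", "\\\\")
    return _CTRL.sub(lambda m: _NAMED.get(m.group(), "\\x%02x" % ord(m.group())), value)

def log_line_safe(ip: str, user: str, date: str, time: str, filename: str) -> str:
    return "\t".join(neutralize(v) for v in (ip, user, date, time, filename)) + "\n"

def parse_log(text: str) -> list:
    """Split the log the way a forensic reviewer (or a log analyser) would."""
    return [dict(zip(LOG_FIELDS, line.split("\t"))) for line in text.splitlines() if line]

# Constructed attacker-chosen file name, from the slide: it ends the real entry and
# appends a forged one attributing access to secret.doc to Tom from localhost.
FORGED_NAME = "file.txt\r\n127.0.0.1\tTom\t2004-02-19\t13:02:12\tsecret.doc"
```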
Canonicalization Issues
Escaping: many ways to represent a character:
US-ASCII
Hexadecimal escape codes
UTF-8 variable-width encoding
UCS-2 Unicode encoding
HTML escape codes
Double escaping
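As an added example (not the presentation's own code), the canonicalizer below reduces the spellings discussed on the Apache slides and on the three Canonicalization Issues slides above (case folding on a case-insensitive filesystem, NTFS ::$DATA streams, trailing dots, the \\?\ prefix, ../ traversal, percent escaping and double escaping) to one form before an access decision is made; the deny list is constructed to mirror the <Location /scripts> rule.

```python
import posixpath
from urllib.parse import unquote

DENIED = {"/scripts", "/secret"}   # constructed deny list, like <Location /scripts>

def canonicalize(raw: str, case_insensitive_fs: bool = True) -> str:
    """Reduce the many spellings of one resource name to a single form.
    Each step corresponds to an issue on the slides."""
    name = raw
    # Percent-decode until stable, so %252e%252e (double escaping) and %2e%2e both
    # end up as '..'. Bounded so a pathological input cannot loop forever.
    for _ in range(5):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    # Windows device-path prefix and backslashes: \\?\temp\myfile == \temp\myfile
    if name.startswith("\\\\?\\"):
        name = name[3:]
    name = name.replace("\\", "/")
    # NTFS alternate data stream suffix: secret.asp::$DATA names the same file
    name = name.split("::", 1)[0]
    # Collapse ../ and ./ segments, anchored at root so traversal cannot escape
    name = posixpath.normpath(posixpath.join("/", name))
    # Windows ignores trailing dots and spaces in the last component
    name = name.rstrip(". ") or "/"
    if case_insensitive_fs:            # HFS+ and NTFS compare names case-insensitively
        name = name.casefold()
    return name

def is_denied(raw: str) -> bool:
    canon = canonicalize(raw)
    return any(canon == d or canon.startswith(d + "/") for d in DENIED)

def naive_is_denied(raw: str) -> bool:
    """Exact string comparison: the check that each variant slips past."""
    return any(raw == d or raw.startswith(d + "/") for d in DENIED)
```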
Canonicalization Issues
Homograph attacks: characters look the same but are not: the Latin letter “o” and the Cyrillic character “о” (U+043E).
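An added example (not from the presentation) of the simplest check for the homograph problem above: derive each letter's script from its Unicode character name and flag a name that mixes scripts. The sample names are constructed, with the slide's Cyrillic о (U+043E) dropped into a Latin word.

```python
import unicodedata

def scripts_of(label: str) -> set:
    """Return the set of scripts used by the letters in a name, taken from the
    first word of the Unicode character name ('CYRILLIC SMALL LETTER O' -> 'CYRILLIC')."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue                       # digits, dots and hyphens carry no script
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts

def is_mixed_script(label: str) -> bool:
    """A single label mixing scripts (Latin + Cyrillic) is the classic homograph pattern.
    Legitimate names in some languages mix scripts too, so treat a hit as a
    reason to review, and use a confusables table (Unicode TR39) for full coverage."""
    return len(scripts_of(label)) > 1

# Constructed examples: the same word with and without the Cyrillic letter.
LATIN_NAME = "microsoft"
SPOOFED_NAME = "micr\u043esoft"
```

A name written entirely in Cyrillic look-alikes is not mixed-script and needs the confusables table mentioned in the comment.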
Moral
Software should not make decisions based on names.
If it has to, enforce name restrictions.
Don’t trust relative paths.
Data Base Inputs
Don’t trust the user. Data base access over the web can lead to execution of SQL code.

```
string sql = "select * from client where name = '" + name + "'";
```

The variable name is provided by the user. If name is Schwarz, this executes:

```
string sql = "select * from client where name = 'schwarz'";
```
Data Base Inputs
User enters: Schwarz' or 1=1 --
The SQL statement becomes:

```
string sql = "select * from client where name = 'schwarz' or 1=1 --";
```

This selects all clients. “--” is the SQL comment marker; it comments out everything behind it.
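An added example (not the presentation's code) that runs the concatenated query above against a constructed in-memory SQLite client table and contrasts it with a parameterized query, where the driver passes the value separately from the statement so quotes and comment markers in it stay data.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory client table standing in for the slides' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table client (name text, balance integer)")
    conn.executemany("insert into client values (?, ?)",
                     [("schwarz", 100), ("miller", 250), ("jones", 75)])
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The slide's pattern: the user's text is pasted into the statement."""
    sql = "select * from client where name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound to the placeholder, never parsed as SQL."""
    return conn.execute("select * from client where name = ?", (name,)).fetchall()

# The input from the slide (constructed string, as typed into the name field).
INJECTED = "schwarz' or 1=1 --"
```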
Buffer Overflow Attacks
Stack: push and pop.
Buffer Overflow Attacks
The stack is the area of program memory that contains statically allocated variables, return addresses, etc.
Buffer Overflow Attack

```c
#include <stdio.h>

/* Skeleton from the slide: a function with a small local buffer on the stack. */
void foo(const char* input) {
    char buf[10];
    printf("Hello World\n");
}

int main(int argc, char* argv[])
{
    foo(argv[1]);
    return 0;
}
```
Buffer Overflow Attack
Works by overwriting the return address to jump somewhere else.
Buffer Overflow Attack

```c
#pragma check_stack(off)   /* MSVC: disable the compiler's stack checks for the demo */
#include <string.h>
#include <stdio.h>

void foo(const char* input) {
    char buf[10];
    /* printf with %p and no arguments: deliberately dumps whatever is on the stack. */
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
    strcpy(buf, input);   /* no length check: the overflow under discussion */
    printf("%s\n", buf);
    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}
```
Buffer Overflow Attack

```c
void bar(void)
{
    printf("Augh! I've been hacked!\n");
}
```
Buffer Overflow Attack

```c
int main(int argc, char* argv[]) {
    printf("Address of foo = %p\n", foo);
    printf("Address of bar = %p\n", bar);
    if (argc != 2) {
        printf("Please supply a string as an argument!\n");
        return -1;
    }
    foo(argv[1]);
    return 0;
}
```
Buffer Overflow Attack

```
Chapter05>stackoverrun.exe Hello
Address of foo = 00401000
Address of bar = 00401050
My stack looks like:
00000000
00000A28
7FFDF000
0012FEE4
004010BB
0032154D

Hello
Now the stack looks like:
6C6C6548
0000006F
7FFDF000
0012FEE4
004010BB
0032154D
```
Buffer Overflow Attack
Fun, but useless. Real attack: overwrite the return address so that code execution jumps into the input given by the attacker.
Buffer Overflow Attack
To protect against signatures, structure the input as:
Varying stuff
execve(/bin/sh) (gives a new shell with the program’s privileges in UNIX)
Pointer to the execve statement
Buffer Overflow Attack: Finding vulnerabilities
Script kiddies scan the target with an automated tool.
The tool creator has a detailed analysis of the vulnerabilities.
Look for strcpy, gets, getws, memcpy, memmove, scanf, …
Alternatively, just cram input into the application until it crashes.
The crash is used to give you the contents of the registers.
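An added example (not from the presentation) of the source-audit step above from the reviewer's side: a small scanner that reports calls to the listed functions in C source, blanking comments and string literals first so a mention in a comment or a printf format is not reported. The advice strings are the scanner's own, and the sample input is the slide's foo() with a comment and a string added to show the filtering.

```python
import re

# Functions the slide lists as the first thing an auditor greps for, each with the
# safer pattern a reviewer would suggest.
RISKY_CALLS = {
    "strcpy": "use strncpy/strlcpy with an explicit destination size, or snprintf",
    "strcat": "use strncat/strlcat with an explicit destination size",
    "gets": "use fgets with the buffer size",
    "getws": "use a length-bounded wide-string reader",
    "memcpy": "check that the length argument is bounded by the destination size",
    "memmove": "check that the length argument is bounded by the destination size",
    "scanf": "use width limits (%9s) or read a line with fgets and parse it",
    "sprintf": "use snprintf with the destination size",
}
_CALL = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

def strip_comments_and_strings(src: str) -> str:
    """Blank out /* */ and // comments and string literals, keeping newlines so
    line numbers stay correct."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', blank, src, flags=re.S)

def audit(src: str) -> list:
    """Return (line_number, function, advice) for every risky call in C source."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for m in _CALL.finditer(line):
            findings.append((lineno, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings

# Constructed input: the foo() from the slides, plus a comment and a format string
# that mention strcpy without calling it.
SAMPLE_C = '''#include <string.h>
#include <stdio.h>
/* strcpy is discussed below */
void foo(const char* input) {
    char buf[10];
    printf("strcpy(%s)\\n", input);
    strcpy(buf, input);
    printf("%s\\n", buf);
}
'''
```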
Buffer Overflow Attack
Example: cram in lots of input consisting of As.
The program crashes and EIP has the value 41414141.
This is the sign of a buffer overflow. Now try to feed more specific input.
Buffer Overflow Attack
The attack signature can be used by an IDS.
Vary the NOP commands. Many alternatives.
Buffer Overflow Attack
Protection: make the stack non-executable. Use canary birds.
Buffer Overflow Attack
Stack Guard and MS Visual Studio use canaries.
Buffer Overflow Attack
MS Outlook vCard: virtual business card buffer overflow vulnerability.
IIS 5 Internet Printing Protocol.
Heap Overflow Attack
These protections do not apply to heaps, where dynamically allocated memory resides.
Some of this memory contains the addresses of functions that are going to be called.
Harder to find, harder to protect against.
Remember:
People attack computer systems because they can.