Common Vulnerabilities and Attacks From genesis to exploitation Max Caceres CORE Security Technologies www.coresecurity.com
Dec 20, 2015
Common Vulnerabilities and Attacks
From genesis to exploitation
Max CaceresCORE Security Technologies
www.coresecurity.com
Common vulnerabilities and attacks: from genesis to exploitation
Intro
Vulnerabilities and Attacks
Network Infrastructure Attacks
Application Attacks
Web Application Attacks
Q & A
AGENDA
A simple glossary of terms
Vulnerability– An error or weakness in design, implementation or operation
Threat– An adversary motivated and capable of exploiting a vulnerability
Attack– The means (sequence of actions) of exploiting a vulnerability
VULNERABILITY / THREAT / ATTACK
A vulnerability enables an attacker to subvert one or more of these security elements
Authentication– Who are you?
Authorization– What can you do?
Auditing– What did you do?
Confidentiality– Data can only be viewed by authorized parties
Integrity– Data is protected from accidental or deliberate modification
Availability– The system or service is available for legitimate users
SECURITY ELEMENTS
The origin of a vulnerability can typically be traced to a coding error or a design decision
Design– Hard-coded or design limitations– Unforeseen conditions– Implicit trust
Implementation– Coding mistakes– Misconfiguration
VULNERABILITY
Attacks can be classified by their impact: what is the attacker trying to achieve
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
ATTACKS BY IMPACT
We will cover the most popular network infrastructure attacks
Sniffing
ARP spoofing
Man in the Middle
SYN flood
Distributed Denial of Service
NETWORK INFRASTRUCTURE ATTACKS
Eavesdropping network traffic– Some link-layer protocols more vulnerable than others (ethernet, 802.11)
Authentication and private information can be viewed LAN access required
– Making the switch “stop switching” (resource starvation)
In certain network configurations, and attacker can eavesdrop on network traffic
SNIFFING
ARP | Who has 192.168.10.10?
ARP | is at de:ad:be:ef
Computer
switch
Computer
Computer Computer
MAC ADDR PORT
00:01:03:02 2
0a:bd:10:21 3
de:ad:be:ef 4
… …
Impersonate a different IP address– Stage a Man-in-the-Middle attack– Gratuitous ARP
IP relies on the ARP protocol to map IP addresses to physical addresses. ARP is not cryptographically sound.
ARP SPOOFING
ARP | Who has 192.168.10.10?
ARP | is at de:ad:be:ef
192.168.10.10 attacker
Server
ARP spoofs SERVER address
Attacker impersonates server– Credentials and private information can be captured
SSL– A warning is generated but, who reads them?
ARP spoofing is used to stage a MitM attack, where the attacker positions himself between the server and the victim to steal his private information
MAN IN THE MIDDLE
Sends response to VICTIMSends requests to ATTACKERvictim
attackerServer
Sends response to ATTACKERSends VICTIM req to SERVER
Keeps many TCP connections in the HALF-OPEN state– Resource starvation
A design weakness in the TCP session establishment sequence allows an attacker to exhaust the server’s memory
SYN FLOOD
SESSION SEQ#
23012:80 2222
12392:25 2223
12493:80 2224
… …
client server
SYN | port 80
SYN | ACK | ISN# 2222
ACK #2222 | port 80 | data
ACK #bbbb| data
Totally consumes the target network’s bandwidth– Resource starvation
Hard to trace– Attackers use compromised machines to launch attack
Several network nodes are used to “fill” the target system’s network
DISTRIBUTED DENIAL OF SERVICE
attacker
attacker
attacker
attacker
victim
attacker
We will cover the most popular application layer attacks
Buffer overflow
User supplied format strings
Integer manipulation
Race conditions
APPLICATION ATTACKS
Buffer overflows, format strings and integer manipulation attacks represent code injection attacks
Take advantage of implementation specifics at the machine code level– Most are C language specific– Attacks are tightly coupled with the target platform
Aimed at redirecting the execution flow of the target process– If the attack fails it will almost always crash the target process
Originate due to mistakes during coding
CODE INJECTION ATTACKS
Code Injection attacks are very dependant on internal memory structures such as the stack or the heap
Stack– Local variables– Function parameters– RETURN ADDRESSES
Heap– Dynamic memory allocation– Linked lists of memory blocks
MEMORY LAYOUT
Top of the stack
Function locals
Saved frame pointer (EBP)
Return address (saved EIP)
Function arguments
…
First block
Second block
Third block
Buffer overflows are the most common code injection vulnerability, often leading to system compromise
Data exceeds the expected size and memory is overwritten– Stack overflows– Heap overflows– Function pointer overwrite (regular function pointers, exception handlers, v-tables)
A simple example:
THE BUFFER OVERFLOW
void not_so_smart_f(char* user_controlled)
{
char not_big_enough[200];
strcpy(not_big_enough, user_controlled);
printf(“The user_controlled string really had %I chars”,
strlen(user_controlled));
}
/* profit */
Attacking a buffer overflow requires precise math but it is not that hard to execute
Attacks are broken in two pieces– Injection. Make the payload available to the target and point execution flow to
payload.– Payload. The code (actions) to be performed after control has been seized.
A simple example: the stack overflow attack
From the real world: MS DCOM overflow The Blaster Worm
BUFFER OVERFLOW | ATTACK
Top of the stack
not_big_enough (200 bytes)
Saved frame pointer (EBP)
Return address (saved EIP)
user_controlled*
Attack
Payload (pad to 200 bytes)
xxxx
New return address (payload address)
payload
xxxx
Payload address
Format string vulnerabilities are very easy to pinpoint and exploit
A user-controlled variable is used to format a specified buffer– C specific– printf() family of functions
A simple example:
USER SUPPLIED FORMAT STRINGS
void not_so_smart_f2(char* user_controlled)
{
char big_enough[200];
snprintf(big_enough, sizeof(big_enough)-1,
user_controlled, “not_so_smart_f2”);
irrelevant_computation();
}
/* profit */
A format string attack takes advantage of the vulnerability to write arbitrary memory addresses
Attacks are similar to a buffer overflow (separate injection + payload) The vulnerability can sometimes be used to read memory
From the real world: WU-FTPD format string
FORMAT STRING | ATTACK
Top of the stack
…
Saved return address (EIP)
pointer to “not_so_smart_f2”
user_controlled*
sizeof(big_enough)-1
big_enough*
big_enough (200 bytes)
Saved frame pointer (EBP)
Saved return address (&main)
Some “useful” format strings– %x. Prints the hexadecimal value of the
argument– %20x. Pads the output of “%x” with 20 space
characters to the left– %n. Stores the number of written characters
into the specified pointer
Integer errors are a serious coding mistake that can often go unseen
Data exceeds the expected size and memory is overwritten– Integer overflows and underflows– Signed vs Unsigned integers
A simple example:
INTEGER MANIPULATION
void not_so_smart_f3(char* user_controlled)
{
unsigned char len = strlen(user_controlled);
if(len < 255) {
char* new_str = malloc(len+1);
strcpy(new_str, user_controlled);
}
irrelevant_computation();
}
/* profit */
Another simple example:
From the real world: Apache Chunked Encoding Slapper worm
INTEGER MANIPULATION (2)
void not_so_smart_f4(char* user_controlled)
{
int len = strlen(user_controlled);
if(len < 254) {
char new_str[256];
strcpy(new_str, user_controlled);
}
irrelevant_computation();
}
/* profit */
Race condition vulnerabilities typically arise when checking for a given privilege and exercising that privilege are not an atomic operation
Coding mistake / Design issues Enough time to introduce changes exists between a privilege check is made
and a privilege operation is performed
A simple example:
From the real world: Linux kmod ptrace race condition
RACE CONDITIONS
void not_so_smart_f5()
/* running as root */
{
if(access(“/tmp/the_log_file”, W_OK) == 0) {
fd = open(“/tmp/the_log_file”, O_WRONLY | O_APPEND);
…
}
}
/* profit */
We will cover the most popular attacks against web applications
Session Management
SQL Injection
Cross Site Scripting
Parameter manipulation
WEB APPLICATION ATTACKS
Managing sessions securely is critical for web applications
HTTP protocol lacks the session concept– Based on isolated HTTP requests and responses– Client requests a URL, server sends the respective response
Applications need to identify multiple requests coming from the same user during the same session
– Shopping cart
Typically solved with cookies– Advantages
» Can be per-session only or browser can cache them» Browser makes cookies available only to the originating domain
– Disadvantages» User can modify them (as with everything else in an HTTP request)» Sometimes they are a proxy for authentication (replay attacks)
SESSION MANAGEMENT
A Cross Site Scripting vulnerability enables an attacker to insert arbitrary HTML code into the webpage received by the client
Lack of input validation An attacker can inject arbitrary HTML and script code into the webpage
received by the user A simple example
– Set username to “<SCRIPT>alert(‘PROFIT!’)</SCRIPT>”
Typically aimed at stealing cookies used for authentication
CROSS SITE SCRIPTING
Badly_written_CGI_script()
{
username = Request[‘user’]
output(“<html><body><h1>Good morning “ + username + “!</h1></html”)
}
SQL Injection attacks provide a direct interface into the database in the backend
Lack of input validation An attacker can execute arbitrary SQL statements in a backend database
A simple example
– Set username to “’; DROP TABLE audit_trail --”
Query ends up being:“SELECT * FROM users WHERE name =‘’; DROP TABLE audit_trail --’”
SQL INJECTION
Badly_written_CGI_script()
{
username = Request[‘user’]
query(“SELECT * FROM users WHERE name =‘” + username + “’”)
}
It is always a bad thing to trust parameters that the user can manipulate
Lack of input validation The application uses parameters embedded in the request to track session
information– HTTP Headers– Cookies– Hidden form fields
The attacker has complete control of the HTTP request A simple example
PARAMETER MANIPULATION
<HTML><HEAD><TITLE>Don’t do this at home</TITLE><HEAD>
<BODY>
<P>CLICK TO CONTINUE!
<FORM ACTION=/next>
<INPUT TYPE=HIDDEN NAME=“ADMIN” VALUE=“NO”>
<INPUT TYPE=SUBMIT VALUE=“NEXT”>
</FORM></BODY></HTML>
Some references for more vulnerability and attack information
Vulnerabilities– Bugtraq (http://www.securityfocus.com)– CERT (http://cert.org)– CVE (http://cve.mitre.org)– OWASP (http://www.owasp.org)
Attacks– http://www.packetstormsecurity.org/– http://community.corest.com/~juliano/
REFERENCES