Information Security CS 526 Lecture 11

1
Information Security CS 526Lecture 11

• Software Vulnerabilities Input Validation Issues

2
Steps in a standard break-in (Getting in)

• Get your foot in the door
• Steal a password file and run dictionary attack
• Sniff passwords off the network, social
  engineering
• Use input vulnerability in network-facing
  programs (e.g., web server, ftp server, mail
  server, browser, etc.)
• Use partial access to gain root (admin) access
• Break some mechanism on the system
• Often involve exploiting vulnerabilities in some
  local programs

3
Steps in a standard break-in (After Getting in)

• Set up some way to return
• Install login program or web server with back
  door
• Cover your tracks
• Disable intrusion detection, virus protection,
  system functions that show list of running
  programs,
• Perform desired attacks
• break into other machines
• taking over the machine

4
Common Software Vulnerabilities

• Input validation
• Buffer overflows
• Format string problems
• Integer overflows
• Failing to handle errors

5
Input Validation

• Sources of input
• Command line arguments
• Environment variables
• Function calls from other modules
• Configuration files
• Network packets
• Sources of input
• Web form input
• Scripting languages with string input

6
Weak Input Validation

• What are some things that the attacker may try to
  achieve?
• Crash programs
• Execute arbitrary code
• setuid or setgid programs
• Obtain sensitive information
• Many web site examples
• Web form input
• Scripting languages with string input

7
Command line

• User can set command line arguments to almost
  anything
• Using execve command
• Do not trust name of the program (it can be sent
  to any value including NULL)
• Do not check for bad things (blacklisting)
• Check for things that are allowed (whitelisting)
• Check all possible inputs

8
Simple example

• void main(int argc, char argv)
• char buf1024
• sprintf(buf,cat s,argv1)
• system (buf)
• Can easily add things to the command by adding

9
Environment variables

• Users can set the environment variables to
  anything
• Using execve
• Has some interesting consequences
• Examples
• LD_LIBRARY_PATH
• PATH
• IFS

10
An example attack

• Assume you have a setuid program that loads
  dynamic libraries
• UNIX searches the environment variable
  LD_LIBRARY_PATH for libraries
• A user can set LD_LIBRARY_PATH to /tmp/attack and
  places his own copy of the libraries here
• Most modern C runtime libraries have fixed this
  by not using the LD_LIBRARY_PATH variable when
  the EUID is not the same as the UID or the EGID
  is not the same as the GID

11
More fun with environment variables

• A setuid program has a system call system(ls)
• The user sets his PATH to be . and places a
  program ls in this directory
• The user can then execute arbitrary code as the
  setuid program
• Solution Reset the PATH variable to be a
  standard form (i.e., /bin/usr/bin)

12
Even more fun

• However, you must also reset the IFS variable
• IFS is the characters that the system considers
  as white space
• If not, the user may add s to the IFS
• system(ls) becomes system(l)
• Place a function l in the directory

13
A Remote Example PHP passthru

• Idea
• PHP passthru(string) executes command
• Pages can construct string from user input
• Put in user input to run your favorite
  command
• Morris Internet worm did something similar using
  
• Example
• passthru(find . print xargs cat grep
  test)
• User input ls /
• Runs find . print xargs cat grep
  ls /

14
Readings for This Lecture
15
Coming Attractions

• September 24
• Buffer overflow (attacks defenses)