Computer Forensics Use of Malicious Input

Computer Forensics

Use of Malicious Input

Buffer and Heap Overflow Attacks

Standard Tool to Break Into Systems.

Used for Access Escalation. Very Common. Prototype of an Attack Mode.

Beware of User Input

Anonymous FTP should allow access to files selectively.

One implementation parsed the file name.

Assume /pub/acc is an allowed directory.

Request: get /pub/acc/../../../etc/passwd

Beware of User Input

This implementation only parsed the first part of the string.

Decided access is OK get /pub/acc/../../../etc/passwd

Allowed access to any file. Took several versions before the

security breach was firmly patched.

Morale: Don’t reinvent the wheel.

Other implementations used a sandbox. Community had learned how to get it right.

Parsing input is difficult. Users have an incentive to be inventive.

ALL INPUT IS EVIL

ALL INPUT IS EVIL Canonical Representation Issues

Canonicalization: Translates name to standard representation.

Canonical Filenames Napster Name Filtering. Ordered to restrict access to certain songs. Access was denied based on name of the song. Users bypassed it with uncanonical song names

Deepest Chill Deepest Chi11 Candyman AndymanCay (in pig latin)

ALL INPUT IS EVIL Mac OS X and Apache

Vulnerability HFS+ is case insensitive. Apache uses text-based

configuration files, that are case sensitive, to determine

Disallow access to directory scripts:<Location /scripts>

order deny, allow

deny from all

</Location

ALL INPUT IS EVIL

Denies user request

Allows user request

http://www.mysite.org/scripts/index.html

http://www.mysite.org/SCRIPTS/index.html

ALL INPUT IS EVIL

Sun StarOffice /tmp directory symbolic link vulnerability

Symbolic link: file that points to another file.

Symbolic links do not share access rights with the file they point to.

ALL INPUT IS EVIL

Sun StarOffice creates file /tmp/soffice.tmp with 0777 access mask.

Attacker links /tmp/soffice.tmp to /etc/passwd.

Root runs StarOffice Permissions on /etc/passwd would

get changed to 0777.

Canonicalization Issues

Subsystems cooperate. First subsystem does not

canonicalize input in the way the second one does.

Canonicalization Issues Common when software make decisions

on file names 8.3 representation of file names IIS looks at extensions. Request to ***.asp::$DATA is routed to

asp.dll. But this is a NTFS stream, that sends the ASP source code to the user.

Trailing dots or slashes “secretFile.doc.” is same as “secretFile.doc” for

windows.

Canonicalization Issues \\?\temp\myfile is the same as \temp\myfile Directory traversal ../

AOL 5.0 parental controls: Bypass restriction on URL by adding period to file

name. Secure IIS verifies incoming and outgoing

data Use hexcode: %64elete instead of delete for key

words. Use “%2e%2e/” for “../” Two canonalization issues in Security Software!


Lines with carriage returns: Assume logging of file access:

Attacker accesses file:

Log entry:

111.11.11.11 Mike 2004-02-19 13:02:12 file.txt

111.11.11.11 Mike 2004-02-19 13:02:12 file.txt

127.0.0. 1 Tom 2004-02-19 13:02:12 secret.doc

file.txt\r\n127.0.0.1\tTom2004-02-19\t13:02:12\tsecret.doc

Canonicalization Issues Escaping: Many ways to represent

a character US-ASCII Hexadecimal escape codes UTF-8 variable width encoding UCS-2 Unicode encoding HTML escape codes

Double Escaping


Homograph Attacks Characters look the same, but are

not Latin letter “o” Cyrillic character “o” (U+043E)

Morale

Software should not make decisions based on names.

If it has do, enforce name restrictions

Don’t trust relative paths.

Data Base Inputs

Don’t trust the user. Data base access over the web lead to

execution of sql code. string sql = “select * from client where name =

‘” + name + “’” Variable name provided by user If name is Schwarz, this executes string sql = “select * from client where name =

‘schwarz’”

Data Base Inputs

User enters: Schwarz’ or 1=1 - -

The sql statement becomes string sql = “select * from client where name =

‘schwarz’ or 1=1 - -”

Selects all clients - - SQL comment, comments out

everything behind.

Buffer Overflow Attacks Stack: push and

pop

Buffer Overflow Attacks

Stack is area of program memory that contains static allocated variables, return addresses, etc.

Buffer Overflow Attack

void foo(const char* input) {

char buf[10]; printf("Hello World\n");

}

int main(int argc, char* argv[])

{

foo(argv[1]); return 0;

}


Works by overwriting the return address to jump somewhere else.


#pragma check_stack(off)

#include <string.h>

#include <stdio.h>

void foo(const char* input) {

char buf[10];

printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

strcpy(buf, input);

printf("%s\n", buf);

printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); }

Buffer Overflow Attackvoid bar(void)

{

printf("Augh! I've been hacked!\n");

}

Buffer Overflow Attackint main(int argc, char* argv[]) {

printf("Address of foo = %p\n", foo); printf("Address of bar = %p\n", bar); if (argc != 2) {

printf("Please supply a string as an argument!\n");

return -1; } foo(argv[1]); return 0;

}

Buffer Overflow AttackChapter05>stackoverrun.exe Hello Address of foo = 00401000 Address of bar = 00401050 My stack looks like: 00000000 00000A28 7FFDF000 0012FEE4 004010BB 0032154D

Hello Now the stack looks like: 6C6C6548 0000006F 7FFDF000 0012FEE4 004010BB 0032154D

Buffer Overflow Attack Fun, but useless. Real attack:

overwrite return address so that code execution jumps into the input given by attacker.


To protect against signatures, structure input Varying stuff execve(/bin/sh) (gives new shell with

program privileges in UNIX) Pointer to execve statement.

Buffer Overflow Attack Finding vulnerabilities

Script-kiddies scan target with automated tool.

Tool creator has detailed analysis of vulnerabilities.

Look for strcpy, gets, getws, memcpy memmove, scanf, …

Alternatively, just cram the application until it crashes.

Crash used to give you locations of registers.


Example: Cram in lots of input of As.

Program crashes, EIP has value 41414141.

Sign of buffer overflow. Now try to feed more specific

input.


Attack signature can be used by IDS.

Vary the NOP commands. Many alternatives.


Protection Make stack non-executable. Use canary birds.


Stack Guard MS Visual Studio

use canaries.


MS OutlookVcard: Virtual business card buffer overflow vulnerability.

IIS 5 Internet Printing Protocol

Heap Overflow Attack These protections do not apply to

heaps, where dynamically allocated memory resides.

Some of this memory contains the addresses of functions that are going to be called.

Harder to find, harder to protect against.

Remember:

People attack computer systems because they can.

Computer Forensics Use of Malicious Input

Documents

Transcript of Computer Forensics Use of Malicious Input