Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities

Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities Adam Doupé, Bryce Boe, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara CCS 2011 – 10/19/11

description

Presentation at the 2011 ACM Conference on Computer and Communications Security (CCS) on the paper "Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities". The paper is available here: http://cs.ucsb.edu/~adoupe/static/fear-the-ear-ccs2011.pdf

Transcript of Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities

1. Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities
   Adam Doupé, Bryce Boe, Christopher Kruegel, and Giovanni Vigna
   University of California, Santa Barbara
   CCS 2011 - 10/19/11

2. Motivation
   - Everyone uses web applications
   - Web applications are written by humans
   - They have flaws
   - Input sanitization flaws (XSS, SQLi) are most prevalent
   - Logic flaws are harder to detect than input sanitization flaws
   Doupé - 10/19/11

3. HTTP Redirects
   GET /user/info HTTP/1.1
   Host: example.com

   HTTP/1.1 302 Moved
   Location: http://example.com/login

   GET /login HTTP/1.1
   Host: example.com

4. Execution After Redirect: Overview
   - Developer issues a redirect assuming execution will halt
   - Redirect used as a goto
   - This is how it appears from the browser's perspective
   - However, code continues to execute

5. Execution After Redirect: Example
   class TopicsController < ApplicationController
     def update
       @topic = Topic.find(params[:id])
       if not current_user.is_admin?
         redirect_to("/")
       end
       @topic.update_attributes(params[:topic])
       flash[:notice] = "Topic updated!"
     end
   end

6. EAR History
   - 17 Common Vulnerabilities and Exposures (CVE) entries, starting in 2007
   - Difficult to find: no consistent category
   - Blog post about CakePHP in 2006 resulted in a bug filed and documentation changed
   - Prior work on logic flaws found an EAR in a J2EE web application
   - No one recognized it as a systemic logic flaw amongst web applications

7. EAR Security Challenge
   - Attempt to observe familiarity with EARs
   - Added an EAR challenge to the 2010 iCTF
   - Results: 34 / 72 teams accessed the page that redirected them and leaked information; 12 of the 34 discovered and exploited the vulnerability
   - Conclusion: teams not very familiar

8. Types of EARs
   - Benign: no confidentiality or integrity violated
   - Vulnerable: allows for the unauthorized modification of the application state or discloses unauthorized data

9. EAR: Information Leakage
   [figure]

10. EAR: Nested Example
   class UsersController < ApplicationController
     def ensure_admin
       unless current_user.is_admin?
         redirect_to("/")
         return
       end
     end

     def delete
       ensure_admin()
       @user = User.find(params[:id])
       @user.delete()
       flash[:notice] = "User Deleted"
     end
   end

11. Outline
   - Overview of Execution After Redirects
   - EAR Detection Algorithm
   - Results
   - Prevention

12. EAR Detection: Overview
   - Static source code analysis
   - Attempt to find code that can possibly be executed after a redirect
   - Distinguish between benign and vulnerable

13. EAR Detection: Overview
   1. Build CFG
   2. Find redirection methods
   3. Prune infeasible paths
   4. Detect EARs
   5. Classify as vulnerable

14. EAR Detection: Build Control Flow Graph
   - CFG built using prior work: the Diamondback Ruby parser by Furr et al.
     - Simplifies Ruby into an easier-to-analyze format
     - Compiles Ruby into a subset called Ruby Intermediate Language (RIL)
   - CFG can be incomplete: eval, Ruby's dynamic nature

15. EAR Detection: Build CFG
   class UsersController < ApplicationController
     def ensure_logged_in
       unless current_user
         redirect_to("/") and return true
       end
       @logged_in_users += 1
       return false
     end

     def delete_all
       unless ensure_logged_in()
         return
       end
       User.delete(:all)
     end
   end

16. EAR Detection: Build CFG
   [CFG figure for the code on slide 15: nodes _tmp_ = ensure_logged_in(), current_user, redirect_to("/"), return true, @logged_in_users += 1, return false, branch on _tmp_, User.delete(:all), return nil]

17. EAR Detection: Find Redirection Methods
   - Find all program paths in the CFG that call the Ruby on Rails method redirect_to
   - Inter-procedural analysis
     - Methods that call redirect_to are added to interesting_methods
     - All methods that call an interesting_method are added to interesting_methods
     - Rinse and repeat until a fixpoint is reached

18. EAR Detection: Find Redirect Methods
   [Same CFG figure as slide 16, annotated for this step]

19. EAR Detection: Prune Infeasible Paths
   [Same CFG figure as slide 16, annotated for this step]

20. EAR Detection: Detect EARs
   [Same CFG figure as slide 16, annotated for this step]

21. EAR Detection: Classify as Vulnerable
   - Simple heuristic: names of methods that modify the database
   - Search for these on the path

22. Results
   - 18,127 Ruby on Rails projects from GitHub
   - 1,173 projects contained 3,944 EARs
     - 3,089 benign EARs
     - 855 vulnerable EARs

23. EAR Email Notification
   - 624 project maintainers notified
   - 107 responded
     - 49 confirmed the EAR we reported
     - 26 told us that the app was a demo or toy
     - 3 pointed out false positives
     - 6 NOFIX
     - Rest thanked us but did not offer confirmation

24. Detection Effectiveness
   - Manual verification of all vulnerable EARs
     - 485 true vulnerable (56.7%)
     - 325 false positives (vulnerable) (38.0%)
     - 45 false positives (EARs) (5.3%)
   - Manual verification of 200 random benign EARs
     - 13 false positives (EARs) (6.5%)
     - 0 false negatives (vulnerable)

25. True Positive Example
   class BanksController < ApplicationController
     def redirect_to_login
       redirect_to("/login") and return
     end

     def create
       if not current_user.is_admin?
         redirect_to_login() and return
       end
       @bank = Bank.create(params[:bank])
     end
   end

26. False Positive Example
   class UsersController < ApplicationController
     def update
       if request.get?
         redirect_to("/users")
       end
       if request.post?
         @user = User.find(params[:id])
         @user.update_attributes(params[:user])
       end
     end
   end

27. EAR Detection: Limitations
   - False negatives: eval, send
   - False positives: infeasible paths, no type analysis, vulnerable EARs

28. Framework Susceptibility
   - Analyzed 9 web frameworks: Rails, Grails, Django, ASP.NET MVC, Zend Framework, CakePHP, CodeIgniter, J2EE, Struts
   - Susceptible: Ruby on Rails, Grails, J2EE, Struts

29. Prevention
   - Secure design: Django, ASP.NET MVC
   - Terminate process or thread: ASP.NET, CakePHP, Zend, CodeIgniter
   - Patched Ruby on Rails: exception handling

30. Contributions
   - Described a relatively unknown web application vulnerability called Execution After Redirect (EAR)
   - Developed an algorithm to statically detect EARs in Ruby on Rails applications
   - Discovered many vulnerabilities in real-world open-source Ruby on Rails applications

31. Questions?
   Code: http://github.com/adamdoupe/find_ear_rails
   Email: [email protected]
   @adamdoupe
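The slide-5 controller and the "and return" fix from the prevention slides, as an added example written for this page (not code from the talk or the paper). It assumes a constructed stand-in for ActionController whose redirect_to, like the real one, records the 302 and returns a truthy value without halting the action; Topic and User are in-memory structs, not ActiveRecord models.

```ruby
# Constructed in-memory stand-ins for the Rails models on the slide.
Topic = Struct.new(:id, :title)
User  = Struct.new(:name, :admin) do
  def is_admin?; admin; end
end
# Stand-in for ActionController: redirect_to only records the 302 and
# returns a truthy value; it never halts the action. That is the root of EAR.
class FakeController
  attr_reader :response
  def initialize(current_user, topics)
    @current_user = current_user
    @topics = topics
    @response = nil
  end
  def redirect_to(path)
    @response = [302, path]
  end
end

# Slide 5 pattern: redirect used as a goto. The browser sees a 302, but the
# write below still runs for a non-admin user (a vulnerable EAR).
class VulnerableTopicsController < FakeController
  def update(params)
    topic = @topics[params[:id]]
    redirect_to("/") unless @current_user.is_admin?
    topic.title = params[:title]            # executes after the redirect
    @response ||= [200, "Topic updated!"]
  end
end

# Fixed: "redirect_to(...) and return" leaves the action right away, because
# redirect_to's truthy return value makes the "and return" fire.
class FixedTopicsController < FakeController
  def update(params)
    topic = @topics[params[:id]]
    redirect_to("/") and return @response unless @current_user.is_admin?
    topic.title = params[:title]
    @response = [200, "Topic updated!"]
  end
end

# Sends one request through a controller class as an admin or a non-admin and
# returns [response, stored title afterwards] so any state change is visible.
def run_request(controller_class, admin)
  topics = { 1 => Topic.new(1, "original") }
  ctl = controller_class.new(User.new("alice", admin), topics)
  ctl.update(id: 1, title: "changed")
  [ctl.response, topics[1].title]
end
```

Both controllers answer a non-admin request with the same 302, so the browser cannot tell them apart; only the stored title shows that the vulnerable one kept executing.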
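The "find redirection methods" fixpoint (slide 17) and the name-based vulnerable heuristic (slides 20 and 21), as an added example written for this page; it is not the find_ear_rails tool. It assumes a constructed call graph in which each method is a straight-line list of the calls it makes, a simplification of the CFG the real analysis walks (so no infeasible-path pruning happens here).

```ruby
require "set"

REDIRECT = "redirect_to"
# Slide 21 heuristic: names of methods that modify the database.
DB_WRITE = /\b(create|save|update|update_attributes|delete|destroy)\b/

# Constructed call graph: method => the calls it makes, in program order.
CALL_GRAPH = {
  "TopicsController#update"      => ["Topic.find", REDIRECT, "Topic#update_attributes"],
  "UsersController#ensure_admin" => [REDIRECT],
  "UsersController#delete"       => ["UsersController#ensure_admin", "User.find", "User#delete"],
  "UsersController#show"         => ["UsersController#ensure_admin", "User.find"],
  "PagesController#index"        => ["Page.find"],
}

# Slide 17: methods that call redirect_to are interesting; methods that call
# an interesting method are interesting; repeat until nothing new is added.
def interesting_methods(graph)
  interesting = graph.select { |_, calls| calls.include?(REDIRECT) }.keys.to_set
  loop do
    added = graph.keys.reject { |m| interesting.include?(m) }
                      .select { |m| graph[m].any? { |c| interesting.include?(c) } }
    break if added.empty?
    interesting.merge(added)
  end
  interesting
end

# Slides 20-21: anything after a call that may redirect is an EAR; it is
# classed vulnerable if a database-modifying name appears on that tail.
def classify(graph)
  redirectors = interesting_methods(graph) << REDIRECT
  graph.each_with_object({}) do |(m, calls), out|
    idx  = calls.index { |c| redirectors.include?(c) }
    tail = idx ? calls[(idx + 1)..-1] : []
    out[m] = if tail.empty? then :no_ear
             elsif tail.any? { |c| c =~ DB_WRITE } then :vulnerable
             else :benign
             end
  end
end
```

Fed the slide-26 update action, this linear model would also report a vulnerable EAR, which is exactly the infeasible-path false positive slide 27 lists.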