Sample slides and handout

Transcription

1 Join the Secure Coding Academy group on LinkedIn and stay informed about our courses!

2 [FOOTER] Sample slides and handout 2016 SCADEMY Secure Coding Academy Confidential. These materials are provided to attendees at Sample slides and handout training on at. The materials may be printed out for the convenience of the participants, however all materials handed over in connection with the training should be used only by the attendees and for the purpose of the training itself. The virtual machine should be deleted upon finishing the training, while the exercises can be kept from it for further reference.

3 [FOOTER] Sample slides and handout Table of Contents Web application vulnerabilities... 4 SQL Injection... 5 Other injection flaws... 7 C/C++ vulnerabilities... 8 Stack overflow... 9

4 Sample slides and handout Gauthier Befahy Web application vulnerabilities 4

5 SQL Injection SQL Injection Very common problem: composing an SQL command via string operations by using external (user) input: String username = ctx.getauthenticatedusername(); String itemname = request.getparameter("itemname"); String query = "SELECT * FROM items WHERE owner = '" + username + "' AND itemname = '" + itemname + "'"; ResultSet rs = stmt.execute(query); This would be the expected query: SELECT * FROM items WHERE owner = 'admin' AND itemname = 'pen' However, if for itemname someone enters name' OR 'a'='a, the SQL command will query each item from the table: SELECT * FROM items WHERE owner = 'whoever' AND itemname = 'name' OR 'a'='a' 4 5

6 SQL Injection exercise Open the example web app cars.com in IE (or use the cars.com bookmark) Select Compact cars In Eclipse, check Browse.java (WebExample workspace) Experiment with URL in the browser Check query snippets in attacker.com/queries.txt Enter admin' # as username Check UserManager.java 5 SQL Injection protection methods Blacklisting: filtering out certain characters or keywords Problem: DROP DRO/**/P Problem: character encoding (e.g. Unicode) And may also filter out legitimate input Input validation Custom solutions JSF validator (only on the presentation level) Prepared statements String query="select * from table WHERE id=" + var; String query="select * from table WHERE id=?"; PreparedStatement preparedstatement=conn.preparestatement(query); preparedstatement.setint(1, Integer.parseInt(var)); 6 6

7 Other injection flaws Command injection String btype = request.getparameter("backuptype"); String cmd = new String( "#pre##budirs#backup.bat "+btype+" & #budirs#cleanup.bat") System.Runtime.getRuntime().exec(cmd); A shell command string composed from user input is used to start other programs with a parameter Expected result e.g. if value backuptype is "FULL": #pre##budir#backup.bat FULL & #budir#cleanup.bat However, if backuptype is "#attack#", the executed command will be: #pre##budir#backup.bat #attack# & #budir#cleanup.bat 8 7

8 C/C++ vulnerabilities The function calling mechanism in C/C++ on x86 Placing arguments (in reversed order) Calling the function (saving return address) Saving the state of the caller (EBP) Allocating space for and initialization of local variables function execution Freeing local variables Restoring caller state Returning to the caller Cleaning up arguments void function(int a, int b) { int i,j,k=3; // } int main(int argc, char* argv[]) { function(1,2); } k (=3) j i saved ebp return address a (=1) b (=2)

9 The local variables and the stack frame Information stored in the stack for a function Local variables Saved base pointer (EBP) Return address Parameters (arguments) Stack frame 0x Mem.addr. 0xFFFFFFFF EBP register is used to point to the actual stack frame But not to the top of the stack (that's ESP) EBP points to where the caller's EBP is saved Local variables are at EBP-x (from ESP to EBP-4) Return address is at EBP+4 Parameters are at EBP+8, EBP+12, 11 Stack overflow 9

10 Buffer overflow on the stack #include <stdio.h> #include <string.h> esp 0x void function(char *input) { int i = 1; int j = 2; The buffer char buffer[8]; can overflow strcpy(buffer,input); printf( %x %x %s\n",i,j,buffer); } ebp buffer[8] (=?) j (=2) i (=1) ebp (=main() s ebp) Return address input (=argv[1]) Stack frame of function() int main(int argc, char* argv[]) { int k=3; function(argv[1]); return 0; } k (=3) ebp (=prev. stack fr.) Return address argc (=1) argv (=cmd line args) Stack frame of main() 0xFFFFFFFF 13 Overwriting the return address No boundary check A long input causes the strcpy(buffer,input) to write over the boundaries of the local buffer Even the return address can be overwritten -> this will be exploitable "abcdefghijklmnopqrstuvwx " esp ebp 0x buffer[8] (=?) j (=2) i (=1) ebp (=main() s ebp) Return address input (=argv[1]) k (=3) ebp (=prev. stack fr.) Return address argc (=1) argv (=cmd line args) Stack frame of function() Stack frame of main() 0xFFFFFFFF 14 10

11 Exploiting stack overflow jumping to arbitrary address By entering a special input we can jump to any place in the code that would be hard to execute otherwise else { B4 EB 0D jmp main+53h (4010C3h) puts("access granted"); B EC push offset xt_z+144h BB E call puts (401358h) C0 83 C4 04 add esp,4... } return 0; } Target is address 0x4010B6 (the "Access granted" branch) Access granted 15 Exercise BOFIntro a simple exploit Let s jump to the code puts("access granted"); without actually knowing the password Overwrite the return address with address of this line Craft an appropriate input string Determine the address of target line >(gdb) disas /m main Address -> input characters (don t forget to switch order because of little endian representation) Execute./BOFIntro with this input! >./BOFIntro abcdefghijklmnopqrst$#bofi_expl# 16 11

12 Thank you! Gauthier Befahy Join the Secure Coding Academy group on LinkedIn and stay informed about our courses! 12