November 12, 2012 Attacking Back-End Components Chapter 10
Page 1: Attacking Back-End Components

November 12, 2012

Attacking Back-End Components. Chapter 10

Page 2: Attacking Back-End Components

Back-end Components?

✤ Mail Services

✤ Operating System

✤ XML and SOAP

✤ HTTP Requests

Page 3: Attacking Back-End Components

How do we attack? Injection

✤ Useful encodings: Dot - %2e, Slash - %2f, Backslash - %5c, & - %26, Equals - %3d, CRLF - %0d%0a, null terminator - %00

✤ Also consider unicode, UTF-8, and double URL style encodings that may not be handled.

Page 4: Attacking Back-End Components

How do we defend?

✤ User-input validation

✤ Don’t pass user input through unnecessarily, and certainly not without validation
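The two slides above (the encodings an attacker reaches for, and the defence of validating input before it reaches a back-end component) as an added Python example that is not part of the slide deck: the parameter is canonicalized by percent-decoding until it stops changing, so a double-encoded %252e is seen as a dot and a malformed UTF-8 sequence is rejected outright, and only then is it checked against the slide's metacharacter list. The sample inputs and the three-round decode limit are constructed for the demonstration.

```python
from urllib.parse import unquote

# The slide's list of encodings an attacker reaches for, decoded so that
# checks run on the real characters rather than on their %XX spellings.
METACHARS = {
    '.': 'dot', '/': 'slash', '\\': 'backslash', '&': 'ampersand',
    '=': 'equals', '\r': 'CR', '\n': 'LF', '\x00': 'NUL',
}


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing.

    A single unquote() turns %252e into %2e, which a naive filter would pass;
    the second round yields '.'.  max_rounds (an assumed limit) caps the work
    an attacker can force with deeply nested encodings.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_bad_encoding(value: str) -> bool:
    """True when decoding produced bytes that are not valid UTF-8.

    unquote() substitutes U+FFFD for them, so the overlong form %c0%ae of '.'
    is refused here instead of slipping past the character check.
    """
    return '\ufffd' in canonicalize(value)


def find_metachars(value: str) -> list:
    """Names of the slide's metacharacters present after canonicalization."""
    canon = canonicalize(value)
    return sorted({METACHARS[ch] for ch in canon if ch in METACHARS})


def check_param(value: str):
    """The slide's defence in one call: canonicalize, then validate.

    Returns (canonical_value, reasons); an empty reasons list means the
    parameter may be passed on to the back-end component.
    """
    reasons = []
    if has_bad_encoding(value):
        reasons.append('malformed encoding')
    reasons.extend(find_metachars(value))
    return canonicalize(value), reasons


if __name__ == '__main__':
    # Constructed sample inputs: one clean, the rest using the slide's encodings.
    for sample in ('report', '%2e%2e%2fetc', '%252e%252e%252fetc',
                   'john%0d%0aBcc:x', '%c0%ae'):
        canon, reasons = check_param(sample)
        print(f'{sample!r:28} -> {canon!r:16} {reasons or "clean"}')
```

The order matters: validating first and decoding afterwards is exactly the gap the slide warns about, because a filter that looks for "." never sees the "%252e" that the back-end will eventually decode.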

Page 5: Attacking Back-End Components
Page 6: Attacking Back-End Components

Mail: Email Header Manipulation

✤ Simple to check for: tack “%0aBcc: [email protected]” onto our address in the From field. If you receive the Bcc, your input is being passed straight through to the mail server. (Also try %0d%0a.)

✤ Interesting, but Bcc’ing people with our form input isn’t the most useful ability.

Page 7: Attacking Back-End Components

Mail: SMTP Command Injection

✤ [email protected]&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:[email protected]%0d%0aRCPT+TO:+john@wahh-mail.com%0d%0aDATA%0d%0aFrom:[email protected]%0d%0aTo:+john@wahh-mail.com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo

✤ Decoded, the mail server sees the conversation below. The application’s own message ends at the first “.” on a line by itself; everything after it is read as fresh SMTP commands:

    MAIL FROM: [email protected]
    RCPT TO: [email protected]
    DATA
    From: [email protected]
    To: [email protected]
    Subject: Site+feedback
    foo
    .
    MAIL FROM: [email protected]
    RCPT TO: [email protected]
    DATA
    From: [email protected]
    To: [email protected]
    Subject: Cheap V1AGR4
    Blah
    .
    foo
    .

✤ (textbook p400)

Page 8: Attacking Back-End Components

Mail: Preventing

✤ Rigorous validation of user-supplied data that will go to email

✤ Addresses should pass a regex test that rejects newlines (among the other characters that are invalid in email addresses)

✤ The subject should not contain newlines and should be of reasonable length

✤ If the contents are being directly transmitted to SMTP, you should reject any inputs that have a “.” on a line by itself.
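The four rules on this slide as an added Python example (not code from the slides or the textbook): a strict address regex that can never match a CR or LF, a subject check for newlines and length, and a body check for a “.” alone on a line, combined into one validator the form handler calls before anything goes to the mail component. The address grammar, the 200-character subject limit and the sample submissions are constructed for the demonstration.

```python
import re

# Strict address grammar: local part, one '@', a dotted domain, built only from
# characters that can never be CR, LF, whitespace or SMTP syntax.  Narrower than
# RFC 5322 on purpose, which is what the slide asks for (assumed grammar).
ADDRESS_RE = re.compile(r'[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')
MAX_SUBJECT_LEN = 200  # "reasonable length"; an assumed limit


def validate_address(addr: str) -> bool:
    """Whole-string match, so a trailing '\\nBcc: ...' can never ride along."""
    return ADDRESS_RE.fullmatch(addr) is not None


def validate_subject(subject: str) -> bool:
    """No CR or LF (a new header or SMTP command could follow) and a bounded length."""
    return (0 < len(subject) <= MAX_SUBJECT_LEN
            and '\r' not in subject and '\n' not in subject)


def body_has_lone_dot(body: str) -> bool:
    """True if any line is just '.', which SMTP reads as end-of-DATA; the text
    after it would then be parsed as fresh commands (the previous slide's injection)."""
    return any(line == '.' for line in body.splitlines())


def validate_feedback(from_addr: str, subject: str, message: str) -> list:
    """Collect every reason the form submission must be rejected.
    An empty list means the fields are safe to hand to the mail component."""
    problems = []
    if not validate_address(from_addr):
        problems.append('from: not a plain address')
    if not validate_subject(subject):
        problems.append('subject: newline or bad length')
    if body_has_lone_dot(message):
        problems.append('message: "." alone on a line')
    return problems


if __name__ == '__main__':
    # Constructed submissions: one honest, one carrying the header-manipulation
    # probe from the earlier slide, two carrying decoded SMTP command injection.
    cases = [
        ('student@example.edu', 'Site feedback', 'Works great.'),
        ('student@example.edu\nBcc: someone@example.com', 'Site feedback', 'hi'),
        ('student@example.edu', 'Site feedback\r\nfoo\r\n.\r\nMAIL FROM:x', 'foo'),
        ('student@example.edu', 'Hello', 'foo\r\n.\r\nMAIL FROM: x@example.net'),
    ]
    for fields in cases:
        print(validate_feedback(*fields) or ['accepted'])
```

Rejecting rather than stripping is deliberate: a submission that contains a bare CR, LF or lone dot is not a typo, so dropping the characters and sending anyway would hide the probe from whoever reads the logs.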

Page 9: Attacking Back-End Components

Mail & OS: Tip

✤ TIP: Functions to send email to application support personnel are frequently regarded as peripheral and may not be subject to the same security standards or testing as the main application functionality. Also, because they involve interfacing to an unusual back-end component, they are often implemented via a direct call to the relevant operating system command. Hence, in addition to probing for SMTP injection, you should closely review all e-mail-related functionality for OS command injection flaws. (textbook p. 401)

Page 10: Attacking Back-End Components

OS: Let’s look at the passwd file

    #!/usr/bin/env perl
    use strict;
    use CGI qw(:standard escapeHTML);

    print header, start_html("");
    print "<pre>";

    my $command = "du -h --exclude php* /var/www/html";
    # Append user supplied "dir" parameter value to our command
    $command = $command.param("dir");
    # Backticks hand the whole string to the shell, so metacharacters in "dir" are honoured
    $command = `$command`;

    print "$command\n";

    print end_html;

✤ AHA! http://server/foo.cgi?dir=/public|%20cat%20/etc/passwd

Page 11: Attacking Back-End Components

OS: Seems too simple?

✤ This type of command injection has been found many times in commercial products

✤ HP OpenView was recently found to have one at URL:

http://target:3443/OvCgi/connectedNodes.ovpl?node=a| [command] |

✤ Fortunately, attackers are still limited to running commands at the web server’s (hopefully) restricted permissions, but that is more than we want them to be able to do!

Page 12: Attacking Back-End Components

OS: Where to Look

✤ When mapping your application (as described in Chapter 4), you should already have pinpointed places where the application interacts with the operating system by filesystem or process calls.

✤ You want to probe the places where these interactions happen in order to find possible injection paths.

✤ In testing for vulnerabilities, consider various metacharacters: & | ; ` > < && ||

✤ ping is a great tool to try to run, because even if you cannot retrieve its output directly, you can tell it is running by the delay

Page 13: Attacking Back-End Components

OS: Preventing

✤ Best case: restrict user input to a whitelisted set of values

✤ Otherwise, restrict user input characters as much as possible

✤ See if you can accomplish whatever you are doing with language or platform features rather than direct OS interaction

✤ If you must run OS commands in your application, see if your platform has a function that can execute them in a limited interpreter rather than one allowing for chaining and redirection
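The four defences on this slide, applied to the Perl CGI from the passwd slide, as an added Python example that is not part of the deck: the “dir” value must come from a fixed whitelist (best case), a tight character class is the fallback when a whitelist is impossible, and the command is executed from an argv list so no shell ever parses the value for |, ;, && or redirection. The whitelist names and the character class are assumptions; the base directory and du command are the slide’s.

```python
import re
import subprocess

BASE_DIR = '/var/www/html'                  # document root from the slide's Perl CGI
ALLOWED_DIRS = {'public', 'uploads', 'docs'}  # constructed whitelist of reportable dirs
SHELL_METACHARS = set('&|;`><')             # the slide's list; && and || are covered by & and |
SAFE_SEGMENT = re.compile(r'[A-Za-z0-9_-]{1,64}')  # assumed fallback character class


def has_shell_metachars(value: str) -> bool:
    """Detection helper: flags input that only makes sense as a command-chaining
    attempt, worth logging even when the whitelist has already rejected it."""
    return any(ch in SHELL_METACHARS for ch in value)


def is_safe_segment(value: str) -> bool:
    """Second-best option from the slide: when a fixed whitelist is impossible,
    allow only a tight character class.  '.', '/' and every metacharacter are
    outside it, so traversal and chaining are excluded by construction."""
    return SAFE_SEGMENT.fullmatch(value) is not None


def build_du_argv(dir_param: str) -> list:
    """Best case from the slide: 'dir' must be one of a fixed set of names.

    Returns an argv list.  Handing a list to subprocess.run() executes du
    directly, without a shell, so no part of the value is ever interpreted
    for |, ;, && or >.  This is the 'limited interpreter' the slide asks for.
    """
    if dir_param not in ALLOWED_DIRS:
        raise ValueError(f'dir not permitted: {dir_param!r}')
    return ['du', '-h', '--exclude', 'php*', f'{BASE_DIR}/{dir_param}']


def run_du(dir_param: str) -> str:
    """Execute the whitelisted command and return its output (empty on failure)."""
    argv = build_du_argv(dir_param)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == '__main__':
    # The slide's own injected value and the OpenView-style pattern, plus one clean value.
    for value in ('public', '/public| cat /etc/passwd', 'a| [command] |'):
        try:
            print(value, '->', build_du_argv(value))
        except ValueError as exc:
            flag = ' (shell metacharacters present)' if has_shell_metachars(value) else ''
            print(value, '-> rejected:', exc, flag)
```

Note that 'php*' is now passed to du literally and matched by du's own --exclude handling rather than expanded by the shell, which is what the original backtick version relied on; the whitelist check happens before any process is started.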

Page 14: Attacking Back-End Components

Filesystem: File Found

✤ Filesystem interactions are found wherever the server retrieves or includes a file from the file system

✤ It is very straightforward to see where the server accesses the file system during whitebox testing (monitor I/O)

✤ Don’t forget to also try “\” if it might be a Windows server, because backslashes are sometimes left unfiltered even when “/” is handled properly

Page 15: Attacking Back-End Components

Filesystem: Path Traversal

✤ http://server.net/GetFile.php?name=csce813.jpg

✤ http://server.net/GetFile.php?name=../../../../../etc/passwd

✤ The attacker can read, and possibly write, files with the same (hopefully user-limited) permissions as the web server

✤ An attacker might be able to find and read OS files or server configuration files that can be exploited for more access, or simply read your application source code to look for bugs

Page 16: Attacking Back-End Components

Filesystem: Avoiding Path Tr.

✤ Chroot’ing the webserver fixes the most glaring problems

✤ There is generally no good reason to pass end user input directly through to a filesystem call, but if you must you can whitelist the files to be accessed and filter out any problematic characters

✤ This type of attack doesn’t tend to happen by mistake. Your application would be best logging it, emailing an admin, paging another admin, and terminating the user’s account (if they had one)

Page 17: Attacking Back-End Components

Filesystem: Includes

✤ First: Don’t include a file which has been specified via user input

✤ Second: PHP allows you to include files from a remote path. If you must use PHP, don’t let this be taken advantage of in your application

✤ File includes can be manipulated through path traversal attacks if they are based upon user input

✤ Finally, don’t interact with the OS and filesystem, the mail server, or any other backend component with user input that has not at the very least been run through a set of validation tests that would make the folks at the Transportation Safety Administration blush.
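The defences from the two preceding slides (avoiding path traversal, and never including a user-specified file) as one added Python example that is not code from the slides: the GetFile handler refuses any name carrying a separator (both “/” and “\”, per the earlier Windows note) or NUL, canonicalizes the result and confirms it stays under the base directory, logs a refused request with who sent it, and the include selector maps a user-chosen key to a file the application owns. The base directory, the include map, the logger name and the sample requests are constructed for the demonstration.

```python
import logging
import os

logger = logging.getLogger('getfile')  # assumed logger name

# Constructed whitelist for includes: the request names a key, never a path.
INCLUDE_PAGES = {
    'home': 'templates/home.php',
    'about': 'templates/about.php',
}


def resolve_safe_path(base_dir: str, name: str) -> str:
    """Return the absolute path of `name` inside base_dir, or raise ValueError.

    Separators are refused outright (both '/' and '\\', since the earlier slide
    notes Windows servers sometimes leave '\\' unfiltered), as are NUL and the
    names '.' and '..'.  The realpath/commonpath check is the backstop: it also
    catches a symlink inside base_dir that points somewhere outside it.
    """
    if not name or any(ch in name for ch in '/\\\x00') or name in ('.', '..'):
        raise ValueError('illegal file name')
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError('path escapes base directory')
    return target


def select_include(page_key: str) -> str:
    """First rule from the includes slide: never include a user-specified path.
    The user picks a key; the application owns the mapping to a file, so no
    traversal sequence or remote URL can reach the include call."""
    try:
        return INCLUDE_PAGES[page_key]
    except KeyError:
        raise ValueError(f'unknown page: {page_key!r}') from None


def handle_getfile(base_dir: str, name: str, remote_addr: str, user=None):
    """Request handler: a refused name is logged with who sent it, because, as
    the slide says, these requests do not happen by mistake.  Returns the
    resolved path, or None when the request was refused."""
    try:
        return resolve_safe_path(base_dir, name)
    except ValueError as exc:
        logger.warning('path traversal attempt from %s user=%s name=%r: %s',
                       remote_addr, user, name, exc)
        # Hook for the slide's stronger responses: alert an admin, disable the account.
        return None


if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    base = '/srv/www/files'  # constructed document directory
    # The slide's two GetFile requests plus a constructed backslash variant.
    for name in ('csce813.jpg', '../../../../../etc/passwd', '..\\..\\report.txt'):
        print(name, '->', handle_getfile(base, name, '203.0.113.7', user='alice'))
    print(select_include('home'))
```

The handler returns None rather than an error message with the offending path echoed back, and the log line carries the client address and account so the admin-notification step the slide recommends has something to act on.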

Page 18: Attacking Back-End Components

This is about database, but...

✤ http://xkcd.com/327/

Page 19: Attacking Back-End Components

XML & SOAP & HTTP Param

✤ XML

✤ SOAP

✤ HTTP Backend, HPI & HPP

✤ These were in this chapter also!