More on injection

Secure Programming

Lecture 5

Out-of-band channels

Suppose that the application does not return error messages and does not return the result of query to the browser


Technique: output results to “out-of-band” channel

  • Network connection
  • File on DB server

In MySQL (if appropriate privilegs): 

SELECT * INTO OUTFILE '/var/www/data.csv' FROM users;

Bypassing filters

Filter function is used by the programmer to “sanitize” user input:

  • accept only characters from a vetted set (whitelisting)
  • remove dangerous characters/keywords (blacklisting)

Sometime it is possible to bypass such filters…

Bypassing filters

Filter: remove tick (')


Goal:
substring(user(),1,1) = 'r'


Bypass:
substring(user(), 1, 1) = char(0x72)

Bypassing filters

Filter: comment symbol is removed


Goal:
' or 1 = 1 #


Bypass:
' or 'a' = 'a

Bypassing filters

Filter: remove SQL keywords (SELECT, etc.)


Bypass techniques:

  • case sensitivity: SeLecT
  • comments: SEL/**/ECT

Bypassing filters

Filter: whitespaces are removed


Goal:
SELECT NOW()


Bypass:
SELECT/**/NOW()

Bypassing filters

Filter: tautology are detected and removed


Goal:
1 = 1


Bypass:
RAND() > 0.0001 (quasi-tautology)

Bypassing filters

Lots more:
Eduardo Vela and David Lindsay, Our Favorite XSS Filters/IDS and how to Attack Them, Blackhat 2009


They show how to bypass filters in ModSecurity, PHPIDS, IE8, and NoScript

Escalating the attacks

We want to leverage SQL injection vulnerability to gain access to underlying system

  • Read files accessible to user running the database process
    LOAD_FILE
  • Write files in directories writeable by user running the database process
    SELECT … INTO DUMPFILE
  • User-defined functions (UDF): dynamically add to database libraries of “useful” function (netcat, exec, etc.)
  • Stored procedures (in MS-SQL: xp_cmdshell)

Tools

Inspecting and manipulating browser requests:


Scripting the browser:


Vulnerability scanners:

Tools

Example of running skipfish: 

skipfish -W /tmp/words.txt -o /tmp/skipfish-output/ \
         http://172.16.48.139/wordpress-3.1/

Command injection

Application constructs shell command using user-provided input without proper sanitization


The attacker can execute shell commands on the targeted system with the privileges of the vulnerable application


Two variants:

  • user input as argument of a single, fixed program:
    exec("nslookup $input")
  • user input passed entirely and directly to shell: exec($input)

Command injection — example

Vulnerable DNS lookup: 

$hostname = $_POST["hostname"];
$command = '/usr/bin/nslookup ' . $hostname;
system($command);

google.com; rm -rf /

Command injection — history

Vulnerability in phf: CVE-1999-0067

Sanitization routine invoked before passing arguments to popen: 

void escape_shell_cmd(char *cmd) {
    register int x,y,l;

    l=strlen(cmd);
    for(x=0;cmd[x];x++) {
        if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
            for(y=l+1;y>x;y--)
                cmd[y] = cmd[y-1];
            l++; /* length has been increased */
            cmd[x] = '\\';
            x++; /* skip the character */
        }
    }
}
ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/cgi/cgi-src/phf.c

What about \n?
phf?Qalias=%0A/bin/cat%20/etc/passwd

XPATH injection

Application constructs XPATH query using user-provided input without proper sanitization

  • XPATH query language to programmatically address parts of XML documents

The attacker can discover the structure of the underlying XML data or access data that he should not have access to


Unlike SQL, XPATH is standard
→ no need to account for different backends

XPATH injection example

<app>
    <conf>
        <db>
            <password>secret</password>
        </db>
    </conf>
    <route prefix="/users">
        <target>/var/www/app/users/list.jsp</target>
    </route>
</app>

route = "//route/[@prefix='" + request.getRequestURI() + "']"

/users/']/../conf/db/password['foo

Test it here

Serialization

Process of converting object/data structure into a sequence of bytes in order to store it or transmit it


Goal: reconstruct an equivalent object/structure in another program context


Most languages have libraries to implement serialization

Python serialization

import pickle

class Foo(object):
    def __init__(self):
        self.a = 42

foo = Foo()

with open("foo.pkl", "wb") as f:
    pickle.dump(foo, f)

foo.pkl: 

28 69 5f 5f 6d 61 69 6e  5f 5f 0a 46 6f 6f 0a 70 |(i__main__.Foo.p|
30 0a 28 64 70 31 0a 53  27 61 27 0a 70 32 0a 49 |0.(dp1.S'a'.p2.I|
34 32 0a 73 62 2e                                |42.sb.|
00000026

Python serialization

import pickle
with open("foo.pkl", "rb") as f:
    foo = pickle.load(f)
    print foo.a

Exploiting serialization

Suppose you have an application that receives as input from its users serialized objects and “blindly” deserializes them


Is there a vulnerability here?


Can we serialize an object such that, after deserialization, it forces the execution of code of our choice?


Notice that you cannot “override” methods (e.g., constructor): you're only sending data...

Exploiting Python serialization

Enter the __reduce__ method

  • If provided, at pickling time __reduce__() will be called with no arguments, and it must return either a string or a tuple
  • The contents of this tuple are:
    • A callable object that will be called to create the initial version of the object
    • A tuple of arguments for the callable object. 

class Mal(object):
    def __reduce__(self):
        return (subprocess.Popen, ("/bin/ls",))
Read more on Nelson Elhage's blog

Exploiting PHP serialization

Through the unserialize method:

If the variable being unserialized is an object, after successfully reconstructing the object PHP will automatically attempt to call the __wakeup() member function (if it exists).

and __destruct() when there are no other references to an object


The problem then is finding “useful” classes… Read more in Stefan Esser's presentation

Exploiting Rails serialization

RubyOnRails allows accepts formatted parameters (in addition to regular GET/POST parameters)


In particular, it accepts typed XML parameters 

<?xml version="1.0" encoding="UTF-8"?>
<foo type="integer">1</foo>
<bar type="string">bar</bar>

Supported types include integer, symbol, string, date, time, and...yaml


Remember the security principles?

Exploiting Rails serialization

YAML allows to specify arbitrary ruby objects via the !ruby/hash and !ruby/object syntax


The exploit then consists of finding a class such that, as part of its initializing, leads to the execution of arbitrary code, e.g., via module_eval


Read the following for the details

Defenses

Avoidance, detection, and prevention

Parametrization

Essence of injection attacks: user-provided input changes the structure and semantics of the query Parsing trees From W. Halfond and A. Orso, Preventing SQL Injection Attacks Using AMNESIA, ICSE 2006. Did you read it, right?

Parametrization

Separate variable parameters (“out-of-band”)

  • use placeholders for variable parameters
  • bind parameter to a specific data type before issuing query/command

Parameterized commands

import MySQLdb
conn = MySQLdb.connect()
c = conn.cursor()
c.execute("SELECT * FROM users WHERE user = %s AND pass = %s", (
    input_user, input_pass))

Parameterized commands

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {
    if (argc <= 1) {
        fprintf(stderr, "Usage: %s ARG\n", argv[0]);
        return 1;
    }   

    execl("/bin/ls", "ls", argv[1], NULL);

    return 0;
}

Sanitization

Never trust user input


Ensure data is valid and good

  • valid: can be correctly processed (e.g., if you expect XML document as input, check that it is well-formed)
  • good: the expected kind of data (XML document validates a required schema)

Use whitelisting whenever possible


Use standard, built-in functions to perform sanitization (strip_tags, htmlentities, etc.)

Static analysis

Set of techniques to automatically analyze a program without executing it


Useful to answer questions such as:

  • which values can x have at line 23?
  • is there a command injection in the program?
  • does the program always produce valid HTML?

Several different techniques:

  • program analysis
  • model checking

Static analysis

Limitations:

  • Rice's theorem
  • Memory and time constraints

False positives and false negatives


To know more, read
B. Chess and J. West, Secure Programming with Static Analysis

Taint analysis

Data objects partitioned into “tainted” and “untainted”


Detection policy: “tainted objects should not reach certain program locations”


Ingredients:

  • Sources are program locations that generate tainted data
  • Sinks are program locations that should not use tainted data
  • Propagation rules model how program statements affect objects taintedness

Taint analysis

Taint analysis depiction

Challenges

Complex queries built dynamically

Modeling sanitization functions

Accurately tracking inputs spanning multiple application modules and technologies (e.g., input from user stored into DB, read from DB and then used in query)

Intrusion detection systems

Tools that monitor the execution of system to identify when it's under attack Generic architecture of an intrusion detection system


Detection strategies:

  • misuse-based
  • anomaly-based

Image courtesy of W. Robertson, Detecting and Preventing Attacks Against Web Applications

Intrusion detection systems