Appunti Computer Security (Computer Security notes)

MEMORY IN THE OPPOSITE SIDE

We could overflow dynamic memory on the heap to overwrite the saved EIP of the current function and jump where we want.

It is caused by functions that write data with no size control: strcpy, strcat, fgets, gets, sprintf, scanf.

We could use a debugger or a software trick to get the position of the EIP and also of the buffer (where we start to flood and where we want to return to execute our code).

To avoid precision problems we can put NOPs (0x90) at the start of the buffer, which gives us a bit of extra tolerance on the jump target.

Memory must be marked as executable. We can jump to:

- Memory that we control

- An environment variable (does not work in a remote attack)

- A built-in, existing function

6.1 Possible Solutions

Defenses at source code level

- Using safer libraries or languages with dynamic memory management

Defenses at compiler level

- Randomized reordering of stack variables

- Canary mechanism: verify that the frame has not been tampered with by placing a value that is checked before returning

- Terminator canaries (\0), which cannot be copied

- Random canaries: random sequences of bytes

- Random XOR canaries

Defenses at operating system level

- Non-executable stack (data ≠ code) (bypassed with already present code)

- Address Space Layout Randomization

(the picture is upside down)

To exploit against these:

- Canary → leak with FS (format string)

- Address randomization → leak with FS

- Non-executable stack → use the libc library to execute the system function and get a shell, or Return Oriented Programming

Note that the system function needs its parameter to be loaded, typically with a BO and an address.

Exploitation with libc: we have to know the address of libc, put on the stack "exit" and after it the address of the path used to load the parameter, that is the buffer used to overflow.

Exploitation with ENVVAR: used when the buffer is too small; positioned at HIGH addresses in the correct order.

7. Format String Bugs

Format strings are the solution to the problem of allowing a string to be output that includes variables formatted precisely as dictated by the programmer. The bug is printf(user), where the format string, user, is directly supplied by the (untrusted) user from a CLI argument.

We can scan the stack with %N$x.

With %n we can write, at the address pointed to "by the argument", the number of chars (B) printed so far.

We write using the data already in the current stack cells as the address of a memory cell.

NOTE: %'x'c is a directive that we use to write x characters on the stream.

7.1 How to Write

1) Put on the stack the 2 target addresses (16 bit × 2)

2) Use %x to find the lower one (upper = lower+1)

3) Use %c and %n to write: in the lower we use , in the upper

%VALUEc %VALUEc

Note that with this method we overflow 2 bytes of 00; using %hn instead of %n solves the problem.

Note that when we have the "displacement on the stack of the vulnerable function's argument" we have to pay attention to the characters already written (in the same print or added to the variable with snprintf): offset = chars/4

7.2 Essence of the problem

In theory, any function with this combination of characteristics is potentially affected: the fact that parameters are "resolved" at runtime by pulling them from the stack is the real problem.

This can be dangerous because the third parameter is a format. It is a vulnerability iff s.user is printed.
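A defender's first step against both classes above (the unbounded writers listed in section 6 and printf-family calls whose format is not a literal) is to find the calls in the code base. The following Python script is an added example and is not part of these notes or of the course material: it scans C source for the size-unaware functions and for printf-family calls whose format argument is not a string literal, which is exactly the "format resolved at runtime" condition of section 7.2. The sample C snippet inside it is constructed for the demo; the UNBOUNDED_WRITERS set and the FORMAT_FUNCS table (function name to index of the format argument) are the editor's choices covering only common libc names, and fgets is left out because it takes a size argument.

```python
import re

# Constructed sample of C source for the demo; it is not from the notes.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
void greet(char *user) {
    char buf[64];
    strcpy(buf, user);               /* unbounded copy into buf */
    printf(user);                    /* user-controlled format string */
    printf("%s\\n", buf);            /* literal format: fine */
    fgets(buf, sizeof buf, stdin);
    snprintf(buf, sizeof buf, user); /* format comes from user */
}
"""

# Functions the notes list as writing data with no size control (fgets omitted: it takes a size).
UNBOUNDED_WRITERS = {"strcpy", "strcat", "gets", "sprintf", "scanf"}
# printf family: index of the argument that must be a string literal (assumption:
# only the common libc names are covered).
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;]*)\)")


def split_args(arg_text):
    """Split a C argument list on top-level commas; commas inside parentheses or
    double-quoted strings are kept (escaped quotes are not handled: demo only)."""
    args, cur, depth, in_str = [], "", 0, False
    for ch in arg_text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur.strip())
                cur = ""
                continue
        cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def scan_c_source(src):
    """Return (line_number, function, reason) for each risky call found."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = re.sub(r"/\*.*?\*/", "", line.split("//")[0])  # drop same-line comments
        for call in CALL_RE.finditer(code):
            fn, args = call.group(1), split_args(call.group(2))
            if fn in UNBOUNDED_WRITERS:
                findings.append((lineno, fn, "writes with no size limit"))
            if fn in FORMAT_FUNCS:
                idx = FORMAT_FUNCS[fn]
                if idx < len(args) and not args[idx].startswith('"'):
                    findings.append((lineno, fn, "format string is not a literal"))
    return findings


if __name__ == "__main__":
    for lineno, fn, reason in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {fn}: {reason}")
```

On the sample the scanner reports line 5 (strcpy), line 6 (printf with a non-literal format) and line 9 (snprintf with a non-literal format), while the literal-format printf on line 7 is silent. A real build would get the same signal from the compiler's -Wformat-security warning; the script is useful when only the source, not the build, is at hand.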

8. Web Application Security

Filtering:

- Whitelisting: safer but difficult to apply

- Blacklisting

- Escaping

Cross-site scripting is a vulnerability by means of which client-side code can be injected into a page. Basically there is a dataflow which is neither filtered nor validated:

- Stored XSS: the attacker's input is stored on the target server in a database. Not a targeted attack

- Reflected XSS: the (attacker) client's input is returned to the (victim) client by the web application in a response without being stored. Basically there is a dataflow which is neither filtered nor validated

- DOM-based XSS: user input never leaves the victim's browser. The malicious payload is directly executed by client-side script. It uses the domain of the site

Cross-site request forgery instead uses the victim's browser to send data to another site and use the victim's session.

Theoretically scripting code runs in a sandbox, so it couldn't be dangerous. Cookies and the "same-origin policy" broke this assumption.

Blacklisting problems mentioned:

- Tags

- Space (Enter) in the middle

- Null HTML entity in the middle (javasc	ript:alert) or &#X0A;

- Old browsers with a letter as a logo
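To show why escaping and whitelisting beat blacklisting for the cases just listed (a tab entity or a newline inside javascript:), here is an added Python example that is not part of the notes: it escapes untrusted text with the standard html module, and compares a naive blacklist on the raw href value with a whitelist that first decodes HTML entities and strips the control characters a browser ignores inside a scheme. The scheme lists and the helper names are the editor's choice; the probe URLs are constructed.

```python
import html
import re


def escape_for_html(s):
    """Escaping: make untrusted text inert inside an HTML text node or a quoted attribute."""
    return html.escape(s, quote=True)


# Naive blacklist on the raw attribute value: the approach the notes warn about.
BLOCKED_PREFIXES = ("javascript:", "vbscript:", "data:")


def blacklist_allows(href):
    return not href.lower().startswith(BLOCKED_PREFIXES)


# Whitelist: only these schemes may appear in a link (editor's choice for the demo).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
_IGNORED_CHARS = re.compile(r"[\x00-\x20\x7f]")  # tab, newline, NUL, spaces, ...


def whitelist_allows(href):
    """Decode HTML entities and drop the control/whitespace characters a browser ignores
    inside a scheme, then accept only known-good schemes (or scheme-less relative URLs)."""
    normalized = _IGNORED_CHARS.sub("", html.unescape(href)).lower()
    before_slash = normalized.split("/", 1)[0]
    if ":" not in before_slash:      # no scheme at all: a relative URL
        return True
    return before_slash.split(":", 1)[0] in ALLOWED_SCHEMES


def render_link(href, text):
    """Build an <a> tag from untrusted href and text: whitelist the URL, escape both."""
    safe_href = href if whitelist_allows(href) else "#"
    return '<a href="%s">%s</a>' % (escape_for_html(safe_href), escape_for_html(text))


if __name__ == "__main__":
    for probe in ("https://example.com/", "javascript:alert(1)",
                  "javasc&#09;ript:alert(1)", "java\nscript:alert(1)"):
        print(repr(probe), "blacklist:", blacklist_allows(probe),
              "whitelist:", whitelist_allows(probe))
```

The blacklist lets "javasc&#09;ript:alert(1)" through because it only sees the raw text, while the browser decodes the entity to a tab and ignores it when parsing the scheme; the whitelist normalizes first, so it judges what the browser will actually execute, and anything it does not recognize is replaced rather than patched.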

8.1 Content Security Policy

The Content Security Policy (CSP) is meant to limit the provenance of the resources embedded in a webpage. It is a W3C specification to inform the browser about what should be trusted. Many directives are available:

- script-src: load client code only from the listed origins

- form-action: lists the valid endpoints for form submission

This is a spec; the implementation is up to the browser! The problem is: who manages the policy?

HTTP Header == Method GET and SET (link above)
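Since CSP is only a header that the browser interprets, whoever manages the policy wants a quick check of what a given value actually permits. The following Python example is added here and is not from the notes: it parses a Content-Security-Policy header value into directives and flags a script-src that allows 'unsafe-inline' or any origin, and a missing form-action. The two sample policies are constructed; the checks cover only the two directives the notes mention.

```python
def parse_csp(header_value):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(policy):
    """Return human-readable weaknesses; an empty list means the checked directives are strict."""
    findings = []
    # script-src falls back to default-src when absent (CSP fallback rule).
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts may be loaded from anywhere")
    else:
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows 'unsafe-inline': an injected inline script runs")
        if "*" in scripts or any(s in ("http:", "https:") for s in scripts):
            findings.append("script-src allows any origin: a <script src> from any host runs")
    # form-action has no default-src fallback: absent means any endpoint is allowed.
    if "form-action" not in policy:
        findings.append("no form-action: a form may be made to submit to any endpoint")
    return findings


# Constructed example policies for the demo.
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; form-action 'self'"

if __name__ == "__main__":
    for name, value in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, csp_findings(parse_csp(value)) or ["ok"])
```

The weak policy looks restrictive at a glance (script-src names 'self' and one CDN) but 'unsafe-inline' defeats the point of script-src against an injected inline script, and the missing form-action leaves the injected-form case open; the strict policy produces no findings.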

8.2 SQL injection

There must be a data flow from a user-controlled HTTP variable to a SQL query, without appropriate filtering and validation. If this happens, the SQL structure of the query can be modified.

If we want data from another table we can use the command UNION ALL, which merges the contents of different tables. It will work only if the number and the data types of the columns are the same.

Blind injections: some SQL queries, such as the login query we saw, do not display returned values, but we can manage to use some software side effect to leak some information.

Trick for blind injection: stuff% → SELECT * FROM User WHERE username='ikiga1' AND password LIKE 'a%'

Trick for insert → we can add multiple tuples: insert into table (c1,c2) values (x,y),(a,b)

Also pay attention to RACE CONDITIONS during the transaction.

To avoid this:

- Input sanitization (escaping) or filtering

- Using prepared statements ("username = ?" → ? is a string placeholder, not code)

- If we have no access to the code we can limit the privileges on the DIFFERENT tables of the DB
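The difference between concatenation and a prepared statement, together with the LIKE caveat behind the blind-injection trick above, as an added Python example (not from the notes) using the standard sqlite3 module on an in-memory table constructed for the demo. The table and the user name ikiga1 mirror the notes' example; the function names and the other rows are the editor's.

```python
import sqlite3


def make_db():
    """In-memory User table constructed for the demo (table/user names from the notes' example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE User (username TEXT, password TEXT)")
    con.executemany("INSERT INTO User VALUES (?, ?)",
                    [("ikiga1", "s3cret"), ("alice", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """String concatenation: the input is spliced into the SQL text, so quotes and
    operators inside it change the structure of the query."""
    sql = ("SELECT username FROM User WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """Prepared statement: ? is a string placeholder, never code; the structure of the
    query is fixed before any user data is bound."""
    sql = "SELECT username FROM User WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]


def search_prefix_safe(con, prefix):
    """Parameters stop injection but not LIKE wildcards: a bound '%' or '_' is still a
    pattern. Escape them and declare the escape character so the prefix is literal."""
    literal = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT username FROM User WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, (literal + "%",))]


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"   # constructed input: a password field containing a quote
    print("vulnerable:", login_vulnerable(db, "ikiga1", tampered))
    print("prepared:  ", login_safe(db, "ikiga1", tampered))
    print("prefix a:  ", search_prefix_safe(db, "a"),
          " prefix %:", search_prefix_safe(db, "%"))
```

With the concatenated query the quote in the password field closes the string and the OR makes the WHERE clause true for every row, so both users come back; with the prepared statement the same text is compared as a password and nothing matches. The last function shows the limit of parameters: they keep data out of the SQL structure, but a LIKE pattern is data the database still interprets, so the wildcards have to be escaped explicitly. The third mitigation in the notes, limiting the database account's privileges per table, is a deployment setting rather than code and is not shown here.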

8.2 URL Parameter Tampering

In this case the URL contains some information in the clear, for example the query's parameters, e.g. parameter tampering (PatientID=stuff) or directory/path traversal (../).

8.3 Cookies

"Cookies": client-side information storage; a reliable mechanism to keep stateful information despite the stateless nature of HTTP.

Cookies are pieces of information the server sends to the client; this information is stored on the client by the web browser. Every time the user connects to the service the server retrieves the cookies and checks them (on the server's side): if the session already exists it is kept, and no new session is created.

If a cookie is stolen the attacker will be able to impersonate the person they stole the cookie from.

It is not good to use cookies for session creation and identification. If done, set an expiration period. Also sensitive data should be encrypted (or hashed).

Since HTTP is stateless, hijacking can occur:

- By stealing a cookie with an XSS attack

- By brute forcing a weak session ID

8.4 Cross-Site Request Forgery (CSRF)

Forces a user to execute unwanted (state-changing) actions on a web application in which he or she is currently authenticated with ambient credentials. This attack exploits ambient credentials and the fact that every session requires cookies to be sent. The key concept is that cookies are used for session management: all the requests originating from the browser come with the user's cookies.

To avoid these problems:

- CSRF can be mitigated using CSRF tokens, i.e. random challenge tokens associated with users' sessions (unique, not guessable)

- Don't send session cookies at all for requests originating from different websites: don't send cookies for any cross-site usage.

Note that all these kinds of attacks work on the SAME website using the defined function, i.e. POST (or a javascript snippet embedded or injected).
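The cookie and CSRF rules from sections 8.3 and 8.4 (a random, unguessable session ID; an expiration period; a per-session CSRF token; and not sending the cookie on cross-site requests) combined into one added Python example; it is not code from the notes or the course. The SessionStore class, SESSION_TTL and the handle_transfer handler are the editor's constructions; Secure, HttpOnly, SameSite and Max-Age are standard Set-Cookie attributes.

```python
import hmac
import secrets
import time

SESSION_TTL = 15 * 60   # seconds; constructed value for the demo


class SessionStore:
    """Server-side sessions: the cookie carries only a random, unguessable ID; the
    server keeps the user, an expiry time and a per-session CSRF token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: brute force is hopeless
        self._sessions[sid] = {
            "user": user,
            "expires": self._clock() + SESSION_TTL,
            "csrf": secrets.token_urlsafe(32),
        }
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown or expired (expired ones are dropped)."""
        record = self._sessions.get(sid)
        if record is None or record["expires"] < self._clock():
            self._sessions.pop(sid, None)
            return None
        return record

    def csrf_token(self, sid):
        record = self.get(sid)
        return record["csrf"] if record else None

    def verify_csrf(self, sid, token):
        record = self.get(sid)
        if record is None or not isinstance(token, str):
            return False
        return hmac.compare_digest(record["csrf"].encode(), token.encode())


def session_cookie(sid):
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access, so an XSS cannot
    read it), SameSite=Strict (not sent on cross-site requests) and an expiration."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={SESSION_TTL}"


def handle_transfer(store, sid, form):
    """A state-changing POST handler: 401 without a valid session, 403 without the
    matching CSRF token (a form on another site cannot know it), 200 otherwise."""
    if store.get(sid) is None:
        return 401
    if not store.verify_csrf(sid, form.get("csrf_token")):
        return 403
    return 200


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid))
    print("same-site form:", handle_transfer(store, sid, {"csrf_token": store.csrf_token(sid)}))
    print("forged form:   ", handle_transfer(store, sid, {"amount": "100"}))
```

The two defenses are independent and complementary: SameSite stops the browser from attaching the cookie to a cross-site request at all, and the token check rejects any request that does carry the cookie but was not built by a page of this site. The token is compared with hmac.compare_digest rather than == so that the comparison time does not leak how many leading bytes matched.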

9. Network Protocol Attacks

Hosts are uniquely identified by addresses. Each layer has its own addressing structure: MAC address (for Ethernet, data link layer), IP address (internet layer) and port (transport layer).

MAC addresses are related to hardware; IPs are related to networks. MAC addresses handle the physical connection from computer to computer, while IP addresses handle the logical routable connection both from computer to computer AND from network to network.

Typical attacks:

- DoS (against availability): Denial of Service

- Sniffing (against confidentiality): abusive reading of network packets

- Spoofing (against integrity and authenticity): forging network packets

9.1 DoS

Ping of death: a pathological ICMP echo request that exploits a memory error in the protocol implementation. Some machines crash when they receive a malformed ping.

Ping smurf: uses regular ping packets, but the source IP address is spoofed to the target's address and the destination is the broadcast address of a network, so that the network acts as a bot in a DDoS. The amplification factor is the size of the network.

Teardrop: exploits vulnerabilities in TCP reassembly. Fragmented packets with overlapping offsets: while reassembling, the kernel can hang/crash.

Land attack: in old Windows versions, if srcIP=dstIP and the SYN flag is set → loop and crash of the TCP/IP stack.

Flooding: in a flooding attack we have to find a way to do a simple operation on the client side that is computationally costly on the server side ("have a positive multiplier").

- SYN flood attack: exploits the 3-way handshake, where the server has to store a SYN for each client. A high volume of requests can flood the queue and drop legitimate requests.

A mitigation is SYN cookies: the server discards the SYN but still sets up a session.

DDoS: flood the network from multiple machines (distributed DoS)

- Botnet: network of compromised computers, called bots

- C&C: dedicated command-and-control infrastructure of the attacker

DoS attacks need an amplification factor in the server's computational cost per request to work.

TCP, thanks to the 3-way handshake, is immune from DoS attacks, because the amplification factor is "delayed" to the 4th message.
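SYN cookies as a worked example, added here and not taken from the notes: the server does not store anything for the half-open connection; it derives its initial sequence number from a keyed hash of the connection 4-tuple and a coarse time counter, and it only accepts the final ACK if the number the client echoes back (cookie+1) matches a recomputation. The layout (8-bit time slot plus 24-bit MAC, 64-second slots) is a simplified scheme chosen for the demo, not the exact encoding of any particular OS; SECRET and the addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # in practice: random, regenerated at boot
SLOT_SECONDS = 64                     # the coarse time counter advances every 64 s


def _slot(now):
    return int(now) // SLOT_SECONDS


def _mac(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed hash of the connection 4-tuple and the time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def syn_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Initial sequence number sent in the SYN-ACK: the low 8 bits of the slot counter
    followed by the 24-bit MAC. No queue entry is created for the half-open connection."""
    slot = _slot(now)
    mac = int.from_bytes(_mac(src_ip, src_port, dst_ip, dst_port, slot), "big")
    return ((slot & 0xFF) << 24) | mac


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now):
    """On the final ACK (which carries cookie+1) recompute the MAC for the current and
    the previous slot; accept only if the echoed value matches one of them."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    echoed_slot_low = cookie >> 24
    echoed_mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for slot in (_slot(now), _slot(now) - 1):
        if (slot & 0xFF) == echoed_slot_low and hmac.compare_digest(
                _mac(src_ip, src_port, dst_ip, dst_port, slot), echoed_mac):
            return True
    return False


if __name__ == "__main__":
    import time
    now = time.time()
    isn = syn_cookie("10.0.0.5", 40000, "10.0.0.1", 80, now)
    print("SYN-ACK seq:", hex(isn))
    print("genuine ACK accepted:", validate_ack("10.0.0.5", 40000, "10.0.0.1", 80, isn + 1, now))
    print("spoofed source rejected:", validate_ack("10.0.0.9", 40000, "10.0.0.1", 80, isn + 1, now))
```

Because the server keeps no state until the third message arrives, a flood of SYNs from spoofed sources costs it one hash per packet and no queue space, which is the "discard the SYN but still set up a session" behaviour the notes describe: a client that really completes the handshake still gets its connection. The price is that TCP options carried only in the SYN (window scaling, SACK) are lost unless they are squeezed into the cookie as well, which is why real stacks enable SYN cookies only once the backlog is actually full.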

9.2 Sniffing

Normally, a network interface card (NIC) intercepts and passes to the OS only the packets directed to that host's IP. Promiscuous mode: the NIC passes to the OS any packet read off the wire.

2 kinds of packet distribution:

- Hubs broadcast traffic to every host

- Switches selectively relay traffic to the wire corresponding to the correct NIC (based on the ARP/MAC address). Switches use CAM tables to know which MAC addresses are on which ports. This is a mitigation for sniffing.

ARP maps 32-bit IPv4 addresses to 48-bit hardware, or MAC, addresses. To send a message the receiver's MAC must be known, otherwise ARP is necessary. If I know the IP (typically of the inte

Details

Publisher

A.A. 2021-2022

24 pages

SSD (disciplinary sector): Scienze matematiche e informatiche, INF/01 Informatica (Mathematical and Computer Sciences, INF/01 Informatics)

The contents of this page are personal reworkings by the publisher Joseph22ITA of information learned by attending the Computer Security lectures and through independent study of any reference books in preparation for the final exam or the thesis. They are not to be taken as official material of the Politecnico di Milano or of prof. Stefano Zanero.