3.input validation
TRANSCRIPT
-
8/2/2019 3.Input Validation
1/47
Course 2: Programming Issues,Section 3Pascal Meunier, Ph.D., M.Sc., CISSPMay 2004; updated July 30, 2004Developed thanks to the support of Symantec Corporation,NSF SFS Capacity Building Program (Award Number 0113725)and the Purdue e-Enterprise CenterCopyright (2004) Purdue Research Foundation. All rights reserved.
-
8/2/2019 3.Input Validation
2/47
Course 2 Learning Plan
Buffer Overflows
Format String Vulnerabilities
Code Injection and Input Validation
Cross-site Scripting Vulnerabilities
Links and Race Conditions
Temporary Files and Randomness
Canonicalization and Directory Traversal
-
8/2/2019 3.Input Validation
3/47
Learning objectives
Understand the definition of code injection
Know how code injection happens
Learn how to perform input validation and cleansing
-
8/2/2019 3.Input Validation
4/47
Code Injection: Outline
Definition
Defending against code injection
Examples
Input Validation
Dynamic code generation with SQL
Lab: Write a database-supported application
-
8/2/2019 3.Input Validation
5/47
Code Injection
Goal: trick program into executing an attackerscode by clever input construction that mixes codeand data
Mixed code and data channels have specialcharacters that trigger a context change betweendata and code interpretation
The attacker wants to inject these meta-charactersthrough some clever encoding or manipulation, sosupplied data is interpreted as code
-
8/2/2019 3.Input Validation
6/47
-
8/2/2019 3.Input Validation
7/47
Results
Inside the program, the eval statement becomesequivalent to:
eval "ls .;chmod o+r *"
Permissions for file "confidential" after exploit:
% ls -l confidential-rwxr-xr-- 1 pmeunier pmeunierconfidential
Any statement after the ";" would also get executed,because ";" is a command separator.
The data argument for "ls" has become code!
-
8/2/2019 3.Input Validation
8/47
Other Code Injection by CommandSubstitution
Backtick: execution in a command line bycommand substitution
`command` gets executed before the rest of the
command line
Imagine a malicious script called script1:
mkdir oups
echo oups
etc...
Imagine a program that calls a shell to run grep.
What happens when this is run?
eval "grep `./script1` afile"
-
8/2/2019 3.Input Validation
9/47
Answer
Script1 is executed
an oups directory is created
The rest of the intended command, grep oups
afile, gets executed
-
8/2/2019 3.Input Validation
10/47
A Vulnerable Program
int main(int argc, char *argv[], char **envp)
{
char buf [100];
buf[0] = '\0';
snprintf(buf, sizeof(buf), "grep %stext",argv[1]);
system(buf);
exit(0);
}
What happens when this is run?% ./a.out \`./script\`
-
8/2/2019 3.Input Validation
11/47
Answer
The program calls
system (grep `./script` text);
You can verify by adding "printf( "%s", buf)" to the
program So we could make a.out execute any program we
want
Imagine that we provide the argument remotely
What if a.out runs with root privileges?
-
8/2/2019 3.Input Validation
12/47
Shell Metacharacters
` to execute something (command substitution)
; is a command (pipeline) separator
| is a pipe
&&
||
# to comment out something Refer to the appropriate man page for all characters
How else can code be injected into a.out?
-
8/2/2019 3.Input Validation
13/47
Exercise and Discussion
Take the vulnerable code on the previous slides
Can you get it to do something else using commandseparators or meta-characters?
Which meta-characters work best, and how?
-
8/2/2019 3.Input Validation
14/47
Defending Against Code Injection
Input cleansing and validation
Model the expected input
Discard what doesn't fit (e.g., metacharacters)
Keep track of which data has been cleansed e.g., Perl's taint mode
Keep track of all sources of inputs
Or cleanse as the input is received
Type and range verification, type casts
Separating code from data
Transmit, receive and manipulate data using differentchannels than for code
-
8/2/2019 3.Input Validation
15/47
Input Cleansing
Key to preventing code injection attacks
Common problem where code is generateddynamically from some data
SQL (database Simple Query Language)
System calls and equivalents in PHP, WindowsCreateProcess, etc...
Environment pollution (already covered in another set ofslides)
HTML may contain JavaScript (Cross-site scriptingvulnerabilities)
-
8/2/2019 3.Input Validation
16/47
Intuitive Approach
Block or escape all metacharacters
but what are they?
Problems:
Character encodings
octal, hexadecimal, UTF-8, UTF-16...
Obfuscation
Escaped characters that can get interpreted later
Engineered strings such that by blocking acharacter, something else is generated
-
8/2/2019 3.Input Validation
17/47
Wrong Way to Cleanse and Sanitize
static char bad_chars[] = "/ ;[]&\t";
char * user_data;
char * cp;
/* Get the data */
user_data = getenv("QUERY_STRING");
/* Remove bad characters. WRONG! */
for (cp = user_data; *(cp += strcspn(cp,bad_chars)); /* */)
*cp = '_';
http://www.cert.org/tech_tips/cgi_metacharacters.html
-
8/2/2019 3.Input Validation
18/47
phf CGI
CVE-1999-0067
strcpy(commandstr, "/usr/local/bin/ph-m ");
escape_shell_cmd(serverstr);strcat(commandstr, serverstr);(...)phfp = popen(commandstr,"r");
What could be the problem? besides the potential buffer overflows
-
8/2/2019 3.Input Validation
19/47
Black List of Characters
void escape_shell_cmd(char *cmd) {(...)if(ind("&;`'\"|*?~^()[]{}$\\"
,cmd[x]) != -1){(...)
}
Author forgot to list newlines in "if" statement...
Exploit: input newline and the commands youwant executed...
-
8/2/2019 3.Input Validation
20/47
More Robust Cleansing
{...}static char ok_chars[] =
"1234567890!@%-_=+:,./\
abcdefghijklmnopqrstuvwxyz\ABCDEFGHIJKLMNOPQRSTUVWXYZ";
{...}for (cp = user_data; *(cp +=strspn(cp, ok_chars)); /* */ )
*cp = '_';
http://www.cert.org/tech_tips/cgi_metacharacters.html
a.k.a. White List vs Black List design principle
-
8/2/2019 3.Input Validation
21/47
Other Input Validation Issues
Range of types
Short vs long integers
Unsigned vs signed
Integer overflows Validate range (e.g., array indexes)
Attacks can make something negative to reach forbiddendata
Attacks can reset a counter to zero
Data structure reference count vs garbage collection
Strings in numerical inputs
e.g., PHP will accept both string and numerical values fora variable, which may allow unexpected attacks
Use typecasts
-
8/2/2019 3.Input Validation
22/47
Order for Cleansing and Input Validation
1) Resolve all character encoding issues
2) Cleanse
If combinations of characters can produce
metacharacters, you may need to do several passes.Example:
a and b are legal if separated from each other, but ab isconsidered a metacharacter. The character d is notallowed. After you filter out d from adb, you may be
allowing ab through the filter!3) Validate type, range, and format
4) Validate semantics (i.e., meaning of input)
-
8/2/2019 3.Input Validation
23/47
SQL
SQL uses single and double quotes to switchbetween data and code.
Semi-colons separate SQL statements
Example query:
"UPDATE usersSET prefcolor='red'WHERE uid='joe';"
This command could be sent from a web front-endto a database engine.
The database engine then interprets the command
-
8/2/2019 3.Input Validation
24/47
Dynamic SQL Generation
Web applications dynamically generate thenecessary database commands by manipulatingstrings
Example query generation: $q = "UPDATE users
SET prefcolor='$INPUT[color]'WHERE uid='$auth_user'";
Where the value of "$INPUT[color]" would beoriginating from the client web browser, through theweb server.
And where the value for "$auth_user" would havebeen stored on the server and verified through
some authentication scheme
-
8/2/2019 3.Input Validation
25/47
Client Web Browser
Forms in client browsers return values to the webserver through either the POST or GET methods
"GET" results in a url with a "?" before the values of the
form variables are specified: http://www.example.com/script?color=red
The value of "$INPUT[color]" is set to "red" in the script
"GET" urls are convenient to hack, but there isn'tany significant difference in the security of either
"GET" or "POST" methods because the data comesfrom the client web browser regardless and is underthe control of the remote attacker
-
8/2/2019 3.Input Validation
26/47
The SQL Table
Tables are used to store information in fields(columns) in relation to a key (e.g., "uid")
What other fields could be of interest?
CREATE TABLE users (prefcolor varchar(20),uid VARCHAR(20) NOT NULL,privilege ENUM('normal',
'administrator'),PRIMARY KEY (uid));
-
8/2/2019 3.Input Validation
27/47
A Malicious SQL Query
What if we could make the web server generate aquery like:
"UPDATE users
SET prefcolor='red',privilege='administrator'WHERE uid='joe';"
Can we engineer the value of "color" given to theweb server so it generates this query?
Note how code and data are mixed in the same channel
Better database interfaces provide separate channels
Java prepared statements
Stored procedures
-
8/2/2019 3.Input Validation
28/47
Malicious HTTP Request
http://www.example.com/script?color=red',privilege='administrator
The "color" input is then substituted to generate
SQL: $q = "UPDATE users
SET prefcolor='$INPUT[color]'WHERE uid='$auth_user'";
It gives the query we wanted!
-
8/2/2019 3.Input Validation
29/47
Results
Joe now has administrator privileges.
-
8/2/2019 3.Input Validation
30/47
Adding Another SQL Query
Let's say Joe wants to run a completely differentquery:
"DELETE FROM users"
This will delete all entries in the table!
How can the value of "color" be engineered?
-
8/2/2019 3.Input Validation
31/47
Malicious HTTP Request
http://www.example.com/script?color=red'%3Bdelete+from+users%3B
%3B is the url encoding for ";"
What happens when the "color" input is used togenerate SQL?
$q = "UPDATE usersSET prefcolor='$INPUT[color]'WHERE uid='$auth_user'";
-
8/2/2019 3.Input Validation
32/47
Result
UPDATE users
SET prefcolor='red';
delete from users;
WHERE uid='$auth_user'";
The last line generates an error, but it's already toolate; all entries have been deleted.
The middle query could have been anything
-
8/2/2019 3.Input Validation
33/47
FAQs
Couldn't the database have a separate account for"Joe" with only the privileges he needs (e.g., nodelete privilege)?
In theory yes, but in practice the management of suchaccounts and privileges, and connecting to the databasewith the correct IDs, adds significant complexity
Most often a database account is created for the entire webapplication, with appropriate limitations (e.g., withoutprivileges to create and drop tables)
A good compromise is to create database accounts for eachclass of user or class of operation, so:
if Joe is a regular user he wouldn't have delete privileges forthe user table
Changing user preferences, as an operation type, doesn'trequire delete privileges
-
8/2/2019 3.Input Validation
34/47
FAQs
Doesn't SSL protect against this sort of attack?
No
But what if you authenticate users with a
username/password over SSL? Then, if the userdoes SQL injection, the server admins will knowwho perpetrated the crime, right?
Not necessarily; only if you have sufficient auditlogging.
-
8/2/2019 3.Input Validation
35/47
Other SQL Injection Methods
Let's say you've blocked single quotes, doublequotes and semi-colons.
What else can go wrong?
How about "\"?
If attacker can inject backslashes, then escaped quotescould get ignored by the database
-
8/2/2019 3.Input Validation
36/47
PHP-Nuke SQL injectionCAN-2002-1242
iDefense advisory dated Oct. 31, 2002
Malicious url:
modules.php?name=Your_Account&op=saveuser&uid=2&
bio=%5c&EditedMessage=no&pass=xxxxx&vpass=xxxxx&newsletter=,+pass=md5(1)/*
%5c is the encoding for \
-
8/2/2019 3.Input Validation
37/47
Let's Look at the SQL
UPDATE nuke_usersSET name = '', email = '',
femail = '', url = 'http://',pass = 'xxxxx', bio = '\',user_avatar = '',user_icq = '',user_msnm = '',newsletter = ',pass=md5(1)/*' WHERE uid='2'
Notice how bio would be set according to the text in red?
'' (two single quotes) make the database insert a single quote inthe field, effectively the same as \'
Notice how the comment field, /*, is used to comment out the
"WHERE" clause for the uid? This means that the query applies to
all users!
-
8/2/2019 3.Input Validation
38/47
What Happened?
All passwords were changed to the value returnedby the function "md5(1)"
Constant: "c4ca4238a0b923820dcc509a6f75849b"
Attacker can now login as anyone
-
8/2/2019 3.Input Validation
39/47
Lab
MySQL is available on your system
The next slide shows how to set it up
Perl with MySQL database interface is also
available A slide after the MySQL slide gives a starter script
Lab Objective: Make a Perl script that takes inputfrom the command line or a web form, and updates
a MySQL table. See how the attacks we discussed work
Note: MySQL doesn't execute multiple statements separatedby ";" (other databases do)
Can you make your script resistant to the code injection
attacks we discussed?
-
8/2/2019 3.Input Validation
40/47
MySQL
Start a root shell
Click on the Knoppix CD icon (penguin, second to right)
Type "mysqld_safe &"
Type "mysql -u root"
Create the database
Type "create database ci;"
Type "use ci;"
Note: This is not a recommended setup for a realMySQL installation. However, the MySQL usertables are read-only on the Knoppix CD, so we'lluse the MySQL user "root" without a password (!)
-
8/2/2019 3.Input Validation
41/47
Table Creation
Type the table creation statement (same as on aprior slide)
CREATE TABLE users (
prefcolor varchar(20),uid VARCHAR(20) NOT NULL,privilege ENUM('normal',
'administrator'),PRIMARY KEY (uid)
);
-
8/2/2019 3.Input Validation
42/47
Perl
Type the script on the next page or download itfromhttp://www.cerias.purdue.edu/homes/pmeunier/sym
antec/unit3/myperl.pl chmod u+x myperl.pl
Run it
Verify (in the terminal where you started mysql) that
there is now a new user entry for "Joe" Type "SELECT * FROM users;"
-
8/2/2019 3.Input Validation
43/47
Starter Perl script
#!/usr/bin/perl -Tw
use DBI;
my $serverName = "localhost";
my $serverPort = "3306";
my $serverUser = "root";
my $serverPass = "";
my $serverDb = "ci";
my $serverTabl = "user";
my ($dbh, $sth, @row);
$dbh = DBI->connect("DBI:mysql:database=$serverDb;
host=$serverName;port=$serverPort",$serverUser,$serverPass);
$sth = $dbh->prepare("INSERT INTO users (uid, prefcolor, privilege)
VALUES ('joe', 'peach', 'normal')
");
$sth->execute;
$sth->finish;
-
8/2/2019 3.Input Validation
44/47
Fake CGI From Command Line
Change the perl script to take input from thecommand line and perform the query on slide 24
$sth = $dbh->prepare("
UPDATE users set prefcolor ='$ARGV[0]'WHERE userid = '$ARGV[1]'
");
For bonus points, take input from a web page
Your can inspire yourself from the tutorial athttp://www.linuxplanet.com/linuxplanet/tutorials/1046/4/
-
8/2/2019 3.Input Validation
45/47
Questions or Comments?
-
8/2/2019 3.Input Validation
46/47
About These Slides
You are free to copy, distribute, display, and perform the work; and to
make derivative works, under the following conditions.
You must give the original author and other contributors credit
The work will be used for personal or non-commercial educational usesonly, and not for commercial activities and purposes
For any reuse or distribution, you must make clear to others the terms of
use for this work
Derivative works must retain and be subject to the same conditions, and
contain a note identifying the new contributor(s) and date of modification
For other uses please contact the Purdue Office of Technology
Commercialization.
Developed thanks to the support of SymantecCorporation
-
8/2/2019 3.Input Validation
47/47
Pascal [email protected]:Jared Robinson, Alan Krassowski, Craig Ozancin, Tim
Brown, Wes Higaki, Melissa Dark, Chris Clifton, GustavoRodriguez-Rivera