Who are we? Cesena Security and Network Applications. Why join CeSeNA?

Transcription

1 Unexpected inputs: the danger of data and code injection

2 Who are we? Cesena Security and Network Applications We like computer security and we want to share our knowledge. Founded by Marco Ramilli in Rebuilt by Luca Mella in Now it s an active group, managed by Alessandro Molari, Luca Molari and Giacomo Mantani. Why join CeSeNA? To learn useful, cool stuff. To improve mental and social skills. To have (a lot of) fun! Daniele Bellavista [CeSeNA] Code and Data Injection What s CeSeNA?

3 Contact us! Requirement to apply CeSeNA Burning desire for knowledge. Passion for computer security. Be a geeky, techky person. Where to find us IRC: #cesena at irc.freenode.net Website: (trust the certificate) Facebook: G+: Daniele Bellavista [CeSeNA] Code and Data Injection What s CeSeNA?

4 INJECTION VULNERABILITY

5 Injection: same old story SQL injection Introduced by sloppy (PHP) programmers. One of the main vulnerability in 2000s. Still present and exploited! Shellshock vulnerability Discovered in Present since September 1989! In some scenarios, it permits remote code execution. Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

6 SQLi example Scenario: system containing secret stuff on the database, which can be accessed only by knowing their secret identifier. Objective: obtain all the secrets! SQL Query: exec ( SELECT FROM S e c r e t s WHERE S e c I d = + s e c r e t I d ) Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

7 SQLi example Scenario: system containing secret stuff on the database, which can be accessed only by knowing their secret identifier. Objective: obtain all the secrets! SQL Query: exec ( SELECT FROM S e c r e t s WHERE S e c I d = + s e c r e t I d ) If secretid is exec ( SELECT FROM S e c r e t s WHERE S e c I d = ) Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

8 SQLi example Query: exec ( SELECT FROM S e c r e t s WHERE ID = + s e c r e t I d ) Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

9 SQLi example Query: exec ( SELECT FROM S e c r e t s WHERE ID = + s e c r e t I d ) Injection if secretid is 0 OR 1=1: exec ( SELECT FROM S e c r e t s WHERE ID = 0 OR 1=1 ) Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

10 A shellshock example Request to a CGI page: GET / v u l n e r a b l e. c g i User Agent : M o z i l l a F i r e f o x Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

11 A shellshock example Request to a CGI page: GET / v u l n e r a b l e. c g i User Agent : M o z i l l a F i r e f o x Response: 200 OK Hi, I m not v u l n e r a b l e! Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

12 A shellshock example Request: GET / v u l n e r a b l e. c g i User Agent : ( ) { i g n o r e d ; } ; echo The f o l l o w i n g s e n t e n c e i s f a l s e Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

13 A shellshock example Request: GET / v u l n e r a b l e. c g i User Agent : ( ) { i g n o r e d ; } ; echo The f o l l o w i n g s e n t e n c e i s f a l s e Response: 200 OK The f o l l o w i n g s e n t e n c e i s f a l s e Hi, I m not v u l n e r a b l e! Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

14 Data and code are confused Untrusted user-supplied inputs Web form fields (yes, even hidden tags). HTTP fields. Shell parameters. No difference between data and code No data type. Semantic checks are performed only on the result. Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

15 Sanitization Whitelist allowed character. Drop or escape the rest. Type awareness: parse integers, encode strings, etc.. Use framework or library functions considered secure. Remember: security isn t just a fix. Daniele Bellavista [CeSeNA] Code and Data Injection Injection Vulnerability

16 EXPLOITATION

17 Bad sanitization: quoting Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + s e c r e t I d + Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

18 Bad sanitization: quoting Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + s e c r e t I d + Previous secretid = 0 OR 1=1 won t work! SELECT FROM S e c r e t s WHERE S e c I d = 0 OR 1=1 Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

19 Bad sanitization: quoting Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + s e c r e t I d + Previous secretid = 0 OR 1=1 won t work! SELECT FROM S e c r e t s WHERE S e c I d = 0 OR 1=1 So, just send secretid = 0 OR 1 = 1 SELECT FROM S e c r e t s WHERE S e c I d = 0 OR 1 = 1 Celebrate Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

20 Bad sanitization: blind escaping Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + escapequotes ( s e c r e t I d ) + Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

21 Bad sanitization: blind escaping Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + escapequotes ( s e c r e t I d ) + The previous trick won t work: secretid = 0 OR 1 = 1 SELECT FROM S e c r e t s WHERE S e c I d = 0\ OR \ 1\ =\ 1 Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

22 Bad sanitization: blind escaping Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + escapequotes ( s e c r e t I d ) + The previous trick won t work: secretid = 0 OR 1 = 1 SELECT FROM S e c r e t s WHERE S e c I d = 0\ OR \ 1\ =\ 1 However, a similar query without quotes won t be protected! SELECT FROM S e c r e t s WHERE S e c I d = + escapequotes ( s e c r e t I d ) Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

23 Bad sanitization: blind escaping Quoted SQL statement: SELECT FROM S e c r e t s WHERE S e c I d = + escapequotes ( s e c r e t I d ) + The previous trick won t work: secretid = 0 OR 1 = 1 SELECT FROM S e c r e t s WHERE S e c I d = 0\ OR \ 1\ =\ 1 However, a similar query without quotes won t be protected! SELECT FROM S e c r e t s WHERE S e c I d = + escapequotes ( s e c r e t I d ) Just try 0 OR 1=1 SELECT FROM S e c r e t s WHERE S e c I d = 0 OR 1 = 1 Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

24 Bad sanitization: string replace Smartest fix ever: SELECT FROM S e c r e t s WHERE S e c I d = + r e p l a c e ( s e c r e t I d, OR, ) Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

25 Bad sanitization: string replace Smartest fix ever: SELECT FROM S e c r e t s WHERE S e c I d = + r e p l a c e ( s e c r e t I d, OR, ) If secretid = 0 OR 1=1 SELECT FROM S e c r e t s WHERE S e c I d = 0 1 = 1 Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

26 Bad sanitization: string replace Smartest fix ever: SELECT FROM S e c r e t s WHERE S e c I d = + r e p l a c e ( s e c r e t I d, OR, ) If secretid = 0 OR 1=1 SELECT FROM S e c r e t s WHERE S e c I d = 0 1 = 1 What if, secretid = 0 OORR 1=1 SELECT FROM S e c r e t s WHERE S e c I d = 0 OR 1 = 1 Daniele Bellavista [CeSeNA] Code and Data Injection Exploiting Injection

27 IT S YOUR TURN

28 Let s get our hands dirty Go to: Daniele Bellavista [CeSeNA] Code and Data Injection Exercise

29