
DISE 3033

Computer
Security
Chapter 4. Injection
Attacks & application
confinement

Asma Zubaida.2018
Last week, we looked at …
Attacks
• Buffer overflows
  – Stack overflow & return address override
  – Off-by-one overflow & frame pointer override
  – Heap overflow & data or function pointer corruption
• printf attacks
  – If you have the ability to set the format string
Defenses
• Programming languages with bounds checks & strong typing
  – Use "safe" functions in C/C++
  – Java, C#, Python avoid these bug classes in managed code
    • But native methods and C extensions might still be vulnerable

February 20, 2018


Injection attacks
• Injection is ranked as the #1 web application security risk (A1) in the
  2017 OWASP Top 10 from the Open Web Application Security Project (OWASP)
• Allows an attacker to inject code into a program or query to
  – Execute commands
  – Modify a database
  – Change data on a website
• We looked at buffer overflows and format strings
  … but there are other forms too

https://www.owasp.org/index.php/Top_10-2017_Top_10
Bad Input: SQL Injection
• Let's create an SQL query in our program

    sprintf(buf,
        "SELECT * WHERE user='%s' AND query='%s';",
        uname, query);

• You're careful to limit your queries to a specific user
• But suppose query comes from user input and is:

    foo' OR user='root

• The command we create is:

    SELECT * WHERE user='paul' AND query='foo' OR user='root';

  The quote in the input closed our string early; the rest of the input became SQL.


What’s wrong?
• We should have used snprintf to avoid buffer overflow
(but that's not the problem here)
• We didn’t validate our input
– And ended up creating a query that we did not intend to
create!



Another example: password validation
• Suppose we're validating a user's password:

    sprintf(buf,
        "SELECT * from logininfo WHERE username = '%s' AND password = '%s';",
        uname, passwd);

• But suppose the user entered this for a password:

    ' OR 1=1 --

  The -- starts a comment that blocks the rest of the query (if there was more)

• The command we create is:

    SELECT * from logininfo WHERE username = 'paul' AND password = '' OR 1=1 --';

  1=1 is always true! AND binds tighter than OR, so the WHERE clause matches
  every row no matter what username and password were supplied.


Opportunities for destructive operations

https://xkcd.com/327/ (the student named Robert'); DROP TABLE Students;--)

Most databases support batched SQL statements: multiple statements
separated by a semicolon. If the name comes straight from the form, a lookup becomes:

    SELECT * FROM students WHERE name = 'Robert'; DROP TABLE Students; --';


Protection from SQL Injection
• SQL injection attacks are incredibly common because most web
  services are front ends to database systems
  – Input from web forms becomes part of the command
• Type checking (rejecting input that "looks like SQL") is difficult
  – SQL contains too many words and symbols that may be legitimate in other
    contexts (O'Brien is a perfectly good surname)
• Escaping special characters
  – Replace single quotes with two single quotes
  – Prepend backslashes to embedded potentially dangerous characters (newlines,
    returns, NULs, …)
  – Escaping is error-prone
    • Rules differ for different databases (MySQL, PostgreSQL, dashDB, SQL Server, …)

Don't create commands with user substrings added into them


Protection from SQL Injection
• Use parameterized SQL queries (prepared statements) or stored procedures
  – Keeps the query consistent: parameters are bound after the statement is
    parsed, so parameter data never becomes part of the query string
  – A stored procedure that concatenates its arguments into dynamic SQL is
    just as vulnerable as the application code was

    uname = getResourceString("username");
    passwd = getResourceString("password");
    query = "SELECT * FROM users WHERE username = @0 AND password = @1";
    db.Execute(query, uname, passwd);
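The two login queries from the previous slides, side by side and runnable, as an added example that is not part of the original slides. It uses Python's sqlite3 module against an in-memory database; the logininfo and students tables, the single account and the attacker inputs are constructed here for illustration (real code would also store a password hash rather than the password). The last function shows the xkcd batched-statement case through executescript(), an interface that accepts several ';'-separated statements at once.

```python
"""Vulnerable vs. parameterized SQL, runnable against an in-memory SQLite DB."""
import sqlite3


def make_db():
    """Constructed sample database: one legitimate account and a students table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logininfo (username TEXT, password TEXT)")
    db.execute("INSERT INTO logininfo VALUES ('paul', 'letmein')")
    db.execute("CREATE TABLE students (name TEXT)")
    db.commit()
    return db


def login_vulnerable(db, uname, passwd):
    """The slide's sprintf() pattern: user data is pasted into the SQL text.
    With passwd = "' OR 1=1 --" the WHERE clause becomes
        username = 'paul' AND password = '' OR 1=1
    which matches every row (AND binds tighter than OR, and -- comments out
    the closing quote and semicolon)."""
    sql = ("SELECT * FROM logininfo WHERE username = '%s' AND password = '%s';"
           % (uname, passwd))
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, uname, passwd):
    """Parameters are bound by the driver after the statement is parsed, so a
    quote or -- inside passwd is compared as data, never interpreted as SQL."""
    sql = "SELECT * FROM logininfo WHERE username = ? AND password = ?;"
    return db.execute(sql, (uname, passwd)).fetchone() is not None


def students_table_exists(db):
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None


def lookup_student_batched(db, name):
    """The xkcd scenario through an interface that runs a whole batch of
    ';'-separated statements (sqlite3's executescript(); many drivers allow
    batches by default).  A name such as
        Robert'; DROP TABLE students; SELECT 'x
    closes the quoted string, appends a DROP and leaves valid SQL behind.
    Returns whether the students table survived."""
    sql = "SELECT * FROM students WHERE name = '%s';" % name
    db.executescript(sql)
    return students_table_exists(db)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, correct password:", login_vulnerable(db, "paul", "letmein"))
    print("vulnerable, injected password:", login_vulnerable(db, "paul", "' OR 1=1 --"))
    print("parameterized, injected password:", login_parameterized(db, "paul", "' OR 1=1 --"))
    print("students table after xkcd input:",
          lookup_student_batched(db, "Robert'; DROP TABLE students; SELECT 'x"))
```

Note that sqlite3's plain execute() refuses more than one statement per call; that is a property of this driver, not a defense you can rely on elsewhere, which is why the batched case is shown through executescript().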


General Rule
• If you invoke any external program, know its parsing rules
• Converting data to statements that get executed is common in some
  interpreted languages
  – Shell, Perl, PHP, Python (system(), eval, backticks, …)


IFS
Shell variable IFS (Internal Field Separator) defines the delimiters the shell
uses when splitting the results of expansions and the input read by read
– If you can change IFS, you may change how the shell parses data
– The default is space, tab, newline

try1.sh:

    #!/bin/bash
    while read name password; do
        echo name=\"$name\", password=\"$password\"
    done

names:

    james password
    mary 123456
    john qwerty
    patricia letmein
    robert shadow
    jennifer harley

output:

    $ ./try1.sh <names
    name="james", password="password"
    name="mary", password="123456"
    name="john", password="qwerty"
    name="patricia", password="letmein"
    name="robert", password="shadow"
    name="jennifer", password="harley"


IFS
One small change: IFS=+

try1.sh:

    #!/bin/bash
    IFS=+
    while read name password; do
        echo name=\"$name\", password=\"$password\"
    done

names: (the same file as before)

output:

    $ ./try1.sh <names
    name="james password", password=""
    name="mary 123456", password=""
    name="john qwerty", password=""
    name="patricia letmein", password=""
    name="robert shadow", password=""
    name="jennifer harley", password=""

A space is no longer a separator, so the whole line lands in name and password is empty.


IFS
It gets tricky for output

try.sh:

    #!/bin/bash
    IFS='+'
    echo '"$@" expansion'
    echo "$@"
    echo '"$*" expansion'
    echo "$*"

output:

    $ ./try.sh sleepy sneezy grumpy dopey doc
    "$@" expansion
    sleepy sneezy grumpy dopey doc
    "$*" expansion
    sleepy+sneezy+grumpy+dopey+doc

"$@" keeps each argument as a separate word; "$*" joins them with the first
character of IFS. You really have to know what you're dealing with!

Suppose a program wants to send mail. It might call:

    FILE *fp = popen("/usr/bin/mail -s subject user", "w");

popen() hands that string to /bin/sh. In the original Bourne shell, IFS also split
the command line itself: with IFS set to "/", the shell would try to execute usr
with arguments bin and mail, so an attacker only needed to plant a program named
"usr" anywhere in the search path. POSIX shells apply IFS only to the results of
expansions, so this exact trick no longer works on a literal command string, but
the lesson stands: the shell parses the command according to its environment,
not according to what the calling program intended.
Other environment variables
• PATH: search path for commands
  – If untrusted directories are in the search path before trusted ones (/bin,
    /usr/bin), you might execute a command found there instead
    • Users sometimes place the current directory (.) at the start of their search path
    • What if the command is a booby-trap?
  – If shell scripts use commands by bare name, they're vulnerable to the user's
    path settings
  – Use absolute paths in commands or set PATH explicitly in a script
• ENV, BASH_ENV
  – Set to a file name that some shells execute when a shell starts
  – bash reads BASH_ENV even for non-interactive scripts, so a script you invoke
    can be made to run the attacker's file first


Other environment variables
LD_LIBRARY_PATH
– Search path for shared libraries
– If you change this, you can replace parts of the C library by custom versions
  • Redefine system-call wrappers, printf, whatever…

LD_PRELOAD
– Forces a list of libraries to be loaded for a program, even if the program does
  not ask for them
– Preloaded libraries come first in the dynamic linker's symbol lookup, so their
  definitions get used instead of the standard ones

You won't get root access with this: for set-user-ID and set-group-ID programs
the dynamic linker ignores LD_LIBRARY_PATH and restricts LD_PRELOAD to trusted
system directories. But you can change the behavior of programs you can already run
– Change random numbers, key generation, time-related functions in games
– List the files or network connections that a program uses
– Modify features or behavior of a program
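The IFS, PATH and LD_* slides above all describe the same mistake: letting the caller's environment decide what a launched helper does. The following Python launcher, an added example rather than code from the slides, shows the defensive side: resolve the command against a PATH the program chooses, exec the absolute path with an argument list (no shell, so IFS and quoting never apply), and hand the child a scrubbed environment. To demonstrate the booby-trap it builds two directories in a temporary location with a fake command named "report" in each; those directories, the command name and the trusted-path value are constructed here for illustration.

```python
"""Launching a helper program without trusting the caller's environment."""
import os
import shutil
import stat
import subprocess
import sys
import tempfile

# Variables the slides show steering a child's behaviour; none of them should
# reach a program launched from a privileged context.
DANGEROUS_ENV = ("IFS", "ENV", "BASH_ENV", "LD_PRELOAD", "LD_LIBRARY_PATH")


def clean_env(trusted_path="/usr/bin:/bin"):
    """Copy of our environment with the dangerous knobs removed and PATH
    set explicitly (assumed trusted-path value; adjust for your system)."""
    env = {k: v for k, v in os.environ.items() if k not in DANGEROUS_ENV}
    env["PATH"] = trusted_path
    return env


def resolve_trusted(command, search_path):
    """Resolve a bare command name against the given PATH (ours, not the
    caller's) and return the absolute path, or None if not found."""
    return shutil.which(command, path=search_path)


def run_helper(command, search_path):
    """Exec the resolved absolute path with a list argv and a scrubbed
    environment; returns the child's stdout."""
    exe = resolve_trusted(command, search_path)
    if exe is None:
        raise FileNotFoundError(command)
    out = subprocess.run([exe], env=clean_env(search_path),
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def _write_script(directory, name, message):
    """Constructed stand-in for a command: an executable that prints message."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!%s\nprint(%r)\n" % (sys.executable, message))
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    """Returns (output via a user PATH with an attacker dir first,
                output via the program's own trusted PATH)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = os.path.join(tmp, "bin")
        evil = os.path.join(tmp, "attacker")
        os.mkdir(trusted)
        os.mkdir(evil)
        _write_script(trusted, "report", "real report")
        _write_script(evil, "report", "booby-trap ran")
        # Like "." at the front of PATH on the slide: the writable directory
        # is searched before the real one.
        user_path = evil + os.pathsep + trusted
        return run_helper("report", user_path), run_helper("report", trusted)


if __name__ == "__main__":
    print(demo())
```

The point of resolving with a fixed search path and then exec'ing the absolute result is that the decision of which binary runs is made by the program, once, with data it controls; inheriting PATH (or passing the command through a shell) hands that decision to whoever set up the environment.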


Example of LD_PRELOAD

random.c:

    #include <time.h>
    #include <stdio.h>
    #include <stdlib.h>

    int
    main(int argc, char **argv)
    {
        int i;

        srand(time(NULL));
        for (i=0; i < 10; i++)
            printf("%d\n", rand()%100);
        return 0;
    }

output:

    $ gcc -o random random.c
    $ ./random
    9
    57
    13
    1
    83
    86
    45
    63
    51
    5


Let's create a replacement for rand()

rand.c:

    int rand(void) {
        return 42;
    }

    $ gcc -shared -fPIC rand.c -o newrandom.so   # compile
    $ export LD_PRELOAD=$PWD/newrandom.so        # preload
    $ ./random
    42
    42
    42
    42
    42
    42
    42
    42
    42
    42

We didn't have to recompile random! The symbol rand is found in newrandom.so
before libc because preloaded objects come first in the lookup order.


App-level access control: filenames
• If we allow users to supply filenames, we need to check them
• App admin may specify acceptable pathnames & directories
• Parsing is tricky
  – Particularly if wildcards are permitted (*, ?)
  – And if subdirectories are permitted (.. can climb back out of the allowed tree,
    and the name may arrive encoded)


Application-Specific Syntax: Unicode
Here's what Microsoft IIS did
• Checked URLs to make sure the request did not use ../ to get outside the
  inetpub web folder
  – Prevents
    http://www.poopybrain.com/scripts/../../winnt/system32/cmd.exe
• Then it passed the URL through a decode routine to decode extended
  Unicode characters
• Then it processed the web request

What went wrong?


Application-Specific Syntax: Unicode
• What's the problem?
  – / could be encoded as the (invalid) UTF-8 sequence %c0%af
• UTF-8
  – If the first bit is a 0, we have a one-byte ASCII character
    • Range 0..127
    • / = 47 = 0x2f = 0010 1111
  – If the first bit is 1, we have a multi-byte character
    • If the leading bits are 110, we have a 2-byte character
    • If the leading bits are 1110, we have a 3-byte character, and so on…
  – A 2-byte sequence has the form 110abcde 10fghijk
    • 11 bits for the character # (codepoint), range 0 .. 2047
    • C0 = 1100 0000, AF = 1010 1111; the payload bits 00000 101111 = 0x2f = 47
  – The standard forbids such "overlong" encodings: a codepoint below 128 must use
    the one-byte form, so a decoder should reject C0 AF
    • … but programmers are sloppy … and we want the code to be fast


Application-Specific Syntax: Unicode
• The ../ check ran on the still-encoded URL and did not treat %c0%af as /
  (it isn't a legal encoding of /), but the decoder that ran afterwards
  accepted it as / anyway
• So intruders could use IIS to access ANY file on the system
• IIS ran requests under the IUSR account
  – Anonymous account used by IIS to access the system
  – IUSR is a member of the Everyone and Users groups
  – Has access to execute most system files, including cmd.exe and command.com
• A malicious user had the ability to execute any commands on the web server
  – Delete files, create new network connections
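The IIS failure is an ordering bug (check, then decode, then use) combined with a decoder that accepts overlong UTF-8. The following Python program, an added example and not code from the slides or from IIS, reproduces both in miniature and puts the hardened version next to them; it also serves the filename-checking slide above, since the hardened function confines the decoded path to a directory. The sloppy decoder, the document root /inetpub and the request paths are constructed here for illustration; nothing is read from disk.

```python
"""Decode-then-check path confinement, with the IIS ordering bug reproduced."""
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/inetpub"   # constructed document root; served files must stay below it


def lenient_utf8(data):
    """A sloppy UTF-8 decoder: handles the 1- and 2-byte forms but never checks
    that a 2-byte sequence encodes a codepoint >= 0x80.  So the overlong pair
    C0 AF (110 00000, 10 101111 -> 0x2F) decodes to '/'."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                   # 0xxxxxxx: ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # 110xxxxx 10xxxxxx
            i += 2
        else:
            raise UnicodeDecodeError("utf-8", bytes(data), i, i + 1, "unsupported sequence")
    return "".join(out)


def strict_utf8(data):
    """Python's codec rejects overlong forms: 0xC0 and 0xC1 can never start a
    valid sequence, so b'\\xc0\\xaf' raises UnicodeDecodeError."""
    return bytes(data).decode("utf-8")


def iis_style(url_path):
    """Check, then decode, then use: the order IIS got wrong.
    Returns the file path that would be served, or None if rejected."""
    if "../" in url_path:                  # traversal check on the ENCODED string
        return None
    decoded = lenient_utf8(unquote_to_bytes(url_path))
    return posixpath.normpath(DOCROOT + decoded)


def hardened(url_path):
    """Decode strictly first, canonicalize, then confine to DOCROOT.
    This confinement is lexical; for real files also resolve symlinks with
    os.path.realpath() before the prefix test."""
    try:
        decoded = strict_utf8(unquote_to_bytes(url_path))
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    for req in ("/scripts/../../winnt/system32/cmd.exe",
                "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",
                "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
                "/index.html"):
        print(req, "->", iis_style(req), "|", hardened(req))
```

The plain %2e%2e request shows that the ordering bug alone, without any Unicode trick, already defeats a check done on the encoded string; the overlong %c0%af additionally defeats a check done after a lenient decode.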


More Unicode issues
Unicode represents virtually all the world's glyphs
• Some symbols look the same (or similar) but have different values
  – / = solidus (slash) = U+002F
  – ⁄ = fraction slash = U+2044
  – ∕ = division slash = U+2215
  – ̷ = combining short solidus overlay = U+0337
  – ̸ = combining long solidus overlay = U+0338
  – ／ = fullwidth solidus = U+FF0F
• Like the slash, other characters may have multiple representations
  – Á = U+00C1 (precomposed) = U+0041, U+0301 (A followed by a combining acute accent)
• Comparison rules have to be application dependent: normalize first, then decide
  which look-alikes your application must treat as equal

Yuck!


Paul ≠ ΡаυI



Homograph (Homoglyph) Attacks
• Some characters may look alike:
  – 1 (one), l (L), I (i)
  – 0 (zero), O
• Homograph attack = deception
  – paypal.com vs. paypaI.com (capital I instead of lowercase l)
• It got worse with internationalized domain names (IDN)
  – wіkіреdіа.org
    • Cyrillic a (U+0430), e (U+0435), p (U+0440)
    • Belarusian-Ukrainian i (U+0456)
  – Paypal
    • Cyrillic P, a, y, p, a; ASCII l

Check out the Homoglyph Attack Generator at
https://www.irongeek.com/homoglyph-attack-generator.php
https://en.wikipedia.org/wiki/IDN_homograph_attack
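The previous two slides describe two separate comparison problems: equivalent encodings of the same text (Á as one codepoint or two) and different characters that merely look alike (the slash family, Cyrillic letters in a Latin name). The following Python functions, added here as an example and not taken from the slides, show the standard answer to the first (normalize to NFC before comparing) and two simple application-level rules for the second: fold the slide's slash look-alikes to U+002F, and flag a domain label that mixes scripts. The script tag is taken from the first word of each character's Unicode name, which is a shortcut assumed for this example (browsers use the Unicode Script property and confusables data); the small confusables table is likewise a constructed subset.

```python
"""Canonical comparison and mixed-script (homograph) detection."""
import unicodedata

# Slash look-alikes from the slide that NFKC does not already fold to '/'.
SLASH_LIKE = {"\u2044", "\u2215"}            # fraction slash, division slash

# Constructed subset of Unicode confusables: Cyrillic letters and the Latin
# letters they are routinely mistaken for.
CONFUSABLE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def canonical_equal(a, b):
    """Precomposed Á (U+00C1) and A + U+0301 are the same text: compare in NFC."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def fold_slashes(s):
    """Application-specific rule: treat every slash-like character as '/'.
    NFKC maps the fullwidth solidus U+FF0F to '/'; the rest are mapped by hand."""
    s = unicodedata.normalize("NFKC", s)
    return "".join("/" if c in SLASH_LIKE else c for c in s)


def script_of(ch):
    """Script tag from the first word of the character's Unicode name
    ('LATIN SMALL LETTER A' -> 'LATIN'); non-letters count as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in(label):
    """Set of scripts used by the letters of a label, ignoring digits/punctuation."""
    return {script_of(c) for c in label} - {"COMMON"}


def homograph_reason(label):
    """Why a domain label is suspicious, or None.  A label written in one
    script is allowed (legitimate IDNs exist); a label mixing scripts is the
    classic homograph pattern.  Pure-ASCII look-alikes such as paypaI pass
    this check and need a different defense (fonts, registrar policy)."""
    label = unicodedata.normalize("NFC", label)
    if label.isascii():
        return None
    scripts = scripts_in(label)
    if len(scripts) > 1:
        return "mixed scripts: " + ", ".join(sorted(scripts))
    return None


def skeleton(label):
    """Map known confusables to the ASCII letters they imitate, so a suspicious
    label can be compared with the name the user thinks they are seeing."""
    return "".join(CONFUSABLE_TO_ASCII.get(c, c) for c in label)


if __name__ == "__main__":
    fake_wikipedia = "w\u0456k\u0456\u0440\u0435d\u0456\u0430"   # the slide's wіkіреdіа
    print(homograph_reason(fake_wikipedia), "->", skeleton(fake_wikipedia))
    print(scripts_in("\u03a1\u0430\u03c5I"))                     # ΡаυI from the slide
```

skeleton() is what turns a vague "this looks odd" into a concrete comparison: if the folded form equals a well-known name but the original bytes do not, the label is impersonating that name.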
Summary
• Better OSes and strict access controls would be nice
  – A secure OS will make it easy to write security-sensitive programs
  – Enforce the principle of least privilege
  – Validate user inputs … and try to avoid using user input in commands
• Minimize chances of errors
  – Eliminate unnecessary interactions (files, users, network, devices)
  – Use per-process or per-user /tmp
  – Avoid error-prone system calls and libraries
    • Or study the detailed behavior and past exploits
• Minimize comprehension mistakes
  – Specify the operating environment & all inputs
    • And validate it at runtime
    • PATH, LD_LIBRARY_PATH, user input, …
  – Don't make user input a part of executed commands


The end

TUTORIAL
https://www.hacksplaining.com/exercises/sql-injection

CS 419 © 2018 Paul Krzyzanowski, February 20, 2018