A Tale of Two Bugs

This Fall has been bad. Let's look at two: CVE-2014-6271 AKA "Shellshock" and CVE-2014-3704 AKA "Drupalgeddon".

Shellshock: "Remotely exploitable bug in bash". Run away, everything I knew is wrong. Just saying this blew people's minds.

What is bash? A shell? A language? A command interpreter? When bash is operating as a command interpreter, what does it do? What could a vulnerability be?

bash invocation: bash will scan the environment. If it finds functions in the environment variables, it will try and parse the function. What if there is trailing code after the function definition? env x='() { :;}; echo vuln'

Impact: attackers can run arbitrary bash programs. These programs run with the permissions of the invoker. This is a big problem: site defacement, download and exec, privilege escalation, start a shell.

Mass scans: Rob Graham ran mass scans on the Internet, commanding remote systems to ping him. Was this ethical? Legal? Discovered "thousands" of vulnerable systems. Declared the probability of a worm "high".

Web servers: if a web server uses CGI, and the request handler is a bash script OR a CGI script that invokes bash / a shell using system(), the attacker controls the environment variable HTTP_USER_AGENT (the server copies the request's User-Agent header into it for the CGI process). Then bash will execute code found in that environment variable.

SSH server: the user has a "restricted shell". The command to be executed by an ssh command invocation is stored in the environment variable SSH_ORIGINAL_COMMAND. If this environment variable is attacker controlled (it is, post-auth), then bash will scan it for functions and execute commands.

DHCP server: DHCP options from clients get stored in environment variables, and bash is invoked by the DHCP server during registration. Join a network with DHCP, set the right options in your DHCP client config, get a shell on the DHCP server.
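All three vectors share one trigger: an attacker-chosen string that pre-patch bash would parse as an exported function, i.e. a value starting with "() {". The following detector is an added example written for this page, not code from the slides or from any product: it flags that prefix in arbitrary strings, mirrors bash's startup scan over a process environment (HTTP_* variables on a CGI host, SSH_ORIGINAL_COMMAND on an ssh host), and runs the same check over the client-chosen fields of combined-format access logs. The log lines, the environment dict and the IP addresses are constructed sample data; the payload string is the harmless test from the slide.

```python
import re
from urllib.parse import unquote

# Pre-patch bash imported a function from any environment variable whose
# value began with "() {" and kept executing whatever followed the closing
# brace.  The signature below flags that prefix; the value is URL-decoded
# first so percent-encoded variants in a request line are caught too.
# It is a triage signal, not proof: a legitimate value containing "() {"
# (say, a JavaScript snippet in a referer) would also match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def looks_like_shellshock(value: str) -> bool:
    """True if pre-patch bash would parse this string as an exported function."""
    return SHELLSHOCK_RE.search(unquote(value)) is not None


def scan_environ(env: dict) -> list:
    """Mirror bash's own startup scan over a process environment and return
    the names of variables whose values look like function definitions.
    On a CGI host the attacker-reachable ones are the HTTP_* headers; on an
    ssh host with a forced command it is SSH_ORIGINAL_COMMAND."""
    return sorted(name for name, value in env.items() if looks_like_shellshock(value))


# Quoted fields of the "combined" access-log format, in order: the request
# line, the Referer header and the User-Agent header, all client-chosen.
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
FIELD_NAMES = ("request", "referer", "user_agent")


def scan_access_log(lines) -> list:
    """Return (line_number, field_name) for every quoted field that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for field, value in zip(FIELD_NAMES, QUOTED_FIELD.findall(line)):
            if looks_like_shellshock(value):
                hits.append((number, field))
    return hits


# Constructed sample data: three combined-format log lines and one CGI
# environment.  The payload is the harmless test string from the slide.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vuln"',
    '198.51.100.2 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vuln" "curl/7.35.0"',
]
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "() { :;}; echo vuln",
    "HTTP_COOKIE": "session=abc123",
    "QUERY_STRING": "page=1",
}

if __name__ == "__main__":
    for number, field in scan_access_log(SAMPLE_LOG):
        print(f"log line {number}: suspicious {field}")
    print("suspicious environment variables:", scan_environ(SAMPLE_ENV))
```

The regex is deliberately loose (whitespace between the parentheses and the brace is tolerated, and the input is URL-decoded first) because the check bash itself performed was on the decoded environment value, not on the bytes as they appeared on the wire; treat a hit as something to review, and pair it with the one reliable fix, a patched bash.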

Drupalgeddon: "SQL injection in a CMS". Oh, we've heard this before.

What is SQL injection? At the heart, program injection: concatenate a program (an SQL query) with data. If the concatenation creates a different program, there is a problem.

What can you do with SQL injection? Depends on the application, but usually everything: totally compromise an application, inject new content into web pages, add users / roles / etc.

What is Drupal? A content management system (CMS) used on a large amount of the Internet: blogs, knowledge management systems, everything.

What does the exploit look like?

POST /?q=node&destination=node HTTP/1.1" "sucuri.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR )"

Payload:
name [0%20and%20extractvalue(1, concat(0x5c, (select md5(1122) from information_schema.tables limit 1)));%23%20%20]=removed&name[0]=removed&pass=removed& removed=removed&form_build_id=&form_id=user_login_block&op=Log+in
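Note where the SQL sits in that payload: in the array key of name[...], not in a value. Drupal 7's database layer expanded an array-valued placeholder into one placeholder per element and named the new placeholders after the array's keys, so a client-supplied key became part of the SQL text even though every value was bound; the fix uses positional indices for the names instead. The Python below is an added model of that pattern written for this page, not Drupal's code: the QUERY string, the in-memory users table and the two parameter dicts are constructed, and the "0 or 1=1 -- " key stands in for the slide's "0 and extractvalue(...)" key.

```python
import re
import sqlite3

# A query with one array-valued placeholder, as a database layer might accept it.
QUERY = "SELECT username FROM users WHERE username IN (:name)"


def expand_array_placeholders(query: str, args: dict, safe: bool):
    """Expand each dict-valued argument into one placeholder per element.

    safe=False models the Drupal 7 bug: placeholder names are built from the
    caller's array *keys*, which for a form field like name[...] are chosen
    by the HTTP client.  safe=True models the fix: a positional counter.
    Returns the rewritten query and the flattened bind parameters.
    """
    new_args = {}
    for key, data in args.items():
        if not isinstance(data, dict):
            new_args[key] = data
            continue
        expanded = {}
        for index, (client_key, value) in enumerate(data.items()):
            suffix = str(index) if safe else str(client_key)
            expanded[f"{key}_{suffix}"] = value
        placeholders = ", ".join(":" + name for name in expanded)
        # Replace the whole-word ":name" with ":name_0, :name_1, ...".
        query = re.sub(":" + re.escape(key) + r"\b", lambda _m: placeholders, query)
        new_args.update(expanded)
    return query, new_args


def lookup_users(name_param: dict) -> list:
    """Run QUERY with the safe expansion against a constructed in-memory table.
    sqlite3 binds ':name_0' from the mapping key 'name_0'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",), ("carol",)])
    query, params = expand_array_placeholders(QUERY, {"name": name_param}, safe=True)
    rows = conn.execute(query, params).fetchall()
    conn.close()
    return sorted(row[0] for row in rows)


# Constructed request parameters: a normal multi-valued field, and one whose
# array key carries SQL, in the shape of the slide's name[0 and ...]=... payload.
NORMAL_PARAM = {"0": "alice", "1": "bob"}
HOSTILE_PARAM = {"0 or 1=1 -- ": "alice"}

if __name__ == "__main__":
    for safe in (False, True):
        query, params = expand_array_placeholders(QUERY, {"name": HOSTILE_PARAM}, safe)
        print("safe" if safe else "unsafe", "->", query, params)
    print(lookup_users(NORMAL_PARAM))   # only the two named users
    print(lookup_users(HOSTILE_PARAM))  # the hostile key is discarded, one row
```

The unsafe branch turns the query into `... IN (:name_0 or 1=1 -- )`: the program changed even though the application never concatenated a value, which is exactly the slide's definition of injection. The safe branch produces `... IN (:name_0)` with the attacker's text nowhere in the SQL, and the live query returns only the bound username.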

What were the outcomes? Shellshock will probably keep pentesters employed for years. The Drupal vulnerability compromised 12 million websites. We heard about one a lot more than the other.

What can we learn? Don't listen to hype. Consider data: data about attack surface, data about installation base. What is the exposure? What is the risk?