Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security Vulnerabilities 1.

Similar presentations


Presentation on theme: "Introduction to Information Security Vulnerabilities 1."— Presentation transcript:

1 Introduction to Information Security Vulnerabilities 1

2 2 vulnerability exploit RCE PE ??? PROFIT IDIM DoS corruption injection design timinghuman vulnerability

3 Buffer Overflow 3 int check(char* password) { int invalid = 1; char buff[10]; if (strlen(password) > 10) return -1; strcpy(buff, password);... } buff invalid \x00 Reorder!

4 Stack Overflow 4 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } buff size EBP RET bffff000 shellcode Canaries!

5 SEH Overflow 5 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } buff size EBP RET canary SEH Also, brute force Data Execution Prevention!

6 libc rwxrwx Return To Libc 6 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } Address Space Layout Randomization! buff size EBP RET rwx b7fff000 b7fff200 b7fff100

7 Use After Free 7 Tab* openTab(char* URL) { Tab tab(); tab.load(URL); return &tab; } Tab* tab = openTab("www.google.com"); tab->body->show(); tabbody var shellcode = "..."; var chunks = new Array(); for (i = 0; i < 1000; i++) chunks[i] = shellcode + ""; tabbody

8 Double Fetch 8 int f(char* input, int size) { char* buff[1000]; if (size > 1000) return -1; memcpy(buff, input, size);... } int* EBP = (int*) 0xbffff100; while (1) { *(EBP+12) = 0; *(EBP+12) = 1000; }

9 Double Fetch 9 def main(path): verify_signature(path) execute_file(path) def verify_signature(path): data = open(path, 'rb').read() return sha1(data) == '...' def execute_file(path): data = open(path, 'rb').read() exec data main('file.py') while True: copy('good_file.py', 'file.py') copy('evil_file.py', 'file.py')

10 Code Injection 10 def dirlist(path): cmd = 'ls %s' % path out = subprocess.check_output(cmd) return out.splitlines() >>> dirlist('/tmp') ['dir/', 'file.txt'] >>> dirlist('/tmp; sh') $

11 Directory Traversal 11 def getfile(filename): path = '/tmp/' + filename return open(path, 'rb').read() >>> getfile('file.txt') 'Hello, world!\n' >>> getfile('../../etc/passwd') 'root:...'

12 Putting it all Together 12 /tmp/server.py – receives a name and a text and logs it in /tmp/messages/.txt /tmp/archive.py – compresses /tmp/messages/* into /tmp/archives/.gz once a day This runs under user Which is a sudoer, but we don't know his password

13 Putting it all Together 13 Send a message with the name../archive.py and some malicious code This code will run later that day, and: Create the /tmp/evil/ directory Put a fake sudo in it, which saves the provided password and calls the real sudo with it Edit the user's ~/.bashrc : PATH="/tmp/evil:$PATH" The next time the users logs in, his PATH will be compromised The next times he runs sudo apt-get install..., we'll get his password

14 Addendum Vulnerabilities IRL 14

15 Apple Goto Fail 15 if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; The hash is never completed, and the SSL/TLS encryption is compromised

16 Stuxnet CPL/LNK 16 Windows supports shortcuts (.LNK files) An.LNK file references: A path An icon Which can come from a.CPL file Which can bundle resources... But is similar to a.DLL file Which can have initialization routines.LNK.CPL

17 WinRAR File Extension Spoofing 17 The GUI developer needed a place for extra settings The ZIP developer provided the "extra" field The GUI developer put the displayed file name there But there was already a field for that...

18 Master Key 18 The Java developer validated the APK He loaded its files to a LinkedHashTable and checked their signatures The C developer installed the APK He loaded its file to a LinearHashTable and wrote their data to disk An APK is a ZIP file Which can have multiple entries with the same name... files = LinearHashTable() for file in APK: files[file.name] = file.data … for name in files: write(files[name]) files = LinkedHashTable() for file in APK: files[file.name] = file.data … for name in files: validate(files[file]) APK file.txt


Download ppt "Introduction to Information Security Vulnerabilities 1."

Similar presentations


Ads by Google