
Input Sanitization



  1. Input Sanitization COEN 225

  2. All Input is Evil
  • All input is evil, at least potentially
  • Input can be (a random collection):
    • Files
    • Web forms
    • Cookies
    • Registry entries
    • Database contents
    • Command line arguments
    • Environment variables
    • HTTP requests
    • Named pipes
    • E-mail
    • …

  3. Finding Common Entry Points
  • Files
    • Contain data specified by users
    • Contain data supplied by the application
    • Can be intentionally or unintentionally corrupted
    • An attacker can also attack file metadata:
      • Extension
      • Path
      • File system attributes
      • …

  4. Finding Common Entry Points
  • Sockets
    • Easy to connect to sockets → need to filter data
    • An attacker can:
      • Monitor data
      • Send malformed data to the client or to the server
      • Intercept data in the middle of a request and replace it (a.k.a. man-in-the-middle attack)

  5. Finding Common Entry Points
  • HTTP requests
    • Almost always pass through firewalls
    • Using a web proxy, users have complete control over what is sent to the server
  • Named pipes
    • See sockets
    • But programmers might forget how named pipes work and trust the input
    • E.g. SQL Server 2000 vulnerability, see http://www.blakewatts.com/namedpipepaper.html

  6. Finding Common Entry Points
  • Pluggable Protocol Handlers
    • Examples: http, ftp, https in a URL; mailto:tschwarz@scu.edu?subject=WrongPerson
    • Tell the system which application handles the data when a hyperlink is clicked
    • A maliciously crafted link irc://[~900 characters] caused a buffer overflow in the mIRC protocol handler that allowed arbitrary code execution

  7. Finding Common Entry Points
  • Programmatic Interfaces
    • RPC
    • COM
    • DCOM
    • ActiveX
    • Managed code entry points (Windows)
    • .NET Remoting

  8. Finding Common Entry Points
  • SQL
    • Improperly filtered input strings can lead to execution of powerful SQL commands
  • Registry
  • User Interfaces
    • Win95 machines were used in libraries
    • An attacker could remove the “Start” button for free entertainment

  9. Finding Common Entry Points
  • Command line arguments
    • The attacker provides a helpful link with arguments embedded
    • Example: cross-site scripting attacks
  • Environment variables
    • Can be used by programs to make decisions

  10. Canonicalization
  • Authentication decision made by one module
  • Access done by another module

  11. Input Validation
  • Input: anything controlled by an outsider
    • User command line input
    • Configuration files that could be manipulated
    • HTTP requests
    • Packets under consideration by a firewall
    • …

  12. Input Validation
  • Security Strategies
  • Black List
    • List all things that are NOT allowed
    • The list is difficult to create
    • Adding insecure constructs on a continuous basis means that the previous version was unsafe
    • Testing is based on known attacks
    • A list from others might not be trustworthy
  • White List
    • List of things that are allowed
    • The list might be incomplete and disallow good content
    • Adding exceptions on a continuous basis does not imply security holes in previous versions
    • Testing can be based on known attacks
    • A list from others can be trusted if the source can be trusted

  13. Input Validation
  • Principal problem
    • Location of check ≠ location of use
  • Principal solution
    • Canonicalization of input
    • Transform input into a canonical form
    • The decision is made on the input in the same form that the program uses

  14. Canonicalization
  • Two major program errors:
    • Misunderstanding the definition of the canonical form
    • Stopping the canonicalization process too early

  15. Canonicalization: Dealing with Metacharacters
  • Meta-information can be attached
    • Out-of-band
    • In-band
      • Often more readable
      • Often more compact
      • Has security implications
  • Potential for overlapping trust domains:
    • There exists a logical boundary between data and metadata
    • The parser needs to identify the difference between data and metadata correctly

  16. Canonicalization: Dealing with Metacharacters
  • Example: NULL character for termination of strings

  17. Canonicalization: Dealing with Metacharacters
  • Simplest vulnerability:
    • Users can embed metacharacters into input that is not filtered
    • Instance of a second-order injection attack
    • The attack happens when the metacharacter is evaluated
    • Example: password update (next slide)

  18. Canonicalization: Dealing with Metacharacters
  No input sanitization!

      use CGI;
      …
      # verify session details
      …
      $new_password = $query->param('password');
      open(IFH, "</opt/passwords.txt") || die("$!");
      open(OFH, ">/opt/passwords.txt.tmp") || die("$!");
      while (<IFH>) {
          chomp;                              # drop the record's newline
          ($user, $pass) = split /:/;         # "user:password" records
          if ($user ne $session_username) {
              print OFH "$user:$pass\n";
          } else {
              print OFH "$user:$new_password\n";   # unfiltered user input
          }
      }
      …
      close(IFH);
      close(OFH);

  User bob inputs: test\njim:npwd
  OFH becomes:
      bob:test
      jim:npwd
  Bob just added a new user.
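The same update written in Python, as an added example that is not part of the lecture: with validate=False it reproduces the unsanitized Perl script's behaviour, with validate=True the new password is checked against a whitelist that excludes the file's delimiters (newline, colon) before it is written. The sample file, the whitelist regex and the function names are constructed here.

```python
import re

# Constructed sample password file: one "user:password" record per line.
PASSWD_LINES = ["alice:s3cret", "bob:oldpw"]

# Whitelist in the lecture's style: only characters that can never act as a
# record delimiter (newline) or a field delimiter (colon) in this file.
SAFE_PASSWORD = re.compile(r"^[A-Za-z0-9_!@#$%^&*+=-]{8,64}$")


def update_password(lines, session_user, new_password, validate=True):
    """Rewrite the password records for session_user.

    validate=False mirrors the slide's Perl: a new_password containing "\\n"
    is written as-is and splits into an extra record on the next read.
    validate=True is the hardened form: the value is checked against the
    whitelist before it is ever placed next to a delimiter.
    """
    if validate and not SAFE_PASSWORD.match(new_password):
        raise ValueError("password contains disallowed characters")
    out = []
    for line in lines:
        user, _, pw = line.partition(":")
        out.append(f"{user}:{new_password}" if user == session_user
                   else f"{user}:{pw}")
    # The file is the joined text; re-splitting shows what a later reader sees.
    return "\n".join(out).split("\n")


def users_in(lines):
    """User names a reader of the rewritten file would recognise."""
    return [line.partition(":")[0] for line in lines]
```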

  19. Canonicalization: Dealing with Metacharacters
  • Discovering attacks like this:
    • Identify code that deals with metacharacter strings
    • Identify all delimiter characters that are specially handled and put them into a list
    • Identify the filtering performed on the input
    • Eliminate the filtered delimiter characters from the list
    • Remaining characters on the list indicate a vulnerability

  20. Canonicalization: Dealing with Metacharacters

      BOOL HandleUploadedFile(char *filename)
      {
          char buf[MAX_PATH], pathname[MAX_PATH];
          char *fname = filename, *tmp1, *tmp2;
          DWORD rc;
          HANDLE hFile;

          /* keep only the part after the last '/' or '\' */
          tmp1 = strrchr(filename, '/');
          tmp2 = strrchr(filename, '\\');
          if (tmp1 || tmp2)
              fname = (tmp1 > tmp2 ? tmp1 : tmp2) + 1;
          if (!fname)
              return FALSE;
          /* reject directory traversal */
          if (strstr(fname, ".."))
              return FALSE;
          /* "%%" yields a literal '%' in the format string */
          _snprintf(buf, sizeof(buf), "\\\\?\\%%TEMP%%\\%s", fname);
          rc = ExpandEnvironmentStrings(buf, pathname, sizeof(pathname));
          if (rc == 0 || rc > sizeof(pathname))
              return FALSE;
          hFile = CreateFile(pathname, …);
          … read bytes into the file …
      }

  Step 1: The input string is formatted a number of ways before it becomes a file name. It is copied into a statically sized buffer and prefixed with \\?\%TEMP%\.

  21. Canonicalization: Dealing with Metacharacters (same code as slide 20)
  Step 2: Set of delimiter characters that are specially handled: '/', '\', "..".

  22. Canonicalization: Dealing with Metacharacters (same code as slide 20)
  Step 3: The string is passed to ExpandEnvironmentStrings(). Environment variables are denoted with % characters.

  23. Canonicalization: Dealing with Metacharacters (same code as slide 20)
  Step 4: Filtering: strrchr searches for the last occurrence of '/' and '\' and increments past it; strstr searches for "..".

  24. Canonicalization: Dealing with Metacharacters (same code as slide 20)
  Step 5: However, '%' remains. The client can supply a number of environment variables such as QUERY_STRING. In addition, something like ..\..\..\any\pathname\file.txt supplied in QUERY_STRING allows the client to write to arbitrary locations in the file system.
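A Python model of the delimiter audit on HandleUploadedFile, added here and not the lecture's code: the environment dictionary, expand_env and the post-expansion check are assumptions that stand in for the Win32 calls. It shows why the audit stops at '%' and what changes when the check is made on the fully expanded string, the form CreateFile actually sees.

```python
import re

# Constructed stand-in for the process environment. In a CGI setting the
# client controls QUERY_STRING, as slide 24 notes.
ENV = {"TEMP": r"C:\Temp",
       "QUERY_STRING": r"..\..\..\any\pathname\file.txt"}


def expand_env(s, env):
    """Model of ExpandEnvironmentStrings: replace %NAME% with env[NAME];
    unknown names are left as they are."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), s)


def build_upload_path(filename, env, check_after_expansion):
    """Model of the slide's handler.

    check_after_expansion=False keeps the slide's order: strip the directory
    part, reject "..", then expand %VAR%. '%' survives the filter and the
    expansion reintroduces ".." and '\\'.
    check_after_expansion=True validates the canonical (expanded) name.
    Returns the path string, or None when the name is rejected.
    """
    # strrchr on '/' and '\\': keep only the text after the last separator
    cut = max(filename.rfind("/"), filename.rfind("\\"))
    fname = filename[cut + 1:]
    if not fname or ".." in fname:
        return None
    prefix = expand_env("\\\\?\\%TEMP%\\", env)   # \\?\C:\Temp\
    tail = expand_env(fname, env)                # what follows the prefix
    if check_after_expansion:
        # A plain file name under %TEMP% has no separators, no traversal,
        # no ':' and no unexpanded '%' once canonicalization is complete.
        if re.search(r"[\\/%:]|\.\.", tail):
            return None
    return prefix + tail
```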

  25. Canonicalization: Dealing with Metacharacters
  • NULL character injection
    • NULL characters are necessary to terminate strings when calling C routines from the OS and many APIs
    • Perl and other languages do not use NULL for termination
  • Example:
    • A Perl application programmer tests that the file name ends in “.txt”
    • The attacker inputs the sequence “%00” in CGI input
    • Decoded as a NUL character
    • Can be used to cut off the file name, including the extension

      open(FH, ">$username.txt") || die("$!");
      print FH $data;
      close(FH);

  26. Canonicalization: Dealing with Metacharacters: NULL
  • The NUL metacharacter is used to end C strings, but not Perl, Java, PHP, … strings
  • This is a canonicalization issue:
    • C-based modules canonicalize strings differently than the no-C/no-Unix world
    • Issues arise when strings cross boundaries between these worlds

  27. Canonicalization: Dealing with Metacharacters: NULL
  • Possible results:
    • Memory corruption because strlen returns a different value
    • Truncation of strings → false decisions
    • Especially for FILE NAMES:

        B O B . T X T \0
        B O B \0 . T X T \0

  28. Path Metacharacters
  • Windows file names:
    • C:\\WINDOWS\system32\calc.exe
    • Optional device
    • Followed by path
  • NOT UNIQUE:
    • C:\\WINDOWS\system32\drivers\..\calc.exe
    • calc.exe
    • .\calc.exe
    • ..\calc.exe
    • \\?\WINDOWS\systems32\calc.exe
  • The file system uses file canonicalization
    • But the system is less than canonical

  29. Path Metacharacters
  • Issues:
  • File squatting (in Windows)
    • Need to use CreateFile carefully in order to not open an existing file that sits in the canonical path of the file name
    • CreateFile canonicalization eliminates any directory traversal components before validating whether each path segment exists
    • C:\nonexistent\path\..\..\blah.txt accesses C:\blah.txt
  • File-like objects
    • CreateFile can open objects that are treated like files but are not files:
      • \\host\object
      • type\name
  • Device files
    • Reside in the file hierarchy
    • But are canonicalized differently
    • COM1-9, LPT1-9, CON, CONIN$, CONOUT$, PRN, AUX, CLOCK$, NUL
    • Programmers are often not aware of the rules

  30. Path Metacharacters
  • CreateFile() (Windows) idiosyncrasies
  • Strips out trailing spaces in file names
    • Example attack:
      • The programmer attaches “.txt” to a user-provided name
      • The attacker provides “helloworld.exe ” with a trailing space
      • The trailing space with the following .txt is stripped out
  • Case sensitivity
    • Windows file names are not case sensitive; UNIX and HFS file names are
  • DOS 8.3
    • A short file name is created by the file system if the file name is too long
    • The file can be referred to by the short file name
    • Use \\?\ before the file name to disable DOS file name parsing
  • Ensure that files are normal files by checking for FILE_ATTRIBUTE_NORMAL, or face access to named pipes, …
  • Alternate Data Streams are created with a “:” separator
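An added Python example (not from the lecture) of a name validator that rejects each CreateFile idiosyncrasy listed above before a user-supplied stem is turned into "<stem>.txt"; the reserved-name set comes from slide 29, while the length cap and the function name are assumptions.

```python
import re

# Reserved device names listed on slide 29; CreateFile resolves them to
# devices even when a directory or an extension is attached ("CON.txt").
RESERVED = {"CON", "CONIN$", "CONOUT$", "PRN", "AUX", "CLOCK$", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

# Whitelist for the user-supplied part of the name. It leaves no room for
# '\\' or '/' (path separators), ':' (alternate data stream), '~' (DOS 8.3
# short name), '%' (environment expansion), '.' (no "..", no second
# extension) or spaces. The 60-character cap is an assumed policy.
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,60}$")


def safe_txt_name(user_part):
    """Build "<user_part>.txt" only if the result is a plain data file.

    Returns None when any of the slide's CreateFile behaviours could make the
    final name mean something other than a regular .txt file.
    """
    # CreateFile trims trailing spaces and dots itself, which is what turns
    # "helloworld.exe " + ".txt" into something unexpected. Reject rather
    # than trim, so the name the check saw is the name that gets opened.
    if user_part != user_part.rstrip(" ."):
        return None
    # File names are case-insensitive on Windows: compare in upper case.
    if user_part.upper() in RESERVED:
        return None
    if not STEM_RE.match(user_part):
        return None
    return user_part + ".txt"
```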

  31. Path Metacharacters
  • Registry keys
    • Naming similar to files
    • Similar issues
    • Worthy of its own presentation

  32. Canonicalization: Dealing with Metacharacters
  • Shell metacharacter injection
  • Attack vector:
    • The user controls input to an argument for execve(), popen(), …
  • Dangerous shell characters:
    ; | & < > ` ! - * / ? ( ) . [space] [ ] "\t" ^ ~ \ "\\" quotes "\r" "\n" $

  33. Canonicalization: Dealing with Metacharacters
  • SQL injection attack
  • Attack vector:
    • The user controls part of the SQL query string

  34. Canonicalization: Metacharacter Filtering
  • Three basic options:
    • Detect erroneous input and reject what appears to be an attack
    • Detect and strip dangerous characters
    • Detect and encode dangerous characters with a metacharacter escape sequence

  35. Canonicalization: Metacharacter Filtering
  • Eliminating metacharacters
  • Whitelisting: allow only good strings

      if ($input_data =~ /[^A-Za-z0-9_ ]/) { exit; }

  • Whitelisting: strip away anything that is not good

      $input_data =~ s/[^A-Za-z0-9]//g;

    • Stripping is vulnerable to mistakes
  • Blacklisting: make decisions based on dangerous characters (not recommended)

  36. Canonicalization: Metacharacter Filtering
  • Escaping metacharacters
    • Non-destructive: metacharacters are preserved in the string
    • Goal: the receiving module receives a safe string
  • Attack vectors:
    • Metacharacter evasion
    • An encoded metacharacter can be used to avoid other filtering
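The three options from slides 34 to 36 applied to a value bound for a shell command line (the execve()/popen() vector of slide 32), as an added Python example that is not the lecture's code. shell_words uses Python's shlex to show which words a POSIX shell would build from the raw and from the escaped command line; the sample input and the function names are constructed here.

```python
import re
import shlex

# Same character class as the slide's Perl whitelist.
ALLOWED = re.compile(r"^[A-Za-z0-9_ ]+$")


def reject_metachars(value):
    """Option 1, whitelisting: refuse anything outside the allowed set."""
    if not ALLOWED.match(value):
        raise ValueError("input contains metacharacters")
    return value


def strip_metachars(value):
    """Option 2, stripping (the slide's s///g): lossy, and whatever is left
    over is still used, which is why the lecture calls it error-prone."""
    return re.sub(r"[^A-Za-z0-9_ ]", "", value)


def escape_for_shell(value):
    """Option 3, escaping: metacharacters are preserved but quoted so the
    shell treats the whole value as one literal word."""
    return shlex.quote(value)


def shell_words(cmdline):
    """Words a POSIX shell would build from cmdline; ';', '|', '&', '<', '>'
    and parentheses become separate tokens, as they would in the shell."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


# Constructed input: a user name followed by a command separator.
SAMPLE = "bob; id"
```

Running the raw value through shell_words shows the second command the shell would see; the escaped form stays a single word.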

  37. Canonicalization: Metacharacter Filtering
  • Escaping metacharacters
    • Filtering does not detect encoded metacharacters
    • Example: ..%2F..%2Fetc%2Fpasswd
  • Double encoding attacks:

      dXNlcj1wYXNzd2QmaG9tZWRpcj0uLiUyNSUzMiU0Ni4uJTL1JTMyJTQ
        ↓ Base 64 decoder
      user=passwd&homedir=..%25%32%46..%25%32%46etc
        ↓ Hexadecimal decoder, pass 1
      user=passwd&homedir=..%2F..%2Fetc
        ↓ Hexadecimal decoder, pass 2
      user=passwd&homedir=../../etc
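An added Python example (not the lecture's code) that carries the slide's decoding chain through to a fixed point and contrasts filtering before and after decoding; it also covers the "%00" case from slides 25 to 27, where a NUL that a scripting language keeps is a terminator for the C routine underneath. The request body is built locally with make_body rather than copied from the slide, and the function names are assumptions.

```python
import base64
from urllib.parse import unquote


def percent_decode_fully(s, max_rounds=4):
    """Hexadecimal decoder run to a fixed point: one pass turns %25%32%46
    into %2F, the next turns that into '/'. The round limit keeps a deeply
    layered input from looping; exceeding it is treated as an attack."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many encoding layers")


def c_string_view(s):
    """What strlen() or open(2) see in a buffer holding s: up to the first NUL."""
    return s.split("\0", 1)[0]


def has_separator_or_nul(s):
    return any(c in s for c in "/\\\0")


def make_body(form):
    """Constructed request body: Base64 of a form-encoded string."""
    return base64.b64encode(form.encode("ascii")).decode("ascii")


def decode_body(b64_body):
    """Base64 decoder stage, then split the form body into parameters."""
    body = base64.b64decode(b64_body).decode("ascii")
    return dict(p.split("=", 1) for p in body.split("&"))


def homedir_filtered_early(b64_body):
    """The slide's failing order: filter the parameter as it arrives (still
    percent-encoded) and let later decoders canonicalize it."""
    homedir = decode_body(b64_body)["homedir"]
    return None if has_separator_or_nul(homedir) else percent_decode_fully(homedir)


def homedir_filtered_late(b64_body):
    """Hardened order: decode every layer first, decide on the final form."""
    homedir = percent_decode_fully(decode_body(b64_body)["homedir"])
    return None if has_separator_or_nul(homedir) else homedir


def txt_filename(cgi_username):
    """The Perl open(FH, ">$username.txt") case from slide 25: check the
    decoded value for NUL before it reaches a C-string API."""
    name = percent_decode_fully(cgi_username)
    return None if has_separator_or_nul(name) else name + ".txt"
```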

  38. Canonicalization: Metacharacter Filtering
  • Character sets
  • Example vulnerabilities:
    • Wide characters (Unicode): C-style wide strings are terminated with a 16-bit NUL, normal character strings with an 8-bit NUL
    • Homographic attacks
      • Different characters look the same
      • “Microsoft” → “Microsoft” in Unicode, where one ‘o’ is Cyrillic
    • String length calculations need to take the character set into account (wide characters vs. normal characters)
