- Exploiting Software How to Break Code
- Table of Contents
- Copyright
- Praise for Exploiting Software
- Attack Patterns
- Foreword
- Preface
- What This Book Is About
- How to Use This Book
- But Isn't This Too Dangerous?
- Acknowledgments
- Greg's Acknowledgments
- Gary's Acknowledgments
- Bad Software Is Ubiquitous
- The Trinity of Trouble
- The Future of Software
- What Is Software Security?
- Conclusion
- Chapter 2. Attack Patterns
- A Taxonomy
- An Open-Systems View
- Tour of an Exploit
- Attack Patterns: Blueprints for Disaster
- An Example Exploit: Microsoft's Broken C++ Compiler
- Applying Attack Patterns
- Attack Pattern Boxes
- Conclusion
- Into the House of Logic
- Should Reverse Engineering Be Illegal?
- Reverse Engineering Tools and Concepts
- Approaches to Reverse Engineering
- Methods of the Reverser
- Writing Interactive Disassembler (IDA) Plugins
- Decompiling and Disassembling Software
- Decompilation in Practice: Reversing helpctr.exe
- Automatic, Bulk Auditing for Vulnerabilities
- Writing Your Own Cracking Tools
- Building a Basic Code Coverage Tool
- Conclusion
- Chapter 4. Exploiting Server Software
- The Trusted Input Problem
- The Privilege Escalation Problem
- Finding Injection Points
- Input Path Tracing
- Exploiting Trust through Configuration
- Specific Techniques and Attacks for Server Software
- Conclusion
- Chapter 5. Exploiting Client Software
- Client-side Programs as Attack Targets
- In-band Signals
- Cross-site Scripting (XSS)
- Client Scripts and Malicious Code
- Content-Based Attacks
- Conclusion
- Chapter 6. Crafting (Malicious) Input
- The Defender's Dilemma
- Intrusion Detection (Not)
- Partition Analysis
- Tracing Code
- Reversing Parser Code
- Misclassification
- Audit Poisoning
- Conclusion
- Chapter 7. Buffer Overflow
- Buffer Overflow 101
- Injection Vectors: Input Rides Again
- Buffer Overflows and Embedded Systems
- Database Buffer Overflows
- Buffer Overflows and Java?!
- Content-Based Buffer Overflow
- Audit Truncation and Filters with Buffer Overflow
- Causing Overflow with Environment Variables
- The Multiple Operation Problem
- Finding Potential Buffer Overflows
- Stack Overflow
- Arithmetic Errors in Memory Management
- Format String Vulnerabilities
- Heap Overflows
- Buffer Overflows and C++
- Payloads
- Payloads on RISC Architectures
- Multiplatform Payloads
- Prolog/Epilog Code to Protect Functions
- Conclusion
- Chapter 8. Rootkits
- Subversive Programs
- A Simple Windows XP Kernel Rootkit
- Call Hooking
- Trojan Executable Redirection
- Hiding Files and Directories
- Patching Binary Code
- The Hardware Virus
- Low-Level Disk Access
- Adding Network Support to a Driver
- Interrupts
- Key Logging
- Advanced Rootkit Topics
- Conclusion
- References
- Index
Content-Based Attacks
When client software displays and executes media files that contain malicious data, another form of client-facing attack—called content-based attacks—is enabled. Content-based attacks range from the arcane (embedded malicious postscript that can literally kill a printer by burning it out) to the more obvious (using embedded functionality inside a standard protocol to run malicious content).
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

- Why software exploit will continue to be a serious problem
- When network security mechanisms do not work
- Attack patterns
- Reverse engineering
- Classic attacks against server software
- Surprising attacks against client software
- Techniques for crafting malicious input
- The technical details of buffer overflows
- Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Attack Pattern: File System Function Injection, Content Based

A protocol header or snippet of code embedded in a media file is used in a trusted function call when the file is opened by the client. Examples include music files such as MP3, archive files such as ZIP and TAR, and more complex files such as PDF and Postscript files. Common targets for this attack are Microsoft Word and Excel files, most often delivered as e-mail attachments.

An attacker typically makes use of relative paths in ZIP, RAR, TAR archive, and decompresses to get to parent directories.

* Four Attack Examples: Internet Explorer 5

1. The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect.
2. The preloader ActiveX control used by Internet Explorer allows remote attackers to read arbitrary files.
3. Internet Explorer 5.01 (and earlier versions) allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window. This problem is referred to as server-side page reference redirect.
4. Javascript in Internet Explorer 3.x and 4.x; and Netscape 2.x, 3.x, and 4.x allows remote attackers to monitor user's Web activities. Web spoofing is one particular form of this attack.[7]

[7] Web spoofing was discovered and publicized in 1997 by Ed Felten and Princeton's Secure Internet Programming team [Felten et al., 1997]. Unfortunately, this kind of attack is still possible today. At the heart of the problem is the issue of trusting what client software displays. Attackers commonly take advantage of misplaced trust in the client. See the reference list or http://www.cs.princeton.edu/sip/pub/spoofing.html for more information.
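The archive variant of this attack pattern (relative paths that climb into parent directories when the archive is decompressed) is defeated by a check the client must perform before writing any member to disk. The following is an added example, not code from the book: it refuses any ZIP member whose path would resolve outside the extraction directory. The archive and its member names are constructed in memory for the demonstration, the destination directory is a placeholder string that is never touched, and Python's standard zipfile module supplies the member list; the same check applies unchanged to TAR members.

```python
"""Reject archive members whose paths escape the extraction directory.

Added example illustrating the ZIP/TAR parent-directory trick from the
Content-Based attack pattern; the archive below is constructed in memory
and nothing is written to the filesystem.
"""
import io
import posixpath
import zipfile


def is_safe_member(name: str, dest: str = "/tmp/extract") -> bool:
    """Return True only if `name` stays inside `dest` after normalization.

    Rejects absolute paths, Windows drive letters, any '..' component, and
    (as a final defence) any resolved path that does not start with `dest`.
    `dest` is a placeholder; no filesystem access happens here.
    """
    normalized = name.replace("\\", "/")  # extractors treat both separators alike
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False  # absolute path or drive letter
    if ".." in normalized.split("/"):
        return False  # explicit parent-directory traversal, even if it stays inside
    root = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(root, normalized))
    return target == root or target.startswith(root + "/")


def audit_archive(data: bytes) -> dict:
    """Map every member name of an in-memory ZIP to 'safe' or 'rejected'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdicts[info.filename] = "safe" if is_safe_member(info.filename) else "rejected"
    return verdicts


def build_sample_archive() -> bytes:
    """Construct a ZIP mixing benign members with traversal attempts (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")              # benign
        zf.writestr("../../etc/passwd_overwrite", "x")       # climbs out of dest
        zf.writestr("/abs/path.txt", "x")                    # absolute path
        zf.writestr("ok/../still_inside.txt", "x")           # '..' that would stay inside; rejected anyway
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in audit_archive(build_sample_archive()).items():
        print(f"{verdict:8} {member}")
```

The check is deliberately stricter than a pure prefix comparison: a member such as `ok/../still_inside.txt` would land inside the target directory, but any `..` component is rejected because different extractors normalize such paths differently, and the safe policy is to trust none of them.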
Backwash Attacks: Leveraging Client-side Buffer Overflows
Nothing is more forward than directly attacking those who are attacking you. In many cases, this philosophy is instantiated as a series of denial-of-service attacks launched in either direction. In standard scenarios, you can learn what IP address is being used to attack you, and then you can follow up with an attack of your own. (Be forewarned, however, that the legal ramifications of counterattack are drastic.) If the attacker is dumb enough to have open services, you may in some cases be able to own their system.

This has led some security types to consider a rather insidious tactic—creating hostile network services that look like valid targets. The basic idea builds on the idea of honeypots, but goes one important step further.[8] Because most client software contains buffer overflows and other vulnerabilities, including a capacity to exploit these weaknesses directly when probed is within the realm of possibility.

[8] For background on honeynets and honeypots, see Honeypots [Spitzner, 2003].

Not surprisingly, of all the code that gets tested and probed in a security situation, client code is usually ignored. This is one of the reasons that client code ends up with more serious problems than server code. If a vulnerable client attaches to a hostile service, the hostile service can attempt to identify the type and version of the client that is connecting. This is a variety of fingerprinting.

Once the client is properly identified, the hostile server can issue a response that exploits a buffer overflow (or some other security defect) in the client. Typically this kind of attack is not designed simply to crash the client. Attackers using this technique can inject a virus or backdoor into the original attacker's computer using their own connection against them.

Obviously, this kind of "backwash attack" is a serious threat to an attacker. Anyone planning to attack arbitrary systems should assume that a backwash attack can and will happen. Any and all client software should be carefully audited before use.
Attack Pattern: Client-side Injection, Buffer Overflow

Acquire information about the kind of client attaching to your hostile service. Intentionally feed malicious data to the client to exploit it. Possibly install backdoors.

* Attack Example: Buffer Overflow in Internet Explorer 4.0 Via EMBED Tag
Authors often use <EMBED> tags in HTML documents. For example,

<EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true">

If an attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild. (See Chapter 7 for more on buffer overflow attacks.)
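The EMBED case is a length problem: an attribute value taken from untrusted content reaches a module that assumes it fits a fixed buffer. The scanner below is an added example, not the book's code and not a model of mshtml.dll: it pulls every EMBED SRC value out of an HTML document and flags any that exceed a policy limit, which is the kind of bound a hardened client (or a content filter in front of one) should enforce before a parser sees the value. The 256-byte limit and the two sample documents are constructed assumptions.

```python
"""Flag <EMBED> tags whose SRC attribute exceeds a length policy.

Added example for the Internet Explorer 4.0 EMBED overflow pattern; the
limit and the sample HTML are constructed, not values from the book.
"""
from html.parser import HTMLParser

MAX_SRC_LEN = 256  # assumed policy limit, not a figure from the book


class EmbedAuditor(HTMLParser):
    """Record (length, verdict) for the SRC value of every EMBED tag seen."""

    def __init__(self, max_len: int = MAX_SRC_LEN):
        super().__init__()
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and strips quotes
        # from values, so "SRC=..." arrives here as ("src", value).
        if tag != "embed":
            return
        src = dict(attrs).get("src") or ""
        verdict = "oversized" if len(src) > self.max_len else "ok"
        self.findings.append((len(src), verdict))

    # <embed ... /> is routed to handle_starttag by the default handle_startendtag.


def audit_html(document: str, max_len: int = MAX_SRC_LEN) -> list:
    """Return [(src_length, verdict), ...] for each EMBED tag in `document`."""
    parser = EmbedAuditor(max_len)
    parser.feed(document)
    parser.close()
    return parser.findings


# Constructed samples: the benign tag from the text, and one whose SRC is
# padded far beyond any plausible path length.
BENIGN = '<EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true">'
OVERSIZED = '<EMBED TYPE="audio/midi" SRC="/' + "A" * 2000 + '.mid" AUTOSTART="true">'

if __name__ == "__main__":
    for doc in (BENIGN, OVERSIZED):
        print(audit_html(doc))
```

The same auditor can be extended to other attribute-carrying tags; the point it demonstrates is that the bound belongs at the trust boundary, where the value enters the client, rather than inside whichever module eventually copies it.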
Conclusion
Attacking client programs with intentionally malicious services is a fact of life. If you use standard clients, you should be aware of this kind of attack. This is particularly important if you are using standard clients to probe or attack servers. The idea of exploiting client software does not necessarily require a malicious service to be used. XSS enables indirect client exploit that in some senses goes "through" a service.