Content-Based Attacks

When client software displays and executes media files that contain malicious data, another form of client-facing attack—called content-based attacks—is enabled. Content-based attacks range from the arcane (embedded malicious postscript that can literally kill a printer by

to run malicious content).

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

AttackPub Date:Pattern:February 17, 2004File System Function Injection, Content

ISBN: 0-201-78695-8

Based

Pages: 512

A protocol header or snippet of code embedded in a media file is used in a trusted function call when the file is opened by the client. Examples include music files such as MP3, archive files such as ZIP and TAR, and more complex files such as

HowPDFdoesand Psostscriptf ware break?files. CommonHow do attackerstargets formakethis attacksoftwarearebreakMicrosofton purpose?Word andWhy are firewalls,Excel files,intrusionmost oftend tectiondeliveredsystems,as -andmailanattachmentsivirus software. not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

An attacker typically makes use of relative paths in ZIP, RAR, TAR archive, and Expldecompressesiting Softwareto getistoloadparentd withdirectoriesexamples. of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This* FourmustAttack-have bookExamples:may shock youInternet—a d it Explorerwill certainly5educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

1.The "download behavior" in Internet Explorer 5 allows remote attackers to read

arbitrary files via a server-side redirect.

When network security mechanisms do not work

2.The preloader ActiveX control used by Internet Explorer allows remote attackers to read Attack patterns

arbitrary files.

Reverse engineering

3.Internet Explorer 5.01 (and earlier versions) allows a remote attacker to create a

reference to a client window and use a server-side redirect to access local files via that Classic attacks against server software

window. This problem is referred to as server-side page reference redirect.

Surprising attacks against client software

4. Javascript in Internet Explorer 3.x and 4.x; and Netscape 2.x, 3.x, and 4.x allows

remoteTechniquesattackersfor craftingto monitormaliciouser'sinputWeb activities. Web spoofing is one particular form of this attack.[7]

The technical details of buffer overflows

[7] Web spoofing was discovered and publicized in 1997 by Ed Felten and Princeton's Secure

Internet Programming team [Felten et al., 1997]. Unfortunately, this kind of attack is still possible

Rootkits

today. At the heart of the problem is the issue of trusting what client software displays. Attackers

commonly take advantage of misplaced trust in the client. See the reference list or

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break http://www.cs.princeton.edu/sip/pub/spoofing.html for more information.

software.

Backwash Attacks: Leveraging Client-side Buffer

Overflows

Nothing is more forward than directly attacking those who are attacking you. In many cases,

•this philosophyTableisofinstantiatedContents as a series of denial-of-service attacks launched in either

direction• . InIndexstandard scenarios, you can learn what IP address is being used to attack you,

andExploitingthenSoftwareyou canHfollowto Breakup withCodean attack of your own. (Be forewarned, however, that the

legal ramifications of counterattack are drastic.) If the attacker is dumb enough to have open

ByGreg Hoglund,Gary McGraw

services, you may in some cases be able to own their system.

Publisher: Addison Wesley

This has led some security types to consider a rather insidious tactic—creating hostile

Pub Date: February 17, 2004

network services that look like valid targets. The basic idea builds on the idea of honeypots, but goesISBN:one0-201important-78695-8 step further.[8] Because most client software contains buffer

overflowsPages:and512other vulnerabilities, including a capacity to exploit these weaknesses directly

when probed is within the realm of possibility.

[8] For background on honeynets and honeypots, see Honeypots [Spitzner, 2003].

Not surprisingly, of all the code that gets tested and probed in a security situation, client code

How does software break? How do attackers make software break on purpose? Why are is usually ignored. This is one of the reasons that client code ends up with more serious

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? problems than server code. If a vulnerable client attaches to a hostile service, the hostile

What tools can be used to break software? This book provides the answers.

service can attempt to identify the type and version of the client that is connecting. This is a

variety of fingerprinting.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

techniques used by bad guys to break software. If you want to protect your software from Once the client is properly identified, the hostile server can issue a response that exploits a

attack, you must first learn how real attacks are really carried out.

buffer overflow (or some other security defect) in the client. Typically this kind of attack is

not designed simply just to crash the client. Attackers using this technique can inject a virus

This must-have book may shock you—and it will certainly educate you.Getting beyond the or backdoor into the original attacker's computer using their own connection against them.

script kiddie treatment found in many hacking books, you will learn about

Obviously, this kind of "backwash attack" is a serious threat to an attacker. Anyone planning

to attack arbitrary systems should assume that a backwash attack can and will happen. Any

Why software exploit will continue to be a serious problem and all client software should be carefully audited before use.

When network security mechanisms do not work

Attack patterns

Reverse engineering

Attack Pattern: Client-side Injection, Buffer Overflow

Classic attacks against server software

Acquire information about the kind of client attaching to your hostile service.

IntentionallySurprisingfeedattacksmaliciousagainstdataclientto thesoftwareclient to exploit it. Possibly install

backdoors.

Techniques for crafting malicious input

The technical details of buffer overflows

* Attack Example: Buffer Overflow in Internet Explorer 4.0 Via EMBED

Rootkits

Tag

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

Authors often use <EMBED> tags in HTML documents. For example,

<EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true">

If an attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being

ways data can propagate into a given system, thus these kinds of attacks will continue to be

Exploitingfound in theSoftwarewild.How(Seeto ChapterBreak Code7 for more on buffer overflow attacks.)

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

Conclusion

Attacking client programs with intentionally malicious services is a fact of life. If you use standard clients, you should be aware of this kind of attack. This is particularly important if you are using standard clients to probe or attack servers. The idea of exploiting client

client exploit that in some senses goes "through" a service.

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.