Misclassification
Classification is very important in software. Once a classification decision is made, a whole set of logic executes. Thus, mistakes in classification can be deadly.
•Software reliesTableveryof Contentsheavily on classification. Once a root decision is made, software makes calls• to particularIndex modules and/or runs through large sets of subroutines. A good example of requestExploitingclassificationSoftware H w toandBreakits inherentCode dangers involves the way HTTP servers decide what
kind of file is being requested: Scripts are to be handled by the scripting engine, executables
ByGreg Hoglund,Gary McGraw
by the cgi engine, and regular text files by the regular text file engine. Malicious hackers
figured out a long time ago how to request a file while fooling the Web server into believing
Publisher: Addison Wesley
the file was something else entirely. The most pervasive use of this technique involves
Pub Date: February 17, 2004
stealing binaries of cgi programs, or script files that contain hard-coded passwords and other
ISBN: 0-201-78695-8
interesting logic.
Pages: 512
Attack Pattern: Cause Web Server Misclassification
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
A very famous set of classification problems occurs when a Web server examines
the last few characters of a filename to determine what kind of file it is. There are Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
many ways to take advantage of these kinds of problems—appending certain techniques used by bad guys to break software. If you want to protect your software from
strings to file names, adding dots, and so forth.
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
* Attack Example: Misclassification in NTFS File Streams Specifier
Why software exploit will continue to be a serious problem
One Web server misclassification bug is exercised by appending the string ::$DATA to the
end of a filename. The Web server code looks at the last three characters in the string and
When network security mechanisms do not work
seesATA. As a result, if you request /index.asp::$data, the Web server fails to detect that
what is being requested is an ASP file, and happily returns the contents of the file (revealing
Attack patterns
some logic best left hidden from attackers). The "asp dot" bug is another example of
misclassification. Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Building "Equivalent" Requests
A large number of commands are subject to parsing or filtering. In many cases a filter only con particular way to format a command. The fact is that the same command can usually be encode thousands of different ways. In many cases, an alternative encoding for the command will prod
• |
Table of Contents |
the same results as the original command. Thus, two commands that look different from the log |
|
• |
Index |
perspective of a filter end up producing the same semantic result. In many cases, an alternative
ExploitingcommandSoftwarecan beHowusedtotoBreakattackCodea software system, because the alternative command allows an
perform an operation that would otherwise be blocked.
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
MappingPub Date: Februarythe API17, 2004Layer
ISBN: 0-201-78695-8
A goodPages:approach512 to help identify and map possible alternate encodings involves writing a small that loops through all possible inputs to a given API call. This program can, for example, attem filenames in a variety of ways. For each iteration of the loop, the "mungified" filename can be p API call and the result noted.
The following code snippet loops through many possible values that can be used as a prefix to t
How does software break? How do attackers make software break on purpose? Why are \test.txt. Results of running a program like this can help us to determine which characters ca
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? perform a ../../ (dots and slashes) relative traversal attack.
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
int main(intWhy sof wargc,e exploitchar*willargv[])continue to be a serious problem
{ 
When network security mechanisms do not work
Attack patterns
for(unsigned long c=0x01010101;c != -1;c++)
{Reverse engineering
Classic attacks against server software char _filepath[255];
Surprising attacks against client software
sprintf(_filepath, "%c%c%c%c\\test.txt", c >> 24, c >> 16, c >> 8, c&0x
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
try
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.{
FILE *in_file = fopen(_filepath, "r");
if(in_file)
{
printf("checking path %s\n", _filepath);
puts("file opened!");
getchar();
fclose(in_file);
•Table of Contents
•} Index
Exploiting Software How to Break Code
}
ByGreg Hoglund,Gary McGraw
catch(...)
Publisher: Addison Wesley
Pub Date: February 17, 2004
{
ISBN: 0-201-78695-8
Pages: 512
}
}
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers. return 0;
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
}
techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Slight (but still automatic) modifications can be made to the string in creative ways. Ultimately,
modified string boils down to an attempt to use different tricks to obtain the same file. For exam
Why software exploit will continue to be a serious problem resulting attempt might try a command like this:
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
sprintf(_filepath, "..%c\\..%c\\..%c\\..%c\\scans2.txt", c, c, c, c);
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
A good way to think about this problem is to think of layers. The API call layer is what the exam
here are mapping. If an engineer has placed any filters in front of the API call, then these filters
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break considered additional layers, wrapping the original set of possibilities. By pondering all the poss
software.
that can be provided at the API layer, we can begin uncovering and exercising any filters that t has in place. If we know that the software definitely uses file API calls, we can try all kinds of fil encoding tricks that we know about. If we get lucky, eventually one set of encoding tricks will w can get our data successfully through the filters and into the API call.
Drawing on the techniques described in Chapter 5, we can list a number of possible escape cod be injected into API calls (many of which help with the filter avoidance problem). If the data are being piped into a shell, for example, we might be able to get control codes to take effect. A pa may write data to a file or a stream that are eventually meant to be viewed on a terminal or in
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Classic attacks against server software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
•Table of Contents
ftp>• cd ...Index
Exploiting Software How to Break Code
250 CWD command successful.
ByGreg Hoglund,Gary McGraw
ftp> pwd
Publisher: Addison Wesley
Pub Date: February 17, 2004
257 "/..." is current directory.
ISBN: 0-201-78695-8
Pages: 512
Equivalent Meta-characters
How does software break? How do attackers make software break on purpose? Why are
Delimiting characters are also special. They are used to separate commands or words in a requ firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
tend to look for delimiters to determine how a command chunks up. When attacking a target AP What tools can be used to break software? This book provides the answers.
commonly used technique involves adding extra commands and causing them to execute. For t
understanding how to encode delimiting characters is of particular interest. A filter may be rem Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
otherwise watching for certain delimiting characters. Spotting a command separator in untruste techniques used by bad guys to break software. If you want to protect your software from
usually a dead giveaway that someone is attempting to insert extra commands. attack, you must first learn how real attacks are really carried out.
Consider the space character used to separate words (as in this sentence). Many software syste This must-have book may shock you—and it will certainly educate you.Getting beyond the
accept the tab character as a replacement for the space. To the program, white space is white s script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack Pattern: Using Slashes in Alternate Encoding
Attack patterns
Reverse engineering
Slash characters provide a particularly interesting case. Directory-driven systems, such as file
systems and databases, typically use the slash character to indicate traversal between
Classic attacks against server software
directories or other container components. For murky historical reasons, PCs (and, as a result,
Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the
Surprising attacks against client software
forward slash. The schizophrenic result is that many MS-based systems are required to
understand both forms of the slash. This gives the attacker many opportunities to discover and
Techniques for crafting malicious input
abuse a number of common filtering problems. The goal of this pattern is to discover server
software that only applies filters to one version, but not the other. The technical details of buffer overflows
Rootkits
* Attack Example: Slashes in Alternate Encodingsepts,
Exploiting Softwareis filled with the tools, and knowledge necessary to break software.
The two following requests are equivalent on most Web servers:
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Surprising attacks against client software
The technical details of buffer overflows
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software which converts in many cases to
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers. int main(int argc, char* argv[])
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
{
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out. puts("\/ \\ \? \. \| ");
This must-have book may shock you—and it will certainly educate you.Getting beyond the
return 0;
script kiddie treatment found in many hacking books, you will learn about
}
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns produces the output
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
/ \ ? . |
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to with. Given our previous example, we can extend the attack to include other possibilities:
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input example of this idea applied to the Web is
The technical details of buffer overflows
Rootkits
When network security mechanisms do not work
Attack patterns
Reverse engineering
Surprising attacks against client software
Techniques for crafting malicious input
Rootkits
http://[targethost]:8000/somefile/%2E%2E/target.mp3
• Table of Contents
• Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
or using "/%25%25/" instead of "/../".
Publisher: Addison Wesley
Pub Date: February 17, 2004
* AttackISBNExample:0-201-78695URL-8 Encodings in Titan Application Firewall
Pages: 512
The Titan application firewall fails to decode hex-encoded and URL-encoded characters. For exa not filter %2E.
Many other examples of alternate encoding exist. These include ucs-2 unicode, HTML escape co evenHow doessuchsoftwaretrivial changesbreak?involvingHow do attcharacterckers makecase problemssoftware breakand convertingpurpose?spacesWhytoaretab chara
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
All these encoding situations lead to possible encoding fun.
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
Attack Pattern: Alternative IP Addresses
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
IP address ranges can be represented using alternative methods. Here are some examples:
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
192.160.0.0/24
Surprising attacks against client software
192.168.0.0/255.255.255.0
Techniques for crafting malicious input
192.168.0.*
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break Classic encoding attacks can be directed against IP numbers as well.
software.
* Attack Example: Dotless IP Addresses in Internet Explorer
Alternate encoding of IP numbers poses problems to filters and other security measures that ne interpret values properly such as ports and IP addresses. URL filtering in general is plagued wit problems. The Microsoft Internet Explorer package allows specification of the IP address in a va number formats.[10] Here are some equivalent ways to request the same Internet Web site:
[10] For more on this issue, go to http://www.securitytracker.com/alerts/2001/Oct/1002531.html.
http://msdn.microsoft.com
http://207.46.239.122
http://3475959674
•Table of Contents
•Index
CombinedExploiting SoftwareAttacksHow to Break Code
ByGreg Hoglund,Gary McGraw
Ultimately, all of the tricks described here can be combined in various ways.
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
Attack Pattern: Slashes and URL Encoding Combined
Combine two (or more) encoding tricks.
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
* Attack Example: Combined Encodings CesarFTP
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filterin
attack, you must first learn how real attacks are really carried out.
multiple encoding. The FTP server, CesarFTP, included a Web server component that could be a
a combination of the triple-dot and URL encoding attacks.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about An attacker could provide a URL that included a string like
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
/...%5C/Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
This is an interesting exploit because it involves an aggregation of several tricks—the escape ch
The technical details of buffer overflows encoding, and the triple dot.
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.