Introduction to computer and network security. Session 2: Examples of vulnerabilities and attacks, part 1




Jean Leneutre, jean.leneutre@telecom-paristech.fr, Tel.: 01 45 81 78 81

Outline
I- Introduction
II- Definitions
III- Vulnerabilities and attacks
    2. Malicious software

Usual sources of security problems
- Introduction of new functionalities
- Lack of access control
- Flaw in the design/implementation/configuration of a protocol
- Incorrect verification of input syntax or length in code
- Incorrect handling of controlled invocations and race conditions

Introduction of new functionalities
- New functionalities introduced to ease the use of a system may be harmful from the security point of view
- Example: the Unix sendmail mail transfer agent, one of the vulnerabilities exploited by the first Internet worm (Morris worm, 1988)
  - Need: ease the administration of the system by allowing remote configuration of a sendmail client on a host
  - Functionality: a debug mode, activated on a destination host, allowed a mail to include shell commands that were executed on this host
  - The worm used this mode to spread itself to new machines
  - Correction: configure sendmail correctly on a machine by removing the debug mode

Lack of access control
- Access control mechanisms may be bypassed using operations that are not controlled (direct access to memory, covert communication channels, ...)
- Example: the Unix command at
  - at <time> -f <file>: runs a command at a later time
  - Effect: copies the file into /usr/spool/atjobs/
  - Initially, read access to any file in /usr/spool/atjobs/ was granted to everybody
  - However, the at command did not check whether the user had read access to the file before copying it into the spool
  - An attacker was able to read the protected, non-executable password file /etc/shadow by running the at command on this file
  - Correction: declare /usr/spool/atjobs as non-readable

Flaws in the design/implementation/configuration of a protocol
- Some choices or errors in the design or implementation of a protocol may introduce security problems
- Example: "Smurf" attack
  - The attacker spoofs the victim's IP address and sends an ICMP echo request (ping) to one or several broadcast servers
  - The server broadcasts the request to all hosts on its network
  - All hosts on the network reply to the victim's IP address
  - => This causes significant traffic, leading to a Denial of Service (DoS) on the target
- Solution: configure routers not to forward packets directed to broadcast addresses

Flaws in the design/implementation/configuration of a protocol (2)
- Example: TCP session hijacking
- TCP 3-way handshake between a client A and a server B:
    A -> B : SYN, ISNa                 (connection request)
    B -> A : SYN, ACK, ISNb, ISNa+1    (connection granted)
    A -> B : ACK, ISNb+1               (acknowledgement)
- ISNa and ISNb: initial sequence numbers, 32 bits long
- ISNa and ISNb are initially randomly picked
- RFC 793: a sequence number is incremented every 4 microseconds
- However, in some implementations it is incremented only every 128 s
- Suppose an attacker X can neither block messages to the server nor observe any message; X can only spoof the IP address of A
- Attack: X wants to make B believe that he is A

Flaws in the design/implementation/configuration of a protocol (3)
- Example: TCP session hijacking (2)
- X opens a first session with B and receives ISNb:
    X -> B : SYN, ISNx
    B -> X : SYN, ACK, ISNb, ISNx+1
    X -> B : ACK, ISNb+1
- X spoofs the IP address of A (noted X/A) and starts a new session:
    X/A -> B : SYN, ISNx
    B -> A   : SYN, ACK, ISNb, ISNx+1    (X does not receive this message)
    X/A -> B : ACK, ISNb+1
- X guesses the value of ISNb for this new session from the ISNb received in the first session
- X also launches a DoS attack on A to prevent A from receiving message 2
- X is then able to execute commands on server B with A's privileges (but cannot receive the results)

Other attacks on TCP/IP
- SYN flooding
  - The attacker sends a large number of TCP SYN requests to a target (a server) but never acknowledges the answers
  - The target reserves resources for each request until the limit of half-open connections is reached
  - All new legitimate requests are then discarded: DoS attack
- Attacks on the DNS (Domain Name System), which links domain names with IP addresses
  - DNS "cache poisoning": data is introduced into a name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer (used for web defacement)
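The two TCP weaknesses on the preceding slides (a guessable ISNb, and resources reserved per half-open connection) share one defence: make the server's initial sequence number a secret function of the connection rather than a bare clock. The following C program is an added example, not code from the lecture; it contrasts the clock-only ISN with an RFC 1948-style keyed ISN and shows a SYN-cookie check in which the server keeps no state for unanswered SYNs. The keyed hash is a toy FNV-1a mix chosen to keep the file self-contained (a real stack uses a cryptographic MAC), and the 4-tuple, secret and timestamps are constructed values.

```c
/* Added example, not from the lecture: unpredictable initial sequence numbers
 * (the RFC 1948 idea behind the hijacking fix) and a stateless SYN-cookie check
 * against SYN flooding. keyed_hash() is a toy FNV-1a mix, NOT a MAC: an
 * assumption made to keep the example self-contained. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
} four_tuple_t;

#define SLOT_US (64ull * 1000000ull)   /* cookie validity slot: 64 seconds */

/* Toy keyed hash over the 4-tuple and a 64-bit key (assumption: FNV-1a). */
static uint32_t keyed_hash(const four_tuple_t *t, uint64_t key)
{
    uint8_t buf[20];
    memcpy(buf,      &t->src_ip,   4);
    memcpy(buf + 4,  &t->dst_ip,   4);
    memcpy(buf + 8,  &t->src_port, 2);
    memcpy(buf + 10, &t->dst_port, 2);
    memcpy(buf + 12, &key,         8);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* RFC 793 clock: one increment every 4 microseconds (the rate the slide cites). */
uint32_t isn_clock_only(uint64_t now_us)
{
    return (uint32_t)(now_us / 4);
}

/* The weakness of the hijacking slide: with a clock-only ISN, the ISNb that X
 * received on its own connection reveals what B will send to A a moment later. */
uint32_t predict_next_isn(uint32_t observed_isn, uint64_t elapsed_us)
{
    return observed_isn + (uint32_t)(elapsed_us / 4);
}

/* Hardened ISN: clock term plus a secret function of the 4-tuple, so an ISN
 * seen on X's connection says nothing about the one issued for A's. */
uint32_t isn_keyed(const four_tuple_t *t, uint64_t secret, uint64_t now_us)
{
    return isn_clock_only(now_us) + keyed_hash(t, secret);
}

/* Third handshake message: valid only if it acknowledges ISNb + 1 (mod 2^32). */
int ack_completes_handshake(uint32_t isn_b, uint32_t ack)
{
    return ack == isn_b + 1u;
}

/* SYN cookie handed out as ISNb: depends on the 4-tuple, the secret and the
 * current time slot, so the server stores nothing per half-open connection. */
uint32_t syn_cookie(const four_tuple_t *t, uint64_t secret, uint64_t now_us)
{
    return keyed_hash(t, secret ^ (now_us / SLOT_US));
}

/* On the final ACK the server recomputes the cookie for the current and the
 * previous slot; a flood of unanswered SYNs therefore reserves no resources. */
int syn_cookie_accept(const four_tuple_t *t, uint64_t secret,
                      uint64_t now_us, uint32_t ack)
{
    uint64_t slot = now_us / SLOT_US;
    return ack_completes_handshake(keyed_hash(t, secret ^ slot), ack)
        || ack_completes_handshake(keyed_hash(t, secret ^ (slot - 1)), ack);
}

int main(void)
{
    four_tuple_t a = { 0x0a000001u, 0x0a000002u, 40000, 80 };  /* constructed A -> B */
    uint64_t now = 1000000000ull;                              /* constructed: 1000 s */
    uint64_t secret = 0x5EC4E7ULL;                             /* constructed key */
    printf("clock-only ISN %u, keyed ISN %u\n",
           isn_clock_only(now), isn_keyed(&a, secret, now));
    uint32_t c = syn_cookie(&a, secret, now);
    printf("cookie %u, ACK %u accepted: %d\n",
           c, c + 1u, syn_cookie_accept(&a, secret, now, c + 1u));
    return 0;
}
```

Compared with the handshake on the slide, nothing changes on the wire: B still sends ISNb and expects ISNb+1 back. What changes is that ISNb can no longer be extrapolated from an ISN observed on another connection, and that the server can answer a SYN without reserving memory until a matching ACK arrives.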

Attacks on security protocols: example of SSL/TLS
- Flaw in the pseudo-random number generator
  - Goldberg and Wagner, Dr. Dobb's Journal, Jan. 1996. http://www.ddj.com/documents/s=965/ddj9601h/
- Timing attacks
  - By analyzing the response time to requests of an OpenSSL server, an attacker on the same LAN segment is able to guess the private key of the server
  - Boneh and Brumley, 12th USENIX Security Symposium. http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
- Problem in error reports
  - By analyzing differences in the response time in case of errors, an attacker is able to guess the clear text of an encrypted message
  - Vaudenay et al., Crypto 2003. http://lasecwww.epfl.ch/php_code/publications/search.php?ref=chvv03

Incorrect verification of input syntax
- Example: SQL code injection
- Context: a website processes the login of a user by executing the following SQL request:
    SELECT user_id FROM users WHERE user_name='$name' AND user_pwd='$pwd'
- Legitimate requests have the following form:
    SELECT user_id FROM users WHERE user_name='Bob' AND user_pwd='a8gt9p'
- Suppose that there is no verification of the syntax of user_name: how could an attacker who knows a login name but no password log in?

Incorrect verification of input syntax: SQL code injection (2)
- The attacker can enter name = Bob' -- and any password; the request becomes:
    SELECT user_id FROM users WHERE user_name='Bob' -- ' AND user_pwd='whatever'
- That is (-- is interpreted as the start of a comment):
    SELECT user_id FROM users WHERE user_name='Bob'
- Solution: use the PHP function get_magic_quotes_gpc, adding \ before reserved characters (quotes, backslash)
- Exercise: find another attack in the case where X does not know any login name
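The C program below is an added example, not code from the lecture. It builds the slide's login query by string concatenation, shows what the database actually executes once the `--` comment is stripped, and contrasts two defences: escaping the input so that it can only ever be a string literal (the idea behind the slide's magic-quotes suggestion; note that PHP's magic quotes were deprecated in PHP 5.3 and removed in 5.4), and a parameterized query, modelled here by comparing the parameters as whole values so that they are never parsed as SQL. Function names and the user table are constructed for the demo.

```c
/* Added example, not part of the lecture: how the login query on the slide is
 * assembled, what the server sees after comment stripping, and two defences.
 * Function names are hypothetical; USERS is a constructed sample table. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable construction: raw user input spliced into the SQL text. */
int build_query_unsafe(const char *name, const char *pwd, char *out, size_t n)
{
    return snprintf(out, n,
        "SELECT user_id FROM users WHERE user_name='%s' AND user_pwd='%s'",
        name, pwd);
}

/* Drop a "--" comment that occurs outside a string literal, to show the
 * statement the database executes. Returns out. */
char *effective_statement(const char *q, char *out, size_t n)
{
    bool in_quote = false;
    size_t j = 0;
    for (; *q && j + 1 < n; q++) {
        if (*q == '\'')
            in_quote = !in_quote;
        else if (!in_quote && q[0] == '-' && q[1] == '-')
            break;                          /* comment runs to end of line */
        out[j++] = *q;
    }
    while (j > 0 && out[j - 1] == ' ') j--; /* trim the space before "--" */
    out[j] = '\0';
    return out;
}

/* Defence 1 (escaping): SQL-standard quoting doubles every single quote, so
 * whatever the input contains stays inside one literal. Returns false when
 * out (capacity n) is too small. */
bool sql_quote_literal(const char *in, char *out, size_t n)
{
    size_t j = 0;
    if (n < 3) return false;
    out[j++] = '\'';
    for (; *in; in++) {
        if (j + 4 > n) return false;        /* room for char, doubled quote, closing quote, NUL */
        out[j++] = *in;
        if (*in == '\'') out[j++] = '\'';
    }
    if (j + 2 > n) return false;
    out[j++] = '\'';
    out[j] = '\0';
    return true;
}

/* Defence 2 (parameterized query), modelled without a database engine: the
 * query text is fixed and each parameter is compared as a whole value, which
 * is exactly what a prepared statement guarantees. */
typedef struct { int user_id; const char *name; const char *pwd; } user_row_t;
static const user_row_t USERS[] = {          /* constructed sample data */
    { 1, "Bob",   "a8gt9p" },
    { 2, "Alice", "zq17mm" },
};

int login_prepared(const char *name, const char *pwd)
{
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0 && strcmp(USERS[i].pwd, pwd) == 0)
            return USERS[i].user_id;
    return -1;                              /* no such user/password pair */
}

int main(void)
{
    char q[256], e[256], lit[64];
    build_query_unsafe("Bob' --", "whatever", q, sizeof q);
    printf("built:     %s\nexecuted:  %s\n", q, effective_statement(q, e, sizeof e));
    sql_quote_literal("Bob' --", lit, sizeof lit);
    printf("escaped:   %s\n", lit);
    printf("prepared:  user_id %d\n", login_prepared("Bob' --", "whatever"));
    return 0;
}
```

The comment-stripping function makes the slide's point concrete: the executed statement contains no `user_pwd` condition at all. Escaping keeps the statement intact but depends on every code path remembering to escape; the parameterized form removes the problem by construction, which is why it is the recommended fix today.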

Incorrect verification of input length
- Buffer overflow or overrun: an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory
- Affects programs written in languages (for instance C and C++) which do not automatically check that data written to a buffer (array) is within the boundaries of that buffer (and which have no built-in protection against accessing or overwriting data in memory)
- May be triggered by inputs that are designed to execute code, or to alter the way the program operates
- May result in erratic program behavior, incorrect results, a crash, or a breach of system security
- Example: Unix 4BSD finger command (Internet worm of 1988)
  - The fingerd daemon answers remote finger requests; fingerd uses the C function gets, which reads a line of input without performing bounds checking
  - With a crafted message of 356 bits, it was possible to execute code opening a shell via TCP with the privileges of fingerd

Buffer overrun
- Memory configuration:
  - Stack, at higher addresses: contains the return address (specifying the next instruction to be executed), the local variables and the function inputs
  - Heap, at lower addresses: used for dynamic memory allocation
  - Data / constants
- If the value assigned to a variable exceeds the size of the allocated buffer, the code:
  - may cause a runtime error
  - may make it possible to have one's own code executed, by overwriting the stack memory up to the return address of the currently executing process

Stack overflow = buffer overrun on the stack
- Example: C function foo

    #include <stdio.h>

    void foo()
    {
        char a[9];
        printf("enter your login");
        gets(a); /* no bound checking */
    }

- Stack layout, from higher to lower addresses: parent routine's stack, Ret (return address), sfp (saved frame pointer), a[8] ... a[0], unallocated stack space
- Stack before the call to gets: a[0] ... a[8] uninitialized
- Stack after login = leneutre: a[0] ... a[7] = l, e, n, e, u, t, r, e and a[8] = \0; Ret and sfp are untouched

Stack overflow = buffer overrun on the stack (2)
- Attacker X enters login = AAAAAAAAAAAAadr_a, where adr_a is the address corresponding to the array a
- Stack before: parent routine's stack, Ret, sfp, a[8] ... a[0], unallocated stack space
- Stack after (buffer overrun!): parent routine's stack, Ret = adr_a, sfp and a[0] ... a[8] overwritten with A characters, unallocated stack space
- When foo() returns, it pops the return address off the stack and starts executing instructions from that address

Stack overflow = buffer overrun on the stack (3)
- Attacker X replaces the string AAAAAAAAAAAA with a shellcode (a small piece of code that starts a command shell)
- Stack before: parent routine's stack, Ret, sfp, a[8] ... a[0], unallocated stack space
- Stack after: parent routine's stack, Ret = adr_a, shellcode in place of sfp and a, unallocated stack space
- When foo() returns, the shellcode is executed with the privileges of foo
- If foo() is executed with special privileges (superuser), X gains these privileges on the affected machine
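The root cause on these three slides is that gets() cannot be told that a holds only 9 bytes. The following C program is an added example, not code from the lecture: it keeps the same 9-byte array and replaces gets() with a bounded reader that takes the buffer size, stops at 8 characters, discards the rest of the line and reports that it did so, so that a long login such as the one on the previous slide can never reach sfp or the return address. Function names are hypothetical and the input lines are constructed.

```c
/* Added example, not code from the slides: a bounded replacement for the
 * gets() call in foo(). Names are hypothetical; the input is constructed. */
#include <stdio.h>
#include <string.h>

enum { LOGIN_OK = 0, LOGIN_TRUNCATED = 1, LOGIN_EOF = -1 };

/* Read one line into dst (capacity dstsz, NUL included). fgets() never writes
 * more than dstsz-1 characters plus the NUL; a longer line is cut, the rest is
 * drained so it is neither written anywhere nor mistaken for the next login,
 * and the caller is told that truncation happened. */
int read_login(FILE *in, char *dst, size_t dstsz)
{
    if (dstsz == 0) return LOGIN_EOF;
    if (fgets(dst, (int)dstsz, in) == NULL) {
        dst[0] = '\0';
        return LOGIN_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';                 /* whole line fitted */
        return LOGIN_OK;
    }
    int c, discarded = 0;                    /* no newline seen: drain the line */
    while ((c = fgetc(in)) != EOF && c != '\n') discarded = 1;
    return discarded ? LOGIN_TRUNCATED : LOGIN_OK;
}

/* Hardened counterpart of the slide's foo(): same 9-byte array, bounded read.
 * login_out must have room for 9 bytes. */
int foo_bounded(FILE *in, char *login_out)
{
    char a[9];
    int st = read_login(in, a, sizeof a);    /* size passed explicitly */
    strcpy(login_out, a);                    /* a is always NUL-terminated here */
    return st;
}

/* Constructed stdin replacement so the example runs offline. */
FILE *constructed_input(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    FILE *in = constructed_input("leneutre\nAAAAAAAAAAAAadr_a\n");
    char login[9];
    int st;
    if (in == NULL) return 1;
    while ((st = foo_bounded(in, login)) != LOGIN_EOF)
        printf("login '%s'%s\n", login, st == LOGIN_TRUNCATED ? " (truncated)" : "");
    fclose(in);
    return 0;
}
```

Reporting truncation rather than silently accepting "AAAAAAAA" matters: a caller that treats the cut login as valid has traded memory corruption for a logic bug, so the status should be checked and the request rejected.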

Exercise
- A small company sells digital photos via the Internet:
  - Each photo is identified by a number
  - When a client wants to access a photo using its number, he must authenticate himself
  - The access is recorded, and the client receives a monthly invoice
- Concretely, when a user has chosen the photo, he executes through his web browser the C function buy:

    /* authenticate, inform_photo and inform_debit are described in the exercise */
    void buy(const char* login, const char* password, const char* name, const char* number)
    {
        if (authenticate(login, password) == 1) {
            inform_photo(name, number);
            inform_debit(login);
        }
    }

- The authenticate function checks whether the password entered by the client is correct

Exercise (2)
- The function inform_photo uses the function show_photo to present the photo to the user:

    #include <stdio.h>
    #include <string.h>

    void inform_photo(const char* name, const char* number)
    {
        char a[100] = "";
        strcat(a, "Mr ");
        strcat(a, name);
        strcat(a, ", here is your photo. \n");
        printf(a);
        show_photo(number);
    }

- The function inform_debit uses the function debit to charge the correct number of photos:

    void inform_debit(const char* login)
    {
        debit(login);
        printf("we debited 10 Euros from your account. \n");
    }

Exercise (3)
- Show that a malicious user may access photos without paying for them
- Propose a solution to avoid this attack by modifying only the function inform_photo
- Propose a second solution modifying only the function buy

Incorrect handling of controlled invocations
- A user wants to execute an operation requiring a secured mode (system mode)
- The system switches from the normal mode (user mode) to system mode, executes this operation, and switches back to user mode before giving control back to the user
- Potential problem: if a controlled invocation is not correctly handled by the system, a user may obtain special privileges
- Example: Unix login
  - The login window is a system process with superuser privileges
  - When a user logs in, the system replaces the current home directory with the user's directory
  - Then the system executes the commands in the user's configuration files (.cshrc and .login): if the system is still using the superuser privileges, a malicious user could use these configuration files as Trojans
  - The uid of the login process must be replaced with the user's uid before any execution of a user command
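The last bullet is a rule about ordering, and it is easy to get subtly wrong. The C program below is an added example, not code from the lecture: it shows the sequence a login-type program should follow before running anything taken from the user's configuration files (drop the group, then the user, verify the drop actually took effect, and only then execute a user command). Function names are hypothetical; the demo runs as the invoking user, so the "drop" is to the caller's own ids.

```c
/* Added example, not from the lecture: drop privileges permanently and verify
 * it before executing a user command. Names are hypothetical; the commands run
 * in the demo are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure.
 * setgid() comes first because it needs the root privilege that setuid()
 * gives away; the getuid()/geteuid() checks catch a failed or partial drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* A process that started as root must not be able to get root back. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* The slide's rule in code: the user's command runs only after the uid of the
 * process has become the user's uid. Returns the command's exit status, or -1
 * when the drop failed, in which case nothing from the user is executed. */
int run_as_user(uid_t uid, gid_t gid, const char *command)
{
    if (drop_privileges(uid, gid) != 0) return -1;
    int st = system(command);
    if (st == -1 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    /* Constructed user command; stands in for the contents of .cshrc/.login. */
    int rc = run_as_user(getuid(), getgid(), "echo running as uid $(id -u)");
    printf("user command exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The verification step is the part most often omitted: on a system where setuid() can fail (for example because of resource limits), a login program that does not check the return value and the resulting ids would run the user's configuration files with the privileges it was supposed to have given up.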

Race condition
- Arises in software where separate processes or threads of execution depend on some shared state or resource
- Operations upon shared state are critical sections that must be mutually exclusive
- Potential problem: if critical sections are not correctly handled, the shared resource may be corrupted, processes may be blocked, or a process may obtain the privileges of another process
- Example: North American blackout (power outage) of 2003
  - Software flaw in the energy management system
  - A race condition existed in the alarm subsystem: under some conditions, alerts were not raised to the monitoring technicians, delaying their awareness of the problem

Race condition (2)
- Example: CTSS (Compatible Time-Sharing System) operating system
  - Each user has his own unique directory
  - When a user edits a file, a file with the fixed name SCRATCH is created in that directory
  - The system is considered as a user (with its own SCRATCH)
  - An upgrade permitted several administrators to connect simultaneously to the system account
  - The following sequence of operations copied the password file into the WELCOME message:
    admin1 edits the welcome message: SCRATCH := WELCOME
    admin2 edits the password file:   SCRATCH := PWD
    admin1 saves the welcome message: WELCOME := SCRATCH
- (Figure: the system account's files WELCOME, containing "Hello!", PWD, containing "Cgd8/oip", and the shared SCRATCH; after the sequence above, WELCOME contains "Cgd8/oip".)

Time-of-check-to-time-of-use (TOCTTOU)
- A specific case of race condition, appearing when there is a change in the system between the checking of a condition (for instance for authentication) and the use of the results of that check
- Example: consider a Web application that allows a user to edit pages, and also allows administrators to lock pages to prevent editing
  - A user requests to edit a page, getting a form through which he can alter its content
  - Before the user submits the form, an administrator locks the page, which should prevent editing
  - However, since the user has already begun editing, when he submits the form his edits are accepted
  - When the user began editing, his authorization was checked, and he was indeed allowed to edit; the authorization was used later, after he should no longer have been allowed
- In the early 90's, the mail utility of BSD 4.3 UNIX had an exploitable race condition
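The page-locking scenario above, replayed in C, as an added example that is not part of the lecture. The "database" is a single in-memory struct; the vulnerable submit trusts the authorization computed when the form was issued, while the fixed submit re-evaluates the lock at the time of use and additionally rejects the edit if the page changed since the check (a version counter, the same idea as optimistic locking). All names are hypothetical.

```c
/* Added example, not from the lecture: the check-then-use bug of the page
 * editing scenario and its fix. Names are hypothetical; data is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char content[64];
    bool locked;
    unsigned version;     /* bumped on every accepted edit or lock change */
} page_t;

typedef struct {
    bool granted;         /* result of the check at form time */
    unsigned version_seen;
} edit_token_t;

/* Time of check: the user gets a form only if the page is unlocked. */
edit_token_t begin_edit(const page_t *p)
{
    edit_token_t t = { !p->locked, p->version };
    return t;
}

/* Administrator action that happens between check and use. */
void admin_lock(page_t *p)
{
    p->locked = true;
    p->version++;
}

/* Vulnerable: relies on the earlier check only. Returns true if stored. */
bool submit_edit_naive(page_t *p, edit_token_t t, const char *text)
{
    if (!t.granted) return false;
    snprintf(p->content, sizeof p->content, "%s", text);
    p->version++;
    return true;
}

/* Fixed: authorization is re-evaluated at the time of use, and the edit is
 * refused if the page changed (lock or content) since the form was issued. */
bool submit_edit_checked(page_t *p, edit_token_t t, const char *text)
{
    if (!t.granted || p->locked || p->version != t.version_seen) return false;
    snprintf(p->content, sizeof p->content, "%s", text);
    p->version++;
    return true;
}

/* Replays the slide's sequence; returns true if the edit got through. */
bool scenario(bool use_fix)
{
    page_t p = { "original", false, 0 };
    edit_token_t t = begin_edit(&p);   /* user requests the form */
    admin_lock(&p);                    /* admin locks before submission */
    return use_fix ? submit_edit_checked(&p, t, "changed")
                   : submit_edit_naive(&p, t, "changed");
}

int main(void)
{
    printf("naive submit accepted after lock:   %d\n", scenario(false));
    printf("checked submit accepted after lock: %d\n", scenario(true));
    return 0;
}
```

In a real deployment the re-check and the write must happen inside one transaction or under one lock, otherwise a second administrator action could still slip between them; the version comparison is what turns the race into a clean "your edit is stale, reload the page" error.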