Data normalization weaknesses

Post on 28-Nov-2014

Data normalization weaknesses

@d0znpp, VolgaCTF, 03/09/2013

Intro

• Researcher, bug-hunter, CEO

• Web application security in depth

• @d0znpp personal twitter

• lab.onsec.ru our blog (@ONsec_lab)

What is normalization?

• Transferring and storing data always involves formatting it

• First normalization, then formatting

• Encoding (different charsets)

• Truncation (limited sizes)

• Trims

• Canonizations

• ...

Data normalization or input validation weaknesses?

Web application basics

• Client-Server model

• Client is browser (Chrome, Safari, IE, FF)

• Server is web server software (Nginx, Apache)

• Application server (FastCGI, Tomcat)

• Database storage (SQL or noSQL)

Web application example. Depth #1

[Diagram: Browser -HTTP-> WebServer -FCGI-> AppServer -SQL-> Database]

Web application example. Depth #2

[Diagram: the same chain (Browser -HTTP-> WebServer -FCGI-> AppServer -SQL-> Database) with the Operating System, File System and FS driver added as further layers]

Web application example. Depth #3

[Diagram: the Depth #2 chain (Browser -HTTP-> WebServer -FCGI-> AppServer -SQL-> Database; OS, File System, FS driver) with the Network layer added]

Protocol level normalization

• Urlencoding - what could be simpler?

• %22 to "

• %23 to #

• %25 to %

• Double url-encoding is a basic bypass for many input validators, right?

2+ urlencoding. Why not?!

[Diagram: Browser -HTTP-> Balancer -HTTP-> Frontend -FCGI-> Backend (OS). The value %252527 is decoded once to %2527 and once more to %27 as it passes through the hops; the input validator sits at one of the intermediate hops and only sees the still-encoded form]

Protocol level normalization

• Something new?

• Why only parameters?

• Let's try to fuzz something else! :)

• GET{F}/{F}HTTP/1.1

• {F} = 0x09, 0x0b, 0x0c, 0x0d, 0x32

• Apache/2.2.22 (Unix)

• GET / bla-bla bla bla bla ehohoh

Valid packet!

File paths normalization

[Diagram: the same layered chain as Depth #3 (Browser, WebServer, AppServer, Database; OS, File System, FS driver, Network layer)]
Filesystem names canonization

• Normalization

• /etc/passwd//////////////////////////////////.php

• C:\boot.<<

• C:\boot"ini

• C:\boot.in>

Database storing normalization

• Encodings

• Client encoding

• Storing encoding

• Trim

• Size limited truncation

Database storing normalization

• VARCHAR or BLOB ?

• What is the size limit of CREATE TABLE t1 (login TEXT)?

• INSERT INTO logins VALUES (:id, :login, :password)

• $login = "admin aa"

Application layer normalization

• Port overwriting, formatting

• localhost:81

• localhost:+81AAAAA

• localhost: 00081 AAA

IT IS ENCODING !!!

Multibyte encodings

• One byte for one char

• More bytes for one char !

• á

• 0xE1

• 0xC3A1 UTF-8, composed form (NFC)

• 0x61CC81 UTF-8, decomposed form (NFD)

addslashes() bypass

• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

• ' to \'

• Replace byte 0x27 with 0x5c27

• But what about multibyte?

• 0xbf5c - a valid character in the GBK encoding

• 0xbf5c27 -> 0xbf5c 0x27

addslashes() bypass

• http://kuza55.blogspot.ru/2007/06/mysql-injection-encoding-attacks.html

• Find all encodings where 0x5c is a valid second byte of some character

• big5, [A1-F9]

• sjis, [81-9F], [E0-FC]

• gbk, [81-FE]

• cp932, [81-9F], [E0-FC]
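
Added example, not from the slides: the 0xbf27 -> 0xbf5c27 case from the two addslashes() slides above, worked in Python. addslashes() is emulated byte by byte; escape_gbk() is a charset-aware escape built on the idea of also escaping a lone lead byte (an assumption, not the mysql_real_escape_string code); literal_end() is a simplified model of a multibyte-aware SQL string lexer (also an assumption); GBK validity comes from Python's gbk codec.

```python
# Added example (not from the slides): byte-wise addslashes() vs a charset-aware
# escape under GBK, checked with a simplified model of an mb-aware SQL lexer.
import re

def is_gbk_char(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is one two-byte GBK character (per Python's codec)."""
    if i + 1 >= len(data) or not 0x81 <= data[i] <= 0xFE:
        return False
    try:
        return len(data[i:i + 2].decode("gbk")) == 1
    except UnicodeDecodeError:
        return False

def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " \\ and NUL, blind to the charset."""
    return re.sub(rb"(['\"\\\x00])", rb"\\\1", data)

def escape_gbk(data: bytes) -> bytes:
    """Charset-aware escape: valid GBK chars pass through; a lone lead byte
    is escaped too, so it cannot merge with the backslash before a quote."""
    out, i = bytearray(), 0
    while i < len(data):
        if is_gbk_char(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        if 0x81 <= data[i] <= 0xFE or data[i] in b"'\"\\\x00":
            out += b"\\"
        out += data[i:i + 1]
        i += 1
    return bytes(out)

def literal_end(sql: bytes):
    """Index of the quote closing the literal at sql[0]: multibyte chars are
    skipped whole, a backslash swallows one byte; None if never closed."""
    i = 1
    while i < len(sql):
        if is_gbk_char(sql, i) or sql[i] == 0x5C:
            i += 2
        elif sql[i] == 0x27:
            return i
        else:
            i += 1
    return None

def closes_early(escape) -> bool:
    """Does '<escape(input)>' end before its intended closing quote?"""
    sql = b"'" + escape(b"\xbf'") + b"'"  # constructed: lone lead byte + quote
    end = literal_end(sql)
    return end is not None and end != len(sql) - 1
```

With addslashes() the lexer pairs 0xbf with the inserted 0x5c and the quote closes the literal early; with escape_gbk() the lone lead byte is escaped first, so the quote stays inside the literal.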

Homework! escapeshellarg/cmd()

• Note that:

• PHP uses sh by default in system(), not bash

• sh has no multibyte encoding

• escapeshellarg() strips bytes 0x80-0xFF

But... escapeshellarg()

• http://lab.onsec.ru/2013/03/breaking-escapeshellarg-news.html

• for the shell there is no difference between

• ls -la

• ls ''-la''

• ls '-la'

• unzip '-d/var/www' - escaped, but still an argument!

PHP string encoding

http://www.php.net/manual/language.types.string.php#language.types.string.details

• A string will be encoded in whatever fashion it is encoded in the script file

• If Zend Multibyte is enabled, the script may be written in an arbitrary encoding (which is explicitly declared or is detected) and then converted to a certain internal encoding, which is then the encoding that will be used for the string literals

• State-dependent encodings where the same byte values can be used in initial and non-initial shift states may be problematic

Multibyte problems

• Lengths in chars or bytes?

• State-dependent encodings

• 0x0102 char

• 0x0203 char

• 0x01020203 two chars

• But what about the case when 0x0202 is also a valid char?

• Try to find 0x0202 in this string ;)

Thanks for attention!

d0znpp@ONsec.ru, @d0znpp, @ONsec_lab, lab.onsec.ru