Introduction to Information Security Vulnerabilities 1.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Pune Institute of Computer Technology Vijay Gabale Santosh Patil Ashish Deshpande -students of Computer department presents:
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Course ILT Folder and file management Unit objectives Explore the contents of a hard disk and view file and folder attributes by using Windows Explorer.
One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
The OWASP Top 10 and Buffer Overflow Attacks
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Scoring Program Updates & XML upload to the NSRCA web site July 2013.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Maintain – Enhancing Objects with JavaScript Mark Derwin Information Builders Information Builders.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:
Computer Security and Penetration Testing
Buffer Overflow Computer Organization II 1 © McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Attacking Applications: SQL Injection & Buffer Overflows.
ENGR 3950U / CSCI 3020U: Operating Systems Description and C Code of Major Functions in Simulated Unix File System. Instructor: Dr. Kamran Sartipi Faculty.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Security. Security Flaws Errors that can be exploited by attackers Constantly exploited.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
Buffer Overflows Many of the following slides are based on those from
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Core Java Introduction Byju Veedu Ness Technologies httpdownload.oracle.com/javase/tutorial/getStarted/intro/definition.html.
Creating a simple database This shows you how to set up a database using PHPMyAdmin (installed with WAMP)
Introduction to Perl. What is Perl Perl is an interpreted language. This means you run it through an interpreter, not a compiler. Similar to shell script.
File Systems cs550 Operating Systems David Monismith.
THE C PROGRAMMING ENVIRONMENT. Four parts of C environment  Main menu  Editor status line and edit window  Compiler message window  “Hot Keys” quick.
1 Getting Started with C++ Part 1 Windows. 2 Objective You will be able to create, compile, and run a very simple C++ program on Windows, using Microsoft.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Race conditions and synchronization issues Exploiting UNIX.
SSH/SSL Attacks not on tests, just for fun. SSH/SSL Should Be Secure Cryptographic operations are secure SSL uses certificates to authenticate servers.
Modules. Modules Modules are the highest level program organization unit, usually correspond to source files and serve as libraries of tools. Each file.
CS 3214 Computer Systems Godmar Back Lecture 7. Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
File Operations. FILE PROCESSING For the purposes of the following discussion, reading means copying all or part of an existing file into memory Writing.
CS 201 Lecture 1 (b) Using an IDE Tarik Booker CS 201: Introduction to Programming California State University, Los Angeles.
Comparison of Network Attacks COSC 356 Kyler Rhoades.
Let’s look at an example
Mitigation against Buffer Overflow Attacks
Introduction to Information Security
Homework & Class review
Software Security.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Advanced Buffer Overflow: Pointer subterfuge
Lesson 08: Files Topic: Introduction to Programming, Zybook Ch 7, P4E Ch 7. Slides on website.
Homework & Class review
Software Security Lesson Introduction
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
System and Cyber Security
Format String Vulnerability
Return-to-libc Attacks
Presentation transcript:

Introduction to Information Security Vulnerabilities 1

2 vulnerability exploit RCE PE ??? PROFIT IDIM DoS corruption injection design timinghuman vulnerability

Buffer Overflow 3 int check(char* password) { int invalid = 1; char buff[10]; if (strlen(password) > 10) return -1; strcpy(buff, password);... } buff invalid \x00 Reorder!

Stack Overflow 4 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } buff size EBP RET bffff000 shellcode Canaries!

SEH Overflow 5 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } buff size EBP RET canary SEH Also, brute force Data Execution Prevention!

libc rwxrwx Return To Libc 6 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } Address Space Layout Randomization! buff size EBP RET rwx b7fff000 b7fff200 b7fff100

Use After Free 7 Tab* openTab(char* URL) { Tab tab(); tab.load(URL); return &tab; } Tab* tab = openTab(" tab->body->show(); tabbody var shellcode = "..."; var chunks = new Array(); for (i = 0; i < 1000; i++) chunks[i] = shellcode + ""; tabbody

Double Fetch 8 int f(char* input, int size) { char* buff[1000]; if (size > 1000) return -1; memcpy(buff, input, size);... } int* EBP = (int*) 0xbffff100; while (1) { *(EBP+12) = 0; *(EBP+12) = 1000; }

Double Fetch 9 def main(path): verify_signature(path) execute_file(path) def verify_signature(path): data = open(path, 'rb').read() return sha1(data) == '...' def execute_file(path): data = open(path, 'rb').read() exec data main('file.py') while True: copy('good_file.py', 'file.py') copy('evil_file.py', 'file.py')

Code Injection 10 def dirlist(path): cmd = 'ls %s' % path out = subprocess.check_output(cmd) return out.splitlines() >>> dirlist('/tmp') ['dir/', 'file.txt'] >>> dirlist('/tmp; sh') $

Directory Traversal 11 def getfile(filename): path = '/tmp/' + filename return open(path, 'rb').read() >>> getfile('file.txt') 'Hello, world!\n' >>> getfile('../../etc/passwd') 'root:...'

Putting it all Together 12 /tmp/server.py – receives a name and a text and logs it in /tmp/messages/.txt /tmp/archive.py – compresses /tmp/messages/* into /tmp/archives/.gz once a day This runs under user Which is a sudoer, but we don't know his password

Putting it all Together 13 Send a message with the name../archive.py and some malicious code This code will run later that day, and: Create the /tmp/evil/ directory Put a fake sudo in it, which saves the provided password and calls the real sudo with it Edit the user's ~/.bashrc : PATH="/tmp/evil:$PATH" The next time the users logs in, his PATH will be compromised The next times he runs sudo apt-get install..., we'll get his password

Addendum Vulnerabilities IRL 14

Apple Goto Fail 15 if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; The hash is never completed, and the SSL/TLS encryption is compromised

Stuxnet CPL/LNK 16 Windows supports shortcuts (.LNK files) An.LNK file references: A path An icon Which can come from a.CPL file Which can bundle resources... But is similar to a.DLL file Which can have initialization routines.LNK.CPL

WinRAR File Extension Spoofing 17 The GUI developer needed a place for extra settings The ZIP developer provided the "extra" field The GUI developer put the displayed file name there But there was already a field for that...

Master Key 18 The Java developer validated the APK He loaded its files to a LinkedHashTable and checked their signatures The C developer installed the APK He loaded its file to a LinearHashTable and wrote their data to disk An APK is a ZIP file Which can have multiple entries with the same name... files = LinearHashTable() for file in APK: files[file.name] = file.data … for name in files: write(files[name]) files = LinkedHashTable() for file in APK: files[file.name] = file.data … for name in files: validate(files[file]) APK file.txt

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.