Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security Vulnerabilities 1.

Published byMaximillian Gilbert Modified over 7 years ago

Similar presentations

Presentation on theme: "Introduction to Information Security Vulnerabilities 1."— Presentation transcript:

1 Introduction to Information Security Vulnerabilities 1

2 2 vulnerability exploit RCE PE ??? PROFIT IDIM DoS corruption injection design timinghuman vulnerability

3 Buffer Overflow 3 int check(char* password) { int invalid = 1; char buff[10]; if (strlen(password) > 10) return -1; strcpy(buff, password);... } buff invalid \x00 Reorder!

4 Stack Overflow 4 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } buff size EBP RET bffff000 shellcode Canaries!

5 SEH Overflow 5 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } buff size EBP RET canary SEH Also, brute force Data Execution Prevention!

6 libc rwxrwx Return To Libc 6 int receive(int sock) { int size; char buff[100]; if (recv(sock, &size, 1, 0) < 0) return -1; if (recv(sock, buff, size, 0) < 0) return -1;... } Address Space Layout Randomization! buff size EBP RET rwx b7fff000 b7fff200 b7fff100

7 Use After Free 7 Tab* openTab(char* URL) { Tab tab(); tab.load(URL); return &tab; } Tab* tab = openTab("www.google.com"); tab->body->show(); tabbody var shellcode = "..."; var chunks = new Array(); for (i = 0; i < 1000; i++) chunks[i] = shellcode + ""; tabbody

8 Double Fetch 8 int f(char* input, int size) { char* buff[1000]; if (size > 1000) return -1; memcpy(buff, input, size);... } int* EBP = (int*) 0xbffff100; while (1) { *(EBP+12) = 0; *(EBP+12) = 1000; }

9 Double Fetch 9 def main(path): verify_signature(path) execute_file(path) def verify_signature(path): data = open(path, 'rb').read() return sha1(data) == '...' def execute_file(path): data = open(path, 'rb').read() exec data main('file.py') while True: copy('good_file.py', 'file.py') copy('evil_file.py', 'file.py')

10 Code Injection 10 def dirlist(path): cmd = 'ls %s' % path out = subprocess.check_output(cmd) return out.splitlines() >>> dirlist('/tmp') ['dir/', 'file.txt'] >>> dirlist('/tmp; sh') $

11 Directory Traversal 11 def getfile(filename): path = '/tmp/' + filename return open(path, 'rb').read() >>> getfile('file.txt') 'Hello, world!\n' >>> getfile('../../etc/passwd') 'root:...'

12 Putting it all Together 12 /tmp/server.py – receives a name and a text and logs it in /tmp/messages/.txt /tmp/archive.py – compresses /tmp/messages/* into /tmp/archives/.gz once a day This runs under user Which is a sudoer, but we don't know his password

13 Putting it all Together 13 Send a message with the name../archive.py and some malicious code This code will run later that day, and: Create the /tmp/evil/ directory Put a fake sudo in it, which saves the provided password and calls the real sudo with it Edit the user's ~/.bashrc : PATH="/tmp/evil:$PATH" The next time the users logs in, his PATH will be compromised The next times he runs sudo apt-get install..., we'll get his password

14 Addendum Vulnerabilities IRL 14

15 Apple Goto Fail 15 if ((err = SSLFreeBuffer(&hashCtx)) != 0) goto fail; if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; The hash is never completed, and the SSL/TLS encryption is compromised

16 Stuxnet CPL/LNK 16 Windows supports shortcuts (.LNK files) An.LNK file references: A path An icon Which can come from a.CPL file Which can bundle resources... But is similar to a.DLL file Which can have initialization routines.LNK.CPL

17 WinRAR File Extension Spoofing 17 The GUI developer needed a place for extra settings The ZIP developer provided the "extra" field The GUI developer put the displayed file name there But there was already a field for that...

18 Master Key 18 The Java developer validated the APK He loaded its files to a LinkedHashTable and checked their signatures The C developer installed the APK He loaded its file to a LinearHashTable and wrote their data to disk An APK is a ZIP file Which can have multiple entries with the same name... files = LinearHashTable() for file in APK: files[file.name] = file.data … for name in files: write(files[name]) files = LinkedHashTable() for file in APK: files[file.name] = file.data … for name in files: validate(files[file]) APK file.txt

Download ppt "Introduction to Information Security Vulnerabilities 1."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Pune Institute of Computer Technology Vijay Gabale Santosh Patil Ashish Deshpande -students of Computer department presents:

Pune Institute of Computer Technology Vijay Gabale Santosh Patil Ashish Deshpande -students of Computer department presents:
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.

The OWASP Foundation Risks of Insecure Communication High likelihood of attack Open wifi, munipical wifi, malicious ISP Easy to exploit.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Course ILT Folder and file management Unit objectives Explore the contents of a hard disk and view file and folder attributes by using Windows Explorer.

Course ILT Folder and file management Unit objectives Explore the contents of a hard disk and view file and folder attributes by using Windows Explorer.
One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.

One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.

Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
The OWASP Top 10 and Buffer Overflow Attacks

The OWASP Top 10 and Buffer Overflow Attacks
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Scoring Program Updates & XML upload to the NSRCA web site July 2013.

Scoring Program Updates & XML upload to the NSRCA web site July 2013.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.

Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.

Similar presentations

Ads by Google