Embed Size (px)
Citation preview
Copyright © 2004 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASPAppSecJune 2004 NYC
http://www.owasp.org
Full Trust Asp.Net (in)Security Secure Asp.Net Web Application Development
Dinis Cruz.Net Project [email protected]+44 (0)208 995 3756
2OWASP AppSec 2004
IMPORTANT STUFF
We have Wi-Fi!!! Thanks to STAN GUZIK!!!!
IP: 192.168.1.x (1 and 28 are taken)Gateway and DNS: 192.168.1.1
Portugal – Spain Euro 2004 game starts at 14:45Can be followed at: http://news.bbc.co.uk/sport1/hi/football/euro_2004
/Russia v Greece (is also starting at the same time)
“Toshiba question”
3OWASP AppSec 2004
This presentation
Who am I?DDPlus (Director, Owner) Intense School (Curriculum Development &
Training)CISSP Ltd (CTO and Senior Security Consultant)DBI (Senior Consultant)Desktop Builders (Active Directory Security Expert)
What I will cover in this sessionFull Trust Asp.Net (in)SecuritySecure Asp.net Web Application Development
4OWASP AppSec 2004
Challenge to the JAVA camp
All this relates to JAVA I’m not a JAVA expert (although I can
‘read’, review and audit java code) I never found any of this stuff in JAVA (during
my Java Security Audit projects ) All my conversation with JAVA gurus (some
in this conference) haven’t shown that JAVA can solve these problems
My challenge to you:Prove that JAVA is not vulnerable to thisPort ANSA, SAM’SHE and ANBS to JAVA
5OWASP AppSec 2004
Asp.Net is used in hosting!
6OWASP AppSec 2004
Microsoft Security and the root of all problems
I’m not into bashing Microsoft (what I am talking about are industry wide problems)
Microsoft is part of the problem Microsoft is part of the solution (big part) Microsoft is the best player in the Software world
(they invented it)
in my view…
The root problem is:
INSECURE WEB APPLICATION HOSTING ENVIROMENTS
7OWASP AppSec 2004
My work at OWASP
Donated the first version of ANSA (Asp.Net Security Analyser)
Created (under OWASP) SAM’SHE:
Security Analyser for Microsoft’s Shared Hosting
Environment
See it at http://www.owasp.org/dotnet
Who has used these tools?
8OWASP AppSec 2004
ANSA, ANBS and SAM’SHE
Vision What is done Next steps These tools test the security from the
inside (web hosting environment) Beretta will test the security from the
outside
9OWASP AppSec 2004
ANBS – Asp.Net Baseline Security
ANBS (Tool for Technical Users)
CAMTs (Configuration, Auditing and Monitoring Tools) (Asp.Net Security Analyser)
ANSA (Asp.Net Security Analyser)
Asp.Net Security Analyser (ANSA) is a Windows based online tool that tests a server's security for known security vulnerabilities within an Asp.Net shared hosting environment.
ACSA (Asp CLASSIC Security Analyser)
Asp CLASSIC Security Analyser (ACSA) is the same as ANSA but for Asp CLASSIC
IIS MetabaseExplorer
Port ScannerSecure User and
IIS website manager
ACL Manager
10OWASP AppSec 2004
SAM’SHE (Security Analyzer for Microsoft’s Shared Hosting Environments)
SAM’SHE (Tool for NON-Technical Users*)
* ISPs clients, CTOs, Help Desk Staff
• Security Analyser for Microsoft’s Shared Hosting Environments
• Test the security of IIS servers
• Designed to be 1-click test
• Objective is to raise the awareness of the problems by the ones that matter (the paying clients)
• No ‘exploits’ and ‘dangerous functionality’
11OWASP AppSec 2004
ANSA and SAM’SHE Demos
1) ANSA - Security Analyser.avi……………
2) ANSA - Run tests individually.avi………
3) ANBS - SamShe.avi……………………….
4) ANBS - XML database and Metabase explorer.avi……………………………………
12OWASP AppSec 2004
Current SAM’SHE tests (1/2)
WMI(.Aspx) WMI Enabled WMI.Enabled.List.Anonymous.Account.Details WMI.Enabled.Create.Processes WMI.Enabled.List.UserNames WMI.Enabled.List.Process WMI.Enabled.List.Services WMI.Enabled.Read.System.LogFiles WMI.Enabled.Read.Application.Log WMI.Enabled.List.Logical.Disks WMI.Enabled.List.Network.Shares
WSH(.aspx) WSH.Enabled WSH.Enabled.Create.Processes
Machine.Config (.Aspx) Read.Machine.Config.file
Win32 (.Aspx) win32.CreateProcess.WinExec
13OWASP AppSec 2004
Current SAM’SHE tests (2/2)
Metabase (.Aspx) Read.Metabase.file Read.Metabase.Backup.files AfterRevertToSelf.Read.Main.AnonymousAccountDetails AfterRevertToSelf.Read.Websites.AnonymousAccountDetails
RevertToSelf (.Aspx) RevertToSelf.Reflection RevertToSelf.Win32 RevertToSelf.AfterRevert.ChangeIdentity RevertToSelf.AfterRevert.CheckIfRevertedToSystem RevertToSelf.AfterRevert.CreateProcess
TokenHandles (.aspx) TokenHandles.List TokenHandles.SystemToken
WSH (.Asp) ASPCLASSIC.WSH.Enabled ASPCLASSIC.WSH.Enabled.Create.Processes
14OWASP AppSec 2004
Shared hosting environments (examples of)
INTERNET
SCENARIO A(SME dedicated)
SCENARIO B(SME dedicated)
SCENARIO C(SME Shared)
SCENARIO D(Big Development team)
1x Administrator (also the developer
and content manager)
DedicatedWeb Server
1x Developer, or content manager
1x Administrator
DedicatedWeb Server
3x Developer, or content manager
1x Administrator
Shared Web Server
5 Administrator
Dedicated SharedWeb Server
(hosting different internal websites)
10x Marketing
10x product dev.
10x Web designers
15OWASP AppSec 2004
Definition: What is a secure Web Application Hosting Environment?
Is an environment that (very partial list):
The hosting server is securely built and: only exposes to the Internet’s Anonymous users the WWW, FTP and HTTPS ports don’t have any software installed apart from the necessary to run the WWW, FTP
and HTTPS services (i.e. most of the ‘system32’ directory should not be there) the server is only able to respond to inbound connections (for example web
requests or terminal service sessions) and NOT be able to initiate any un-solicited outbound connections
only accepts administrative access from pre-defined sub-nets and via secure channels (for ex: VPN or SSL)
… and doesn’t allow authenticated users (i.e. clients) to: see secure sensitive information about the server such as:
user accounts or security groups services running current connections system information (operating system, disk space available) the IIS Metabase (which provides details about the other websites hosted in
the same server) execute commands on the server / create processes on the server browse on directories outside the assigned web space (i.e. from another
website) see files outside the assigned web space (i.e. from another website) create TCP connections to unauthorized IPs / Ports
16OWASP AppSec 2004
Admin vs User privileges
Administrate the server, for example: Create new users and manage security groups Install software (require admin priv.)
Execute programs (*.exe, *.com) Read metadata from hosted websites Read data from other co-hosted websites (.Net
assemblies, connection strings, etc…) Impersonate other users (grab other user’s
security tokens)
The Administrator can:
The Developer, or content manager can:
Edit its own website data (i.e. folder that store its data) Execute Asp.Net within a Sandbox (so that the Asp.Net
script CANNOT access dangerous resources)
Full TrustASP.NET
allows this!
17OWASP AppSec 2004
Full Trust Asp.Net
Mode where all .Net CAS (Code Access Security) features are disabled or easily bypassed
Full Trust Asp.Net is too powerful and dangerous But (in web applications) everybody (including
most ISPs) runs their web applications with Full Trust
90% (or 99.9%) of Asp.Net web applications are designed to run with Full Trust
This makes all shared web application hosting environments (and servers) two hits away from full compromise (hit 1: the web app, hit 2: the server)
18OWASP AppSec 2004
Full Trust Asp.Net: What makes it worse?
There are barely any (official) acknowledgments of the problem (Microsoft, ISPs and Web Application Developer)
There is barely any documentation about these problems on the dozens of published Asp.Net security books
The clients are not aware (the ISPs clients and the end users)
If malicious activity is happening right now it will not be disclosed by the affected parties (there are some rare exceptions).
19OWASP AppSec 2004
Full Trust Asp.Net vulnerabilities (incomplete list)
RevertToSelf Metabase (WMI, ADSI, ABO) Metabase after RevertToSelf Unmanaged code (do what ever you want with
the IIS process) Reflection (access private members of reflected
assemblies; execute the entire .Net API) Asp.Net Temporary Files Security Token Vulnerability Bypass CAS (ADSI LDAP, ADSI WinNT, WMI, WSH, raw TCP
packets and much more … )
DEMO “IIS Security Token Vulnerability.avi” (video)
20OWASP AppSec 2004
Full Trust Asp.Net: The Solution
Create standards to measure the quality of ‘a secure hosting environment’
Create tools to test, fix and monitor hosting security Create tools to develop Web Applications in Partially
Trusted environments Raise the client’s, developer’s, end user’s and
government’s awareness of the problem Secure coding using CAS (Code Access Security)
implementing role and code based security NOTE: this solutions must be backward compatible
since there are already 100,000s of web applications developed on Asp.Net
TRAIN, TRAIN, TRAIN, TRAIN, TRAIN, TRAIN developers
DOCUMENT, DOCUMENT, DOCUMENT how to do all this
21OWASP AppSec 2004
Full Trust .Net: Why it is used?
Asp.Net Partial Trust environments:Can’t call Unmanaged CodeCan’t create COM objects Can’t use OLEdb or ODBCMost core .Net assemblies don’t have the
APTCA (Allow Partially Trusted Callers Attribute)
All local code is executed with Full Trust (in .Net and Asp.Net)
In Office 2003, Macros (now .Net assemblies) require Full Trust
22OWASP AppSec 2004
Not the developer but the environment
Making the developer the SOLE responsible entity for producing secure applications is not realistic Developers are focused of features, they are paid for
features and they are fired for features Developers only get security budget (time and
resources) after security incidents Secure coding is a journey, NOT a destination Secure Web Application Environments is the
DESTINATION Multi-Layer defence system, i.e. Defence-in-Depth
“.Net Framework book story” & “Euro 2004 website”
23OWASP AppSec 2004
What is needed: Real-Time SandBoxing
Web Application
CODE
WHAT DO I NEED TO RUN?
• .Net Assemblies or COM objects
• File (Path and ACLs)
• Registry (Path and ACLs)
• TCP ports
• etc..
SANDBOX
Web Server
Web Application
CODE
Requested (or allocated)
resources
Security Engine
Local Security Policies
User privileges
24OWASP AppSec 2004
What is needed: Custom SandBoxing
SANDBOX
Web Application
CODE
WHAT DO I NEED TO RUN?
• .Net Assemblies or COM objects
• File (Path and ACLs)
• Registry (Path and ACLs)
• TCP ports
• etc..
User privileges
Web Server
Web Application
CODE
allocated resources
25OWASP AppSec 2004
What is needed: TOOLS
Tools to create ‘Real-Time Sandboxes’ Tools to create ‘Custom Sandboxes’ Tools evaluate the security of Sandboxes (ANBS) Tools to evaluate the security of Applications
(Beretta) Tools to develop Web Applications for these
SandBoxes
In essence: ‘Tools to Create Secure Hosting Environments’ , which:
Allow the SysAdmins to make conscious choice ‘Force’ the developers to ‘describe the resources they need’ Give buyers ‘metrics’
26OWASP AppSec 2004
What we have today: .Net’s CAS
27OWASP AppSec 2004
Partially Trust Asp.Net: Today
There are two ways to create partial trust Web Applications
Publish Full Trust Code to the GAC Development scope is small since only the required
functionality is required Manual process that requires code review before
each publishCreate ‘Wrapper Assemblies’ for functionality
that requires Full Trust One-time development process (and GAC publishing) Big Development scope since one needs to cover for
most developer’s needs Security bugs can be dangerous
28OWASP AppSec 2004
Full Trust Asp.Net: What is the Risk?
If Risk = Vulnerabilities * Impact * Probability
In Full Trust Asp.Net:Vulnerabilities = 99% (VERY HIGH) Impact = 80% (High)Probability = 0.01% (Very Low)
So the Risk is 0.99 * 0.8 * 0.01 Which is = 0.00792 (i.e. 0.792%) which is
either LOW RISK or NO RISK
29OWASP AppSec 2004
We have been very lucky
(comparatively) Very low level of damage causeHow many bankruptcies caused by attacks?How serious business loss caused by attacks?How many deaths caused by attacks?How many WARs caused by attacks?
Most virus are very harmless (if fact they are very healthy to the industry)
No major ISPs have been attacked
30OWASP AppSec 2004
Simple ISP attack scenario (executed slowly…….. with patience……)
1. Attacker buys a Asp.Net shared hosting account ($20/month or trial account) in a major ISP (more that 10,000 hosted accounts and with +300,000 unique visitors a day)
2. Because the account allows Full Trust Asp.Net the attacker:1. Compromises the server (gain root access)2. Compromises all surrounding servers (gain root access)3. Compromises all ISP’s servers, desktops, PDAs, Printers, Scanners,
Cell Phones, Email System, Customer Database, Financial System, etc…
3. Scan the ‘compromised items’ for valuable data: Databases, Personal details, SSL certificates, etc…
4. Install Root-Kits, backdoors and Zombies on all (or the more relevant) ‘compromised items’ (can you find a RootKit in device’s memory? NICs, Sound Cards, Graphic Cards, etc…)
5. Infect all websites (or the ones with higher traffic) with an un-patched IE vulnerability which allows remote command execution with local privileges
6. Exploit visitor’s computers7. Blackmail data owners (threat with information disclosure)8. Blackmail ISP (threat with internal DDoS)
31OWASP AppSec 2004
Paths to the first ‘root’ (real life example 1/3)
“Because the account allows Full Trust Asp.Net the attacker: Compromises the server (gain root access)”
ISP A:
50,000 websites (50 web servers) IIS 5.0 in low process* (all user ASP Classic pages run with
SYSTEM privileges) Active directory controls all user accounts, and website
isolation (each website has a unique anonymous user) Servers are built automatically using installation script which
automatically configures everything and registers server in AD
AD’s admin password used to register server AD’s admin password hard-coded into the install script which
is saved in a local (Administrator ACLed) folder Since the ASP Classic scripts run under SYSTEM, you can
write a script that reads the install script GAME OVER
* An Asp.Net variation of this example occurs if Asp.Net is configured in Machine.Config or the Application Pool used to run under SYSTEM
32OWASP AppSec 2004
Paths to the first ‘root’ (real life example 2/3)
“Because the account allows Full Trust Asp.Net the attacker: Compromises the server (gain root access)”
ISP B: Poor ACLing allows the attacker to read most files on the
system All websites are configured automatically using an Asp.Net web
application This Web Application needs admin rights over the SQL server
(to create databases) Web Application is executed from the ‘Shared server’ SQL connection string is stored in web.config (including sa’s
password) sa password provides FULL access to SQL server (all SQL
servers since the password is reused) , including the ISP’s customer database
sa password allows the execution of commands on the SQL SERVER with SYSTEM privileges
GAME OVER
33OWASP AppSec 2004
Paths to the first ‘root’ (real life example 3/3)
“Because the account allows Full Trust Asp.Net the attacker: Compromises the server (gain root access)”
ISP C:
Full Asp.Net allows the upload and execution of EXEs Upload a DCOM exploit to server Execute it (from the inside) and gain root access (how many
networks can survive an internal attack?) GAME OVER
And much more…..
34OWASP AppSec 2004
ISP’s Shared Hosting environmentsmust be the Benchmark!
ISPs should be examples of ‘best practices’
Everything is ‘shared hosting’ (unless you trust everybody and everything)
ISPs should be judged on their Hosting environments (i.e. how good is their sandbox?)
This process (securing ISPs and creating Sandboxes) can be used to create ‘metrics’ and TONS of documentation on how to create partially trusted Code
The users must be educated about these issues so that they use their ‘buying power’ to demand secure services
Then SECURITY becomes a BRAND VALUE (“OS economist story”)
35OWASP AppSec 2004
‘Security Decisions’ and ‘Project Man-hours’
Manufacturer
Security Consultants(Local, 3rd party, open community)
Developers
Manufacturer
Security Consultants(Local, 3rd party, open community)
Developers
Security Decisions
Project man-hours
36OWASP AppSec 2004
‘Writing Secure Code’ 5 day Security Course
Developed by Intense School (www.IntenseSchool.com)
Based on the Microsoft’s ‘Writing Secure Code 2nd Edition’
Michael Howard and David LeBlanc are actively participating in the project (weekly meetings, material review and new material development)
I’m working on a DEMO application which will be used on all practical exercises
DEMO: “SQL Injection” DEMO: “Buffer OverRun”
37OWASP AppSec 2004
Happy Fathers day & What wakes me up in the morning…..
38OWASP AppSec 2004
Links to my stuff about ‘Full Trust Asp.Net’ Security Guides and WhitePapers
"Secure Shared Hosting with IIS 5.0 Version 0.95.doc" "Security vulnerabilities in ASP.NET V0.60.doc" Undocumented ASP.NET Security V0.89.doc (110 page document)
Technical Articles Developer.com
ASP.NET's Hidden Dangers Malware: Is Your Workstation at Risk?
DevelopersDex.com An 'Asp.Net' accident waiting to happen Microsoft must deliver 'secure environments' not tools to write 'secure code' Asp.Net.Vulnerability
: Full Trust (current security problems and possible solutions) Newsgroups
'Asp.Net Security' forum in www.asp.net Thread: Idea to solve the current shared hosting ‘Full trust’ issue. Thread: FSO in ‘Medium trust’ environments Thread: examples of 'Medium' or 'high' trust Asp.Net applications Thread: When will Microsoft take Asp.Net Security seriously
39OWASP AppSec 2004
Some more links to Asp.Net CAS resources Improving Web Application Security: Threats and Countermeasures – by
far the best book (and online resource) on this subject (includes real examples of ‘assembly wrapping’ and ‘GAC publishing’). But even this book doesn’t really explain the dangers of Full Trust.
Beware of Fully Trusted Code (Keith Brown) – explains how all CAS security features can be bypassed on a Full Trust environment
FindAPTC (Keith Brown) – “…. I wrote this to point out how infeasible it is today to write locally installed code that doesn't run with full trust …”
Writing managed code for semi-trusted environment (by Ivan Medvedev, 2003) – interesting but of not much real live use
ASP.NET Websites running under Partial Trust and third party controls – describes the problem of partial trust in ISPs but doesn’t provide a real solution
Code Access Security (CAS) and Design Patterns - very good explanation of CAS but its Partial Trust example is about creating a custom policy
Code Access Security (CAS) – "Guilty until proven Innocent" (Partially Trusted Code) - has just been published (17 June 2004) and provides more details on how to write partial trust .Net applications (the contradictions and ‘loop-holes’ existent in this article are a good example of how complicated (if not impossible) it is to write meaning Partially Trusted Applications)
A Google search for full trust Asp.Net , partial Trust Asp.Net and partially trusted Asp.Net shows how little information is available today
40OWASP AppSec 2004
I need your help with my OWASP .Net projects!
In Testing In Deploying In Creating new Vulnerability tests In Working on the new modules In Documenting In Creating Asp.Net applications in
Partially Trusted environments
The first step to participate is to
JOIN the OWASP-DotNet MAILING LIST
41OWASP AppSec 2004
Questions?
Any Questions
Thank you very much….
