| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Nov 2004 22:04:38 -0000 From: "Gunter Ollmann (NGS)" <gunter@...software.com> To: <bugtraq@...urityfocus.com>, "'Crispin Cowan'" <crispin@...unix.com> Subject: RE: New Whitepaper - "Second-order Code Injection Attacks" Cool. I make no claims that this a previously "undiscovered" security flaw. I myself have been exploiting these kinds of flaws in web-based applications for many years as well. However, the purpose of the paper is two fold. [Classification] -- Firstly, the paper attempts to classify the second-order code injection attacks, and differentiate between other immediate effects of code injection into web applications. Hopefully making it a little easier for professional pentesters to explain the significance of their findings. [Awareness] -- Secondly, too many organisations that I come across don't really understand what code injection is - everything is either cross-site scripting or SQL injection. I believe it is important to clearly differentiate between the code injection attacks - and to explain their significance within a corporate environment. What gets me is that to properly assess the security of any modern web-based application now days, to properly check for second-order code injection attacks, security teams must also have access to and assess the supporting applications as well -- ranging from the customer-support applications reviewing client account details, through to centralised log analysis and management tools. In way too many client pentesting reports I've written over the years, the exploitation of backend systems/processes through second-order code injection attacks were far more damaging to their corporate security than a bit of cross-site scripting and session hijacking on their exposed web application. Cheers, Gunter > -----Original Message----- > From: Crispin Cowan [mailto:crispin@...unix.com] > Sent: 02 November 2004 01:46 > To: Gunter Ollmann > Cc: bugtraq@...urityfocus.com > Subject: Re: New Whitepaper - "Second-order Code Injection Attacks" > > I found an instance of this class of vulnerability in 1998 where an > attacker could inject code into the "locate" > database, which would later be executed when root tried to do a locate > on some path name > http://msgs.securepoint.com/cgi-bin/get/bugtraq/601/1.html > > Mine was not the first such"secondary code injection" attack. > It was a consequence of exploring a PoC by MiG for a buffer overflow > vulnerability in bash, where in a tall directory tree would overflow > bash when you try to cd into that directory and you have the pwd set > to be part of your prompt. > At the time, it did not occur to me that it was a special kind of > buffer overflow. > > Crispin > > Gunter Ollmann wrote: > > >Hi list, > > > >NGS Software is pleased to make available a new whitepaper about > >second-order code injection attacks. > > > >Abstract: > >"Many forms of code injection targeted at web-based > applications (for > >instance cross-site scripting and SQL injection) rely upon the > >instantaneous execution of the embedded code to carry out the attack > >(e.g. stealing a user's current session information or executing a > >modified SQL query). In some cases it may be possible for > an attacker > >to inject their malicious code into a data storage area that > may be executed at a later date or time. > >Depending upon the nature of the application and the way the > malicious > >data is stored or rendered, the attacker may be able to conduct a > >second-order code injection attack. > > > >A second-order code injection attack can be classified as > the process > >in which malicious code is injected into a web-based application and > >not immediately executed, but instead is stored by the > application (e.g. > >temporarily cached, logged, stored in a database) and then later > >retrieved, rendered and executed by the victim." > > > >The paper can be accessed from: > >http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf > > > > > >Cheers, > > > >Gunter > > > >------------------------------------------------------ > >G u n t e r O l l m a n n, MSc(Hons), BSc > >Professional Services Director > > > >Next Generation Security Software Ltd. > >First Floor, 52 Throwley Way Tel: +44 (0)208 401 0089 > >Sutton, Surrey, SM1 4BF, UK Fax: +44 (0)208 401 0076 > >http://www.nextgenss.com > >------------------------------------------------------ > > > > > > > > > > > > -- > Crispin Cowan, Ph.D. http://immunix.com/~crispin/ > CTO, Immunix http://immunix.com > > >
Powered by blists - more mailing lists