lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4186E6CF.9000500@immunix.com>
Date: Mon, 01 Nov 2004 17:45:51 -0800
From: Crispin Cowan <crispin@...unix.com>
To: Gunter Ollmann <gunter@...software.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: New Whitepaper - "Second-order Code Injection Attacks"


I found an instance of this class of vulnerability in 1998 where an 
attacker could inject code into the "locate" database, which would later 
be executed when root tried to do a locate on some path name 
http://msgs.securepoint.com/cgi-bin/get/bugtraq/601/1.html

Mine was not the first such"secondary code injection" attack. It was a 
consequence of exploring a PoC by MiG for a buffer overflow 
vulnerability in bash, where in a tall directory tree would overflow 
bash when you try to cd into that directory and you have the pwd set to 
be part of your prompt. At the time, it did not occur to me that it was 
a special kind of buffer overflow.

Crispin

Gunter Ollmann wrote:

>Hi list,
>
>NGS Software is pleased to make available a new whitepaper about
>second-order code injection attacks.
>
>Abstract:
>"Many forms of code injection targeted at web-based applications (for
>instance cross-site scripting and SQL injection) rely upon the instantaneous
>execution of the embedded code to carry out the attack (e.g. stealing a
>user's current session information or executing a modified SQL query).  In
>some cases it may be possible for an attacker to inject their malicious code
>into a data storage area that may be executed at a later date or time.
>Depending upon the nature of the application and the way the malicious data
>is stored or rendered, the attacker may be able to conduct a second-order
>code injection attack.
>
>A second-order code injection attack can be classified as the process in
>which malicious code is injected into a web-based application and not
>immediately executed, but instead is stored by the application (e.g.
>temporarily cached, logged, stored in a database) and then later retrieved,
>rendered and executed by the victim."
>
>The paper can be accessed from:
>http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf
>
>
>Cheers,
>
>Gunter
>
>------------------------------------------------------
>G u n t e r   O l l m a n n,            MSc(Hons), BSc
>Professional Services Director                        
>                                                      
>Next  Generation  Security  Software  Ltd.            
>First Floor, 52 Throwley Way  Tel: +44 (0)208 401 0089
>Sutton, Surrey, SM1 4BF, UK   Fax: +44 (0)208 401 0076
>http://www.nextgenss.com      
>------------------------------------------------------  
>
>
>
>  
>

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ