Archive for December, 2006

Signed bit-fields

jm December 28th, 2006

6.7.2 of the C standard indicates that:

Each of the comma-separated sets designates the same type, except that for bit-fields, it is implementation-defined whether the specifier int designates the same type as signed int or the same type as unsigned int.

So, when you have a bit-field of type int, it’s implementation-defined whether that bit-field is actually treated as a signed integer variable. Based on our limited testing, it appears that mainstream implementations do treat it as a signed integer, which is pretty interesting.
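As an added example (not from the original post), here is a small C probe that declares the same 4-bit field three ways and then shows why the signedness of a plain int bit-field matters for a bounds check on untrusted input; the struct and function names are constructed for illustration.

```c
#include <string.h>

/* Constructed example: the same 4-bit field declared three ways.
 * Only the `plain` member has implementation-defined signedness. */
struct width4 {
    int          plain  : 4;  /* `int`: signed or unsigned, per 6.7.2 */
    signed int   sgn    : 4;  /* always signed: range -8..7 */
    unsigned int unsign : 4;  /* always unsigned: range 0..15 */
};

/* Fill the struct with 0xFF bytes so every field holds the all-ones
 * bit pattern, then let the callers report what each one reads back as. */
static struct width4 all_ones(void) {
    struct width4 w;
    memset(&w, 0xFF, sizeof w);
    return w;
}

int read_plain(void)    { return all_ones().plain;  } /* -1 or 15 */
int read_signed(void)   { return all_ones().sgn;    } /* always -1 */
int read_unsigned(void) { return all_ones().unsign; } /* always 15 */

/* Returns 1 if this implementation treats plain `int` bit-fields as
 * signed, which is what the mainstream compilers we tried do. */
int plain_int_bitfield_is_signed(void) {
    return read_plain() < 0;
}

/* Why this matters: a length taken from untrusted input and kept in a
 * plain `int` bit-field.  The check below looks like an upper bound,
 * but if the field is signed the byte 0xFF reads back as -1 and passes. */
struct hdr { int len : 8; };

int naive_bound_check_accepts_0xff(void) {
    struct hdr h;
    memset(&h, 0xFF, sizeof h);
    return h.len <= 64;   /* 1 when len reads as -1, 0 when it reads as 255 */
}

/* Hardened form: state the signedness you mean, so the field can never
 * read back negative and the comparison behaves as an upper bound. */
struct hdr_fixed { unsigned int len : 8; };

int fixed_bound_check_accepts_0xff(void) {
    struct hdr_fixed h;
    memset(&h, 0xFF, sizeof h);
    return h.len <= 64;   /* len is 255, so this is always 0 */
}
```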

SQL Injection/Truncation in Stored Procedures

mark December 27th, 2006

SQL injection vulnerabilities have plagued applications for many years. When a dynamic SQL query is constructed with any sort of user-controllable input, there exists the potential for an attacker to perform arbitrary SQL queries, which might lead to sensitive information disclosure or modification. Developers wanting to protect their applications from these kinds of attacks have typically instituted filtering of user data for SQL metacharacters, moved their database query code into stored procedures, or replaced their dynamic SQL statements with prepared SQL. Prepared SQL statements are precompiled SQL queries that accept user-defined parameters without allowing for SQL injection attacks to occur. Since the SQL query is compiled beforehand, the user’s data is never parsed by the SQL parser, and thus isn’t capable of triggering metacharacter attacks.

Stored Procedure SQL Injection Cheat Sheet

jm December 26th, 2006

Over the last year or so we've been finding many more instances of SQL injection inside stored procedures. To set the stage for Mark's SQL truncation post, we're presenting a brief cheat sheet on how to audit for these issues.

Updates and Reviews

blog December 24th, 2006

We’ve added some new content to the Vault: Chapter 17 - Web Applications, Chapter 9 - UNIX 1: Privileges and Files, and Chapter 1 - Software Vulnerability Fundamentals. We’ve also updated the Suggestions page based on some initial reader feedback, and there are a few new Errata entries. We’ve also got some original content we’re working on for a few new blog posts that should show up in the next two weeks.

Initial reviews have started coming in, and so far they’re pretty positive. Stephen Northcutt posted a review in the SANS Technology Institute Leadership Laboratory, which made our moms proud. Emmett Dulaney, of UnixReview.com, also posted a positive review. Dave Aitel liked our book, and Halvar lent his support. Chris Rohlf gave us a positive review on his EM_386 blog, and the OpenBSD guys added us to their Books page. There are also several reviews on the Amazon page for the book, including write-ups from J. Ferguson, W. Boudville, Robert C. Seacord (author of the excellent Secure Coding in C and C++), Dave Maynor, and Marisa Mack. Marisa’s is hilarious, with choice quotes such as:

[…] You might notice that many of the reviews posted here are exceedingly informative and written by very well-respected security industry leaders. This is not one of those reviews. But I’ve found this book extremely valuable, and I’m an order of magnitude hotter than those other guys. […]

The Vault

jm December 20th, 2006

We’ve added a new section to the site: The Vault. The goal is to have a web page for each chapter that collects all of the links and external references, and contains a mirror of the vulnerable source trees behind the real-world examples. We’ll also add further discussion and pointers to resources that you should find useful. It takes a bit of time to write these up, so you can probably expect them to be populated over the next two months or so. Currently, we have pages for Chapter 5 - Memory Corruption, Chapter 6 - C Language Issues, Chapter 14 - Network Protocols, and Chapter 15 - Firewalls. Enjoy!

Fun With Impersonation

justin December 19th, 2006

Here’s our first "Spot the Vuln" challenge. I originally put this together for a post to Matasano’s blog, but work got pretty hectic and I had to let it slip for a bit. Now I finally have a little breathing room, so I thought this would be a good place to post it.

The function below is the thread routine spawned by a named-pipe server on Windows. The io parameter is an open named-pipe handle returned from a call to ConnectNamedPipe(); data has already been read from the pipe, so impersonation shouldn't fail.

int tclient(HANDLE io) {
    int hr = 0;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    HANDLE hProc = GetCurrentProcess();

    /* Take on the identity of the client connected to the pipe */
    if (!ImpersonateNamedPipeClient(io))
        return GetLastError();

    /* Hand the pipe to the child as its standard handles */
    ZeroMemory(&si, sizeof(si));
    si.dwFlags = STARTF_USESTDHANDLES;
    si.cb = sizeof(si);
    DuplicateHandle(hProc, io, hProc, &si.hStdInput, GENERIC_READ, TRUE, 0);
    DuplicateHandle(hProc, io, hProc, &si.hStdOutput, GENERIC_WRITE, TRUE, 0);
    DuplicateHandle(hProc, io, hProc, &si.hStdError, GENERIC_WRITE, TRUE, 0);
    CloseHandle(io);
    CreateProcess(NULL, SHELL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
    CloseHandle(si.hStdInput);
    CloseHandle(si.hStdOutput);
    CloseHandle(si.hStdError);
    hr = RevertToSelf();
    if (pi.hProcess != NULL)
        WaitForSingleObject(pi.hProcess, INFINITE);
    return hr;
}

This post is open for comments, but we will be moderating first because we don’t want to spoil the fun for everyone.

Spreekt u Nederlands?

jm December 15th, 2006

Check out this presentation by Ilja van Sprundel: Unusual Bugs.

Also, check out Ilja’s blog.

First Post

mark December 9th, 2006

Hi There!

Well, the blog is officially underway so I thought I should make an introductory post since John and Justin have already made several. I am Mark Dowd, one of the co-authors of "The Art of Software Security Assessment." We decided to make this web page for supporting material that readers of the book (and other interested parties) might find useful. Here we will post errata, along with code auditing challenges and little tips that we come across in our travels. New stuff that we put on here will likely go into a second edition. Feel free to send us any questions/comments/suggestions for how we could improve this page or stuff you would like to see in the book that we didn’t cover the first time around. Enjoy!

HANDLE with care

justin December 5th, 2006

I made a very poorly conceived last-minute change to the description of object handles on page 632; this mistake can be blamed primarily on a lack of sleep and a broken test environment. Basically, I wrote that you can use NtQuerySystemInformation() to retrieve unnamed object handles with weak permissions. The truth is that permissions don't apply when duplicating open handles, which I explained properly elsewhere in the chapter. The crux of this error is really that I failed to address the PROCESS_DUP_HANDLE permission and how it prevents exactly that attack vector.

Essentially, duplicating handles between processes requires PROCESS_DUP_HANDLE permissions for both the source and destination processes; otherwise the call to DuplicateHandle() will fail with access denied. This is important to note because having PROCESS_DUP_HANDLE permission for another process allows you to duplicate that process's pseudo-handle for itself. The resulting handle grants full rights to the target process, including arbitrary manipulation of memory.

In the end, I think we’ve all learned a really valuable lesson about trusting judgment calls when under the influence of deadlines.

Copy editors are scary

jm December 5th, 2006

We were blessed with an excellent copy-editor, and we have no idea how she kept her sanity. That said, there were a few things we should have vetoed her on but didn't, mostly because this was our first book and we didn't know any better. Also, editing this book was a Sisyphean task and we had to pick our battles. Anyway, here's a quick list of stuff we know is a little off:

"twos complement" - This should be "two’s complement."

"UNIX" - We wrote those chapters referring to it as "Unix." We should have stuck to that.

"Web" - It should be capitalized based on context.
