history of some vulnerabilities and exploit techniques
Post on 02-Nov-2014
History of some Vulnerabilities
.. And exploit techniques
whoami
Peter Magnusson, omegapoint.se
History of some Vulnerabilities
• Intro
• Lessons from 1974 & 1988
• Buffer Overflows
• Injections
• XSS Cross Site Scripting
- intro -
History of some Vulnerabilities & Exploit techniques
This is just a tribute. Couldn't remember The Greatest Song in the World, no, no.
This is a tribute, oh, to The Greatest Song in the World
Tenacious D – Tribute, http://www.youtube.com/watch?v=_lK4cX5xGiQ
• Defenders practicing STFU
  – NDA
• Limited shared knowledge
  – Secret closed mailing lists etc
• Often pointless/boring
  – Vendor/CERT style info
• Attackers practicing STFU
  – Attackers not bragging
What we know we don't know
Eras: 1970-1988, 1988-1994, 1994-2009, 2009- (Dark Ages, Golden Days, Cloudy days)
securitydigest.org – liberating archives from old closed mailing lists (I haven't had nearly as much time to read this stuff as I would like to)
• 1970-1988: Early Days, .mil
• 1988: Morris Worm
• 1988-1994: CERT & vendors: "A potential security vulnerability has been identified in X where, under certain circumstances, user privileges can be expanded via Y"
• 1994-2009: Golden days! Bugtraq, Full Disclosure etc take off
  – 1998 – 2000: It is not just OS/utilities any more…
• 2009-: No Free Bugs, APTs, Crimeware, 0-days galore, Spearphishing
Great Historical Resources
• http://seclab.cs.ucdavis.edu/projects/history/CD/ – Computer security as a discipline was first studied in the early 1970s, although the issues had influenced the development of many earlier systems such as the Atlas system and MULTICS. Unfortunately, many of the early seminal papers are often overlooked as developers (and sometimes researchers) rediscover problems and solutions, leading to wasted time and development effort.
• http://securitydigest.org/ – This site is dedicated to preserving the history of early computer security digests and mailing lists, specifically those prior to the mid 1990's. This includes the Unix 'Security Mailing List', through to the Zardoz 'Security Digest' to the Core 'Security List', i.e. those preceding BugTraq. These forums are a valuable insight into the embryonic development of the field of computer security, especially as it relates to the Internet, and the development of the Doctrine of Disclosure.
• http://seclists.org/ – Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq.
- Lessons from 1974 -
1974 – Karger, Schell, USAF
USAF were amazing at computer security in the 1970s!!!
- Lessons from 1988 -
Morris Worm was BIG! in 1988
• Infected most of the internet
  – Cross compiled for two main targets
• Exploited a buffer overflow
• Exploited the DEBUG backdoor in sendmail
• Exploited weak passwords by cracking them
• Basically, it was amazing & threatening.
1988 reactions to the Morris Worm
"So I've decided to take my work back underground, To stop it falling into the wrong hands. "
– Prodigy, Music for the Jilted Generation, 1994, http://www.youtube.com/watch?v=kJ6jApzrExY
1988 - #1. Create Restricted Mailing List
With the old security mailing list the only requirement was an OK from the root of the system (other than home computers). I would like to suggest that there would be a trusted group of people to start the mailing list (maybe start with phage@purdue). People would need someone who was on the list already to vouch for them, an OK from the person's home root, and that their name be circulated to the mailing list to see if anyone objects. I am suggesting these additional requirements because I know of people (now in retrospect) that shouldn't have been on the old list who would not qualify with these additional requirements. I would also suggest that there are no aliases (i.e. postmaster@moby.foo.bar) but mail would be sent to individuals only.
1988 - #2. Security Repository
There are a number of sites who don't have source, yet they want holes fixed. For some problems, it is easy enough to patch a binary with adb, but for other problems that is not enough. I would suggest a ftp site on the Internet that would keep binaries to patched programs. I would suggest Sun-3, Sun-4, and Vaxen binaries. Possibly other machines (i.e. Pyramid, Sequent, Encore, HP) if there seems to be enough of an interest.
1988 - #3. Get Vendors Involved
There should be at least one rep. from each major UNIX box vendor who would be responsible for getting fixes into release software. This doesn't seem to be much of a priority with vendors right now. I think we should collectively scream bloody murder until they see a bit more responsiveness from our friends.
1988 - #4. Hole List
I think it *might* be a good idea to develop a list of security holes that should be checked. This list should have a very limited circulation. This list should not live on the same machine as the security mailing list of the archives. It should be mailed from a system other than its home (otherwise that machine becomes a prime spot for breaking). On the other hand, having such a list might be too risky.
What went wrong?
• 1970: USAF says computer security cannot be solved by secrecy
• -1988: Secret mailing lists with secrecy!
• 1988-: More secrecy!
  – BAD: Focus on secrecy rather than information
  – BAD: Everything seems ad hoc, e.g. no search for known vulns in products.
  – Good: stated need for vendors, patches, checklists.
1994: FULL DISCLOSURE
Secrecy didn't work. Vendors weren't proactive.
Because the past had been repeated: 20 years later, implementing 1974 advice
- Buffer Overflows -
Buffer Overflow
Timeline: 1972, 1988, 1996, 2001, now
• 1972 – Computer Security Technology Planning Study:
  "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine."
• 1988 – Morris Worm
  Buffer overflow in fingerd (gets) used to exploit VAX Unix. Exploit payload executed /bin/sh.
• 1996 – Smashing the Stack For Fun and Profit
  The first big, easily understood guide on how to exploit. Covered the popular Intel x86 machine code. Now everyone learned buffer overflows!
• 2001 – Code Red & other Windows worms
  Buffer overflows hit Windows hard. Again and again. Bill Gates posts the Trustworthy Computing memo in January 2002.
• now – Mitigation Wars
  Buffer overflows are partially mitigated in many modern operating systems (except embedded software, which is often without mitigations). Advanced exploits circumvent mitigations. Most application developers do .NET and Java, which are mitigated.
  Offense: heap spraying, info leaks, ROP, …
  Defense: Stack Canaries, SafeSEH/SEHOP, DEP, ASLR, ROPGuard
Buffer Overflows
• 1972 – First documented (?): Computer Security Technology Planning Study
• 1988 – Rediscovered: VAX exploit, Morris Worm
• 1995 – Rediscovered: Intel x86 exploits, Smashing the Stack for Fun and Profit
• 2001 – Massive exploitation: Windows worms, Trustworthy Computing Memo
• 2013 – Mitigation Wars: ASLR, NX, …; Infoleaks, ROP, Spraying
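The fingerd bug and the whole "Mitigation Wars" slide come down to one missing check: the copy into a fixed-size buffer is never bounded by the size of that buffer. The following is an added example, not material from the talk, showing that 1988 shape in C beside a bounded version that fixes it at the source rather than relying on canaries, DEP or ASLR to catch it afterwards. The 512-byte buffer size, the function names and the "finger request" framing are this example's own choices.

```c
/* Added example (not from the talk): the unbounded fixed-buffer read that the
 * Morris worm exploited in fingerd, beside a bounded version that fails closed.
 * Function names and the 512-byte size are this example's own choices. */
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 512   /* size of the on-stack request buffer */

/* VULNERABLE shape (1988): nothing relates the copy to the size of line[], so a
 * request longer than LINE_SIZE-1 bytes writes past the buffer into whatever
 * the compiler placed after it (other locals, saved frame pointer, return
 * address). strcpy stands in for the gets(line) call in the original fingerd.
 * Kept only for contrast; it is never given untrusted input in this example. */
void copy_request_unbounded(const char *request, char line[LINE_SIZE]) {
    strcpy(line, request);
}

/* HARDENED: the copy is bounded by the destination size and over-long input
 * is rejected rather than silently truncated (truncation creates its own
 * bugs). Returns 0 on success, -1 if the request does not fit including the
 * terminating NUL. */
int copy_request_bounded(const char *request, char *line, size_t line_size) {
    size_t n = 0;
    /* Measure without ever scanning further than the destination could hold. */
    while (n < line_size && request[n] != '\0')
        n++;
    if (n == line_size)            /* no room left for the terminator */
        return -1;
    memcpy(line, request, n + 1);  /* n bytes plus the NUL */
    return 0;
}

/* Server-side handler: a request that does not fit is an error to log and
 * drop, not something to process. Returns 0 if handled, -1 if rejected. */
int handle_finger_request(const char *request) {
    char line[LINE_SIZE];
    if (copy_request_bounded(request, line, sizeof line) != 0) {
        fprintf(stderr, "rejected over-long request (%zu bytes)\n", strlen(request));
        return -1;
    }
    printf("looking up user '%s'\n", line);
    return 0;
}

int main(void) {
    char oversized[LINE_SIZE + 100];         /* constructed: longer than the buffer */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    handle_finger_request("alice");          /* fits: handled */
    handle_finger_request(oversized);        /* does not fit: rejected, no overflow */
    return 0;
}
```

The bounded version deliberately refuses input that would need truncation instead of cutting it short: a truncated name is still a wrong name, and "exactly fits, no NUL" is the off-by-one that the length check has to cover explicitly.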
- Injections -
Injection
• 1985 – Unquoted shell…
• 1988 – Sendmail DEBUG feature/backdoor
• 1994 – Majordomo OS command injection
• 1998 – SQL Injection: RFP, "NT Web Technology Vulnerabilities"
• 2000 – JavaScript Injection (XSS): Georgi Guninski security advisory #1, 2000
  […] But the following JavaScript is executed: <IMG LOWSRC="javascript:alert('Javascript is executed')">
  […] for example displaying a fake login screen
  […] also possible to read user's messages, to send messages from user's name and doing other mischief.
  […] It is also possible to get the cookie from Hotmail, which is dangerous.
RFP on SQL injection:
"And I didn't invent SQL injection. I may have been one of the first to publicly explain it in tutorial fashion, but it existed for as long as SQL itself existed; it was just that few people saw the security implications of it. But that may be because SQL wasn't ubiquitous like it is today, so it had limited impact in limited circles."
http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/
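Every entry on that timeline, from the 1985 unquoted shell to SQL injection, is the same mistake: data supplied by the other end is spliced into text that an interpreter (a shell, a database) then parses as code. The following is an added example, not material from the talk, showing the Majordomo-era command-injection shape in C beside the fix: validate against an allowlist and hand the value to the program as its own argv element so no shell ever parses it (for SQL the equivalent is parameter binding). The scenario, a list manager delivering to a subscriber address taken from an incoming message, and all function names are this example's own; the sample addresses are constructed.

```c
/* Added example (not from the talk): the data-as-code mistake behind the
 * Majordomo-era OS command injection, beside the fix. The scenario (a list
 * manager delivering to a subscriber address taken from an incoming message)
 * and all function names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* VULNERABLE shape: the address is pasted into a command line that a shell
 * will parse, so any shell metacharacter in the data changes the command's
 * structure. Shown for contrast only; nothing here runs the string. */
int build_shell_command(const char *address, char *out, size_t out_size) {
    int n = snprintf(out, out_size, "/usr/sbin/sendmail %s", address);
    return (n >= 0 && (size_t)n < out_size) ? 0 : -1;
}

/* Detection aid for the reader: does the text contain characters the shell
 * treats as syntax? Used on the address, never on the assembled command. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, "|;&`$(){}<>\"'\\ \t\r\n") != NULL;
}

/* Allowlist: only the characters an address legitimately needs, exactly one
 * '@', and a length bound. Anything else is rejected, whether or not we know
 * how it could be abused. */
int address_is_safe(const char *address) {
    size_t len = strlen(address);
    int at_count = 0;
    if (len == 0 || len > 254)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)address[i];
        if (c == '@') { at_count++; continue; }
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+')
            continue;
        return 0;
    }
    return at_count == 1;
}

/* HARDENED shape: validate, then pass the address to the program as its own
 * argv element (for execv), so no shell ever parses it. argv must have room
 * for three pointers. Returns 0 on success, -1 if the address is rejected. */
int build_argv(const char *address, const char *argv[3]) {
    if (!address_is_safe(address))
        return -1;
    argv[0] = "/usr/sbin/sendmail";
    argv[1] = address;
    argv[2] = NULL;
    return 0;
}

int main(void) {
    /* Constructed samples: one ordinary address, one carrying a shell operator. */
    const char *samples[] = { "alice@example.org", "bob@example.org|touch x" };
    for (size_t i = 0; i < 2; i++) {
        char cmd[512];
        const char *argv[3];
        build_shell_command(samples[i], cmd, sizeof cmd);
        printf("shell string: %s  (metacharacters in data: %s)\n",
               cmd, has_shell_metachar(samples[i]) ? "yes" : "no");
        printf("argv path:    %s\n",
               build_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The allowlist check is deliberately stricter than "does it contain a known-bad character": a denylist has to anticipate every quoting trick the shell supports, while the allowlist only has to describe what a valid address looks like. Passing the value through argv removes the shell from the picture entirely, so the validation is defence in depth rather than the only line.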
- XSS Cross Site Scripting -
XSS Cross Site Scripting
• 1995 – JavaScript introduced; Same Origin Policy
• 199x – Browser vulnerability research (Guninski et al); silly XSS-ish abuse of guestbooks and similar
• 2000 – Guninski: JavaScript Injection in Hotmail; Microsoft: Cross Site Scripting (Michael Barrett, Marvin Simkin and Toby Barrick, ~1999?); CERT: Malicious HTML Tags Embedded …
• 2002 – Larholm: IIS allows universal Cross Site Scripting (2005 Klein: DOM Based XSS)
• 2010 – Content Security Policy
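The Hotmail advisory quoted in the injection section shows why XSS needed two different server-side answers long before Content Security Policy arrived: untrusted text has to be rendered as text, and a user-supplied URL in an attribute such as LOWSRC has to be restricted by scheme, because "javascript:" is harmless as escaped text but is a scheme to the browser. The following is an added example, not material from the talk, with both checks in C; the function names are this example's own and the payload used as input is the one quoted in the advisory.

```c
/* Added example (not from the talk): two server-side defences against the
 * 2000 Hotmail-style JavaScript injection. html_escape() makes untrusted text
 * render as text; url_scheme_allowed() keeps a user-supplied URL out of an
 * attribute unless its scheme is http/https or the URL is relative. Both
 * function names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Replace the five characters that can break out of an HTML text or quoted
 * attribute context. Returns the number of bytes written (excluding the NUL)
 * or -1 if out cannot hold the whole result; it never emits a partial entity. */
int html_escape(const char *in, char *out, size_t out_size) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char single[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t rep_len = strlen(rep);
        if (o + rep_len + 1 > out_size)
            return -1;
        memcpy(out + o, rep, rep_len);
        o += rep_len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Allowlist the scheme instead of searching for bad ones. Leading control
 * characters and spaces are skipped because browsers ignore them, and the
 * comparison is case-insensitive for the same reason. A URL with no scheme
 * (relative) is allowed. Returns 1 if allowed, 0 otherwise. */
int url_scheme_allowed(const char *url) {
    const unsigned char *p = (const unsigned char *)url;
    while (*p && *p <= 0x20)
        p++;
    const unsigned char *start = p;
    /* The scheme ends at the first ':' that comes before any path/query/fragment. */
    while (*p && *p != ':' && *p != '/' && *p != '?' && *p != '#')
        p++;
    if (*p != ':')
        return 1;                        /* no scheme: relative URL */
    size_t n = (size_t)(p - start);
    char scheme[8];
    if (n == 0 || n >= sizeof scheme)
        return 0;                        /* too long to be http/https: reject */
    for (size_t i = 0; i < n; i++)
        scheme[i] = (char)tolower(start[i]);
    scheme[n] = '\0';
    return strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0;
}

int main(void) {
    /* The payload quoted in the advisory, as a user would submit it. */
    const char *payload = "<IMG LOWSRC=\"javascript:alert('Javascript is executed')\">";
    char safe[256];
    if (html_escape(payload, safe, sizeof safe) >= 0)
        printf("rendered as text: %s\n", safe);
    printf("javascript: scheme allowed? %d\n", url_scheme_allowed("javascript:alert(1)"));
    printf("https scheme allowed?       %d\n", url_scheme_allowed("https://example.org/a.png"));
    return 0;
}
```

Escaping is per output context: the five entities above cover HTML text and quoted attribute values, but a value that lands inside a script block or a URL needs its own encoder, which is exactly why the scheme allowlist exists alongside html_escape() rather than being replaced by it. Content Security Policy (the 2010 entry) then limits what an injected script could do if both checks are missed.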
RANT
What infosec guys do best?
<rant></rant>
• Security pros are brilliant at not knowing what security knew 10-20 years ago.
  – Security by secrecy has not worked very well
  – Dealing with trust & "need to know" on an internet scale is hard.
• Security wasted 20+ years in addressing the insane level of buffer overflow problems.
• "Vendors aren't doing enough" has been said since at least 1988. SDL is bringing some change since 2003!
<rant></rant>
• Easy to rant about the past.
  – What about today?
• AppSec – YOU make the software, not a vendor.
  – That's a big change.
• What contemporary fails will people rant about in 2043?
TAKE AWAY
What you might consider learning from this exercise
• Secrecy sucks
• Try to avoid wasting 20 years of knowledge again
• Don't be the next "vendor" claimed to do nothing preemptively. Work on reducing your vulnerabilities.
FIN