Toolchain

Not much is needed to read code, less source.php will do the job. But there are quite some things which help a lot to understand much quicker what’s going on.

Pretty simple, right!

int
main(int argc, char *argv[])
{
                        /* Important!!    *
  if (argc > 1)          * Please note:   *
    for (;;)             * This code is   *
      puts(argv[1]);     * NOT optimized  *
  else                   * in any way.    */
    for (;;)
      puts("y");
}

Wait a minute!

int
main(int argc, char *argv[])
{
                        /* Important!!    *
  if (argc > 1)          * Please note:   *
    for (;;)             * This code is   *
      puts(argv[1]);     * NOT optimized  *
  else                   * in any way.    */
    for (;;)
      puts("y");
}

Syntax Highlighting

A very simple, yet quite effective measure to understand code faster.

Editor/IDE

grep et al.

Being able to search within a codebase is essential for an audit.

Besides grep there are more specialized tools:

• ack
• OpenGrok
• Understand IDE

Just to name a few.

grep et al.

Even tough simple text base search might suffice in a lot of cases some IDE-like features are really nice to have:

• Cross referencing
• Control Flow Graphs
• Highlighting features

SCM tools

• Turning Black Box into a source code audit
• Alexa 1M analysis by Internetwache

Static analyzers

There are a lot of static code analyzers out there. They might help a lot to get to some bugs faster. They won’t be covered here for obvious reasons.

Intro

• Read it, over and over again.

• Ask your peers if unsure
• Think aloud (use with care)
• Üben, üben, üben! (Practice, practice, practice!)

Intro

Common Pitfalls:

• Validations
• Logic
• Assumptions about the environment
• Assumptions about the interfaces
• Assumptions about called library methods

Intro

Your job is to think about things the developer didn’t have time to think about.

Code Comments

Being able to read the code comments is actually a huge benefit. Even if you’re able to perfectly decompile e.g. a .jar file you won’t get the comments from the original source code.

Code Quality

Starter

Have a look here:

src/first/StringStuff.java

Starter

while (true) {
  s = readLine();
  if (s != null) {
    s = s.trim();
  }
  if (s == null || s.length() < 1) {
    continue;
  }
  if (s.contains("a")) {
    return true;
  } else {
    return false;
  }
}

What’s wrong with this code?

Starter

Let’s dissect

while (true) {        // For ever(!)
  s = readLine();     // Read a line

  if (s == null || s.length() < 1) {
    continue;  // Next loop iteration if empty line
  }
  if (s.contains("a")) {  
    return true;      // if "a" is in string
  } else {
    return false;     // otherwise
  }
}

Starter

private String readLine() throws IOException {
  return readLine(new StringBuffer());
}

Note the new StringBuffer()

Starter

private String readLine(StringBuffer sb) throws IOException {
  boolean finished;
  do {
    int value = read();
    finished = (value == -1 || value == 10);
    if (!finished) {
      sb.append((char) value);
    }
  } while (!finished);
  return sb.toString(); // Return value is always a String
}

Starter - “Exploit”

java StringStuff /etc/passwd

is just fine.

An empty file will result in an endless loop:

touch lol
java StringStuff lol

Injections

Quite a lot of issue are based on some kind of injection. So for instance:

• XSS
• SQL Injections
• Directory Traversals
• Command Injections
• … you name it

Injections

Injections can be seen as a form of in-band signaling. An attacker is able to alter some semantics within the underlying operation. This is possible, as some attacker controlled input is injected in a way which allows those semantical changes.

A very basic example:

"SELECT password FROM users WHERE username = " + request.getParameter("user");

Remote root any1?

Just have a look here

Injections

The general injection pattern:

Some user controlled variable is ending up (being injected) in an operation which subsequently will do something beyond its intended purpose.

Most prominent and easy to spot root cause is string concatenation.

Simple SQL Injection

<?php
$id = $_GET['p_id'];
$query  = "SELECT name FROM products WHERE id=" . $id . ";" ;
$result = pg_query($conn, $query);
?>

<?php
$id = $_GET['p_id'];
$query  = "SELECT name FROM products WHERE id=" . $id . ";" ;
$result = pg_query($conn, $query);
?>

Go

sql := "SELECT * FROM products WHERE name LIKE '%" + prod + "%'"
Db.Exec(sql)

Java (JDBC)

Statement stmt = con.createStatement();
ResultSet rset = stmt.executeQuery("SELECT * FROM products WHERE column = '" + columnValue + "';");

C#

SqlCommand cmd = new SqlCommand("SELECT column FROM table WHERE column = '" + columnValue + "';");
cmd.ExecuteNonQuery();

PHP

<?php
$query = “SELECT * FROM guestbook WHERE title LIKE ‘ .$_REQUEST[‘search’];
$result = mysql_query($query, $conn);

Python

db.engine.execute("SELECT * FROM table WHERE column = '%s';" % columnValue)

Ruby

Guess how it looks :)

Rails ORM specific hints

What is injected here?

def grep(query, options={})
  ref = options[:ref] ? options[:ref] : "HEAD"
  args = [{}, '-I', '-i', '-c', query, ref, '--']
  args << options[:path] if options[:path]
  result = @git.grep(*args).split("\n")
  result.map do |line|
    branch_and_name, _, count = line.rpartition(":")
    branch, _, name = branch_and_name.partition(':')
    {:name => name, :count => count}
  end
end

Arguments!

-O [<pager>], –open-files-in-pager [<pager>] Open the matching files in the pager (not the output of grep). If the pager happens to be “less” or “vi”, and the user specified only one pattern, the first file is positioned at the first match automatically.

Argument Injection Example

• PHP via CGI generic argument injection

Argument Injection Example

PHP’s mail()

bool mail(
    string $to,
    string $subject,
    string $message [,
    string $additional_headers [,
    string $additional_parameters ]]
)

Argument Injection Example

When PHP is configured to invoke a local MTA $additional_parameters will be sanitized by escapeshellcmd().

➡️ Arguments to the MTA can be still injected.

Further reading

Hands on Injections

• Read this code

• Vulnerable .deb package here

Recap / Generalization

Let’s think about the Injections from a high-level perspective.

Recap / Generalization

• IPO - a rather universal engineering pattern:
  • Input ➡️ Processing ➡️ Output

User input

• Have a look at this .go file
  • Any thoughts about the code?
• The example is shamelessly stolen from here

ZIP / Archive Files

• Lesser known fact about ZIP (also other archive formats) files:
  • The filename entry is just a string
  • It can contain the $PATH_SEPARATOR (‘/’ on Unix, ‘\’ on Windows)
    
  • Tool: e.g. evilarc

ZIP / Archive Files

Turns out, this got quite some hype

ZIP / Archive Files

• Another fun thing to put into a .zip:
  • A symbolic link

User Input

def password_reset
  @user = User.where(token: params[:token]).first
  if @user
    session[params[:token]] = @user.id
  else
    user_id = session[params[:token]]
    @user = User.find(user_id) if user_id
  end
[...]

source

Logic issues

Even simple boolean logic is hard, trust me 😂!

def check
  fullpath = request.path_info
  hmaced = "#{params[:email]}/#{params[:expire]}/"
  email = Base64.urlsafe_decode64 params[:email]
  expire = params[:expire].to_i
  digest = OpenSSL::Digest.new('sha512')
  hmac = OpenSSL::HMAC.hexdigest(digest, File.read("secret"), hmaced)
  t = Time.now()
  time_left = Time.at(expire) > t
  if not hmac == params[:hmac] and not time_left
   return false
  end
  return [email,expire]
end

“Leftovers”

Gitrob

There’s stuff to be found in code repositories which isn’t code, but still that stuff might introduce security issues.

Generally speaking

Every language has some specific pitfalls/ways to shoot yourself in the foot.

PHP: Type Juggling

if (empty($_POST['code']) ||
substr($realCode, 0, 10) != substr(md5($_POST['code']), 0, 10))    

Example taken from here

Further reading: Greg’s Presentation

PHP: Type Juggling

$token = sha1($_POST['user']+uniqId());

uniqid() :Gets a prefixed unique identifier based on the current time in microseconds.

+ operator is for Numbers:

php > echo("admin" + "1337wtf");
1337

PHP: Type Juggling

RTFM here and here

Ruby

require 'sinatra'

post '/ping' do
    if params['host'] =~ /^(\d{1,3}\.){3}(\d){1,3}$/
        return `ping -c 4 #{params['host']}`
    end
    return "Invalid IP address"
end

Ruby

The usual RegEx Anchors ^ and $ are multiline by default.

Which means:

/^[a-zA-Z]$/ matches perfectly on the following input:

hallo
!@#$WTF**

Indirections (Ruby example)

send(string [, args…]) → obj

method_missing(symbol [, *args] ) → result

More on that later during this training.

Indirections (Java example)

Reflect.java a very basic example:

Class<?> inclass = Class.forName(args[0]); 
Method inmeth = inclass.getMethod(args[1], String.class);
String instr = args[2];
System.out.println(inmeth.invoke(inclass,instr));

Timing Attacks

“Remote Timing Attacks are Practical” - are they?

Timing Attacks

• Especially when validating MACs, passwords, or other strings which implement some kind of access protection timing attacks might be an issue

Timing Attacks

Basic pattern/assumption:

• Canonical string comparison (e.g. ==, .equals(),…) is not time constant
  • “AAAAAAB” == “AAAAAAA” is slower than “ABAAAAA” == “AAAAAAA”

Timing Attacks mitigation

• Constant time comparison is usually implemented like:

def fixed_length_secure_compare(a, b)
  raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize

  l = a.unpack "C#{a.bytesize}"

  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res == 0
end

Day 1 - Recap

Addon Links

• WAT
• git-shell argument injection
• JavaScript theology
• The Perl Jam: Exploiting a 20 Year-old Vulnerability
• The Perl Jam 2
• WildCards_Gone_Wild