Input Sanitization

Input Sanitization COEN 225

All Input is Evil • All input is evil: • At least potentially • Input can be: (A random collection) • Files • Web forms • Cookies • Registry entries • Database contents • Command line arguments • Environmental variables • HTTP requests • Named pipes • E-mail • …

Finding Common Entry Points • Files • Contain data specified by users • Contain data supplied by application • Can be intentionally or unintentionally corrupted • Attacker can also attack file metadata: • Extension • Path • File system attributes • …

Finding Common Entry Points • Sockets • Easy to connect to sockets  need to filter data • Attacker can • Monitor data • Send malformed data to client or to server • Intercept data in the middle of a request and replace it • A.k.a Man in the middle attack

Finding Common Entry Points • HTTP requests • Almost always passes through firewalls • Using webproxy, users have complete control over what is send to the server • Named pipes • See sockets • But programmers might forget how named pipes work and trust input • E.g. SQL Server 2000 vulnerability • See http://www.blakewatts.com/namedpipepaper.html

Finding Common Entry Points • Pluggable Protocol Handler • Example: • http, ftp, https in URL • mailto:tschwarz@scu.edu?subject=WrongPerson • Tell system which application handles data when a hyperlink is clicked • Maliciously crafted link irc://[~900 characters] caused buffer overflow in mIRC protocol handler that allowed arbitrary code execution

Finding Common Entry Points • Programmatic Interfaces • RPC • COM • DCOM • ActiveX • Managed code entry points (Windows) • .NET Remoting

Finding Common Entry Points • SQL • Improperly filtered input strings can lead to execution of powerful SQL commands • Registry • User Interfaces • Win95 machines were used in libraries • Attacker could remove the “Start” button for free entertainment

Finding Common Entry Points • Command line arguments • Attacker provides helpful link with arguments embedded • Example: Cross scripting attacks • Environmental Variables • Can be used by programs to make decisions

Canonicalization • Authentication decision made by one module • Access done by other module

Input Validation • Input – Anything controlled by outsider • user command line input • configuration files that could be manipulated • http requests • packets under consideration by firewall • …

Input Validation • Security Strategies • Black List • List all things that are NOT allowed • List is difficult to create • Adding insecure constructs on a continuous basis means that the previous version was unsafe • Testing is based on known attacks. • List from others might not be trustworthy. • White List • List of things that are allowed • List might be incomplete and disallow good content • Adding exceptions on a continuous basis does not imply security holes in previous versions. • Testing can be based on known attacks. • List from others can be trusted if source can be trusted.

Input Validation • Principle problem • Location of Check  Location of Use • Principle solution • Canonicalization of input • Transform input into a canonical form • Decision is made on input in the same form that program uses

Canonicalization • Two major program errors: • Misunderstanding definition of canonical form • Stopping canonicalization process to early

Canonicalization:Dealing with Metacharacters • Meta-information can be attached • Out-Of-Band • In-Band • Often more readable • Often more compact • Has security implications • Potential for overlappingtrust domains: • There exists a logical boundary between data and metadata • Parser need to identify the difference between data and metadata correctly

Canonicalization:Dealing with Metacharacters • Example: NULL character for termination of strings

Canonicalization:Dealing with Metacharacters • Simplest Vulnerability: • Users can embed metacharacters into input that is not filtered • Instance of second-order injection attack • The attack happens when the metacharacter is evaluated • Example: Password update (next slide)

Canonicalization:Dealing with Metacharacters No input sanitization! use CGI; … verify session details … $new_password = $query->param(′password′); open(IFH,″</opt/passwords.txt″) || die (″$!″); open(OFH,″>/opt/passwords.txt.tmp″) || die (″$!″); while(IFH) { ($user, $pass) = split /:/; if ($user ne $session_username) print OFH ″$user:$pass\n″; else print OFH ″$user:$new_password\n″; } … close( IFH ); close( OFH ); User bob inputs: test\njim:npwd OFH becomes: bob:test jim:npwd Bob just added a new user

Canonicalization:Dealing with Metacharacters • Discovering attacks like this: • Identify code that deals with metacharacter strings • Identify all delimiter characters that are specially handled and put them into a list • Identify filtering performed on input • Eliminate potentially hazardous delimiter characters from list • Remaining characters on list indicate a vulnerability

Canonicalization:Dealing with Metacharacters Bool HandleUploadedFile(char * filename) { unsigned char buf[MAX_PATH], pathname[MAX_PATH]; char * fname = filename, *tmp1, *tmp2; DWORD rc; HANDLE hFile; tmp1 = strrchr(filename,′/′); tmp2 = strrchr(filename,′\\′); if(tmp1||tmp2) fname = (tmp1 > tmp2? tmp1 : tmp2)+1; if(!fname) return FALSE; if(strstr(fname, ″.. ″)) return FALSE; _snprintf(buf, sizeof(buf), ″\\\\?\\%TEMP%\\%s″,fname); rc = ExpandEnvironmentStrings(buf, pathname, sizeof(pathname)); if(rc == 0 || rc > sizeof(pathname)) return FALSE; hFile = CreateFile(pathname, …); … read bytes into the file … } 1 Input string is formatted a number of ways before it becomes a file name. Added to a statically sized buffer and prefixed with \\\\?\\%TEMP%\\

Canonicalization:Dealing with Metacharacters Bool HandleUploadedFile(char * filename) { unsigned char buf[MAX_PATH], pathname[MAX_PATH]; char * fname = filename, *tmp1, *tmp2; DWORD rc; HANDLE hFile; tmp1 = strrchr(filename,′/′); tmp2 = strrchr(filename,′\\′); if(tmp1||tmp2) fname = (tmp1 > tmp2? tmp1 : tmp2)+1; if(!fname) return FALSE; if(strstr(fname, ″.. ″)) return FALSE; _snprintf(buf, sizeof(buf), ″\\\\?\\%TEMP%\\%s″,fname); rc = ExpandEnvironmentStrings(buf, pathname, sizeof(pathname)); if(rc == 0 || rc > sizeof(pathname)) return FALSE; hFile = CreateFile(pathname, …); … read bytes into the file … } 2 Set of delimiter characters that are specially handled: ‘/’ ‘\’ “..” String is passed to Expand EnvironmentStrings( ). Environmental variables are denoted with % characters.

Canonicalization:Dealing with Metacharacters Bool HandleUploadedFile(char * filename) { unsigned char buf[MAX_PATH], pathname[MAX_PATH]; char * fname = filename, *tmp1, *tmp2; DWORD rc; HANDLE hFile; tmp1 = strrchr(filename,′/′); tmp2 = strrchr(filename,′\\′); if(tmp1||tmp2) fname = (tmp1 > tmp2? tmp1 : tmp2)+1; if(!fname) return FALSE; if(strstr(fname, ″.. ″)) return FALSE; _snprintf(buf, sizeof(buf), ″\\\\?\\%TEMP%\\%s″,fname); rc = ExpandEnvironmentStrings(buf, pathname, sizeof(pathname)); if(rc == 0 || rc > sizeof(pathname)) return FALSE; hFile = CreateFile(pathname, …); … read bytes into the file … } 3 Set of delimiter characters that are specially handled: ‘/’ ‘\’ “..” String is passed to Expand EnvironmentStrings( ). Environmental variables are denoted with % characters.

Canonicalization:Dealing with Metacharacters Bool HandleUploadedFile(char * filename) { unsigned char buf[MAX_PATH], pathname[MAX_PATH]; char * fname = filename, *tmp1, *tmp2; DWORD rc; HANDLE hFile; tmp1 = strrchr(filename,′/′); tmp2 = strrchr(filename,′\\′); if(tmp1||tmp2) fname = (tmp1 > tmp2? tmp1 : tmp2)+1; if(!fname) return FALSE; if(strstr(fname, ″.. ″)) return FALSE; _snprintf(buf, sizeof(buf), ″\\\\?\\%TEMP%\\%s″,fname); rc = ExpandEnvironmentStrings(buf, pathname, sizeof(pathname)); if(rc == 0 || rc > sizeof(pathname)) return FALSE; hFile = CreateFile(pathname, …); … read bytes into the file … } 4 Filtering: strrchr searches last occurrence for ‘/’ and ‘\’ and increments past it. strstr searches for “..”

Canonicalization:Dealing with Metacharacters Bool HandleUploadedFile(char * filename) { unsigned char buf[MAX_PATH], pathname[MAX_PATH]; char * fname = filename, *tmp1, *tmp2; DWORD rc; HANDLE hFile; tmp1 = strrchr(filename,′/′); tmp2 = strrchr(filename,′\\′); if(tmp1||tmp2) fname = (tmp1 > tmp2? tmp1 : tmp2)+1; if(!fname) return FALSE; if(strstr(fname, ″.. ″)) return FALSE; _snprintf(buf, sizeof(buf), ″\\\\?\\%TEMP%\\%s″,fname); rc = ExpandEnvironmentStrings(buf, pathname, sizeof(pathname)); if(rc == 0 || rc > sizeof(pathname)) return FALSE; hFile = CreateFile(pathname, …); … read bytes into the file … } 5 However, ‘%’ remains Client can supply a number of environmental variables such as QUERY_STRING In addition, something like ..\..\..\any\pathname\file.txt supplied in QUERY_STRING allows client to write to arbitrary locations in the file system

Canonicalization:Dealing with Metacharacters • NULL character injection • NULL characters are necessary to terminate strings when calling C routines from OS and many APIs • Perl and other languages do not use NULL for termination • Example: • Perl application programmer tests that file name ends in “.txt” • Attack inputs sequence “%00” in CGI input • Decoded as NUL character • Can be used to cut-off filename, including extension open(FH, ″>$username.txt″) || die(″$!″); print FH $data; close(FH);

Canonicalization:Dealing with Metacharacters: NULL • NUL metacharacter is used to end C-strings, but not Perl, Java, PHP, … • This is a canonicalization issue: • C-based modules canonicalize strings differently than the no-C/no-Unix world • Issues arise when strings cross boundaries between these worlds

Canonicalization:Dealing with Metacharacters: NULL • Possible results: • Memory corruption because strlen returns a different value • Truncation of strings  False decisions • Especially for FILE NAMES B O B . T X T \0 B O B \0 . T X T \0

Path Metacharacters • Windows File Names: • C:\\WINDOWS\system32\calc.exe • Optional device • Followed by path • NOT UNIQUE • C:\\WINDOWS\system32\drivers\..\calc.exe • calc.exe • .\calc.exe • ..\calc.exe • \\?\WINDOWS\systems32\calc.exe • File system uses file canonicalization • But the system is less than canonical

Path Metacharacters • Issues: • File squatting (in Windows) • Need to use CreateFile carefully in order to • Not open an existing file that sits in the canonical path of the file name • CreateFile canonicalization • eliminates any directory traversal components before validating whether each path segment exists • C:\nonexistent\path\..\..\blah.txt accesses C:\blah.txt • File-like Objects • CreateFile can open objects that are treated like files but are not files: • \\host\object • type\name • Device Files • Reside in the file hierarchy • But are canonicalized differently • COM!-9, LPT1-9, CON, CONIN$, CONOUT$, PRN, AUX, CLOCK$, NUL • Programmers are often not aware of the rules

Path Metacharacters • CreateFile() (Windows) idiosyncrasies • Strips out trailing spaces in file names • Example attack • Programmer attaches “.txt” to a user-provided name • Attacker provides “helloworld.exe “ with trailing space • The trailing space with following .txt is stripped out • Case Sensitivity • Windows filenames are not case sensitive, UNIX and HFS filenames are • DOS 8.3 • Short file name is created by the file system if the file name is too long. • File can be referred to by the short file name • Use \\?\ before file name to disable DOS filename parsing • Insure that files are normal files by checking for FILE_ATTRIBUTE_NORMAL, or face access to named pipes, … • Alternative Data Streams are created with an “:” separator

Path Metacharacters • Registry keys • Naming similar to files • Similar issues • Worthy of its own presentation

Canonicalization:Dealing with Metacharacters • Shell Metacharacter Injection • Attack vector • User controls input to an argument for execve(), popen(), … • Dangerous shell characters • ; | & < > ` ! - * / ? ( ) . [space] [ ] “\t” ^ ~ \ “\\” quotes “\r” “\n” $

Canonicalization:Dealing with Metacharacters • SQL Injection attack • Attack vector: • User controls part of the SQL query string

CanonicalizationMeta Character Filtering • Three basic options • Detect erroneous input and reject what appears to be an attack • Detect and strip dangerous characters • Detect and encode dangerous characters with a metacharacter escape sequence

CanonicalizationMeta Character Filtering • Eliminating Metacharacters • Whitelisting: Allow only good strings if($input_data =~ /[^A-Za-z0-9_ ]/) { exit; } • Whitelisting: Strip away anything that is not good $input_data =~ s/ /[^A-Za-z0-9]/g • Stripping is vulnerable to mistakes • Blacklisting: Make decisions based on dangerous characters (not recommended)

CanonicalizationMeta Character Filtering • Escaping Metacharacters • Non-destructive: metacharacters are preserved in string • Goal: Receiving module receives a safe string • Attack vectors: • Metacharacter evasion • Encoded metacharacter can be used to avoid other filtering

CanonicalizationMeta Character Filtering • Escaping Metacharacters • Filtering does not detect encoded metacharacters • Example: ..%2F..%2Fetc%2Fpasswd • Double Encoding Attacks dXNlcj1wYXNzd2QmaG9tZWRpcj0uLiUyNSUzMiU0Ni4uJTL1JTMyJTQ Base 64 Decoder user=passwd&homedir=..%25%32%46..%25%32%46etc Hexadecimal Decoder pass 1 user=passwd&homedir=..%2F..%2Fetc Hexadecimal Decoder pass 1 user=passwd&homedir=../../etc

CanonicalizationMeta Character Filtering • Character Sets • Example vulnerabilities • Wide characters (unicode) C-style strings are terminated with a 16 NULL, normal character strings with an 8 NULL • Homographic attacks • Different characters look the same • “Microsoft”  “Microsoft” in Unicode • one ‘o’ is cyrillic • String length calculations need to take character set into account (wide characters vs. normal characters)

Input Sanitization

Input Sanitization

Presentation Transcript

Media Sanitization

Input

Disk Clearing and Disk Sanitization

Input

INPUT

Input

Sanitization of Electronic Media

Input

INPUT

Input

Hand Sanitization, a good habit - Dettol

Swimming Pool sanitization

Input

input

Disinfection & sanitization services

Residential Cleaning And Sanitization Services

Car Sanitization in Gurgaon

Sanitization in Udaipur

Sanitization Services - Vansanit

Office and home sanitization

Coronavirus Sanitization Services Dublin | Bogdancleaning.ie