cs161 Lecture 20: Programming errors, Audits

Most common vulnerabilities are due to bugs, not design flaws (though design
can mitigate the effects).

Kinds
  local/remote: do you need normal local privs, or can you do it from afar?
  normal/root: do you get root privileges, or just some user?
  DoS

buffer overrun
  by far the most common
  a few common culprits: gets(), sprintf()
  use snprintf and friends
    but off the end?
  use dynamic buffers
    heap exhaustion?

format string: printf
  %n makes them very bad
  almost always use a constant, or a simple table lookup (internationalization)
    message catalog must not be user controlled
  ftpd: after ls, uses printf directly to print strings

signed/unsigned
  system calls
  ping of death
  integer overflow

tmpfile race
  attacker knows that a priv'd user will manipulate a certain file
  use mkstemp or:

    #include <errno.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>

    char *filename;
    int fd;
    do {
        filename = tempnam(NULL, "foo");
        /* O_EXCL: fail instead of following a name the attacker planted */
        fd = open(filename, O_CREAT | O_EXCL | O_TRUNC | O_RDWR, 0600);
        free(filename);           /* keep the fd, not the name */
    } while (fd == -1 && errno == EEXIST);  /* retry only if the name was taken;
                                               any other error would loop forever */

  tmpwatch: attacker can arrange to delete a secure program's file
  never use a stored name (fchown, fchmod, etc.)
  For ANY well-known name opened by a priv'd program: TOCTOU; better to drop privs
  "Priv'd" may just mean "someone else", so you can make jim delete his files

system, popen
  priv'd programs must execute unpriv'd programs very carefully
    unclean metacharacters
    unclean env (LD_PRELOAD is an ugly one)
    user controlled PATH, LD_LIBRARY_PATH (or even CLASSPATH)
  (fix with careful fork/drop/exec)

checking user input
  huge class of problem, no single solution
  perl taint mode is one type of aid
  places with "little languages" are the worst (hardest to get right)
    system()
    perl's open
    html
    url encoding
    SQL injection
  cross-site scripting
    malicious html, javascript, java can be placed by a 3rd party
    webbugs
    GETs that do something
    example of not checking input data
    this can be quite hard (HTML char encoding, multiple defaults)
  DoS
    crashing servers (so even if there's no exploit, it can be bad)
    globbing (ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*)

Auditing Priorities
  1. Any binary which is installed setuid or setgid.
  2. Anything which provides a service over a network.
  3. Any remotely accessible CGI/PHP scripts.
  4. cronjobs or other automated scripts which run with privileges.
  Popularity (by install, not by use)

Tools
  some static checkers help (including gcc warnings, turn them ON (also perl))
  fuzz
    random input, done years ago for shell utilities, repeated later.
    open source did well
  crashme for kernels
  just out for browsers
    IE did very well, Open Source poorly
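The tmpfile-race section's "never use a stored name" rule, as an added C example (not from the lecture): the scratch file is created with mkstemp, then verified and re-moded through the descriptor, never through the path. The template path and the scratch data are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private temp file with mkstemp() (O_CREAT|O_EXCL, mode 0600) and
 * return its fd. mkstemp fills in the XXXXXX in place; from here on the
 * caller acts through the fd, because the name is what a racer can swap. */
int open_private_tmp(char *template)
{
    struct stat st;
    int fd = mkstemp(template);
    if (fd == -1)
        return -1;
    /* Check what we actually opened with fstat() on the fd, not stat() on the
     * path: a regular file, one link, owned by us, no group/other bits. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Write constructed scratch data, read it back through the same fd, tighten
 * the mode with fchmod() (by fd, not chmod() by name), then remove the file.
 * Returns 0 on success, -1 on any failure. */
int tmpfile_roundtrip(void)
{
    const char msg[] = "cs161 scratch data";   /* constructed sample input */
    char buf[sizeof msg] = {0};
    char path[] = "/tmp/cs161-XXXXXX";         /* constructed template */
    int ok = 0;
    int fd = open_private_tmp(path);
    if (fd == -1)
        return -1;
    if (write(fd, msg, sizeof msg) == (ssize_t)sizeof msg
        && lseek(fd, 0, SEEK_SET) == 0
        && read(fd, buf, sizeof buf) == (ssize_t)sizeof buf
        && memcmp(buf, msg, sizeof msg) == 0
        && fchmod(fd, 0400) == 0)
        ok = 1;
    unlink(path);   /* the name is kept only to clean up */
    close(fd);
    return ok ? 0 : -1;
}
```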