History of some Vulnerabilities .. And exploit techniques

Upload: blaufish

Post on 02-Nov-2014


DESCRIPTION

Presentation on computer vulnerabilities and the exploitation of them from the 1970s to 2013. Based on materials from Early Computer Security Papers: Ongoing Collection (seclab.cs.ucdavis.edu), securitydigest.org, seclists.org, Phrack, Morris Worm analyses and various other preserved historical insights. In particular it covers buffer overflows, injection attacks and XSS (Cross Site Scripting). A note from an audience member during the presentation was that injection vulns were known to be something you had to protect against when the member was coding in the 1970s. That fits my takeaway: info security is horrible at remembering what it knew 20 years ago.

TRANSCRIPT

Page 1: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

.. And exploit techniques

Page 2: History of some Vulnerabilities and exploit techniques

whoami

Peter Magnusson, omegapoint.se

Page 3: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

Intro

Lessons from 1974 & 1988

Buffer Overflows

Injections

XSS Cross Site Scripting

Page 4: History of some Vulnerabilities and exploit techniques

- intro -

History of some Vulnerabilities & Exploit techniques

Page 5: History of some Vulnerabilities and exploit techniques

This is just a tribute. Couldn't remember The Greatest Song in the World, no, no.

This is a tribute, oh, to The Greatest Song in the World

Tenacious D – Tribute, http://www.youtube.com/watch?v=_lK4cX5xGiQ

Page 6: History of some Vulnerabilities and exploit techniques

What we know we don't know

• Defenders practicing STFUNDA

• Limited shared knowledge – secret closed mailing lists etc.

• Often pointless/boring vendor/CERT style info

• Attackers practicing STFU – attackers not bragging

Page 7: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

Dark Ages Golden Days Cloudy days

Page 8: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

Dark Ages Golden Days Cloudy days

securitydigest.org – liberating archives from old closed mailing lists (I haven't had nearly as much time to read this stuff as I would like to)

Page 9: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

Early Days, .mil

Page 10: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

CERT & vendors: "A potential security vulnerability has been identified in X where, under certain circumstances, user privileges can be expanded via Y"

Morris Worm

Page 11: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

Golden days! Bugtraq, Full Disclosure etc takes off

1998 – 2000 : It is not just OS/utilities any more…

Page 12: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

No Free Bugs, APTs, Crimeware, 0-days, Spearphishing

Page 13: History of some Vulnerabilities and exploit techniques

1970-1988 1988-1994 1994-2009 2009-

CERT & vendors: "A potential security vulnerability has been identified in X where, under certain circumstances, user privileges can be expanded via Y"

Golden days! Bugtraq, Full Disclosure etc takes off

No Free Bugs, APTs, Crimeware, 0days galore

Morris Worm

Early Days

Page 14: History of some Vulnerabilities and exploit techniques

Great Historical Resources

• http://seclab.cs.ucdavis.edu/projects/history/CD/ – Computer security as a discipline was first studied in the early 1970s, although the issues had influenced the development of many earlier systems such as the Atlas system and MULTICS. Unfortunately, many of the early seminal papers are often overlooked as developers (and sometimes researchers) rediscover problems and solutions, leading to wasted time and development effort.

• http://securitydigest.org/ – This site is dedicated to preserving the history of early computer security digests and mailing lists, specifically those prior to the mid 1990's. This includes the Unix 'Security Mailing List', through to the Zardoz 'Security Digest' to the Core 'Security List', i.e. those preceding BugTraq. These forums are a valuable insight into the embryonic development of the field of computer security, especially as it relates to the Internet, and the development of the Doctrine of Disclosure.

• http://seclists.org/ – Any hacker will tell you that the latest news and exploits are not found on any web site, not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq.

Page 15: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

.. And exploit techniques

Page 16: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

Intro

Lessons from 1974 & 1988

Buffer Overflows

Injections

XSS Cross Site Scripting

Page 17: History of some Vulnerabilities and exploit techniques

- Lessons from 1974 -

History of some Vulnerabilities & Exploit techniques

Page 18: History of some Vulnerabilities and exploit techniques

1974 – Karger, Schell, USAF

The USAF was amazing at computer security in the 1970s!!!

Page 19: History of some Vulnerabilities and exploit techniques

- Lessons from 1988 -

History of some Vulnerabilities & Exploit techniques

Page 20: History of some Vulnerabilities and exploit techniques

Morris Worm was BIG! in 1988

• Infected most of the internet – cross compiled for two main targets

• Exploited a buffer overflow

• Exploited the DEBUG backdoor in sendmail

• Exploited weak passwords by cracking them

• Basically, it was amazing & threatening.

Page 21: History of some Vulnerabilities and exploit techniques

1988 reactions to the Morris Worm

"So I've decided to take my work back underground, To stop it falling into the wrong hands. "

– Prodigy, Music for the Jilted Generation, 1994, http://www.youtube.com/watch?v=kJ6jApzrExY

Page 22: History of some Vulnerabilities and exploit techniques

1988 #1. Create Restricted Mailing List

With the old security mailing list the only requirement was an OK from the root of the system (other than home computers). I would like to suggest that there would be a trusted group of people to start the mailing list (maybe start with phage@purdue). People would need someone who was on the list already to vouch for them, an OK from the person's home root, and that their name be circulated to the mailing list to see if anyone objects. I am suggesting these additional requirements because I know of people (now in retrospect) that shouldn't have been on the old list who would not qualify with these additional requirements. I would also suggest that there are no aliases (i.e. [email protected]) but mail would be sent to individuals only.

Page 23: History of some Vulnerabilities and exploit techniques

1988 - #2. Security Repository

There are a number of sites who don't have source, yet they want holes fixed. For some problems, it is easy enough to patch a binary with adb, but for other problems that is not enough. I would suggest an ftp site on the Internet that would keep binaries to patched programs. I would suggest Sun-3, Sun-4, and Vaxen binaries. Possibly other machines (i.e. Pyramid, Sequent, Encore, HP) if there seems to be enough of an interest.

Page 24: History of some Vulnerabilities and exploit techniques

1988 - #3. Get Vendors Involved

There should be at least one rep. from each major UNIX box vendor who would be responsible for getting fixes into release software. This doesn't seem to be much of a priority with vendors right now. I think we should collectively scream bloody murder until they see a bit more responsiveness from our friends.

Page 25: History of some Vulnerabilities and exploit techniques

1988 - #4. Hole List

I think it *might* be a good idea to develop a list of security holes that should be checked. This list should have a very limited circulation. This list should not live on the same machine as the security mailing list or the archives. It should be mailed from a system other than its home (otherwise that machine becomes a prime spot for breaking). On the other hand, having such a list might be too risky.

Page 26: History of some Vulnerabilities and exploit techniques

What went wrong?

• 1970: USAF says computer security cannot be solved by secrecy

• -1988: Secret mailing lists with secrecy!

• 1988-: More secrecy!

– BAD: Focus on secrecy rather than information

– BAD: Everything seems ad hoc, e.g. no search for known vulns in products.

– Good: stated need for vendors, patches, checklists.

Page 27: History of some Vulnerabilities and exploit techniques

1994: FULL DISCLOSURE

Secrecy didn't work. Vendors weren't proactive.

Because the past had been repeated: 20 years later, implementing 1974 advice.

Page 28: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

.. And exploit techniques

Page 29: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

Intro

Lessons from 1974 & 1988

Buffer Overflows

Injections

XSS Cross Site Scripting

Page 30: History of some Vulnerabilities and exploit techniques

- Buffer Overflows -

History of some Vulnerabilities & Exploit techniques

Page 31: History of some Vulnerabilities and exploit techniques

Buffer Overflow

1972 1988 1996 2001 now

Computer Security Technology Planning Study: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine."

Page 32: History of some Vulnerabilities and exploit techniques

Buffer Overflow

1972 1988 1996 2001 now

Morris Worm

Buffer overflow in fingerd (gets) used to exploit VAX Unix.

Exploit payload executed /bin/sh.

Page 33: History of some Vulnerabilities and exploit techniques

Buffer Overflow

1972 1988 1996 2001 now

Smashing the Stack For Fun and Profit

The first big easily understood guide on how to exploit.

Covered the popular Intel x86 machine code. Now everyone learned buffer overflows!

Page 34: History of some Vulnerabilities and exploit techniques

Buffer Overflow

1972 1988 1996 2001 now

Code Red & other Windows Worms

Buffer overflows hit Windows hard.

Again and again.

Bill Gates posts Trustworthy Computing Memo in January 2002

Page 35: History of some Vulnerabilities and exploit techniques

Buffer Overflow

1972 1988 1996 2001 now

Mitigation Wars

Buffer overflows are partially mitigated in many modern operating systems (except embedded software, which often ships without mitigations). Advanced exploits circumvent mitigations. Most application developers do .NET and Java, which are mitigated.

Offense: heap spraying, Info leaks, ROP, …

Defense: Stack Canaries, SafeSEH/SEHOP, DEP, ASLR, ROPGuard

Page 36: History of some Vulnerabilities and exploit techniques

Buffer Overflows

1972 – First documented (?): Computer Security Technology Planning Study

1988 – Rediscovered: VAX exploit, Morris Worm

1995 – Rediscovered: Intel x86 exploits, Smashing the Stack for Fun and Profit

2001 – Massive exploitation: Windows worms, Trustworthy Computing Memo

2013 – Mitigation Wars: ASLR, NX, …; Infoleaks, ROP, Spraying

Page 37: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

.. And exploit techniques

Page 38: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

Intro

Lessons from 1974 & 1988

Buffer Overflows

Injections

XSS Cross Site Scripting

Page 39: History of some Vulnerabilities and exploit techniques

- Injections -

History of some Vulnerabilities & Exploit techniques

Page 40: History of some Vulnerabilities and exploit techniques

Injection

2000 – JavaScript Injection (XSS)

Page 41: History of some Vulnerabilities and exploit techniques

Georgi Guninski security advisory #1, 2000

[…] But the following JavaScript is executed: <IMG LOWSRC="javascript:alert('Javascript is executed')">

[…] for example displaying a fake login screen

[…] also possible to read user's messages, to send messages from user's name and doing other mischief.

[…] It is also possible to get the cookie from Hotmail, which is dangerous.

Page 42: History of some Vulnerabilities and exploit techniques

Injection

1998 – SQL Injection: RFP, NT Web Technology Vulnerabilities

2000 – JavaScript Injection (XSS)

Page 43: History of some Vulnerabilities and exploit techniques

"And I didn't invent SQL injection. I may have been one of the first to publicly explain it in tutorial fashion, but it existed for as long as SQL itself existed; it was just that few people saw the security implications of it. But that may be because SQL wasn't ubiquitous like it is today, so it had limited impact in limited circles."

http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

Page 44: History of some Vulnerabilities and exploit techniques

Injection

1994 – Majordomo OS command injection

1998 – SQL Injection: RFP, NT Web Technology Vulnerabilities

2000 – JavaScript Injection (XSS)

Page 45: History of some Vulnerabilities and exploit techniques

Injection

1988 – (Sendmail DEBUG feature/backdoor)

1994 – Majordomo OS command injection

1998 – SQL Injection: RFP, NT Web Technology Vulnerabilities

2000 – JavaScript Injection (XSS)

Page 46: History of some Vulnerabilities and exploit techniques

Injection

1985 – Unquoted shell…

1988 – (Sendmail DEBUG feature/backdoor)

1994 – Majordomo OS command injection

1998 – SQL Injection: RFP, NT Web Technology Vulnerabilities

2000 – JavaScript Injection (XSS)
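As an added example (not part of the slides), the three injection contexts on this timeline share one root cause, untrusted text concatenated into a command, query or document and re-parsed as code, and each has a context-specific fix: argv lists or quoting for the shell, bound parameters for SQL, and output encoding for HTML. The table, user names and inputs below are constructed for the demo.

```python
import html
import shlex
import sqlite3

# Constructed sample inputs for the demo (not from the slides).
BENIGN = "alice"
SQL_INPUT = "x' OR 'a'='a"                 # quote ends the literal, adds a clause
SHELL_INPUT = "alice; id"                  # ';' would start a second command
HTML_INPUT = '<img lowsrc="javascript:alert(1)">'  # Guninski-style tag as data


def _demo_db():
    """In-memory table standing in for a 1998-era web app's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, mail TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "a@example.invalid"), ("bob", "b@example.invalid")])
    return con


def lookup_concat(name):
    """Vulnerable (1998, RFP): data spliced into SQL text, so a quote in the
    input rewrites the query. Returns the number of rows the query matched."""
    con = _demo_db()
    return len(con.execute(
        f"SELECT mail FROM users WHERE name = '{name}'").fetchall())


def lookup_param(name):
    """Fixed: the driver binds the value separately; it is never parsed as SQL."""
    con = _demo_db()
    return len(con.execute(
        "SELECT mail FROM users WHERE name = ?", (name,)).fetchall())


def finger_argv(user):
    """Fixed shell case (1985/1994 class): build an argv list, never a shell
    string, and pass it to subprocess.run(...) without shell=True."""
    return ["finger", user]


def finger_shell_line(user):
    """If a shell string is unavoidable, quote the data so ';' stays literal."""
    return "finger " + shlex.quote(user)


def render_guestbook_entry(text):
    """Fixed HTML case (2000, XSS): encode for the HTML text context before
    writing user text into the page, so tags arrive as text, not markup."""
    return "<li>" + html.escape(text, quote=True) + "</li>"
```

The benign name matches one row either way; the quoted input matches both rows through the concatenated query and none through the bound one, which is the whole difference between the two eras.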

Page 47: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

.. And exploit techniques

Page 48: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

Intro

Lessons from 1974 & 1988

Buffer Overflows

Injections

XSS Cross Site Scripting

Page 49: History of some Vulnerabilities and exploit techniques

- XSS Cross Site Scripting -

History of some Vulnerabilities & Exploit techniques

Page 50: History of some Vulnerabilities and exploit techniques

XSS Cross Site Scripting

1995 – JavaScript introduced, Same Origin Policy

Page 51: History of some Vulnerabilities and exploit techniques

XSS Cross Site Scripting

1995 – JavaScript introduced, Same Origin Policy

199x – Browser vulnerability research (Guninski et al); silly XSS-ish abuse of guestbooks and similar

Page 52: History of some Vulnerabilities and exploit techniques

XSS Cross Site Scripting

1995 – JavaScript introduced, Same Origin Policy

199x – Browser vulnerability research (Guninski et al); silly XSS-ish abuse of guestbooks and similar

2000 – Guninski: JavaScript Injection in Hotmail; Microsoft: Cross Site Scripting (Michael Barrett, Marvin Simkin and Toby Barrick ~1999?); CERT: Malicious HTML Tags Embedded …

Page 53: History of some Vulnerabilities and exploit techniques

XSS Cross Site Scripting

1995 – JavaScript introduced, Same Origin Policy

199x – Browser vulnerability research (Guninski et al); silly XSS-ish abuse of guestbooks and similar

2000 – Guninski: JavaScript Injection in Hotmail; Microsoft: Cross Site Scripting (Michael Barrett, Marvin Simkin and Toby Barrick ~1999?); CERT: Malicious HTML Tags Embedded …

2002 – Larholm: IIS allows universal Cross Site Scripting (2005 Klein: DOM Based XSS)

Page 54: History of some Vulnerabilities and exploit techniques

XSS Cross Site Scripting

1995 – JavaScript introduced, Same Origin Policy

199x – Browser vulnerability research (Guninski et al); silly XSS-ish abuse of guestbooks and similar

2000 – Guninski: JavaScript Injection in Hotmail; Microsoft: Cross Site Scripting (Michael Barrett, Marvin Simkin and Toby Barrick ~1999?); CERT: Malicious HTML Tags Embedded …

2002 – Larholm: IIS allows universal Cross Site Scripting (2005 Klein: DOM Based XSS)

2010 – Content Security Policy

Page 55: History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities

.. And exploit techniques

Page 56: History of some Vulnerabilities and exploit techniques

RANT

What do infosec guys do best?

Page 57: History of some Vulnerabilities and exploit techniques

<rant></rant>

• Security pros are brilliant at not knowing what security knew 10-20 years ago.

– Security by secrecy has not worked very well

– Dealing with trust & "need to know" on an internet scale is hard.

• Security wasted 20+ years in addressing the insane level of buffer overflow problems.

• "Vendors aren't doing enough" has been said since at least 1988. SDL is bringing some change since 2003!

Page 58: History of some Vulnerabilities and exploit techniques

<rant></rant>

• Easy to rant about the past.

– What about today?

• AppSec – YOU make the software, not a vendor.

– That's a big change.

• What contemporary fails will people rant about in 2043?

Page 59: History of some Vulnerabilities and exploit techniques

TAKE AWAY

What you might consider learning from this exercise

Page 60: History of some Vulnerabilities and exploit techniques

Secrecy sucks

Take Away

Page 61: History of some Vulnerabilities and exploit techniques

Try to avoid wasting 20 years of knowledge again

Take Away

Page 62: History of some Vulnerabilities and exploit techniques

Don't be the next "vendor" accused of doing nothing preemptively. Work on reducing your vulnerabilities.

Take Away

Page 63: History of some Vulnerabilities and exploit techniques

FIN

.. And exploit techniques