inputval

Upload: mobilecrackers

Post on 05-Apr-2018


7/31/2019 inputval

Input Validation Attacks
========================
Written by R a v e N for BSRF (http://blacksun.box.sk)
17/7/2000

"Input Validation Attacks". Some of you may be startled by this term. But, to tell you the truth, it's quite simple, and fun too. Here, let me explain.

What's an IVA?
--------------
IVA stands for an Input Validation Attack. I'll try to make this as simple as possible, so even those of you who don't have any programming experience will still understand.

Suppose you have a program that receives input. That could be practically anything. In fact, almost every application that you know receives some sort of input. When you tell your browser where to go, you're giving it input. When you play a computer game and you tell your figure to move to the left, that's input. When you type in your password, that's input too. So, what happens when a program doesn't validate the input that you give it correctly?

Suppose, for example, that you typed your input, then a certain character and afterwards a command, and the command got executed? Or maybe, if you type a password that's too long, the program will go amok and let you in without the password. Or maybe it'll let you in if you don't type anything at all.

The program didn't validate the input correctly - it didn't make sure that the user is typing what he is supposed to type. So let's make a long story short - there is a bug or a hole in the program or its implementation that involves certain input, and the program doesn't make sure that such input is not given, thus allowing us to exploit the hole. Now for a few examples, to clear things up and to show you how this can be done and exploited.

Examples
--------
The best possible real example that I can think of is the PHF hole. Yes, PHF! Some of you may already recognize this hole. Yeah, yeah, we know it dates back to 1996, but let's forget about that for a second and concentrate on how this works.

Let's imagine we're back in 1996. PHF is a CGI script that comes standard with the Apache Web Server - the world's most popular web server (and it still is until this very day). Everything is doing just fine, until Jennifer Myers found out that the PHF script will accept the newline character and issue commands to the command line with the webserver's privileges. This means that if httpd (the HTTP Daemon, i.e. the program that listens on port 80 (by default) and waits for HTTP connections. The term daemon isn't limited to Internet-related issues, and is better explained in other BSRF tutorials) is running as root (which is a very stupid thing to do. Web servers should run from a very restricted account), every command can be executed with root privileges.

Basically, to get the password file, all you had to do was type this:
http://www.some-vulnerable-webserver.com/cgi-bin/phf?Qalias=x&0a/bin/cat&20/etc/passwd

Then you will get the password file, as if you had console access to a root terminal and typed in cat /etc/passwd (if the file is shadowed, you can also get /etc/shadow. After all, you have root permissions). From this point, all you have to do is run a password cracker and wait.

Smarter crackers would issue different commands. For example, they could create an .rhosts file in root's home directory and add their hostname and username, and then use rlogin to remotely log in to that system (if such a service is running and is not firewalled. But then again, an admin that is stupid enough to run httpd as root would probably also have it running unrestrictedly as well). Refer to rlogin's manual page for further instructions.

Analyzing the attack
--------------------
http://www.some-vulnerable-webserver.com/cgi-bin/phf?Qalias=x&0a/bin/cat&20/etc/passwd

Hmm... That's awfully long, isn't it? Let's take it piece by piece.

http://www.some-vulnerable-webserver.com
There's not much to explain here - this part tells your web browser who to contact.

/cgi-bin/phf
This part tells your browser to request the file called phf, under the cgi-bin directory, which is under the root directory (it's the main directory, similar to c:\ in the DOS / Windows world).

?
Passes input to phf, the CGI script.

Qalias=x
So far this is normal input, which the program (and the programmer) is expecting.

&0a
This is the fun part. &0a is the newline metacharacter. It tells PHF to start a completely new command line.

/bin/cat&20/etc/passwd
The command to execute. Tells PHF to run the following command:
/bin/cat /etc/passwd

The cat program is a standard Unix program that dumps the contents of a file to the "standard output" (stdout). This usually means your computer monitor, unless the output is redirected (to the printer, to a file, or in this case, through a TCP/IP socket and straight down to our browser).

&20 is another metacharacter, which stands for a blank space, which is also called a "white space" (it is used instead of real spaces because httpd cannot accept spaces in URL requests).

How to prevent such attacks
---------------------------
First of all, make sure that everything runs with privileges that are as restricted as possible, and can only access files that it should and has to have access to (and if so, minimize access. For example: a web server needs to be able to read html, gif, jpg, cgi scripts or other files that belong to the web site, but does not require write access to them). That way you can minimize or completely eliminate any possible damage.

Also, as a developer, you must keep security in mind when you code your programs, and also test them under unexpected conditions. In other words, when you test a car, you test it for all sorts of strange situations and wild crashes, and drive it through different kinds of terrain. You can't just make sure that it can drive and then send it out to the market, otherwise people will realize that although the car works just fine in normal conditions, it doesn't handle unexpected ones properly, and will eventually switch to another
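The decoding walked through in "Analyzing the attack" and the advice in "How to prevent such attacks", as an added example that is not part of the original tutorial: it percent-decodes the request the way the CGI script sees it, reports which shell metacharacters reached the Qalias field, and shows a validator that rejects anything outside an allowlist and passes the alias as a single argument rather than through a command line. It assumes the request carries the newline and space percent-encoded as %0a and %20 (the tutorial writes them with & signs), and /usr/bin/ph is an assumed command name.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests: the tutorial's PHF request, with the newline
# and space assumed to be percent-encoded (%0a, %20) as a browser sends them,
# and a benign lookup for comparison.
PHF_REQUEST = ("http://www.some-vulnerable-webserver.com/cgi-bin/phf"
               "?Qalias=x%0a/bin/cat%20/etc/passwd")
BENIGN_REQUEST = "http://www.some-vulnerable-webserver.com/cgi-bin/phf?Qalias=jmyers"

# Characters that change the meaning of a command line. Newline is the one
# the tutorial's attack relies on; space separates arguments.
SHELL_META = set("\n\r ;|&`$()<>*?[]{}\\'\"")

def decode_query(url: str) -> dict:
    """Percent-decode the query string into {field: value}, as the CGI script sees it."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def find_injected_meta(url: str) -> dict:
    """Detection: map each query field to the sorted shell metacharacters it carries."""
    hits = {}
    for field, value in decode_query(url).items():
        found = sorted(ch for ch in set(value) if ch in SHELL_META)
        if found:
            hits[field] = found
    return hits

# Prevention: allowlist what Qalias may contain instead of denylisting
# metacharacters, so a forgotten character (as the newline was in phf) cannot slip through.
ALIAS_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def validate_alias(value: str) -> str:
    """Return the alias unchanged if every character is allowlisted, else raise."""
    if not ALIAS_RE.fullmatch(value):
        raise ValueError("Qalias rejected: character outside the allowlist")
    return value

def lookup_argv(alias: str) -> list:
    """Build the argument vector for the directory lookup ('/usr/bin/ph' is an
    assumed command name). Handing this list to subprocess.run without shell=True
    makes the alias one argument: a newline inside it stays data, never a new command."""
    return ["/usr/bin/ph", "-m", "alias=" + validate_alias(alias)]

if __name__ == "__main__":
    for url in (PHF_REQUEST, BENIGN_REQUEST):
        print(url, "->", find_injected_meta(url) or "clean")
    print(lookup_argv("jmyers"))
```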
