Autopsy of Vulnerabilities - Ezequiel "Zequi" Vázquez - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

Ezequiel "Zequi" Vázquez

Autopsy of Vulnerabilities

SLIDE 3

Who Am I?

  • Backend developer
  • DevOps
  • Security & Hacking
  • From Jerez (southern Spain)
  • @RabbitLair

SLIDE 4

SLIDE 5

We will "dissect" the following

  • SA-CORE-2014-005 – SQL injection as anonymous user
  • SA-CORE-2018-002 – Remote code execution as anonymous user

SLIDE 6

Why this session?

SLIDE 7

Why this session?

SLIDE 8

Three steps analysis

  • Description of the technology components implied in the vulnerability
  • Description of how the vulnerability works
  • Vulnerability exploiting live demo

SLIDE 9

SA-CORE-2014-005 / CVE-2014-3704

  • SQL injection as anonymous user
  • Drupal 7.31 and below
  • 25/25 score on NIST index
  • Patched on October 15th, 2014

SLIDE 10

Arrays on HTTP POST method

SLIDE 11

Database queries sanitization

  • File includes/database/database.inc
  • Method expandArguments
  • SQL queries with conditions like "column IN (a, b, c)"
  • The query skeleton is built with placeholders, which are replaced after the values are sanitized

SLIDE 12

Database queries sanitization: an example

User edit form as administrator. We can select which roles the user has.

[Figure: query example; caption fragment "becomes ->"]
SLIDE 13

Database queries sanitization: an example

Method expandArguments replaces the implicit indexes with explicit ones built from the array name.

[Figure: query example; caption fragment "becomes ->"]
SLIDE 14

Database queries sanitization: an example

The query structure is built using the explicit array keys as placeholders. Finally, the placeholders are replaced by the sanitized values, and the query is executed.

SLIDE 15

The vulnerability

Original array keys are used to build placeholder names without being sanitized.

SLIDE 16

The vulnerability

Original array keys are used to build placeholder names without being sanitized.
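The placeholder expansion described on slides 11 to 16, as an added example that is not Drupal's own code: a simplified model of expandArguments with the pre-fix and post-fix behaviour side by side, plus a call-site check. Function names are hypothetical; the sample arguments are constructed.

```php
<?php
// Added example, not Drupal's own code: a simplified model of how
// expandArguments() in includes/database/database.inc rewrites
// "column IN (:roles)" into one placeholder per array element.
// Function names here are hypothetical.
function expandInPlaceholders(string $query, array $args, bool $fixed): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        // Vulnerable (Drupal <= 7.31): iterate the caller's keys as they came in,
        // so whatever the key contains is pasted into the placeholder name and
        // therefore into the SQL text, before any value is sanitized.
        // Fixed (SA-CORE-2014-005): re-index with array_values() first, so $i is
        // always 0, 1, 2, ... and the original key never reaches the query.
        $items = $fixed ? array_values($data) : $data;
        $newKeys = [];
        foreach ($items as $i => $value) {
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Defensive check a caller can apply before handing arrays to the query layer:
// every array argument must be a plain list (keys 0..n-1), nothing else.
function arrayArgsAreLists(array $args): bool
{
    foreach ($args as $data) {
        if (is_array($data) && array_keys($data) !== array_keys(array_values($data))) {
            return false;
        }
    }
    return true;
}

// Constructed input: the role list carries a non-numeric key, the shape an
// array submitted through an HTTP POST body can take (slide 10).
$query = 'SELECT uid FROM users_roles WHERE rid IN (:roles)';
$args  = [':roles' => ['name' => 3, 0 => 4]];

// Vulnerable path: the caller's key "name" becomes part of a placeholder name.
[$vulnQuery] = expandInPlaceholders($query, $args, false);
// Fixed path: placeholders are numbered regardless of the incoming keys.
[$safeQuery] = expandInPlaceholders($query, $args, true);
var_dump($vulnQuery, $safeQuery, arrayArgsAreLists($args));
```

The call-site check is a belt-and-braces measure for application code; the real remediation remains updating core to 7.32 or later.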

SLIDE 17

Let's see it!

SLIDE 18

SA-CORE-2018-002 / CVE-2018-7600

  • Remote code execution as anonymous user
  • Drupal 5.x, 6.x, 7.57 and below, 8.5.0 and below
  • 24/25 score on NIST index
  • Patched on March 28th, 2018

SLIDE 19

Render arrays

  • Arrays whose keys start with the # character
  • Mechanism to render everything
  • Recursive behavior
  • Callbacks: post_render, pre_render, ...

SLIDE 20

Form processing with AJAX API

  • Form submitted via XHR request
  • Submitted values are stored in the #value attribute of each field
  • Parameter element_parents determines the section of the form to be re-rendered

SLIDE 21

The vulnerability

A form field containing a render array with a callback can be re-rendered using the AJAX API.
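The mitigation side of slides 19 to 21, as an added example that is not Drupal's own code: user input must never be able to introduce render-array keys, so incoming request data is walked recursively and every key starting with "#" is dropped and reported for logging. This is a stand-alone model of the idea behind the RequestSanitizer Drupal 8 shipped with the SA-CORE-2018-002 fix; the function name and the sample POST body are constructed.

```php
<?php
// Added example, not Drupal's own code. Models the request-sanitizing
// mitigation for SA-CORE-2018-002: strip '#'-prefixed keys (render-array
// properties such as callbacks) from decoded request input before any form or
// render code can see them. Name and sample data are hypothetical.

/**
 * Recursively remove '#'-prefixed keys from $input.
 * Returns [$cleaned, $removedPaths] so the removals can be logged.
 */
function stripRenderKeys(array $input, string $path = ''): array
{
    $removed = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            // foreach iterates over a copy, so unsetting here is safe.
            unset($input[$key]);
            $removed[] = $here;
            continue;
        }
        if (is_array($value)) {
            [$input[$key], $nested] = stripRenderKeys($value, $here);
            $removed = array_merge($removed, $nested);
        }
    }
    return [$input, $removed];
}

// Constructed sample: a parsed POST body in which one nested element carries a
// key that only the render layer itself should ever set.
$post = [
    'form_id' => 'user_register_form',
    'mail'    => ['#example_render_key' => 'x', 'value' => 'user@example.com'],
];
[$clean, $removed] = stripRenderKeys($post);
if ($removed !== []) {
    // A request that carried such keys is worth an alert, not just a drop.
    error_log('Stripped render keys from request: ' . implode(', ', $removed));
}
var_dump($clean);
```

The same walk would apply to query-string and cookie data, since any of them can feed form state.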

SLIDE 22

Let's see it!

SLIDE 23

Final thoughts

  • Keep your sites updated. No exceptions.
  • Thank you, security team!
  • To prevent vulnerabilities in your code, you need to learn about them.

SLIDE 24

Final thoughts

SLIDE 25

Join us for contribution opportunities

Friday, April 12, 2019

Mentored Contribution / First Time Contributor Workshop / General Contribution

  • 9:00 - 18:00, Room: 602
  • 9:00 - 12:00, Room: 606
  • 9:00 - 18:00, Room: 6A

#DrupalContributions

SLIDE 26

What did you think?

Locate this session at the DrupalCon Seattle website:

http://seattle2019.drupal.org/schedule

Take the Survey!

https://www.surveymonkey.com/r/DrupalConSeattle

SLIDE 27

Autopsy of Vulnerabilities, by Zequi Vázquez

Questions?

SLIDE 28

Autopsy of Vulnerabilities, by Zequi Vázquez

Thank you!