[PPT] - Static Detection of Second-Order Vulnerabilities in Web Applications PowerPoint Presentation

SLIDE 1

Static Detection of Second-Order Vulnerabilities in Web Applications

Johannes Dahse and Thorsten Holz

Ruhr-University Bochum

USENIX Security ’14, 20-22 August 2014, San Diego, CA, USA

SLIDE 2

2

„First-Order“ Vulnerabilities

<?php $name = $_POST['name']; // ', 1), (version(), 1)-- - $sql = “INSERT INTO users VALUES ('$name', '$pwd')“; mysql_query($sql); ?>

SQL injection
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

user input

application

send

!“*$()&/'\

SLIDE 3

3

Sanitization

<?php $name = mysql_real_escape_string($_POST['name']); $sql = “INSERT INTO users VALUES ('$name', '$pwd')“; mysql_query($sql); ?>

SQL injection (prevented)
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

user input

application

send

!“*$()&/'\

SLIDE 4

4

Second-Order Vulnerability (1)

<?php $name = mysql_real_escape_string($_POST['name']); $sql = “INSERT INTO users VALUES ('$name', '$pwd')“; mysql_query($sql); ?>

Database Write
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

user input

application database

send write

SLIDE 5

5

Second-Order Vulnerability (2)

Database Read
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

user input

application database

send write

<?php $result = mysql_query('SELECT * FROM users'); $row = mysql_fetch_assoc($result); echo $row['name']; ?>

read

SLIDE 6

6

Multi-Step Exploit (1)

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

database

<?php $name = $_POST['name']; // ', 'payload')-- - $sql = “INSERT INTO users VALUES ('$name', '$pwd')“; mysql_query($sql); ?>

First-Order SQL injection

user input

application

send

!“*$()&/'\

SLIDE 7

7

Multi-Step Exploit (1)

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

database

write

<?php $name = $_POST['name']; // ', 'payload')-- - $sql = “INSERT INTO users VALUES ('$name', '$pwd')“; mysql_query($sql); ?>

Exploit First-Order SQL injection

user input

application

send

SLIDE 8

8

Multi-Step Exploit (2)

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

database

read

Second-Order Command Execution

application

request

<?php $result = mysql_query('SELECT * FROM users'); $row = mysql_fetch_assoc($result); system('htpasswd -b .htpasswd Admin '.$row['pwd']); ?>

SLIDE 9

9

Second-Order Vulnerabilities

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion
$_GET
$_POST
$_COOKIE
$_FILES
$_SERVER

...

Databases
File Names
$_SESSION (File Content)

...

Cross-Site Scripting
SQL Injection
Code Execution
File Inclusion
File Disclosure

... User input Persistent Data Store (PDS) Sensitive Sink 1. 2.

SLIDE 10

10

Second-Order Vulnerabilities

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion
$_GET
$_POST
$_COOKIE
$_FILES
$_SERVER

...

Databases
File Names
$_SESSION (File Content)

...

Cross-Site Scripting
SQL Injection
Code Execution
File Inclusion
File Disclosure

... User input Sensitive Sink 1. 2. Persistent Data Store (PDS)

SLIDE 11

11

Our Approach

Static Code Analysis (no access to environment)
Analyze writes and reads to persistent data stores
Connect input and output points at the end of the analysis

to detect second-order and multi-step vulnerabilities

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 12

12

Source: http://rewalls.com

2. Implementation
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

(Overview)

SLIDE 13

13

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

First-Order Taint Analysis

mysql_query('insert into users values(null, '$name', '$pwd');

$name = $_POST['name'];

SLIDE 14

14

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

First-Order Taint Analysis

mysql_query('insert into users values(null, '$name', '$pwd');

$name = $_POST['name'];

SLIDE 15

15

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

First-Order Taint Analysis

mysql_query('insert into users values(null, '$name', '$pwd');

$name = $_POST['name'];

SLIDE 16

16

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

First-Order Taint Analysis

mysql_query('insert into users values(null, '$name', '$pwd');

$name = $_POST['name'];

Vulnerability Report POST[name] SQLi

SLIDE 17

17

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Analysis (write)

mysql_query('insert into users values(null, '$name', '$pwd');

$name = escape($_POST['name']);

id name pass

users

SLIDE 18

18

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Multi-Step Taint Analysis (write)

mysql_query('insert into users values(null, '$name', '$pwd');

$name = $_POST['name'];

id name pass

users

Vulnerability Report POST[name] SQLi

SLIDE 19

19

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Analysis (read)

echo('Hi ' . $res['name'] . ' !');

$res = mysql_query('select name

from users');

$row = mysql_fetch_assoc($res);

PDS *

SLIDE 20

20

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Analysis (read)

echo('Hi ' . $res['name'] . ' !');

$res = mysql_query('select name

from users');

$row = mysql_fetch_assoc($res);

PDS *

SLIDE 21

21

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Analysis (read)

echo('Hi ' . $res['name'] . ' !');

$res = mysql_query('select name

from users');

$row = mysql_fetch_assoc($res);

PDS *

SLIDE 22

22

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Analysis (read)

echo('Hi ' . $res['name'] . ' !');

$res = mysql_query('select name

from users');

$row = mysql_fetch_assoc($res);

PDS *

Temporary Vulnerability Report users[name] XSS

SLIDE 23

23

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Decision

PDS *

Temporary Vulnerability Report users[name] XSS

id name pass

PDS'

users

Reads Writes

connect

SLIDE 24

24

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Decision

PDS *

Temporary Vulnerability Report users[name] XSS

id name pass

PDS'

users

tainted? Reads Writes

SLIDE 25

25

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Decision

PDS *

Temporary Vulnerability Report users[name] XSS

id name pass

PDS'

users

sanitized? Reads Writes

SLIDE 26

26

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Second-Order Taint Decision

PDS *

Temporary Vulnerability Report users[name] XSS

id name pass

PDS'

users

Second-Order Vulnerability Report XSS

Reads Writes

SLIDE 27

27

Source: http://rewalls.com

3. Evaluation
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 28

28

Selected Software

osCommerce 2.3.3.4
HotCRP 2.61
OpenConf 5.30
MyBloggie 2.1.4
NewsPro 1.1.5
Scarf 2007-02-27
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 29

29 False Positive True Positive False Negative

PDS Usage and Coverage (first-order)

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

Non-Taintable Taintable '"\<>

Manually counted PDS (841) Detected Taintable PDS

71%

6%

29%

77% 23%

PDS

SLIDE 30

30

Second-Order Vulnerabilities

159 True Positives (79%)



97% persistent XSS (database)



Missed by previous work

43 False Positives (21%)



Root cause: Path-sensitive sanitization



E.g., store only valid email



Failures in 1st step propagate to 2nd step

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

PDS

SLIDE 31

31

Multi-Step Exploits

14 True Positives (93%)



2 based on file upload



12 based on SQLi



Missed by previous work

1 False Positives (7%)



False positive SQLi

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

PDS

SLIDE 32

32

Second-Order LFI in OpenConf

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

$r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; }

PDS

SLIDE 33

33

Second-Order LFI in OpenConf

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

$r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; }

PDS

SLIDE 34

34

Second-Order LFI in OpenConf

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

$r = mysql_query("select setting, value from " . OCC_TABLE_CONFIG); while ($l = mysql_fetch_assoc($r)) { $config[$l['setting']] = $l['value']; } function printHeader($what, $function="0") { require $GLOBALS['pfx'] . $GLOBALS['config']['OC_headerFile']; } function updateConfigSetting($setting, $value) {

csql_query("UPDATE `" . OCC_TABLE_CONFIG . "`

SET `value`=' " . safeSQLstr(trim($value)) . " ' WHERE `setting`='" . safeSQLstr($setting) . " ' "); } foreach (array_keys($_POST) as $p) { if (preg_match("/^OC_[\w-]+$/", $p)) { updateConfigSetting($p, $_POST[$p]); } }

PDS

SLIDE 35

35

Multi-Step Exploitation in OpenConf

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

/data/papers/1.pdf

1. upload
2. escalate
3. reconfigure

OC_headerFile

4. included

SQLi or XSS

Remote Command Execution

All issues are fixed in version 5.31 and 6.01

File Upload Second-Order LFI

SLIDE 36

36

Source: http://rewalls.com

4. Conclusion
1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 37

37

Conclusion

Static detection of second-order vulnerabilities is possible



Analyze and collect reads/writes to PDS (database, file names, session data)



Determine sensitive data flow at the end of analysis

> 150 new vulnerabilities



Leading to RCE in NewsPro, Scarf, OpenConf, osCommerce



Overlooked problem in practice, missed in previous work

Future work



Support prepared statements



Improve SQL parser

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 38

38

Thank you Facebook

for the generous award

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 39

39

Questions?

johannes.dahse@rub.de

1. Introduction
2. Implementation
3. Evaluation
4. Conclusion

SLIDE 40

40

Static Detection of Second-Order Vulnerabilities in Web Applications

„First-Order“ Vulnerabilities

Sanitization

Second-Order Vulnerability (1)

Second-Order Vulnerability (2)

Multi-Step Exploit (1)

Multi-Step Exploit (1)

Multi-Step Exploit (2)

Second-Order Vulnerabilities

Second-Order Vulnerabilities

Our Approach

to detect second-order and multi-step vulnerabilities

First-Order Taint Analysis

First-Order Taint Analysis

First-Order Taint Analysis

First-Order Taint Analysis

Second-Order Taint Analysis (write)

Multi-Step Taint Analysis (write)

Second-Order Taint Analysis (read)

Second-Order Taint Analysis (read)

Second-Order Taint Analysis (read)

Second-Order Taint Analysis (read)

Second-Order Taint Decision

Second-Order Taint Decision

Second-Order Taint Decision

Second-Order Taint Decision

Selected Software

PDS Usage and Coverage (first-order)

Second-Order Vulnerabilities

Multi-Step Exploits

Second-Order LFI in OpenConf

Second-Order LFI in OpenConf

Second-Order LFI in OpenConf

Multi-Step Exploitation in OpenConf

Conclusion

Thank you Facebook

for the generous award

Questions?

johannes.dahse@rub.de

Thank you! Enjoy the conference.