
VOTD: Log Neutralization. Engineering Secure Software. Last Revised: September 2, 2020 (PowerPoint PPT Presentation)



  1. VOTD: Log Neutralization
     Engineering Secure Software
     Last Revised: September 2, 2020
     SWEN-331: Engineering Secure Software, Benjamin S Meyers

  2. What is Log Neutralization?
     ● If you allow newlines (\n) in your log entries, then attackers can forge log entries (inject false log data), throwing off investigations
       ○ CWE-117 (Improper Output Neutralization for Logs)
     ● Related to generalized CRLF Injection
       ○ Carriage Return + Line Feed: \r\n (the carriage return \r on its own also breaks a line in many viewers, so it must be neutralized too)
       ○ CWE-93

  3. Examples
     Unsafe mode: the shell's $'...' quoting turns each \n into a real line feed, and java.util.logging's default SimpleFormatter writes every record as a date/source header line followed by a LEVEL: message line, so the two injected lines look like a second, genuine record:

     $ java ArgumentLogger $'a normal event\nApr 25, 2012 1:26:19 PM ArgumentLogger main\nWARN: Attack suspected at 129.21.208.62'
     Sep 02, 2020 9:05:58 AM ArgumentLogger main      // REAL
     INFO: a normal event                             // REAL
     Apr 25, 2012 1:26:19 PM ArgumentLogger main      // FAKE
     WARN: Attack suspected at 129.21.208.62          // FAKE

     Safe mode: the same input, with \n and \r replaced by _ before it is logged, stays a single record:

     $ java ArgumentLogger --safe $'a normal event\nApr 25, 2012 1:26:19 PM ArgumentLogger main\nWARN: Attack suspected at 129.21.208.62'
     Sep 02, 2020 9:06:29 AM ArgumentLogger main
     INFO: a normal event_Apr 25, 2012 1:26:19 PM ArgumentLogger main_WARN: Attack suspected at 129.21.208.62

  4. Examples

     import java.util.logging.Logger;

     public class ArgumentLogger {
         private static final Logger log = Logger.getLogger(ArgumentLogger.class.getName());

         public static void main(String[] args) {
             System.out.println("Logging commandline arguments:");
             if (args.length > 0) {
                 if (args[0].equals("--safe") && args.length > 1) {
                     // Log safely: replace line feeds and carriage returns so the
                     // attacker-controlled value cannot start a new log line (log forgery)
                     System.out.println("Safe mode enabled.");
                     String clean = args[1].replace('\n', '_').replace('\r', '_');
                     log.info(clean);
                 } else {
                     // Log unsafely: the argument is written verbatim, newlines included (CWE-117)
                     log.info(args[0]);
                 }
             }
         }
     }

  5. Examples
     ● PayPal
       ○ Attackers entered false payment entries
       ○ CVE-2006-0201

  6. Mitigations
     ● Don't allow newlines in your log entries
       ○ Remove them entirely (or encode them as visible escapes such as \n, which also keeps evidence of the attempt in the entry itself)
     ● Depending on what tools are used to analyze logs, neutralizing the carriage return (\r) and line feed (\n) characters might not be enough
       ○ Consider <br> if you view logs online: a browser-based viewer renders an injected <br> as a line break, so HTML-encode the entry as well
     ● Don't forget to log the situation where a newline is injected: the injection attempt is itself a security event worth recording
     ● Of course, even with log neutralization, if the attacker has read/write access to the actual log files, you're out of luck
       ○ Encrypt your logs (encryption alone does not reveal edits, so also sign or hash-chain them if you need to detect tampering)
       ○ Store them remotely
       ○ Log manual changes to logs
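The mitigations above applied to Python's standard logging module, as an added example that is not part of the slides or of the course's ArgumentLogger. It plays the same attack string the slide feeds to ArgumentLogger through a logger once unneutralized (three physical lines, two of them forged) and once through a logging.Filter that escapes line breaks and appends a marker recording that it did so. The NeutralizeFilter class, the "[log-neutralized: ...]" marker text and the demo logger names are this example's own choices. It goes one step beyond the slide: it escapes every character that Python's str.splitlines() treats as a line boundary (form feed, NEL, U+2028, ...), not only \r and \n, and can HTML-escape the entry for browser-based viewers.

```python
"""Log neutralization for Python's logging module (added example, not from the slides)."""
import html
import io
import logging
import re
from typing import List, Tuple

# Every character that str.splitlines() treats as a line boundary. A viewer that
# splits on any of these (not just \r and \n) would otherwise still show a forged line.
LINE_BREAKS = re.compile("[\n\r\v\f\x1c\x1d\x1e\x85\u2028\u2029]")


def neutralize(text: str, html_safe: bool = False) -> Tuple[str, int]:
    """Escape line-break characters; return (cleaned text, number of characters escaped).

    Breaks become visible escapes (\\n, \\r, \\u2028, ...) instead of being dropped,
    so the attempt stays evident in the entry. With html_safe=True the result is
    also HTML-escaped, so an injected <br> cannot break a line in a web log viewer.
    """
    count = 0

    def escape(match: re.Match) -> str:
        nonlocal count
        count += 1
        return match.group(0).encode("unicode_escape").decode("ascii")

    cleaned = LINE_BREAKS.sub(escape, text)
    if html_safe:
        cleaned = html.escape(cleaned, quote=True)
    return cleaned, count


class NeutralizeFilter(logging.Filter):
    """Sanitize each record's final message before any handler formats it.

    Records that needed neutralization get a marker appended, so the injection
    attempt is itself logged. (Filter and marker text are this example's own design.)
    """

    def __init__(self, html_safe: bool = False):
        super().__init__()
        self.html_safe = html_safe

    def filter(self, record: logging.LogRecord) -> bool:
        if hasattr(record, "neutralized"):  # already processed by another instance
            return True
        cleaned, count = neutralize(record.getMessage(), self.html_safe)
        if count:
            cleaned += f" [log-neutralized: {count} line break(s) escaped]"
        record.msg, record.args = cleaned, ()  # args=() stops further %-formatting
        record.neutralized = count
        return True


# Constructed payload: the same string the slide passes to ArgumentLogger.
FORGED = ("a normal event\n"
          "Apr 25, 2012 1:26:19 PM ArgumentLogger main\n"
          "WARN: Attack suspected at 129.21.208.62")


def render(message: str, safe: bool) -> List[str]:
    """Log `message` to an in-memory stream and return the physical lines written.

    The format omits timestamps so the output is deterministic.
    """
    logger = logging.getLogger("demo.safe" if safe else "demo.unsafe")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    if safe:
        logger.addFilter(NeutralizeFilter())
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("unsafe:")
    for line in render(FORGED, safe=False):
        print("  " + line)  # three lines: one real record, two forged
    print("safe:")
    for line in render(FORGED, safe=True):
        print("  " + line)  # one line, ending in the neutralization marker
```

Escaping rather than deleting the characters is a deliberate choice: the underscore substitution on the slide also prevents forgery, but `\n` in the output tells the investigator exactly what was attempted. Doing the work in a Filter attached to the logger, rather than in a Formatter, means every handler (file, syslog, console) receives the already-neutralized message, and the marker is part of the same entry, which satisfies the "log the situation where a newline is injected" point without emitting a second record from inside the logging call.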

  7. Notes
     ● This vulnerability is only a repudiation (auditability) threat
     ● By itself, this is pretty innocuous (not very harmful)
       ○ In conjunction with other attacks, an attacker can forge logs with false information to throw off post-exploit investigation
     ● Attackers with access to previous (or similar) logs can easily reverse-engineer patterns, making forgeries indistinguishable
       ○ CAPEC-93
     ● Strangely enough, common logging libraries (e.g. log4j, java.util.logging) don't have an option to remove newlines
       ○ Caveat: Log4j 2's PatternLayout is the exception, with its %enc{%m}{CRLF} and %replace converters; java.util.logging has no equivalent, so you must sanitize before the call or install a custom Formatter
