

Slide 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

VOTD: Log Neutralization

Engineering Secure Software

Last Revised: September 2, 2020

Slide 2

What is Log Neutralization?

  • If you allow newlines (\n) in your log entries, then attackers can forge log entries (inject false log data), throwing off investigations

  • CWE-117
  • Related to generalized CRLF Injection

    ○ Carriage Return (\r) + Line Feed (\n)
    ○ CWE-93


Slide 3

Examples


$ java ArgumentLogger $'a normal event\nApr 25, 2012 1:26:19 PM ArgumentLogger main\nWARN: Attack suspected at 129.21.208.62'
Sep 02, 2020 9:05:58 AM ArgumentLogger main        // REAL
INFO: a normal event                                // REAL
Apr 25, 2012 1:26:19 PM ArgumentLogger main        // FAKE
WARN: Attack suspected at 129.21.208.62            // FAKE

$ java ArgumentLogger --safe $'a normal event\nApr 25, 2012 1:26:19 PM ArgumentLogger main\nWARN: Attack suspected at 129.21.208.62'
Sep 02, 2020 9:06:29 AM ArgumentLogger main
INFO: a normal event_Apr 25, 2012 1:26:19 PM ArgumentLogger main_WARN: Attack suspected at 129.21.208.62

Slide 4

Examples


import java.util.logging.Logger;

public class ArgumentLogger {
    private static Logger log = Logger.getLogger(ArgumentLogger.class.getName());

    public static void main(String[] args) {
        System.out.println("Logging commandline arguments:");
        if (args.length > 0) {
            // Log safely
            if (args[0].equals("--safe") && args.length > 1) {
                System.out.println("Safe mode enabled.");
                // Replace newlines and carriage returns to avoid log forgery
                String clean = args[1].replace('\n', '_').replace('\r', '_');
                log.info(clean);
            // Log unsafely: the argument goes into the log untouched
            } else {
                log.info(args[0]);
            }
        }
    }
}

Slide 5

Examples

  • PayPal

    ○ Attackers entered false payment entries
    ○ CVE-2006-0201


Slide 6

Mitigations

  • Don’t allow newlines in your log entries
    ○ Remove them entirely
  • Depending on what tools are used to analyze logs, removing the carriage return (\r) character as well might not be enough
    ○ Consider <br> if you view logs online
  • Don’t forget to log the situation where a newline is injected
  • Of course, even with log neutralization, if the attacker has read/write access to the actual log files, you’re out of luck
    ○ Encrypt your logs
    ○ Store them remotely
    ○ Log manual changes to logs


Slide 7

Notes

  • This vulnerability is only a repudiation (auditability) threat
  • By itself, this is pretty innocuous (not very harmful)
    ○ In conjunction with other attacks, an attacker can forge logs with false information to throw off post-exploit investigation
  • Attackers with access to previous (or similar) logs can easily reverse-engineer patterns, making forgeries indistinguishable
    ○ CAPEC-93
  • Strangely enough, common logging libraries (e.g. log4j, java.util.logging) don’t have an option to remove newlines
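Slide 7's point that a naive forgery is detectable while a format-aware one is not, as an added example that is not part of the slides: a small checker for java.util.logging SimpleFormatter output (the two-line "timestamp Class method" / "LEVEL: message" records seen on slide 3) that flags any record whose timestamp runs backwards. The sample input is the unsafe run from slide 3, reproduced as a constructed string; the regexes, the strict two-line record layout and the record field names are my own assumptions. Against this input the forged "Apr 25, 2012" record is flagged, but a forgery that copied the real format with a plausible timestamp would pass, which is exactly the slide's warning.

```python
import re
from datetime import datetime

# Added example (not from the slides): flag backdated records in
# java.util.logging SimpleFormatter output.

# Header line: "Sep 02, 2020 9:05:58 AM ArgumentLogger main"
_HEADER = re.compile(
    r"^(\w{3} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
# Body line: "INFO: a normal event"
_BODY = re.compile(r"^([A-Z]+): (.*)$")
_TS_FORMAT = "%b %d, %Y %I:%M:%S %p"


def parse_records(text):
    """Pair each header line with the body line that follows it and return
    a list of dicts; lines that do not form a header/body pair are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    i = 0
    while i + 1 < len(lines):
        head, body = _HEADER.match(lines[i]), _BODY.match(lines[i + 1])
        if head and body:
            records.append({
                "time": datetime.strptime(head.group(1), _TS_FORMAT),
                "source": head.group(2) + " " + head.group(3),
                "level": body.group(1),
                "message": body.group(2),
            })
            i += 2
        else:
            i += 1  # not a well-formed record pair; move on by one line
    return records


def find_backdated(records):
    """Return the indexes of records whose timestamp is earlier than the
    record before them. A real, append-only log never goes backwards, so a
    backdated record is a cheap signal of a forged entry."""
    return [idx for idx in range(1, len(records))
            if records[idx]["time"] < records[idx - 1]["time"]]


# Constructed sample: the unsafe ArgumentLogger run from slide 3.
UNSAFE_RUN = """\
Sep 02, 2020 9:05:58 AM ArgumentLogger main
INFO: a normal event
Apr 25, 2012 1:26:19 PM ArgumentLogger main
WARN: Attack suspected at 129.21.208.62
"""

if __name__ == "__main__":
    recs = parse_records(UNSAFE_RUN)
    for idx in find_backdated(recs):
        r = recs[idx]
        print("suspicious record %d: %s %s: %s" % (idx, r["time"], r["level"], r["message"]))
```

The check is deliberately weak: it only catches an attacker who pasted an old timestamp. It is included to show why the slide says forgeries become indistinguishable once the attacker has seen real entries, and why the real fix is neutralization at write time plus protecting the log files themselves.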
