Bugtraq mailing list archives
Re: New Whitepaper - "Second-order Code Injection Attacks"
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 01 Nov 2004 17:45:51 -0800
I found an instance of this class of vulnerability in 1998 where an attacker could inject code into the "locate" database, which would later be executed when root tried to do a locate on some path name http://msgs.securepoint.com/cgi-bin/get/bugtraq/601/1.html
Mine was not the first such"secondary code injection" attack. It was a consequence of exploring a PoC by MiG for a buffer overflow vulnerability in bash, where in a tall directory tree would overflow bash when you try to cd into that directory and you have the pwd set to be part of your prompt. At the time, it did not occur to me that it was a special kind of buffer overflow.
Crispin Gunter Ollmann wrote:
Hi list, NGS Software is pleased to make available a new whitepaper about second-order code injection attacks. Abstract: "Many forms of code injection targeted at web-based applications (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user's current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack. A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim." The paper can be accessed from: http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf Cheers, Gunter ------------------------------------------------------ G u n t e r O l l m a n n, MSc(Hons), BScProfessional Services Director Next Generation Security Software Ltd. First Floor, 52 Throwley Way Tel: +44 (0)208 401 0089Sutton, Surrey, SM1 4BF, UK Fax: +44 (0)208 401 0076http://www.nextgenss.com ------------------------------------------------------
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Current thread:
- New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 01)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Crispin Cowan (Nov 02)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jeff Williams (Nov 02)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Nicolas Gregoire (Nov 03)
- <Possible follow-ups>
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 02)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 05)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Crispin Cowan (Nov 02)