Bugtraq mailing list archives
RE: New Whitepaper - "Second-order Code Injection Attacks"
From: "Gunter Ollmann (NGS)" <gunter () ngssoftware com>
Date: Tue, 2 Nov 2004 22:04:38 -0000
Cool. I make no claims that this is a previously "undiscovered" security flaw. I myself have been exploiting these kinds of flaws in web-based applications for many years as well. However, the purpose of the paper is twofold.

[Classification] -- Firstly, the paper attempts to classify the second-order code injection attacks, and differentiate between other immediate effects of code injection into web applications. Hopefully making it a little easier for professional pentesters to explain the significance of their findings.

[Awareness] -- Secondly, too many organisations that I come across don't really understand what code injection is - everything is either cross-site scripting or SQL injection. I believe it is important to clearly differentiate between the code injection attacks - and to explain their significance within a corporate environment.

What gets me is that to properly assess the security of any modern web-based application nowadays, to properly check for second-order code injection attacks, security teams must also have access to and assess the supporting applications as well -- ranging from the customer-support applications reviewing client account details, through to centralised log analysis and management tools.

In way too many client pentesting reports I've written over the years, the exploitation of backend systems/processes through second-order code injection attacks was far more damaging to their corporate security than a bit of cross-site scripting and session hijacking on their exposed web application.

Cheers, Gunter
-----Original Message-----
From: Crispin Cowan [mailto:crispin () immunix com]
Sent: 02 November 2004 01:46
To: Gunter Ollmann
Cc: bugtraq () securityfocus com
Subject: Re: New Whitepaper - "Second-order Code Injection Attacks"

I found an instance of this class of vulnerability in 1998 where an attacker could inject code into the "locate" database, which would later be executed when root tried to do a locate on some path name http://msgs.securepoint.com/cgi-bin/get/bugtraq/601/1.html

Mine was not the first such "secondary code injection" attack. It was a consequence of exploring a PoC by MiG for a buffer overflow vulnerability in bash, wherein a tall directory tree would overflow bash when you try to cd into that directory and you have the pwd set to be part of your prompt. At the time, it did not occur to me that it was a special kind of buffer overflow.

Crispin

Gunter Ollmann wrote:

Hi list,

NGS Software is pleased to make available a new whitepaper about second-order code injection attacks.

Abstract: "Many forms of code injection targeted at web-based applications (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user's current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack. A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim."

The paper can be accessed from: http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf

Cheers, Gunter

------------------------------------------------------
Gunter Ollmann, MSc(Hons), BSc
Professional Services Director
Next Generation Security Software Ltd.
First Floor, 52 Throwley Way, Sutton, Surrey, SM1 4BF, UK
Tel: +44 (0)208 401 0089
Fax: +44 (0)208 401 0076
http://www.nextgenss.com
--------------------------------------------------------
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
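The pattern described in the abstract and in Gunter's point about supporting applications, shown as an added example (not code from the paper, from NGS, or from anyone in this thread): a front end that stores user input correctly with a parameterised INSERT, and a hypothetical back-end "support console" that later reads the stored value back and trusts it. The schema, the function names and the two sample user names are constructed for the illustration. The vulnerable console reuses the stored name in a string-formatted second query and echoes it into HTML unencoded; the hardened console parameterises the second query and encodes for the HTML context at the point of output, which is the mitigation for both second-order SQL injection and second-order cross-site scripting.

```python
import html
import sqlite3

# Constructed sample inputs: what an attacker could register as a display name.
# The front end stores them verbatim (correctly); the risk is where they are reused.
TAUTOLOGY_NAME = "x' OR 'a'='a"            # breaks out of a later string-built query
SCRIPT_NAME = "<script>alert(1)</script>"  # rendered later into an internal page


def make_db():
    """In-memory stand-in for the web application's data store (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    return db


def register(db, name):
    """Front end: parameterised INSERT, so first-order injection fails here.
    The attacker-controlled string is stored as data, which is the correct behaviour."""
    cur = db.execute("INSERT INTO users (name) VALUES (?)", (name,))
    db.commit()
    return cur.lastrowid


def add_note(db, owner, body):
    """Front end: a user's private notes, keyed by owner name (hypothetical schema)."""
    db.execute("INSERT INTO notes (owner, body) VALUES (?, ?)", (owner, body))
    db.commit()


def stored_name(db, user_id):
    """Both consoles read the name back from storage; from here on it is untrusted input again."""
    return db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def support_view_vulnerable(db, user_id):
    """Hypothetical support console that trusts stored data: the name is
    string-formatted into a second query (second-order SQL injection) and
    echoed into HTML without encoding (second-order XSS)."""
    name = stored_name(db, user_id)
    rows = db.execute(f"SELECT body FROM notes WHERE owner = '{name}'").fetchall()
    return {"html": f"<h1>{name}</h1>", "notes": [body for (body,) in rows]}


def support_view_hardened(db, user_id):
    """Same console with the fix applied at the point of use: parameterise the
    second query and encode for the HTML output context."""
    name = stored_name(db, user_id)
    rows = db.execute("SELECT body FROM notes WHERE owner = ?", (name,)).fetchall()
    return {"html": f"<h1>{html.escape(name)}</h1>", "notes": [body for (body,) in rows]}


def demo():
    """Populate the store and compare what each console exposes."""
    db = make_db()
    register(db, "alice")
    add_note(db, "alice", "alice private note")
    mallory = register(db, TAUTOLOGY_NAME)
    scripty = register(db, SCRIPT_NAME)
    return {
        # the tautology makes the string-built query match every owner
        "vuln_sqli": support_view_vulnerable(db, mallory)["notes"],
        "safe_sqli": support_view_hardened(db, mallory)["notes"],
        "vuln_xss": support_view_vulnerable(db, scripty)["html"],
        "safe_xss": support_view_hardened(db, scripty)["html"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the example makes is the one in the thread: the front end is not the bug, so testing only the exposed web application finds nothing. The consumer of the stored data (here a support console, in practice also log viewers and reporting tools) has to treat every value it reads from storage as untrusted at its own point of use, and the assessment has to cover those consumers too.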
Current thread:
- New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 01)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Crispin Cowan (Nov 02)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jeff Williams (Nov 02)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Nicolas Gregoire (Nov 03)
- <Possible follow-ups>
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 02)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 05)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Crispin Cowan (Nov 02)