OWASP - User contributions [en]

Binary planting

2010-08-21T17:48:59Z

Mitjak:

{{Template:Attack}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

[[Binary planting]] is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to some local or remote file system location in order for a vulnerable application to load and execute it.

There can be various reasons why an application would load a malicious binary:

# Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location. (A typical example is an application installer not properly setting access permissions on application directories.)
# One application may be used for planting a malicious binary in another application's trusted location. (An example is the Internet Explorer - Safari blended threat vulnerability)
# The application searches for a binary in untrusted locations, possibly on remote file systems. (A typical example is a Windows application loading a dynamic link library from the current working directory after the latter has been set to a network shared folder.)

==Risk Factors==

TBD

==Examples==

=== Insecure Access Permissions-based Attack ===

# A Windows application installer creates a root directory (C:\Application) and installs the application in it, but fails to limit write access to the directory for non-privileged users.
# Suppose the application (C:\Application\App.exe) loads the WININET.DLL library by calling LoadLibrary("WININET.DLL"). This library is expected to be found in the Windows System32 folder.
# Local user A plants a malicious WININET.DLL library in C:\Application
# Local user B launches the application, which loads and executes the malicious WININET.DLL instead of the legitimate one.

=== Current Working Directroy-based Attack ===

# Suppose a Windows application loads the DWMAPI.DLL library by calling LoadLibrary("DWMAPI.DLL"). This library is expected to be found in the Windows System32 folder, but only exists on Windows Vista and Windows 7.
# Suppose the application is associated with the ".bp" file extension.
# The attacker sets up a network shared folder and places files honeypot.bp and DWMAPI.DLL in this folder (possibly marking the latter as hidden).
# The attacker invites a Windows XP user to visit the shared folder with Windows Explorer.
# When the user double-clicks on honeypot.bp, user's Windows Explorer sets the current working directory to the remote share and launches the application for opening the file.
# The application tries to load DWMAPI.DLL, but failing to find it in the Windows system directories, it loads and executes it from the attacker's network share.

==Related [[Threat Agents]]==

* [[:Category:Internet_attacker]]
* [[:Category:Intranet_attacker]]

==Related [[Attacks]]==

* [[:Category:Embedded Malicious Code]]
* [[Code Injection]]

==Related [[Vulnerabilities]]==

* [[Portability Flaw]]
* [[Process Control]]

==Related [[Controls]]==

TBD

==References==

* [http://cwe.mitre.org/data/definitions/114.html CWE-114: Process Control]
* [http://www.securityfocus.com/archive/1/510426 Elevation of Privilege Vulnerability in iTunes for Windows] - example of Insecure Access Permissions-based Attack
* [http://www.securityfocus.com/archive/1/513190 Remote Binary Planting in Apple iTunes for Windows] - example of Current Working Directroy-based Attack

__NOTOC__

[[Category:Attack]]

Binary planting

2010-08-20T01:22:39Z

Mitjak: /* References */

Binary planting

2010-08-20T01:21:42Z

Mitjak: /* Risk Factors */

{{Template:Attack}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

[[Binary planting]] is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to some local or remote file system location in order for a vulnerable application to load and execute it.

There can be various reasons why an application would load a malicious binary:

# Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location. (A typical example is an application installer not properly setting access permissions on application directories.)
# One application may be used for planting a malicious binary in another application's trusted location. (An example is the Internet Explorer - Safari blended threat vulnerability)
# The application searches for a binary in untrusted locations, possibly on remote file systems. (A typical example is a Windows application loading a dynamic link library from the current working directory after the latter has been set to a network shared folder.)

==Risk Factors==

TBD

==Examples==

=== Insecure Access Permissions-based Attack ===

# A Windows application installer creates a root directory (C:\Application) and installs the application in it, but fails to limit write access to the directory for non-privileged users.
# Suppose the application (C:\Application\App.exe) loads the WININET.DLL library by calling LoadLibrary("WININET.DLL"). This library is expected to be found in the Windows System32 folder.
# Local user A plants a malicious WININET.DLL library in C:\Application
# Local user B launches the application, which loads and executes the malicious WININET.DLL instead of the legitimate one.

=== Current Working Directroy-based Attack ===

# Suppose a Windows application loads the DWMAPI.DLL library by calling LoadLibrary("DWMAPI.DLL"). This library is expected to be found in the Windows System32 folder, but only exists on Windows Vista and Windows 7.
# Suppose the application is associated with the ".bp" file extension.
# The attacker sets up a network shared folder and places files honeypot.bp and DWMAPI.DLL in this folder (possibly marking the latter as hidden).
# The attacker invites a Windows XP user to visit the shared folder with Windows Explorer.
# When the user double-clicks on honeypot.bp, user's Windows Explorer sets the current working directory to the remote share and launches the application for opening the file.
# The application tries to load DWMAPI.DLL, but failing to find it in the Windows system directories, it loads and executes it from the attacker's network share.

==Related [[Threat Agents]]==

* [[:Category:Internet_attacker]]
* [[:Category:Intranet_attacker]]

==Related [[Attacks]]==

* [[:Category:Embedded Malicious Code]]
* [[Code Injection]]

==Related [[Vulnerabilities]]==

* [[Portability Flaw]]
* [[Process Control]]

==Related [[Controls]]==

TBD

==References==

'''Note1:''' A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:

* [http://cwe.mitre.org/data/definitions/114.html CWE-114: Process Control]
* [http://www.securityfocus.com/archive/1/510426 Elevation of Privilege Vulnerability in iTunes for Windows] - example of Insecure Access Permissions-based Attack
* [http://www.securityfocus.com/archive/1/513190 Remote Binary Planting in Apple iTunes for Windows] - example of Current Working Directroy-based Attack

__NOTOC__

Binary planting

2010-08-20T01:19:30Z

Mitjak: Created page with '{{Template:Attack}} Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' ==Description== Binary planting is a general term for an attack wher…'

{{Template:Attack}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

[[Binary planting]] is a general term for an attack where the attacker places (i.e., plants) a binary file containing malicious code to some local or remote file system location in order for a vulnerable application to load and execute it.

There can be various reasons why an application would load a malicious binary:

# Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location. (A typical example is an application installer not properly setting access permissions on application directories.)
# One application may be used for planting a malicious binary in another application's trusted location. (An example is the Internet Explorer - Safari blended threat vulnerability)
# The application searches for a binary in untrusted locations, possibly on remote file systems. (A typical example is a Windows application loading a dynamic link library from the current working directory after the latter has been set to a network shared folder.)

==Risk Factors==

* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this attack likely or unlikely to actually happen
* You can mention the likely technical impact of an attack
* The [business impact] of an attack is probably conjecture, leave it out unless you're sure

==Examples==

=== Insecure Access Permissions-based Attack ===

# A Windows application installer creates a root directory (C:\Application) and installs the application in it, but fails to limit write access to the directory for non-privileged users.
# Suppose the application (C:\Application\App.exe) loads the WININET.DLL library by calling LoadLibrary("WININET.DLL"). This library is expected to be found in the Windows System32 folder.
# Local user A plants a malicious WININET.DLL library in C:\Application
# Local user B launches the application, which loads and executes the malicious WININET.DLL instead of the legitimate one.

=== Current Working Directroy-based Attack ===

# Suppose a Windows application loads the DWMAPI.DLL library by calling LoadLibrary("DWMAPI.DLL"). This library is expected to be found in the Windows System32 folder, but only exists on Windows Vista and Windows 7.
# Suppose the application is associated with the ".bp" file extension.
# The attacker sets up a network shared folder and places files honeypot.bp and DWMAPI.DLL in this folder (possibly marking the latter as hidden).
# The attacker invites a Windows XP user to visit the shared folder with Windows Explorer.
# When the user double-clicks on honeypot.bp, user's Windows Explorer sets the current working directory to the remote share and launches the application for opening the file.
# The application tries to load DWMAPI.DLL, but failing to find it in the Windows system directories, it loads and executes it from the attacker's network share.

==Related [[Threat Agents]]==

* [[:Category:Internet_attacker]]
* [[:Category:Intranet_attacker]]

==Related [[Attacks]]==

* [[:Category:Embedded Malicious Code]]
* [[Code Injection]]

==Related [[Vulnerabilities]]==

* [[Portability Flaw]]
* [[Process Control]]

==Related [[Controls]]==

TBD

==References==

'''Note1:''' A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:

* [http://cwe.mitre.org/data/definitions/114.html CWE-114: Process Control]
* [http://www.securityfocus.com/archive/1/510426 Elevation of Privilege Vulnerability in iTunes for Windows] - example of Insecure Access Permissions-based Attack
* [http://www.securityfocus.com/archive/1/513190 Remote Binary Planting in Apple iTunes for Windows] - example of Current Working Directroy-based Attack

__NOTOC__

Session Fixation

2006-09-29T12:46:21Z

Mitjak: /* References */

{{Template:Vulnerability}}
{{Template:Fortify}}

==Abstract==

Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

==Description==

Session fixation vulnerabilities occur when:

# A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
# An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.

In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to authenticate against the server using that session identifier, giving the attacker access to the user's account through the active session.

'''Example'''

The following example shows a snippet of code from a J2EE web application where the application authenticates users with LoginContext.login() without first calling HttpSession.invalidate().

<pre>
private void auth(LoginContext lc, HttpSession session) throws LoginException {
...
lc.login();
...
}
</pre>

In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page. Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application. The code responsible for authenticating the victim continues to use the pre-existing session identifier, now the attacker simply uses the session identifier recorded earlier to access the victim's active session, providing nearly unrestricted access to the victim's account for the lifetime of the session.

Even given a vulnerable application, the success of the specific attack described here is dependent on several factors working in the favor of the attacker: access to an unmonitored public terminal, the ability to keep the compromised session active and a victim interested in logging into the vulnerable application on the public terminal. In most circumstances, the first two challenges are surmountable given a sufficient investment of time. Finding a victim who is both using a public terminal and interested in logging into the vulnerable application is possible as well, so long as the site is reasonably popular. The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above.

The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker. In the example above, the attacker did this through a direct method that is not subtle and does not scale suitably for attacks involving less well-known web sites. However, do not be lulled into complacency; attackers have many tools in their belts that help bypass the limitations of this attack vector. The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [1]. By tricking the victim into submitting a malicious request to a vulnerable application that reflects JavaScript or other code back to the victim's browser, an attacker can create a cookie that will cause the victim to reuse a session identifier controlled by the attacker.

It is worth noting that cookies are often tied to the top level domain associated with a given URL. If multiple applications reside on the same top level domain, such as bank.example.com and recipes.example.com, a vulnerability in one application can allow an attacker to set a cookie with a fixed session identifier that will be used in all interactions with any application on the domain example.com [2].

Other attack vectors include DNS poisoning and related network based attacks where an attacker causes the user to visit a malicious site by redirecting a request for a valid site. Network based attacks typically involve a physical presence on the victim's network or control of a compromised machine on the network, which makes them harder to exploit remotely, but their significance should not be overlooked. Less secure session management mechanisms, such as the default implementation in Apache Tomcat, allow session identifiers normally expected in a cookie to be specified on the URL as well, which enables an attacker to cause a victim to use a fixed session identifier simply by emailing a malicious URL.

==Related Threats==

==Related Attacks==

[[Session Hijacking]]

==Related Vulnerabilities==

==Related Countermeasures==

[[Category:Session Management]]

==References==

[1] Fortify Descriptions. http://vulncat.fortifysoftware.com.

[2] D. Whalen. The Unofficial Cookie FAQ. http://www.cookiecentral.com/faq/#3.3.

[3] ACROS Security. http://www.acrossecurity.com/papers/session_fixation.pdf.

==Categories==

{{Template:Stub}}

[[Category:Session Management Vulnerability]]

[[Category:Java]]

[[Category:Code Snippet]]