[32357] in bugtraq
Re: Six Step IE Remote Compromise Cache Attack
daemon@ATHENA.MIT.EDU (Goetz Babin-Ebell)
Mon Nov 10 14:20:19 2003
Message-ID: <3FAFCA02.30803@trustcenter.de>
Date: Mon, 10 Nov 2003 18:25:22 +0100
From: Goetz Babin-Ebell <babin-ebell@trustcenter.de>
MIME-Version: 1.0
To: "Steven M. Christey" <coley@mitre.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <200311072031.hA7KVw1k024556@linus.mitre.org>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms040307080109070401060206"
--------------ms040307080109070401060206
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hello Steven,
Steven M. Christey wrote:
> Paul Schmehl said:
>>We need a paradigm shift in programming from "allow all but the
>>known bad" to "disallow all but the known good", don't we?
>
>
> We need a little bit more than that, because our understanding of
> "what's bad" increases with time, and that frequently reduces the set
> of "what's good."
Yes.
But wrongly rejecting good input has no security implications.
But wrongly accepting bad input has.
> Unfortunately, it was subject to a CRLF injection vulnerability, which
> was not publicly known at the time the application had been developed.
> And the CRLF injection attack normally would not have worked thanks to
> the app's design, except the web application had a "feature" (perhaps
> accidental) in which a customized control file could define new fields
> that should have been labeled immutable, but were not.
But this is a case of wrongly accepting bad input.
Only accepting known good inputs would reject CRLF...
> As a different example, consider directory traversal issues in which
> ".." sequences are separated by illegal characters that are filtered
> out only *after* the ".." check is performed. The process goes like:
>
> 1) Software checks for ".." sequences and generates an error if any
> are found
> 2) Software cleanses and canonicalizes the input
>
> Such software could be subject to directory traversal via a ".|."
> sequence that isn't found in step 1, but the "|" gets removed in step
> 2; or maybe a "%2e%2e" URL encoding would work.
Here we have 2 problems:
1. The processing of the input was done in the wrong order.
2. The software shold not filter out illegal input,
but reject it.
With that the order of the input processing would not matter
You have to:
1. cannonilaize the input
2. check for any not allowed characters
3. check for ".." sequences.
And all 3 steps should generate an error
if something illegal was found.
> While this may be an example of an "allow all but known bad" approach,
> there are also lessons to be learned about designing the software so
> that security-sensitive operations are performed in the proper order.
Yep.
> In addition, there's a need to know and explicitly model which
> vulnerabilities a piece of data may be exposed to at different points
> in time. It's not just "known good," it's "known good under a
> specific context at a specific time."
I don't think we should primarily look for vulnerabilities,
but we all should spend more time on the definition of allowed input
and reject all that is not in these limits.
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
--------------ms040307080109070401060206
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIIkDCC
BEQwggOtoAMCAQICDwCQHgAAAAJOQu0jEgf3pTANBgkqhkiG9w0BAQUFADCBvDELMAkGA1UE
BhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoTMVRD
IFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgxIjAgBgNV
BAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExKTAnBgkqhkiG9w0BCQEWGmNlcnRpZmlj
YXRlQHRydXN0Y2VudGVyLmRlMB4XDTAzMDIxMDE0NDI1MFoXDTA0MDIxMDE0NDI1MFowgaox
CzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMRowGAYD
VQQKExFUQyBUcnVzdENlbnRlciBBRzEUMBIGA1UECxMLRW50d2lja2x1bmcxGjAYBgNVBAMT
EUdvZXR6IEJhYmluLUViZWxsMSkwJwYJKoZIhvcNAQkBFhpiYWJpbi1lYmVsbEB0cnVzdGNl
bnRlci5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALB6adN6EChrpAbT5KV1
ceRRIDAoGnz2gsBoFI2BwJLS+RpuIZfdJOepm4crg3X6LXrMKwSF/lshFeHrVPtLzabgLGyF
SujsJP0z3u7f4XNYCGHl4UbyPkYboIP9GC/DRtsknO1YfJUy/4yKBG4VjJ4AP6vZTEQey6jm
xelsK2ek4vwRfUjs/z9UcZmtj4ipiHP6IqFyydDTLarn1jWHUu2zFnJzryZ6mXdOUPihCOFG
D+c1KFksZ1VscgDpKygTQcIg/VItmbeFkhOj9IkboOyiVKvvfhujlxmdm9ACt22MjMrB0RAb
9TR1DgXlyofwykKAK+GM8Cu8jcKaJjvfhaMCAwEAAaOB0zCB0DAMBgNVHRMBAf8EAjAAMA4G
A1UdDwEB/wQEAwIF4DA+BglghkgBhvhCAQgEMRYvaHR0cDovL3d3dy50cnVzdGNlbnRlci5k
ZS9ndWlkZWxpbmVzL2luZGV4Lmh0bWwwEQYJYIZIAYb4QgEBBAQDAgWgMF0GCWCGSAGG+EIB
AwRQFk5odHRwczovL3d3dy50cnVzdGNlbnRlci5kZS9jZ2ktYmluL2NoZWNrLXJldi5jZ2kv
OTAxRTAwMDAwMDAyNEU0MkVEMjMxMjA3RjdBNT8wDQYJKoZIhvcNAQEFBQADgYEAObOwuCFG
0HmVvCm8llpJ3qsBqtZgFyUT0wuz8JG6CZjHn5lwvOg+8m8huKrE5oGEQIo9EwLcFLDNVsxB
CiwjX2juU3JQl2Hs2smUyHkOqg+W0COetRp+PcDAk4hk0Mth5A3bDy3FrzyhbjpYjAZTvnsY
9+QYmJm5cGWBJK9I7kIwggREMIIDraADAgECAg8AkB4AAAACTkLtIxIH96UwDQYJKoZIhvcN
AQEFBQAwgbwxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1i
dXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3
b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAzIENBMSkwJwYJKoZI
hvcNAQkBFhpjZXJ0aWZpY2F0ZUB0cnVzdGNlbnRlci5kZTAeFw0wMzAyMTAxNDQyNTBaFw0w
NDAyMTAxNDQyNTBaMIGqMQswCQYDVQQGEwJERTEQMA4GA1UECBMHSGFtYnVyZzEQMA4GA1UE
BxMHSGFtYnVyZzEaMBgGA1UEChMRVEMgVHJ1c3RDZW50ZXIgQUcxFDASBgNVBAsTC0VudHdp
Y2tsdW5nMRowGAYDVQQDExFHb2V0eiBCYWJpbi1FYmVsbDEpMCcGCSqGSIb3DQEJARYaYmFi
aW4tZWJlbGxAdHJ1c3RjZW50ZXIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCwemnTehAoa6QG0+SldXHkUSAwKBp89oLAaBSNgcCS0vkabiGX3STnqZuHK4N1+i16zCsE
hf5bIRXh61T7S82m4CxshUro7CT9M97u3+FzWAhh5eFG8j5GG6CD/Rgvw0bbJJztWHyVMv+M
igRuFYyeAD+r2UxEHsuo5sXpbCtnpOL8EX1I7P8/VHGZrY+IqYhz+iKhcsnQ0y2q59Y1h1Lt
sxZyc68mepl3TlD4oQjhRg/nNShZLGdVbHIA6SsoE0HCIP1SLZm3hZITo/SJG6DsolSr734b
o5cZnZvQArdtjIzKwdEQG/U0dQ4F5cqH8MpCgCvhjPArvI3CmiY734WjAgMBAAGjgdMwgdAw
DAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwPgYJYIZIAYb4QgEIBDEWL2h0dHA6Ly93
d3cudHJ1c3RjZW50ZXIuZGUvZ3VpZGVsaW5lcy9pbmRleC5odG1sMBEGCWCGSAGG+EIBAQQE
AwIFoDBdBglghkgBhvhCAQMEUBZOaHR0cHM6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2dpLWJp
bi9jaGVjay1yZXYuY2dpLzkwMUUwMDAwMDAwMjRFNDJFRDIzMTIwN0Y3QTU/MA0GCSqGSIb3
DQEBBQUAA4GBADmzsLghRtB5lbwpvJZaSd6rAarWYBclE9MLs/CRugmYx5+ZcLzoPvJvIbiq
xOaBhECKPRMC3BSwzVbMQQosI19o7lNyUJdh7NrJlMh5DqoPltAjnrUafj3AwJOIZNDLYeQN
2w8txa88oW46WIwGU757GPfkGJiZuXBlgSSvSO5CMYIEdzCCBHMCAQEwgdAwgbwxCzAJBgNV
BAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFU
QyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYD
VQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAzIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZp
Y2F0ZUB0cnVzdGNlbnRlci5kZQIPAJAeAAAAAk5C7SMSB/elMAkGBSsOAwIaBQCgggJ7MBgG
CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTAzMTExMDE3MjUyMlow
IwYJKoZIhvcNAQkEMRYEFKV9l4Gfq3MV8C0MAUdhyUQGGz6aMFIGCSqGSIb3DQEJDzFFMEMw
CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0G
CCqGSIb3DQMCAgEoMIHhBgkrBgEEAYI3EAQxgdMwgdAwgbwxCzAJBgNVBAYTAkRFMRAwDgYD
VQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzFUQyBUcnVzdENlbnRl
ciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAYDVQQLExlUQyBUcnVz
dENlbnRlciBDbGFzcyAzIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZpY2F0ZUB0cnVzdGNl
bnRlci5kZQIPAJAeAAAAAk5C7SMSB/elMIHjBgsqhkiG9w0BCRACCzGB06CB0DCBvDELMAkG
A1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAoT
MVRDIFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgxIjAg
BgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExKTAnBgkqhkiG9w0BCQEWGmNlcnRp
ZmljYXRlQHRydXN0Y2VudGVyLmRlAg8AkB4AAAACTkLtIxIH96UwDQYJKoZIhvcNAQEBBQAE
ggEAqcrX+Mp11Y5diV1p39T4Qn6sXXEF0kyMQq7xcZ12f8CN4K/SaDG3nyXY7mx85BPaRC+R
8fC2TsXveTrSO01vGWRfT4jwsiBpM5OEj1c0LcY9GRwIHDMWutra7Cn/UhlvoQNd6Xo6FtFR
K6YrmmFKR0p8fxBEJON5++2ocgym/ge8korDq49MyXCfv/+v7hQ6xOa3+YayHDTItdSBWgVE
LF0LM3laN9mH7Hn9c+QYPmNqa8/2u8VOUzEg3qEspqhvpjcpDjhnfwkzMdQJT2n4CDVxO9X6
3bTftD8Yh5W7YjMIEYA0bybR+f1PKKc2WQHu5ULp1k9nKVGbCSwcvgYfrwAAAAAAAA==
--------------ms040307080109070401060206--
