[32384] in bugtraq
Re: Six Step IE Remote Compromise Cache Attack
daemon@ATHENA.MIT.EDU (Goetz Babin-Ebell)
Tue Nov 11 18:22:32 2003
Message-ID: <3FB145CB.6080508@trustcenter.de>
Date: Tue, 11 Nov 2003 21:25:47 +0100
From: Goetz Babin-Ebell <babin-ebell@trustcenter.de>
MIME-Version: 1.0
To: Alun Jones <alun@texis.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <200311111714.hABHEY021618@mystic2.trustcenter.de>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000204080601000904010104"
Hello Alun,
Alun Jones wrote:
>>-----Original Message-----
>>From: Goetz Babin-Ebell [mailto:babin-ebell@trustcenter.de]
>>Sent: Monday, November 10, 2003 11:25 AM
>>
>>But wrongly rejecting good input has no security implications.
>>But wrongly accepting bad input has.
>
> Coding to satisfy only security implications, in a vacuum separated from the
> rest of the world, all the security bugs in the world can be fixed simply by
> removing all the features.
That is not what I said:
You define a field of accepted inputs (your white list).
All inputs that do not match the white list
are rejected with an error.
Now you have to study the errors with the supplied input.
If there is some input that should be accepted,
you have to adapt your white list.
(After testing that this input doesn't barf your program...)
> Wrongly rejecting good input has a very strong implication - your program
> fails to do what it is tasked with.
Only for those inputs where you are not sure
that it really does what it should do.
And that is good.
An error message is always better than a wrong result.
> You can call that a security
> implication, in that security's task is not just to prevent access by the
> unwashed, but also to allow, provide and facilitate access to those that are
> approved.
Your program has a function.
It gets some inputs, does some operations and generates some outputs.
There are 3 different kinds of inputs:
1. inputs for which you are sure it will generate correct output
2. inputs for which you are sure it will generate unwanted output
3. inputs for which you don't know what output it will generate
You want to generate error messages only for inputs of kind 2.
I want to generate error messages for inputs of kinds 2 & 3.
Let's have an example:
A program that gets a number and calculates the next number.
For some inputs it will generate correct outputs.
For other inputs you are either not sure or you know that
it will generate some wrong output.
The data type used is unsigned char.
The 1st version of the input test function is:
BOOL CheckInput(const char *in)
{
    if (!in)
        return FALSE;
    /* exactly one digit: 0..9 */
    if (in[0] >= '0' && in[0] <= '9' && !in[1])
        return TRUE;
    return FALSE;
}
This is OK until the first customer tries
the number 10 and gets an error message.
Reading (and testing) the code, we find:
there is no problem with 2 digit numbers.
So the 2nd version of the input test function is:
BOOL CheckInput(const char *in)
{
    if (!in)
        return FALSE;
    /* one digit: 0..9 */
    if (in[0] >= '0' && in[0] <= '9' && !in[1])
        return TRUE;
    /* two digits: 00..99 */
    if (in[0] >= '0' && in[0] <= '9' &&
        in[1] >= '0' && in[1] <= '9' && !in[2])
        return TRUE;
    return FALSE;
}
This is OK until the first customer tries
the number 100 and gets an error message.
Reading (and testing) the code, we find:
there is a problem with numbers bigger than 255.
So the 3rd version of the input test function is:
BOOL CheckInput(const char *in)
{
    if (!in)
        return FALSE;
    /* one digit: 0..9 */
    if (in[0] >= '0' && in[0] <= '9' && !in[1])
        return TRUE;
    /* two digits: 00..99 */
    if (in[0] >= '0' && in[0] <= '9' &&
        in[1] >= '0' && in[1] <= '9' && !in[2])
        return TRUE;
    /* three digits, 000..199: in[0] is the hundreds digit */
    if (in[0] >= '0' && in[0] <= '1' &&
        in[1] >= '0' && in[1] <= '9' &&
        in[2] >= '0' && in[2] <= '9' && !in[3])
        return TRUE;
    /* three digits, 200..249 */
    if (in[0] == '2' &&
        in[1] >= '0' && in[1] <= '4' &&
        in[2] >= '0' && in[2] <= '9' && !in[3])
        return TRUE;
    /* three digits, 250..255 */
    if (in[0] == '2' && in[1] == '5' &&
        in[2] >= '0' && in[2] <= '5' && !in[3])
        return TRUE;
    return FALSE;
}
Now we have found the real limits of the program.
But the important fact is:
For all input the program ever accepted,
it calculated the correct output.
> If all we are doing is trying to prevent unauthorised access, then all we
> have to do is turn off, unplug, and shred, our computers. There - security
> made easy.
I never said we should dump our computers.
I said our programs should only accept
input we are sure they process correctly.
Bye
Goetz
--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
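The same whitelist, written as an added example that is not part of Goetz's post: instead of enumerating digit patterns by hand, it parses the decimal string under a whitelist (ASCII digits only, at most three of them) and compares the value against a limit derived from the operation the program performs. The names (parse_uchar_whitelist, next_number, next_number_checked) and the assumption that "next number" means n + 1 computed in an unsigned char are mine; under that assumption 255 is also an input whose output is wrong, since 255 + 1 wraps to 0, so the limit the example uses is 254 rather than 255.

```c
#include <stdbool.h>
#include <stddef.h>
#include <limits.h>

/* Added example, not code from the original post. Assumption: the program
 * computes "next number" as n + 1 in an unsigned char, so the largest input
 * that still yields a correct output is UCHAR_MAX - 1 (254). */

#define MAX_INPUT_DIGITS 3   /* enough for 0..255; anything longer is out of range */

/* Whitelist parser: succeeds only if the whole string is 1..3 ASCII decimal
 * digits and the value is <= limit. NULL, empty strings, signs, whitespace,
 * letters, over-long strings and too-large values are all rejected. Leading
 * zeros ("007") are accepted because they still denote an in-range value. */
bool parse_uchar_whitelist(const char *in, unsigned limit, unsigned char *out)
{
    if (in == NULL || in[0] == '\0')
        return false;

    unsigned value = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (i >= MAX_INPUT_DIGITS)
            return false;                 /* too long to be in range */
        if (in[i] < '0' || in[i] > '9')
            return false;                 /* outside the whitelist alphabet */
        value = value * 10 + (unsigned)(in[i] - '0');   /* at most 999, no overflow */
    }
    if (value > limit)
        return false;                     /* kind 2/3 input: output would be wrong */
    *out = (unsigned char)value;
    return true;
}

/* The operation the mail describes, in the mail's data type.
 * next_number(255) wraps to 0, which is why 255 is not whitelisted. */
unsigned char next_number(unsigned char n)
{
    return (unsigned char)(n + 1);
}

/* Limit derived from the operation rather than typed in by hand. */
#define NEXT_NUMBER_MAX_INPUT (UCHAR_MAX - 1)

/* Front end: -1 for rejected input, otherwise the next number (1..255). */
int next_number_checked(const char *in)
{
    unsigned char n;
    if (!parse_uchar_whitelist(in, NEXT_NUMBER_MAX_INPUT, &n))
        return -1;
    return next_number(n);
}
```

Everything the hand-written CheckInput rejects (NULL, empty, letters, signs, leading whitespace, four or more digits) is still rejected, and the accepted range now follows from one constant instead of five digit-pattern branches, so widening the data type later means changing the limit, not rewriting the check.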