RE: [WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths
- From: "Ory Segal" <osegal@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths
- Date: Wed, 15 Mar 2006 16:23:12 +0200
Hi,

Another interesting thing to note, which I totally agree with is:

Quote: "While technically possible, the truth is that they are just not
seen in the real world. Our experience at WhiteHat Security, having
assessed hundreds of Web sites and identified thousands of
vulnerabilities, shows that statistically, buffer overflows appear near
the bottom of the list of total discovered issues."

I've been around for quite a while, and I can't remember the last time I
have seen a Buffer Overflow in a custom-built web application. Anyone
else?

-Ory

________________________________
From: Ryan Barnett [mailto:rcbarnett@gmail.com]
Sent: Wednesday, March 15, 2006 15:42
To: ol@uncon.org
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths

The article you posted is a good read; however, it does not entirely
debunk the core message of Jeremiah's article. The SecurityFocus
article wanted to show that it would still be possible to execute a
blind buffer overflow against ISAPI extensions.

If we are not looking at the article examples in a lab view, but rather
a real world view, then the Vulnerability Requirements section becomes
important -

"There are very few necessary requirements of the vulnerability for
exploitation to be successful. If any type of filtering is being done on
our input, output from the extension would be required to display which
bytes are denied or modified.
The second and third requirements are that a register must point to our
payload and have enough room for single or multi-stage shell code."

With these caveats in mind - is this really a blind buffer overflow if
it is a requirement that denied bytes are displayed back to the attacker?

Additionally, the author summed it up with this statement -

"One can now see that even when an attacker does not have access to the
binary, source or platform information, exploitation may in some
specific scenarios allow for remote code execution."

This brings up another point from Jeremiah's article - the likelihood of
a buffer overflow is less than the other attacks he mentioned (SQL
Injection, etc...)

-Ryan

On 3/15/06, ol@uncon.org <ol@uncon.org> wrote:
> Did you read the article or did you just base your response on the 2 sample
> sentences sent in the email? The article quite clearly outlined the fact
> that it was focusing on "custom" applications and not widely available (to
> everyone, including attackers) software.

Yes I did. Did you read the article I posted? It clearly describes how it is
possible and thus likelihood is greatly increased on custom applications
(using ISAPI as a particular example I grant you).
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
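An added illustration, not code from anyone in this thread or from the SecurityFocus article: the hand-written handler pattern the article's requirements assume (a fixed-size stack buffer filled from the request's query string, as an ISAPI extension would read from lpszQueryString) next to a bounded version. The bounded version rejects rather than truncates and reports a status code to the caller only, so the client never learns which bytes were refused, which is the feedback the quoted first requirement relies on. The buffer size, function and macro names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* assumed fixed-size buffer in a hand-written handler */

/* Status returned to the caller. Only a generic error goes back to the client;
 * which bytes were refused is logged server-side, never echoed (the article's
 * first exploitation requirement quoted above is that filtered bytes be shown). */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_BYTE = 2 };

/* Unsafe pattern this replaces (comment only, deliberately not compiled):
 *     char name[NAME_MAX];
 *     strcpy(name, lpszQueryString);   no length check, overruns the frame
 */

/* Bounded copy of a query parameter. Rejects over-long or non-printable
 * input outright instead of silently truncating it. */
enum copy_status copy_param(char dst[NAME_MAX], const char *query)
{
    size_t n = 0;
    dst[0] = '\0';                       /* never leave stale data on failure */
    while (query[n] != '\0') {
        unsigned char c = (unsigned char)query[n];
        if (c < 0x20 || c > 0x7e)        /* control or high byte */
            return COPY_BAD_BYTE;
        if (++n >= NAME_MAX)             /* no room left for the terminator */
            return COPY_TOO_LONG;
    }
    memcpy(dst, query, n + 1);           /* n < NAME_MAX, so this fits */
    return COPY_OK;
}

/* Constructed sample inputs. */
#define A8  "AAAAAAAA"
#define A63 A8 A8 A8 A8 A8 A8 A8 "AAAAAAA"   /* 63 bytes: fits with terminator */
#define A64 A8 A8 A8 A8 A8 A8 A8 A8           /* 64 bytes: one too many */

static char demo_buf[NAME_MAX];

int main(void)
{
    printf("short : %d\n", copy_param(demo_buf, "user=alice"));
    printf("63 A  : %d\n", copy_param(demo_buf, A63));
    printf("64 A  : %d\n", copy_param(demo_buf, A64));
    printf("ctrl  : %d\n", copy_param(demo_buf, "a\x01z"));
    return 0;
}
```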
Brought to you by http://www.webappsec.org