Vulnerability classification and exploitation, further explored - Hacker Warning - Black Bar Security Net

ID MYHACK58:62200713708
Type myhack58
Reporter Anonymous
Modified 2007-01-11T00:00:00


Vulnerabilities are a never-ending fairy tale. Those who dream of being heroes, those who want to break technological monopolies in the name of freedom, those who discover vulnerabilities, those who exploit them, those who patch them, those who love them and those who fear them: like this colorful world itself, they make up the world of computer network security, forever!

Nowadays many people treat an open port as a vulnerability, and guard their exploitation tricks like a treasure; in fact there are many misconceptions about what a vulnerability actually is. Drawing on the relevant material and my own understanding, today we will talk about a very basic question: what is a vulnerability?

1. What is a vulnerability

Professionally, a vulnerability is a defect in the specific implementation of hardware, software or a protocol, or in a system's security policy, usually introduced by people, which allows an attacker to access or damage the system without authorization. This is only a general statement; many books define the term differently, and this definition is a relatively comprehensive one. Examples would help in understanding it, but over the decades there have been far too many vulnerabilities to go through one by one.

2. The narrow scope of vulnerabilities

Vulnerabilities affect a wide range of software and hardware: the operating system itself and its supporting software, network client and server software, network routers and security firewalls. Each of these different kinds of software and hardware can have its own kind of security vulnerability.

3. The broad scope of vulnerabilities

In the broad sense, a vulnerability is anything that threatens computer information security, including personnel, hardware, software, programs and data.

4. The long-term nature of vulnerabilities

Vulnerabilities are closely tied to time. From the day a system is released, its vulnerabilities are exposed one after another as users work with it more deeply; the vendor fixes the discovered vulnerabilities with software patches, or corrects them in a new version of the system. But while the new version corrects the old version's vulnerabilities, it also introduces new vulnerabilities and errors. So as time passes, old vulnerabilities keep disappearing and new ones keep emerging. Vulnerabilities are therefore a long-term presence.

5. The hidden nature of vulnerabilities

A system security vulnerability is a defect, present in the system itself or in what it provides, that can be used to endanger the system's security. In short, a vulnerability is an error in a particular realization of a system: a defect in how a security mechanism was planned, a programming error in the system or in other software, a human configuration error in using the security mechanisms the system provides, and the like.

A system security vulnerability is an error produced in the system's specific implementation and specific use, but not every error present in a system is a security vulnerability. Only an error that threatens the security of the system is a vulnerability. Many errors do no harm to security in normal use; only when someone deliberately uses them under certain conditions do they affect the system's security.

6. A vulnerability must be discovered

Although a vulnerability may be present in a system from the start, it does not reveal itself; it must be discovered. In actual use, users find errors in the system, while intruders take some of those errors and turn them into tools that threaten the system's security; only then do people realize that the error is a security vulnerability. The system vendor then releases a patch for the vulnerability as soon as possible to correct the error. This is the general process by which a system security vulnerability goes from being discovered to being corrected.

Attackers are often both the discoverers and the users of security vulnerabilities. An attack on a system is unlikely to succeed unless the attacker can find and use a security vulnerability present in that system, and this is especially true of systems with a higher security level.

System security vulnerabilities and attacks on systems are closely related, so one should not discuss vulnerability issues apart from attack events. Because attacks of all kinds exist, a vulnerability that exists is bound to be found.

7. Why keep up with the latest developments in computer systems and security

Discussing vulnerability issues apart from a specific time and a specific system environment is pointless. Only for a target system's version, the versions of the software running on it, the settings of the services it runs and its actual environment can one concretely discuss where vulnerabilities may exist and how they might be resolved.

At the same time, vulnerability research must keep track of the latest developments in computer systems and security. This is similar to the study of computer virus developments. Work that cannot keep tracking new technologies has no right to speak on system security and vulnerability issues, and even its earlier results gradually lose their value.

Whether you love vulnerabilities or hate them, they are there all the same. They "do not rejoice in things, do not grieve for themselves"; "to love them is to love their soul: freedom, equality, sharing, innovation". They also prove that there is no absolute security in this world: as long as the world has computers and software, they will show what is called eternity. Fairy tales have an eternal but false beauty; vulnerabilities are the eternal, real fairy tale.

Part One: classifying security vulnerabilities from different perspectives

For a specific application, security vulnerabilities can be classified along several dimensions.

1. By user group

●Public software vulnerabilities, such as Windows vulnerabilities, IE vulnerabilities, and so on.

●Specialized software vulnerabilities, such as Oracle vulnerabilities, Apache vulnerabilities, and so on.

2. From the data perspective

●Being able to read data that should not be readable, including data in memory, in files, in user input, in the database, in network transmissions, and so on.

●Being able to write specified content to a specified place, including files, memory, databases, and so on.

●Being able to have input data executed, including execution as machine code, as shell commands, as SQL code, and so on.

3. From the scope perspective

●Remote vulnerabilities: the attacker can exploit them directly over the network. Such vulnerabilities are very harmful, since the attacker can operate other people's computers at will through them, and on Windows they easily lead to worm attacks.

●Local vulnerabilities: the attacker must already have access to the machine before the vulnerability can be attacked. The typical case is a local privilege escalation vulnerability; such vulnerabilities are widespread on Unix systems and let an ordinary user obtain the highest administrator privileges.

4. By trigger condition

●Actively triggered vulnerabilities: the attacker can use the vulnerability on their own initiative, such as by directly accessing another person's computer.

●Passively triggered vulnerabilities: the computer's operator must act before the vulnerability can be used in an attack. For example, the attacker sends the administrator an email with a specially crafted jpg image; if the administrator opens the image, a vulnerability in the image-viewing software is triggered and the system is attacked, but if the administrator never looks at the image, the attack has no effect.

5. From the operation perspective

●File operation type: mainly cases where the path of the file being operated on can be controlled, for example through parameters, configuration files, environment variables, symbolic links and so on, which may lead to the following two problems:

◇The written content can be controlled, so the file's contents are falsified, leading to privilege escalation or direct modification of important data, such as modifying loan and deposit data. There have been many such vulnerabilities; for example, in the past the Oracle TNS log file could be pointed at an arbitrary file, which allowed anyone to take control of the computer running the Oracle service;

◇Content information may be output: file contents are printed to the screen, recorded to a readable log file, written to a core file the user can read, and so on. Historically such vulnerabilities appeared many times in the Unix crontab subsystem, allowing an ordinary user to read the protected shadow file;

●Memory overwrite: mainly cases where the memory location can be specified and the content written can be specified, so that the attacker can execute code of their choosing (buffer overflows, format string vulnerabilities, the PTrace vulnerability, the historical Windows 2000 vulnerability in which users could write the hardware debug registers) or directly modify confidential data in memory.

●Logic errors: such vulnerabilities are widespread but have few paradigms and are hard to find by inspection. They can be broken down as follows:

◇Race condition vulnerabilities, usually design problems; the typical example is the Ptrace vulnerability, and timing races in file operations are widespread.

◇Policy errors, usually design problems, such as the historical FreeBSD Smart IO vulnerability.

◇Algorithm problems, usually design problems or coding problems, such as the historical vulnerability in which Microsoft Windows 95/98 share passwords could easily be obtained.

◇Design flaws, such as the TCP/IP three-way handshake, which leads to the SYN flood denial-of-service attack.

◇Implementation errors: the design is fine, but the code contains logic errors, such as the historical problems with pseudo-random algorithm implementations in betting systems.

●External command execution problems, typically an external command that can be controlled through the PATH variable, shell special characters in input, and so on, as well as SQL injection.
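A hardened writer for the file-operation case above (a log file whose name a parameter, configuration value or environment variable may control), as an added example that is not part of the original article. It confines the requested name to the log directory, refuses a symbolic link at the final component with O_NOFOLLOW, and verifies on the opened descriptor that the target is a regular file; all directory and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

def confine_path(log_dir, requested):
    """Return the absolute path of `requested` inside `log_dir`, or None if it escapes.
    Purely lexical: '..' components and absolute names are resolved before the check."""
    base = os.path.abspath(log_dir)
    target = os.path.normpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target

def open_log_safely(log_dir, requested):
    """Open (append/create) a log file whose name may be attacker-influenced.
    O_NOFOLLOW makes the open fail (ELOOP) if the final component is a symlink,
    and fstat on the descriptor avoids a check-then-use race on the path name."""
    target = confine_path(log_dir, requested)
    if target is None:
        raise PermissionError("path escapes the log directory: %r" % requested)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o640)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("not a regular file: %r" % target)
    return fd

def demo():
    """Self-contained run in a scratch directory (constructed names): a regular
    file is accepted, a symlink to a file outside and a '..' escape are refused."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        log_dir = os.path.join(scratch, "logs")
        os.mkdir(log_dir)
        outside = os.path.join(scratch, "secret.txt")   # the file a symlink would point at
        with open(outside, "w") as f:
            f.write("keep out\n")
        fd = open_log_safely(log_dir, "svc.log")
        os.write(fd, b"entry\n")
        os.close(fd)
        results["regular"] = "written"
        os.symlink(outside, os.path.join(log_dir, "evil.log"))
        try:
            open_log_safely(log_dir, "evil.log")
            results["symlink"] = "followed"
        except OSError:                                  # ELOOP from O_NOFOLLOW
            results["symlink"] = "refused"
        try:
            open_log_safely(log_dir, "../secret.txt")
            results["escape"] = "opened"
        except PermissionError:
            results["escape"] = "refused"
        with open(outside) as f:
            results["outside_intact"] = f.read() == "keep out\n"
    return results

if __name__ == "__main__":
    print(demo())
```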

6. From the timing perspective

●Vulnerabilities discovered long ago: the vendor has released a patch or repair method and many people already know about them. Most people have already repaired such vulnerabilities, so on a macro level their harm is relatively small.

●Newly discovered vulnerabilities: the vendor has only just issued a patch or repair method and not many people know about them. Relative to the previous type their harm is greater; if a worm or a point-and-click exploitation program appears at this stage, large numbers of systems will be attacked.

●0day: vulnerabilities not yet disclosed, traded in private. Such vulnerabilities generally have no impact on the public, but they let an attacker carry out a precise attack on a chosen target, and their harm is also very large.

Part Two: exploitation from different perspectives

If a defect cannot be used to do security-relevant things that "originally" could not be done, it cannot be called a security vulnerability; security vulnerabilities are therefore necessarily tied closely to exploitation.

The perspectives on a vulnerability's exploitability are:

●Data perspective: access to data that would otherwise be inaccessible, including both reading and writing. This is usually the attacker's core purpose and can cause a very serious disaster, for example if bank data can be written.

●Permission perspective: permission bypass or privilege escalation. Usually privileges are escalated in order to obtain the desired ability to manipulate data.

●Availability perspective: gaining control over some of the system's services, which may let the attacker stop an important service and cause a denial of service.

●Authentication bypass: usually using a vulnerability in the authentication system to enter the system without authorization. Authentication bypass is usually done for privilege escalation or for direct access to data services.

●Code execution perspective: mainly making a program execute its input as code, thereby gaining access to the remote system or higher privileges on the local system. This perspective is driven mainly by SQL injection and by the memory-pointer games (buffer overflows, format strings, integer overflows, and so on). It is usually preparation for bypassing system authentication, escalating privileges or reading data.

Part Three: vulnerability discovery methods

First it must be clear that security vulnerabilities are a subset of software bugs, so all software testing tools are useful for discovering security vulnerabilities. The various vulnerability discovery means now used by "hackers" follow these patterns:

●Fuzz testing, a black-box approach: automatically testing the program by constructing input data in ways that may cause it problems.

●Source code audit, a white-box approach: there is now a range of tools that help find security bugs in programs; the simplest is the latest version of the C compiler in your hands.

●IDA disassembly audit, a gray-box approach: very similar to the source code audit above, the only difference being that very often you can obtain the software but not its source code. IDA is a very strong decompilation platform that lets you audit the disassembled code, which is in fact also an equivalent of the source.

●Dynamic tracing analysis: recording all the security-related operations the program performs under different conditions, such as file operations, and then analyzing whether these operation sequences have problems. This is one of the main ways of discovering race condition vulnerabilities; taint propagation tracking also belongs to this category.

●Patch comparison: vendors usually resolve software problems in patches, so comparing the source code or disassembled code around the patched pieces reveals the specific details of the vulnerability.

Whatever the means, they all come down to one key point: finding, through manual analysis, a process path that covers everything comprehensively. Analysis techniques vary: analyzing design documents, analyzing source code, analyzing disassembled code, dynamic debugging, and so on.
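The dynamic tracing method above, applied to the race condition class from the operation-perspective list in Part One, as an added example that is not part of the original article: a detector that reads strace-style records (constructed here, not captured from a real system) and flags a path-based check followed by a path-based use of the same path in the same process, the check-then-use window in which a file-operation timing race lands.

```python
import re
from collections import defaultdict

# Constructed strace-style records for the demonstration (not a real capture).
TRACE = """\
1001 access("/tmp/report.txt", W_OK) = 0
1001 open("/tmp/report.txt", O_WRONLY|O_TRUNC) = 3
1001 stat("/var/log/app.log", {st_mode=S_IFREG|0644, ...}) = 0
1001 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY|O_APPEND) = 4
1002 openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 5
1002 fstat(5, {st_mode=S_IFREG|0644, ...}) = 0
1002 lstat("/tmp/cache.db", {st_mode=S_IFREG|0600, ...}) = 0
1002 unlink("/tmp/cache.db") = 0
1003 access("/tmp/other.txt", R_OK) = -1 ENOENT (No such file or directory)
1004 open("/tmp/other.txt", O_RDONLY) = 6
"""

# Calls that inspect a path without holding it open, and calls that then act on the path.
CHECK_CALLS = {"access", "faccessat", "stat", "lstat", "readlink"}
USE_CALLS = {"open", "openat", "creat", "unlink", "rename", "chmod", "chown", "truncate"}

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
PATH_RE = re.compile(r'"([^"]*)"')

def parse_record(line):
    """Split one record into pid, syscall name, first quoted path (None for fd-based calls) and return value."""
    m = LINE_RE.match(line)
    if not m:
        return None
    paths = PATH_RE.findall(m.group("args"))
    return {"pid": int(m.group("pid")), "call": m.group("call"),
            "path": paths[0] if paths else None, "ret": int(m.group("ret"))}

def find_toctou(trace):
    """Return (pid, path, check_call, use_call) for every check-then-use pair on the same path
    within one process. In the sample, pid 1002's openat/fstat pair is the safe form (the check
    is done on the descriptor) and is not flagged; pids 1003/1004 touch the same path but are
    different processes, so they are not paired either."""
    pending = defaultdict(dict)   # pid -> path -> name of the last check call on that path
    findings = []
    for rec in filter(None, map(parse_record, trace.splitlines())):
        pid, call, path = rec["pid"], rec["call"], rec["path"]
        if path is None:
            continue                # fd-based call such as fstat: nothing to pair
        if call in CHECK_CALLS:
            pending[pid][path] = call
        elif call in USE_CALLS and path in pending[pid]:
            findings.append((pid, path, pending[pid].pop(path), call))
    return findings

if __name__ == "__main__":
    for pid, path, check, use in find_toctou(TRACE):
        print("pid %d: %s() then %s() on %s" % (pid, check, use, path))
```

Flagged pairs are candidates, not confirmed races: the next step is to read the code and decide whether the use can be switched to a descriptor-based call (fstat, fchmod, openat with O_NOFOLLOW) so the check and the use refer to the same object.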

Part Four: vulnerability rating

Examining the harm of a vulnerability must be tied closely to the harm its exploitation can do; it is not generally accepted that every buffer overflow vulnerability is high-risk. Taking remote vulnerabilities as an example, a better division is:

1. Can remotely obtain OS and application version information.

2. Unnecessary or dangerous services are open; can remotely obtain sensitive system information.

3. Can remotely read restricted files and data.

4. Can remotely read important or unrestricted files and data.

5. Can remotely modify restricted files and data.

6. Can remotely modify restricted important files and data.

7. Can remotely modify unrestricted important files and data, or carry out a denial-of-service attack on an ordinary service.

8. Can remotely execute commands as an ordinary user, or carry out a system- or network-level denial-of-service attack.

9. Can remotely execute commands as an administrative user, but in a restricted way that is not too easy to use.

10. Can remotely execute commands as an administrative user without restriction, and it is easy to use.

Local vulnerabilities almost always lead to code execution; on the 10-level scale above they can be ranked together with:

Remote actively triggered code execution (such as IE vulnerabilities).

Remote passively triggered code execution (such as Word vulnerabilities or image-viewing software vulnerabilities).

Part Five: a demonstration

A firewall isolates a Unix server so that only people in the operations and maintenance department can reach it over the network. On the operating system only the root user and the oracle user can log in, and the operating system runs Apache (with nobody privileges), Oracle (with oracle user permissions) and other services.

The attacker's purpose is to modify the data in the billing table of the Oracle database.

The attack might proceed in these steps:

●1. Gain access to the operations and maintenance department's network and obtain one of the department's IP addresses that the firewall allows through to the protected Unix server.

●2. Use a remote buffer overflow vulnerability in the Apache service to directly obtain a shell with nobody privileges.

●3. Use a vulnerability in a suid program of the operating system to elevate those privileges to root.

●4. Log in to the database as Oracle sysdba; a local login does not require a password.

●5. Modify the target table's data.

Analyzing the five steps above:

●Step 1: authentication bypass

●Step 2: remote vulnerability, code execution (machine code), authentication bypass

●Step 3: privilege escalation, authentication bypass

●Step 4: authentication bypass

●Step 5: write data