Network Security Vuln-Dev

Argument injection issues

Subject: Argument injection issues
Date: Tue, 13 Feb 2007 19:17:05 -0500 (EST)

In a Solaris telnet vulnerability thread, Casper Dik said:

> It's not "still" in Solaris; it's the first time it occurred in
> Solaris; it is stupid it did but it's a typical programming error:
> passing unchecked arguments to a program without escaping special
> characters.

The emerging terminology for this kind of issue is "argument
injection" (CWE-88), although like many vulnerability-related
concepts, the term is attack-focused.  Then again, "failure to
properly construct a command or directive such that all
arguments/switches are under full control of the calling program" just
doesn't have the same ring to it, nor does it account for the fact
that a large variety of weaknesses lead to the same behavior.

On one level, this kind of issue applies to many kinds of behaviors,
not just invocation of OS commands.  For example, using
onload/onmouseover attributes for XSS could be thought of as a type of
argument injection, and certain variants of SQL injection.

You can get into a lot of subtle variations on this one theme, even in
OS command invocation - switches like "--" bypassing blacklists that
just look for "-", use of "/a" style switches when invoking Windows
programs, conducting arg injection through URI handlers, etc.

Theoretically, argument injection doesn't just involve "special
characters," but any set of reserved words or constructs that are used
as separators between arguments or data elements.  When you are doing
some kind of invocation across representation boundaries, you have to
have a correct model for how the arguments will be interpreted -
likely impossible if you're invoking arbitrary programs that will have
their own parsing routines.  Command line switches are just the low
hanging fruit.

Some interesting/relevant examples: CVE-1999-0113 (the canonical AIX
-froot example), CVE-2007-0882 (Solaris -froot), CVE-2006-4692,
CVE-2006-6597, CVE-2006-3015, CVE-2006-2312, CVE-2006-2058,
CVE-2006-2057/CVE-2006-2056 (the same bug in Firefox and IE),
CVE-2006-1865, CVE-2005-4699, and probably a few dozen others that
aren't explicitly labeled as such.

- Steve
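The "-froot"-style confusion described above, as an added example that is not part of the original post: a toy getopt-style argv parser (hypothetical, not any real program's option handling) shows how a forwarded value beginning with "-" is read as a switch, and how the "--" end-of-options separator together with a leading-dash check keeps it as data.

```python
# Added example (not from the original post). Models a typical callee's
# option parsing to show the CWE-88 pattern: a caller forwards untrusted
# data as an argument and the callee reads it as a switch.
from typing import Dict, List, Tuple

def parse_getopt_style(argv: List[str], opts_with_value=("f",)) -> Tuple[Dict[str, str], List[str]]:
    """Hypothetical callee: leading '-x' tokens are switches until '--'.
    Switches listed in opts_with_value take a value ('-froot' -> f=root)."""
    switches: Dict[str, str] = {}
    positional: List[str] = []
    i = 1  # argv[0] is the program name
    while i < len(argv):
        tok = argv[i]
        if tok == "--":                      # end of options: rest is data
            positional.extend(argv[i + 1:])
            break
        if tok.startswith("-") and len(tok) > 1:
            name = tok[1]
            if name in opts_with_value:
                if len(tok) > 2:             # value glued to the switch
                    switches[name] = tok[2:]
                else:                        # value in the next token
                    i += 1
                    switches[name] = argv[i] if i < len(argv) else ""
            else:
                switches[name] = ""
        else:
            positional.append(tok)
        i += 1
    return switches, positional

def build_argv_naive(user_value: str) -> List[str]:
    # CWE-88: the caller's "username" lands in the callee's argv unescaped,
    # so the callee decides whether it is a switch or data.
    return ["login-like-tool", user_value]

def validate_positional(user_value: str) -> str:
    # Allow-list style check: a username never legitimately begins with "-".
    if not user_value or user_value.startswith("-"):
        raise ValueError("argument would be interpreted as a switch")
    return user_value

def build_argv_safe(user_value: str) -> List[str]:
    # "--" tells a getopt-style callee that every following token is data.
    # The validation is defence in depth for callees that ignore "--".
    return ["login-like-tool", "--", validate_positional(user_value)]

if __name__ == "__main__":
    print(parse_getopt_style(build_argv_naive("-froot")))   # ({'f': 'root'}, [])
    print(parse_getopt_style(["login-like-tool", "--", "-froot"]))  # ({}, ['-froot'])
```

The argv-list form matters as well: passing a single string through a shell adds a second layer of separators (spaces, quotes) on top of the switch problem shown here.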

Current thread: Argument injection issues, Steven M. Christey