Monday, July 13, 2009
OWASP NZ: Application Bug Chaining: Mark Piper, Catalyst IT

Bug chaining - an idea that hasn't really propagated yet.

How do we rate how severe a bug is? Consider how easy it is to exploit, where it is accessible from (client-side, server-side, internet, local, mass exploitable, targeted exploit, etc).

Audience attempted to rate the severity of a couple of bugs:

  • SQL injection on authenticated site -> medium/high
  • File upload php files on authenticated site -> high/critical
  • Local file disclosure -> medium/high
  • XSS - reflective, authenticated -> low/medium

Is attacker considered 'authenticated' once there is an XSS attack? Any subsequent attacks can be treated as authenticated.

When you join together the XSS bug with the file upload bug, then it's critical!

Bug chaining: taking multiple bugs and chaining them together to create exploitable vulnerabilities. Instead of looking at each individual bug, look at how they can be combined together.

There are now frameworks to help chain together exploits - and this is how a lot of worms now work.

Recent examples of chaining exploits: PHPMyAdmin <= 3.1.3; SugarCRM <= 5.2.0e - compromise server through 3 bugs together.

How to deal with this? CVSSv2:

  • Common Vulnerability Scoring System v2.0
  • Scoring system for assessing bugs
  • Considers exploit complexity, application location, authentication, target likelihood etc
  • Can be very complex, time consuming, difficult to follow

"You can explain this stuff all day, but when network admins actually see you do it, that's when they understand" Brett Moore

VtigerCRM - large open-source CRM system which fixed problems with a security patch, but don't link to the fix (and haven't installed it themselves!).

He wrote a BeEf module for VtigerCRM that can run as an auto-run module (took less than 2 hours to write):

  • Chains file upload and XSS bug to upload a malicious PHP script to start a command shell
  • Connection is from server to the attackers machine, so user doesn't need to stay connected

Summary:

Don't look at severity of individual bugs - need to look at how bugs can be joined together.

Understand the bugs.

Follow the OWASP coding and testing guidelines.

Tools:

  • BeEf - command console for an attacker to run script on the client computer. Modular list of exploits, and control multiple victims. Autorun modules to automatically execute modules within 1.5-2 seconds.
 |  | 
posted on Monday, July 13, 2009 2:57:28 PM (New Zealand Standard Time, UTC+12:00)  #    Comments [0]
Related posts:
10 things YOU are doing wrong!
Dean Carter: Ramblings of an ex-QSA
Quintin Russ / Mike Jager - Hosting and Security
Graeme Neilson / Kirk Jackson: Tales from the Crypt0
Metlstorm: Low Scuttling Chillicrab
Paul Craig: What to do when you get pwned?
Comments are closed.
Navigation
Home
About
Code Camp
Wellington Groups

 RSS 2.0 | Send mail to the author(s)

Categories
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Blogroll

Archive
<July 2009>
SunMonTueWedThuFriSat
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678


September, 2010 (1)
August, 2010 (1)
July, 2010 (8)
February, 2010 (1)
January, 2010 (1)
December, 2009 (1)
October, 2009 (3)
September, 2009 (3)
August, 2009 (6)
July, 2009 (6)
June, 2009 (2)
May, 2009 (4)
April, 2009 (1)
March, 2009 (3)
February, 2009 (8)
January, 2009 (3)
December, 2008 (10)
November, 2008 (10)
October, 2008 (21)
September, 2008 (16)
August, 2008 (7)
July, 2008 (1)
June, 2008 (7)
May, 2008 (3)
April, 2008 (8)
February, 2008 (4)
January, 2008 (1)
December, 2007 (1)
November, 2007 (8)
September, 2007 (10)
August, 2007 (5)
July, 2007 (9)
June, 2007 (25)

Month View

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010 Kirk Jackson

Theme design by Jacob Hodges with newtelligence dasBlog 1.9.6264.0

Sign In
Pick a theme: