An Abuse Case Example | Software Security: Building Security In

Cigital reviewed a client-server application that manipulated a financially sensitive database, finding a classic software security problem. In this case, the architecture was set up so that the server counted on a client-side application to manage all of the data access permissions. No permissions were enforced on the server itself. In fact, only the client had any notion of permissions and access control. To make matters worse, a complete copy of the sensitive database (only parts of which were to be viewed by a given user with a particular client) was sent down to the client. The client program ran on a garden-variety desktop PC. This means that a complete copy of sensitive data expressly not to be viewed by the user was available on that user's PC in the clear.

If the user looked in the application's cache on the hard disk and used the unzip utility, the user could see all sorts of sensitive information that should not have been allowed to be seen. It turns out that the client also enforced which messages were sent to the server, and the server honored these messages independent of the user's actual credentials. The server was assuming that any messages coming from the client had properly passed through the client software's access control system (and policy) and were, therefore, legitimate. By either intercepting network traffic, corrupting values in the client software's cache, or building a hostile client, a malicious user could inject data into the database that no user was even supposed to read (much less write).

Attack Patterns from Exploiting Software

Attack patterns are extremely useful in generating valid abuse cases. Exploiting Software includes the identification and description of the 48 attack patterns and 1 fragment listed here [Hoglund and McGraw 2004]. This is an incomplete list of attack patterns, which as a catalog of knowledge is in a nascent stage. For examples and stories corresponding to these attack patterns, see Exploiting Software. Don't forget that these attack patterns are described from the point of view of the attacker.

Make the Client Invisible

Talk directly with the server, masquerading as the client. Explore the input space.

Target Programs That Write to Privileged OS Resources

Look for programs that write to system directories of registry keys.

Use a User-Supplied Configuration File to Run Commands That Elevate Privilege

Configuration files are excellent targets since they control high-privilege programs. System-wide configuration files are particularly interesting.

Make Use of Configuration File Search Paths

Try to put a malicious config file in the search path ahead of the default config file.

Direct Access to Executable Files

Run programs with privilege. Look for such programs on Web servers especially.

Embedding Scripts within Scripts

Take advantage of the hundreds of languages, compilers, and interpreters (as well as backwards compatibility constraints) to slip through filters. Forgotten nooks and crannies are most interesting.

Leverage Executable Code in Nonexecutable Files

Inject code through a seemingly innocuous route and have a process load and execute the attack.

Argument Injection

When input filtering is poor or nonexistent, spin a shell and use it.

Command Delimiters

Use off-nominal characters (like semicolons) to string commands together.

Multiple Parsers and Double Escapes

Take advantage of several parser pass-throughs with double escapes.

User-Supplied Variable Passed to Filesystem Calls

Filesystem calls are a good attack site since user input is directly consumed. Pass in parameters.

Postfix NULL Terminator

Play with NULL and its various representations to break parsing.

Postfix, Null Terminate, and Backslash

Alternate representations of NULL can be used to bypass filters.

Relative Path Traversal

Take advantage of the current working directory to play relative path games.

Client-Controlled Environment Variables

Supply environment variables before authentication.

User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth)

PHP has bad defaults. Try them.

Session ID, Resource ID, and Blind Trust

Change IDs in midstream, or otherwise guess IDs.

Analog In-Band Switching Signals (aka "Blue Boxing")

Play specific control commands across a normal link. When command and data lines are shared, this can be huge fun.

Attack Pattern Fragment: Manipulating Terminal Devices

Use shell commands to aim things at other terminals.

Simple Script Injection

Take advantage of stored data problems to inject scripts and pollute data.

Embedding Scripts in Nonscript Elements

Put scripts into HTML tags that are less obvious.

XSS in HTTP Headers

Play with HTTP headers.

HTTP Query Strings

Inject scripts into HTTP variables.

User-Controlled Filenames

Put HTML into filenames.

Passing Local Filenames to Functions That Expect a URL

Use local filenames that expect to consume a URL.

Meta-characters in E-mail Headers

E-mail headers are often consumed by client software. Try things.

Filesystem Function Injection, Content Based

Take advantage of headers in media files (and other files) to get elsewhere in the filesystem.

Client-Side Injection, Buffer Overflow

Aim buffer overflow attacks at clients through a malicious server.

Cause Web Server Misclassification

Take advantage of filename extension silliness.

Alternate Encoding of the Leading Ghost Characters

Use multiple encoding attacks to avoid filters.

Using Slashes in Alternate Encoding

Slash characters are interesting because they are related to the filesystem. Use both kinds of slashes.

Using Escaped Slashes in Alternate Encoding

Escape slashes to escape filtering.

Unicode Encoding

Unicode breaks filters.

UTF-8 Encoding

UTF-8 breaks filters.

URL Encoding

HEX breaks filters. URLs can be represented in many ways.

Alternative IP Addresses

Use alternate encodings for IP numbers.

Slashes and URL Encoding Combined

Combine encoding attacks.

Web Logs

Escape characters are translated before being placed in a log. Build fake entries.

Overflow Binary Resource Files

Modify sound, graphics, video, or font files (with a hex editor).

Overflow Variables and Tags

Take advantage of bad tag/variable parsing.

Overflow Symbolic Links

Try links to avoid access restrictions.

MIME Conversion

Play with conversion and translation issues.

HTTP Cookies

Use cookies as an attack vector.

Filter Failure through Buffer Overflow

Make a filter fail open.

Buffer Overflow with Environment Variables

Use environment variables as an attack vector.

Buffer Overflow in an API Call

Use API calls as an attack vector. Buffer overflows in libraries are very valuable.

Buffer Overflow in Local Command-Line Utilities

Use command-line programs as attack vectors.

Parameter Expansion

Parameter expansion can lead to buffer overflow.

String Format Overflow in syslog()

The syslog function is often misused.

For this simple example, we'll choose to think about a legitimate user (gone bad) as the threat. The Make the Client Invisible attack pattern is particularly relevant to this system (as are a number of others). In this case, the server trusts the client to provide correct messages. However, this trust is mostly unfounded since creating a malicious client (either by sniffing traffic and building an attack generator or by reverse-engineering the real client) is so easy. This attack pattern leads to an abuse case describing what happens when a malicious client interacts with the server.

From the anti-requirements side of the story, we consider what happens when an attacker bypasses the access control "security mechanism" built into the client software. In this case, the mechanism is laid bare to attack on a standard PC belonging to the attacker. The resulting abuse case describes why this security mechanism is inadequate and most likely results in a major design change.