Automated vulnerability scanning and exploitation Dennis Pellikaan - PowerPoint PPT Presentation

Automated vulnerability scanning and exploitation Dennis Pellikaan Thijs Houtenbos University of Amsterdam System and Network Engineering July 4, 2013 Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 1 / 20

Introduction Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 2 / 20

Research question How feasible is an automated approach to compromise servers using a known source code attack on a large scale? Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 3 / 20

Collect scripts Collected scripts Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 4 / 20

Analyse scripts SQL Injection mysql_query ("SELECT * FROM users WHERE id=’$_GET[id]’"); File Inclusion require $_POST["lang_install"].".php"; Command Injection exec ($_GET[’com’], $result); Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 5 / 20

Analyse scripts Vulnerable scripts Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 6 / 20

Analyse scripts Vulnerable categories Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 7 / 20

Exploit vulnerabilities SQL Injection mysql_query ("SELECT * FROM users WHERE id=’$_GET[id]’"); File Inclusion require $_POST["lang_install"].".php"; Command Injection exec ($_GET[’com’], $result); Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 8 / 20

Exploit vulnerabilities SQL Injection override_function (mysql_query, log_function); File Inclusion 338 require $_POST["lang_install"].".php"; 338 log_function ($_POST["lang_install"].".php"); Command Injection 183 exec ($_GET[’com’], $result); 183 log_function ($_GET[’com’], $result); Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 9 / 20

Exploit vulnerabilities Exploitability Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 10 / 20

Search Google Advanced Search Operators allinurl:"/page.php?page_id=" allintitle:"My special script v0.2a" Selective results Rate-limiting, CAPTCHA, IPv6 20,000 search queries per day 120,000 results with 22,000 queries Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 11 / 20

Search Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 12 / 20

Validate search results Installation root http://www.example.com/users/script/install/admin.php /sourceforge/special1.0/install/admin.php File comparison with bundled files (readme.txt, style.css, etc) Hash and text matching Scoring system based on matching 1,555 results had a perfect match 4,214 results had a partial match Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 13 / 20

Results Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 14 / 20

Example (1) 42 $sql = mysql_query("UPDATE users SET userid=’$_GET[userid]’ Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 15 / 20

Example (1) 42 $sql = mysql_query("UPDATE users SET userid=’$_GET[userid]’ Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 16 / 20

Example (2) 47 $sql="update staff set first_name=’$_POST[fname]’, last_name=’$_POST[lname]’, middle_name=’$_POST[mname]’, username=’".$_SESSION[’admin_name’]."’, password=’".$_SESSION[’admin_pwd’]."’, profile_id=1 where username=’admin’ "; 48 $result = mysql_query($sql); Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 17 / 20

Example (2) 47 $sql="update staff set first_name=’$_POST[fname]’, last_name=’$_POST[lname]’, middle_name=’$_POST[mname]’, username=’".$_SESSION[’admin_name’]."’, password=’".$_SESSION[’admin_pwd’]."’, profile_id=1 where username=’admin’ "; 48 $result = mysql_query($sql); Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 18 / 20

Conclusion How feasible is an automated approach to compromise servers using a known source code attack on a large scale? Lots of components in the system, all with own quirks Almost 6,000 vulnerable servers identified Process can run continuously for more results More input is more output :-) Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 19 / 20

Questions Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 20 / 20

Automated vulnerability scanning and exploitation Dennis Pellikaan - PowerPoint PPT Presentation

Automated vulnerability scanning and exploitation Dennis Pellikaan Thijs Houtenbos University of Amsterdam System and Network Engineering July 4, 2013 Dennis Pellikaan, Thijs Houtenbos Automated vulnerability scanning and exploitation 1 / 20

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

FamilySearch Scanning (Scanstone) An Automated Exposure Method For Scanning Microfilm Heath

Meeting 100 // Docker and Vulnerability Scanning // If Youre New! Join our Slack:

Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Preventing Elder Investment Fraud: Assessing for Vulnerability to Financial Exploitation Dulce

Scanning In the old War Games film there is a teenager with an automated way of calling

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

OpenVAS Open Vulnerability Scanning Free your vulnerabilities! Vlatko Koturjak |

Practical Exploitation on System Vulnerability of ProtoGENI Dawei Li Advisor: Dr. Xiaoyan Hong

The Automated Exploitation Grand Challenge A Five-Year Retrospective Julien Vanegue IEEE

Toward an Automated Vulnerability Comparison of Open Source IMAP Servers Chaos Golubitsky

Automated Attacks at Scale Understanding Credential Exploitation Mayank Dhiman Will

LAVA: Large-scale Automated Vulnerability Addition Tim Leek, Patrick Hulin, Ryan Whelan (MIT/LL),

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

good? About Us Tom Cross, IBM X-Force Vulnerability tracking, analysis, and response

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

them all A story of cross-software ownage, shared codebases and advanced exploitation. Mateusz

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Introduction to Vulnerability Assessment Labs Ge Zhang ge.zhang@kau.se Dvg-C03 Karlstad

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

WE MAKE DIGITAL HUMANS CONTENTS SCANNING 3D EXTRAS - FACIAL SCANNING - HAIR + CLOTH -