Autopsy of Vulnerabilities, Ezequiel “Zequi” Vázquez (PowerPoint PPT presentation)


  1. Autopsy of Vulnerabilities. Ezequiel “Zequi” Vázquez

  2. Who Am I? Backend developer. DevOps. Security & Hacking. From Jerez (southern Spain). @RabbitLair

  3. We will “dissect” the following: SA-CORE-2014-005 – SQL injection as anonymous user; SA-CORE-2018-002 – Remote code execution as anonymous user

  4. Why this session?

  5. Why this session?

  6. Three-step analysis: description of the technology components involved in the vulnerability; description of how the vulnerability works; live demo of exploiting the vulnerability

  7. SA-CORE-2014-005 / CVE-2014-3704: SQL injection as anonymous user. Drupal 7.31 and below. 25/25 score on NIST index. Patched on October 15th, 2014

  8. Arrays on HTTP POST method

  9. Database queries sanitization. File: includes/database/database.inc. Method: expandArguments. Used for SQL queries with a condition like “column IN (a, b, c)”. The query skeleton is built with placeholders, which are replaced after the values are sanitized

  10. Database queries sanitization: an example. User edit form as administrator. We can select which roles the user has. -- becomes -->

  11. Database queries sanitization: an example. The expandArguments method replaces the implicit indexes with explicit ones built from the array name. -- becomes -->

  12. Database queries sanitization: an example. The query structure is built using the explicit array keys as placeholders. Finally, the placeholders are replaced by the sanitized values, and the query is executed

  13. The vulnerability: original array keys are used to build placeholder names without being sanitized.

  14. The vulnerability: original array keys are used to build placeholder names without being sanitized.
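The following PHP is an added example, not code from the slides and not Drupal's own expandArguments implementation. It is a simplified model of the placeholder expansion described on slides 9 to 14, written to show why the original array keys matter: a request-supplied key becomes part of the SQL text as a placeholder name before any value escaping happens. The function names, the {users_roles} query and the input keys are assumptions; the odd key is deliberately harmless. The hardened variant applies the same change as the SA-CORE-2014-005 fix, iterating over array_values() so that only integer positions can form a placeholder name.

```php
<?php
// Added example, not Drupal's own code: a simplified model of the
// expandArguments() logic in includes/database/database.inc. Only the
// "IN (:placeholder)" expansion is modelled; all names are assumptions.

// Vulnerable pattern: the placeholder name is built from the caller's
// array keys. In Drupal 7 those keys come straight from the decoded
// request (for example roles[...] on the user edit form), so whatever
// the key contains becomes part of the SQL text. Values are still bound
// safely afterwards, but the query skeleton itself has already changed.
function expand_arguments_vulnerable(string $query, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        $new_keys = [];
        foreach ($data as $i => $value) {            // $i is request-controlled
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace(
            '#' . preg_quote($key, '#') . '\b#',
            implode(', ', array_keys($new_keys)),
            $query
        );
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

// Hardened pattern (the shape of the SA-CORE-2014-005 fix): array_values()
// discards the original keys, so placeholder names can only be built from
// the integer positions 0..n-1, whatever keys the request sent.
function expand_arguments_fixed(string $query, array $args): array
{
    foreach ($args as $key => $data) {
        if (!is_array($data)) {
            continue;
        }
        $new_keys = [];
        foreach (array_values($data) as $i => $value) { // $i is always 0, 1, 2, ...
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace(
            '#' . preg_quote($key, '#') . '\b#',
            implode(', ', array_keys($new_keys)),
            $query
        );
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

// Defensive check for the application boundary: an array argument whose
// keys are not all plain integers did not come from a trusted index list.
function has_only_integer_keys(array $data): bool
{
    return count(array_filter(array_keys($data), 'is_int')) === count($data);
}

// Constructed input: the roles selection from the user edit form as the
// request delivers it. The first key is the expected role id; the second
// is a harmless stand-in for "any key the client chose to send".
$query = 'SELECT uid FROM {users_roles} WHERE rid IN (:rids)';
$args  = [':rids' => [3 => 3, 'not_an_index' => 5]];

if (!has_only_integer_keys($args[':rids'])) {
    error_log('rejecting IN() argument with non-integer keys');
}

[$vulnerableQuery, $vulnerableArgs] = expand_arguments_vulnerable($query, $args);
[$fixedQuery, $fixedArgs] = expand_arguments_fixed($query, $args);
```

With the constructed input, the vulnerable variant rewrites the condition to `rid IN (:rids_3, :rids_not_an_index)`, so the client-chosen key is literally inside the query string that reaches the database driver, whereas the fixed variant produces `rid IN (:rids_0, :rids_1)` with `:rids_0 => 3` and `:rids_1 => 5` bound as values. The has_only_integer_keys check is an extra guard at the input layer; it does not replace the array_values() change inside the query builder.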

  15. Let's see it!

  16. SA-CORE-2018-002 / CVE-2018-7600: Remote code execution as anonymous user. Drupal 5.x, 6.x, 7.57 and below, 8.5.0 and below. 24/25 score on NIST index. Patched on March 28th, 2018

  17. Render arrays: arrays whose keys start with the # character. Mechanism to render everything. Recursive behavior. Callbacks: pre_render, post_render, ...

  18. Form processing with AJAX API: form submitted via XHR request. Submitted values are stored in the #value attribute of each field. The element_parents parameter determines the section of the form to be re-rendered

  19. The vulnerability: a form field containing a render array with a callback can be re-rendered using the AJAX API.
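As an added example (not code from the slides and not Drupal's own RequestSanitizer), the PHP below models the request-level mitigation that the SA-CORE-2018-002 fix introduced: keys beginning with # are stripped from user-supplied input before form processing, so render array properties such as #pre_render, #post_render and #value can only be set by the application and never arrive from the request. The function name, the sample POST body and the placeholder callback string are assumptions; recording which keys were dropped is included because a browser form never legitimately submits such keys, which makes any hit a useful detection signal.

```php
<?php
// Added example, not Drupal's own code: models the request sanitizing
// step added for SA-CORE-2018-002. Anything in decoded request input whose
// key starts with '#' is removed recursively before the input can be merged
// into a render array. Names below are assumptions chosen for the demo.

/**
 * Recursively remove '#'-prefixed keys from decoded request input.
 * The path of every removed key is appended to $stripped for logging.
 */
function strip_render_array_keys(array $input, array &$stripped, string $path = ''): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $here = ($path === '') ? (string) $key : $path . '/' . $key;
        // Integer keys (list items) are never render-array properties.
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $stripped[] = $here;
            continue;
        }
        $clean[$key] = is_array($value)
            ? strip_render_array_keys($value, $stripped, $here)
            : $value;
    }
    return $clean;
}

// Constructed sample: a decoded POST body with ordinary field values plus
// render-array properties that no genuine form submission produces.
// 'PLACEHOLDER_CALLBACK' is a label, not a real callable.
$post = [
    'form_id' => 'user_register_form',
    'mail'    => 'someone@example.com',
    'pass'    => [
        'pass1'        => 'correct horse battery staple',
        'pass2'        => 'correct horse battery staple',
        '#post_render' => ['PLACEHOLDER_CALLBACK'],
    ],
    'account' => ['#value' => 'should not arrive from a browser'],
];

$stripped  = [];
$cleanPost = strip_render_array_keys($post, $stripped);

// Detection: a non-empty $stripped list on a production site is worth an
// alert, since legitimate clients never send '#'-prefixed keys.
foreach ($stripped as $removed) {
    error_log('request sanitizer: dropped key ' . $removed);
}

// Only $cleanPost is handed on to form processing and to the AJAX
// re-render path selected by element_parents.
```

Run against the constructed body, the sanitizer returns the form_id, mail, pass1 and pass2 values untouched, drops `pass/#post_render` and `account/#value`, and leaves `account` as an empty array; the two dropped paths are what the log line reports. The same routine should be applied to query-string and cookie input as well, since the AJAX re-render path reads element_parents from the request too.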

  20. Let's see it!

  21. Final thoughts: Keep your sites updated. No exceptions. Thank you, security team! To prevent vulnerabilities in your code, you need to learn about them.

  22. Final thoughts

  23. Join us for contribution opportunities. Friday, April 12, 2019.
      Mentored Contribution: 9:00-18:00, Room 602
      First Time Contributor Workshop: 9:00-12:00, Room 606
      General Contribution: 9:00-18:00, Room 6A
      #DrupalContributions

  24. What did you think? Locate this session at the DrupalCon Seattle website: http://seattle2019.drupal.org/schedule . Take the Survey! https://www.surveymonkey.com/r/DrupalConSeattle

  25. Questions? Autopsy of Vulnerabilities, by Zequi Vázquez

  26. Thank you! Autopsy of Vulnerabilities, by Zequi Vázquez
