Sunday, November 30, 2008

Code review – what functions cause problems?

You never have enough time to do Code Review if you try to walk trough every functions, instead, we can focus on the “high risk” functions that hackers have been known to take advantage of Web application.

The common potential problem areas are:
1.       User input;
2.       The third party input that from other untrusted sources, such as external database;
3.       The output. For example, the error message may reveal too much information, or a poorly coded application may insert tainted SQL data into a database, which your application would be potentially use it.

Here is the list of “high risk” functions (copy from a PDF file and some websites, I also added some):
1.       Buffer overflow
When a particular function/operation writes more data into a variable than the variable was designed to hold, the result is buffer overflow. Fortunately, this only occurs on the languages that must predeclare their variable storage size, such as C and C++. ASP, Perl, and Python all have dynamic variable allocation, which means they can interpreter themselves handle the variable size.
For C/C++, the “high risk” functions are:
(1)    str* family: strcpy(), strcat(), strcadd(), strccpy(), streadd(), strecpy(), strtrns(). We should avoid to use these functions
(2)    strn* family: strncpy(), strncat(), and so on. This is a safer alternative to the str* family. The strn* family is essentially the same as the str* family except it allow you to specify a maximum length. So we only need to make sure that the specified maximum value is equal or less than the destination variable size.
(3)    memcpy(), bcopy(), memccpy(), memmove().
(4)    sprintf(), snprintf(), vsprintf(), vsnprintf(), swprintf(), vswprintf().
(5)    gets(), fgets().
(6)    getc(), fgetc(), getchar(), read().

2.       Cross-Site Scripting (XSS)
XSS is in fact a subset of HTML injection. It allows attackers to execute the script in the victim’s browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing etc.
Looking for XSS vulnerabilities is tough; the best place to start is with the common output functions used by the language:
(1)    C/C++: printf(), fprintf(), output streams, and so on.
(2)    Java: Don’t use
(3)    .NET: the better way is to use the Microsoft Anti-XSS Library freely available from MSDN.
(4)    ASP: Response.Write, Response.BinaryWrite,
(5)    Perl: print, printf, syswrite.
(6)    PHP: print, printf, echo.

3.       Information Disclosure
This is not a technical problem, it is quite possible that the application may provide some information that can be used by attackers. For example, developer may insert some output for debug purpose and forget to delete it.
We need to review all the output functions of the language with:
(1)    Printing sensitive information (passwords, credit card numbers) in full display.
(2)    Displaying application configuration, server configuration information, environment variables, and so on.
(3)    Revealing too much information in error message. For example, failed database connections typically spit out connection details that include database host address, authentication details and target tables; failed file inclusion may disclose file paths, which allows attackers to determine the layout of application.
(4)    Avoiding the use of public debugging mechanisms in production applications. The better way is to write debugging information to a log on the application server.

4.       File system access/interaction
We need to check where, when and how a web application accesses the local file system on the server, the danger lies in using filenames that may contain tainted data.
(1)    C/C++: open(), fopen(), create(), mknod(), catopen(), dbm_open(), opendir(), unlink(), link(), chmod(), stat(), lstat(), mkdir(), readlink(), rename(), rmdir(), symlink(), chdir(), chroot(), utime(), truncate(), glob().
(2)    ASP: Server.CreateObject() that create Scripting.FileSystemObject objects.
(3)    Perl: chmod, chown, link, lstat, mkdir, readlink, rename, rmdir, stat, symlink, truncate, unlink, utime, chdir, chroot, dbmopen, open, sysopen, opendir, glob.
(4)    PHP: opendir(), chdir(), dir(), chgrp(), chmod(), chown(), copy(), file(), fopen(), get_meta_tags(), link(), mkdir(), readfile(), rename(), rmdir(), symlink(), unlink(), gafile(), gzopen(), readgz-file(), fdf_add_template(), fdf_open(), fdf_save().
(5)    Java: java.io.*, java.util.zip.*, java.util.jar
(6)    JSP: < %@include file=’filename’% >
(7)    ColdFusion: CFFile, CFInclude tags.

5.       Calling External Programs
Calling external programs is danger, if tainted user data is included within the call, an attacker could trick the command processor into executing additional commands, or changing the intended command.
(1)    C/C++: exec* family, exec(), execv(), execve(), and so on.
(2)    Perl: exec,’’(backticks), qx//, and <> (the globbing function).
(3)    PHP: fopen(), popen(), exec(), passthru(), system().
(4)    Python: os.exec* family, os.exec, os.execve, os.execle, os.execlp, os.execvp, os.execvpe, os.popen, os.system.
(5)    Java: Runtime.exec().
(6)    ColdFustion: CFExecute, CFServlet tags.

6.       Dynamic code execution
Some languages contain mechanisms to interpret and run native scripting code, the advantage is that allows the program to “build” a subprogram dynamically, and user can input fragment script code. However, it opens a door to the attacker who may insert his own script code to be compiled and executed.
(1)    Perl: eval function, do, and any regex operation with the e modifier.
(2)    Python: exec, compile, eval, execfile, input.
(3)    ASP: Eval, Execute, ExecuteGlobal.

7.       External objects/Libraries
Including or loading libraries is helpful in making the design of a program easier. However, you need to make sure that all external library loading routines do not user any sort of tainted data, an attacker could coerce your program into loading an alternate library, which could provide him an advantage.
(1)    Perl: import, require, use, do.
(2)    Python: import, _import_.
(3)    ASP: Server.CreateObject(), tag in global.asa.

(4)    JSP: jsp:useBean.

(5)    Java: URLClassLoader, JarURLConnection from the java.net package; ClassLoader, Runtime.load, Runtime.loadLibrary, System.load, and System.loadLibrary from the java.lang package.

(6)    ColdFusion: CFObject.

 

8.       Structured Query Language/Database Queries

The two problem areas are:

(1)    Connection setup: the connection usually contains authentication information, such as user name, password, database server etc. this information should be considered sensitive and need to be well protected.

(2)    Tampering with queries: when inserted into a SQL query, an attacker could submit data that could trick the database server into executing different queries than the one intended.

The following list of functions and commands could lead you to these potential problems:

(1)       PHP: ifx_connect(), ifx_pconnect(), ifx_prepare(), ifx_query(), msql_connect(), msql_pconnect(), msql_db_query(), msql_query(), mysql_connect(), mysql_db_query(), mysql_pconnect(), mysql_query(), odbc_exec(), odbc_pconnect(), odbc_prepare(), ora_logon(), ora_open(), ora_parse(), ora_plogon(), OCILogon(), OCIParse(), OCIPLogon(), pg_connect(), pg_exec(), pg_pconnect(), Sybase_connect(), Sybase_pconnect(), Sybase_query().

(2)       ASP: ADODB.* objects.

(3)       Java: createStatement() and execute() methods in java.sql module.

(4)       Perl: DB::* modules

(5)       ColdFusion: CFInsert, CFQuery, CFUpdate tags.

 

9.       Networking and communication streams

The outgoing and incoming network connection and communication stream used by the program is a potential security hole. For example, your application may make an FTP connection to a particular server to retrieve a file, or may set up a listening server processes to answer incoming network connections. It is very important to make sure not to allow a remote attacker to compromise the server.

The following list of functions allows your application to establish or use network and communication streams:

(1)    Perl and C/C++: connect, accept.

(2)    PHP: imap_open, imap_popen, ldap_connect, ldap_add, mcal_open, fsockopen, pfsockopen, ftp_connect, ftp_login, mail.

(3)    Python: socket.*, urllib.*, ftplib.* modules.

(4)    ASP: CDONTS.* objects, CDONTS.Attachment, CDONTS.NewMail, AttachFile and AttachURL methods.

(5)    Java: ServerSocket in java.net.*, java.rmi.*.

(6)    ColdFusion: CFFTP, CFHTTP, CFLDAP, CFMail, CFPOP tags.

 

References:

1.       Michael Cross, “Developer’s Guide to Web Application Security”, ISBN-10 1-59749-061-X

2.       OWASP TOP 10, 2007, http://www.owasp.org

 

Saturday, November 22, 2008

Make your own Windows XP SP3 plus IE7 and WMP11 installation CD


Recently I need to reinstall Windows XP. I know it will take some times to install services packs and IE7, Windows Media Player etc. Is it possible to make a CD that includes these things, so I won’t be bothered by installing them after finish the Windows XP installation?

Preparation:

a. My original Win XP CD and product key;

b. Nlite 1.4.9.1 (http://www.nliteos.com/)

c. Windows Media Player 11 Slipstreamer (http://www.boooggy.org/slipstreamer/)

d. IE7 installer and service packs:

  • IE7-WindowsXP-KB938127-v2-x86-ENU.exe
  • IE7-WindowsXP-KB956390-x86-ENU.exe

e. Windows Media Player 11 installer and service packs:

  • WindowsMedia11-KB929399-v2-x86-INTL.exe
  • WindowsMedia11-KB936782-x86-ENU.exe
  • WindowsMedia11-KB939683-x86-ENU.exe
  • WindowsMedia11-KB954154-x86-ENU.exe

f. Windows XP sp3 and the latest service pack(before Nov 21st, 2008):

  • WindowsXP-KB936929-SP3-x86-ENU.exe
  • WindowsXP-KB938464-x86-ENU.exe
  • WindowsXP-KB941569-x86-ENU.EXE
  • WindowsXP-KB944043-v3-x86-ENU.exe
  • WindowsXP-KB946648-x86-ENU.exe
  • WindowsXP-KB950582-x86-ENU.exe
  • WindowsXP-KB950760-x86-ENU.exe
  • WindowsXP-KB950762-x86-ENU.exe
  • WindowsXP-KB950974-x86-ENU.exe
  • WindowsXP-KB951066-x86-ENU.exe
  • WindowsXP-KB951072-v2-x86-ENU.exe
  • WindowsXP-KB951376-v2-x86-ENU.exe
  • WindowsXP-KB951698-x86-ENU.exe
  • WindowsXP-KB951748-x86-ENU.exe
  • WindowsXP-KB951830-x86-ENU.exe
  • WindowsXP-KB951978-x86-ENU.exe
  • WindowsXP-KB952287-x86-ENU.exe
  • WindowsXP-KB952954-x86-ENU.exe
  • WindowsXP-KB953155-x86-ENU.exe
  • WindowsXP-KB953839-x86-ENU.exe
  • WindowsXP-KB954459-x86-ENU.exe
  • WindowsXP-KB955069-x86-ENU.exe
  • WindowsXP-KB956391-x86-ENU.exe
  • WindowsXP-KB956803-x86-ENU.exe
  • WindowsXP-KB957095-x86-ENU.exe
  • WindowsXP-KB957097-x86-ENU.exe
  • WindowsXP-KB958644-x86-ENU.exe

Here’s what I’ve done:

1. Install Nlite and Wmp11 slipstreamer, you may need to install .NET Framework V2.0 first.

2. Copy all the files in your Win XP CD to a folder, let’s assume it is c:\winxpSp3

3. Run Nlite, in the welcome page, select language.



4. Locate the XP distribution folder, in this example, it is c:\winxpSp3, Nlite will detect the language, service pack, and version of your Win XP


5. In “Presets” window, use one of the previous settings (if you have) or just click “next” button.

6. In “Task Selection” window, click “All” button, then click “Drivers” button, which means I don’t integrate particular drivers to this CD, because I may use this CD to install my uncle’s computer that has different video card and sound card.





7. In “Service Pack” window, select the sp3 file “WindowsXP-KB936929-SP3-x86-ENU.exe”Nlite will automatically extract and integrate sp3 to the xp distribution folder(c:\winxpSp3).



After the integration, the version number has been changed.



8. In “Hotfixes, Add-ons” window, insert all the hotfixes, be careful the sequence of the hot fixes, I failed several times because of this, you should put IE7 installer first, then IE7’s 2 hot fixes, and small number is first, KB938127 then KB956390, it may cause some problems if KB956390 is ahead. Use the small green button that locate on the right side to adjust the sequence; then add windows media play and its hotfixes and all the xp service packs, check the sequence as well. Finally, you should get something like this:



9. In “Components” window, I simply selected “Movie Maker” and “Music Samples” because I never use them. You can remove more unused components if you want to.



10. In “Unattended” window, you can provide answers to all of the questions that xp normally asks during the installation.
In “General” tab, enter the Product key, I also turn off firewall and Hibernate because I have Symantec firewall and I think Hibernate is useless.



11. In “RunOnce” tab, you can add some commands here, and they will be executed on first user logon. Think about this, if I put a Trojan horse here, and release this combination CD to Internet, someone download and install it, what happens? Haha, you’re on my control.



12. In “Users” tab, enter password for Administrator. I also added a user for daily uses, it is not good to log on as administrator all the time.



13. In “Regional” tab, select the Time zone.



14. Work through all tabs and make adjustments if needed


15. In “Options” window, I only changed the “TCP/IP patch” to 100, it will certainly speed up my emule and BT.



16. In “Tweaks” window, I selected to show “My document icon” and “My computer icon” on desktop; there’re so many items you can select.



17. After finish all the settings, Nlite will start the process



18. When the process go through Windows media Player installer, Nlite will automatically run wmp11 slipstreamer to extract and integrate wmp11 to distribution folder.



19. Next window is making Bootable ISO, you can either create image or burn it directly, I suggest creating an image, and then you can test it using Vmware or Virtual PC. Enter a label name, click “Make ISO”, select the location of ISO file.



20. Now you have a bootable ISO image of Windows XP SP3+IE7+WMP11! Before you burn a CD with this image, you’d better test it with Vmware or Virtual PC, because exception is not predictable, install it in a Virtual machine, and see if it runs well.