UNCOVERING VULNERABILITIES IN SECURE CODING GUIDELINES - DeepSec

Transcription

UNCOVERING VULNERABILITIES IN SECURE CODING GUIDELINES
DeepSec 2018
Fernando Arnaboldi
2018 IOActive, Inc. All Rights Reserved.

AGENDA
- Who, What, How, & Why
- Secure Coding Guidelines
  - NIST
  - OWASP
  - CWE
  - CERT
- Conclusions

WHO, WHAT, HOW, & WHY
/huː, hʊ, wɒt, haʊ, ənd wʌɪ/ (n) who cares about this, what was done, how it was performed, and why it makes sense to analyze it.

WHO CARES
- Security Consultants
- Software Architects

WHAT WAS ANALYZED
- Secure coding guidelines
- Secure pieces of code
- Coverage

HOW WAS IT ANALYZED

& WHY
- People use them

WHAT’S THE GOAL
Create awareness of what may happen with guidelines:
- They may have mistakes
- They may have backdoors
- However, they are important

Example shown on the slide (the 2003 attempt to plant a backdoor in the Linux kernel's wait4 code: the single "=" in "current->uid = 0" assigns root instead of comparing):

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

SECURE CODING GUIDELINES: NIST
NIST Software Assurance Metrics
/nist/ (n) a non-regulatory agency of the United States Department of Commerce dedicated to improving software assurance. Software assurance indicates that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.

THE PHP INCLUDE PROBLEM
This test case shows how to solve the “PHP Include” problem.
Fail: Using the .inc file extension will expose the code when referencing files directly.
Source: https://samate.nist.gov/SARD/view_testcase.php?tID=1768

SECURE CODING GUIDELINES: OWASP
OWASP /owɒsp/ (n) the Open Web Application Security Project is a worldwide, not-for-profit charitable organization focused on improving the security of software.

USERNAME GUIDANCE
Source: OWASP Source Code Review 2.0 Alpha – Page 59: https://www.owasp.org/images/7/78/OWASP_AlphaRelease_CodeReviewGuide2.0.pdf

BRUTE-FORCING USERNAMES
What if your users are aware?
Assume someone is brute-forcing 10.000 user accounts with three different passwords.
If user identifications are case insensitive:
- 10.000 * 3 = 30.000 requests
Case sensitive usernames with six letters require 2^6 case combinations per username:
- i.e. master, Master, mAster, ...
- 10.000 * 2^6 * 3 = 10.000 * 64 * 3 = 1.920.000 requests

EXCEPTIONS IN TRY/CATCH BLOCKS
2008 | 2016
FYI, this is in fact .NET code, not Java

EXCEPTIONS IN TRY/CATCH BLOCKS (CONT’D)
Fail: This function may throw an IOException within a catch block

CRYPTOGRAPHY
Source: OWASP Source Code Review 2.0 Alpha – Page 122 & 59: https://www.owasp.org/images/7/78/OWASP_AlphaRelease_CodeReviewGuide2.0.pdf

SECURE CODING GUIDELINES: CWE
CWE /cwe/ (n) the Common Weakness Enumeration is an organization sponsored by the United States Computer Emergency Readiness Team (US-CERT). It defines a set of software weaknesses, which enumerate design and architectural vulnerabilities as well as low-level coding and design errors.

CWE-456: MISSING INITIALIZATION OF A VARIABLE
Fail #1: Username disclosure (timing)
Fail #2: Error may not be logged
Fail #3: Logging injection
Source: https://cwe.mitre.org/data/definitions/456.html

CWE-749: EXPOSED DANGEROUS METHOD OR FUNCTION
Fail: SQL Injection
Source: https://cwe.mitre.org/data/definitions/749.html

SECURE CODING GUIDELINES: CERT
CERT /səːt/ (n) a non-profit, United States federally funded research and development center.

ERR01-J. DO NOT ALLOW EXCEPTIONS TO EXPOSE SENSITIVE INFORMATION
Failure to filter sensitive information when propagating exceptions often results in information leaks that can assist an attacker's efforts to develop further exploits. An attacker may craft input arguments to expose internal structures and mechanisms of the application.
Source: ERR01-J. Do not allow exceptions to expose sensitive information

ERR01-J. DO NOT ALLOW EXCEPTIONS (CONT’D)
“This compliant solution implements the policy that only files that live in c:\homepath may be opened by the user and that the user is not allowed to discover anything about files outside this directory”

ERR01-J. DO NOT ALLOW EXCEPTIONS (CONT’D)
Demo: How to expose information

ERR01-J. DO NOT ALLOW EXCEPTIONS (CONT’D)
“only files that live in c:\homepath may be opened by the user”
Fail #1: What about C:\\homepathfail?

ERR01-J. DO NOT ALLOW EXCEPTIONS (CONT’D)
Fail #2: Does not handle all exceptions
Fail #3: Does not validate method arguments

ERR01-J. DO NOT ALLOW EXCEPTIONS (CONT’D)
Fail #4: Error may not be logged
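Fail #1 above comes from testing the "inside c:\homepath" policy with a string prefix check, which also accepts the sibling directory c:\homepathfail. The following is an added example written for this transcription, not the CERT compliant solution or the speaker's demo code; it assumes a Unix-style base directory /srv/homepath as a stand-in for the slide's c:\homepath and uses constructed request paths.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not CERT's code): a plain string prefix test admits the
// sibling directory "homepathfail" and traversal via "..", while a
// component-wise comparison of normalized paths rejects both.
public class HomePathCheck {

    // Naive check: anything that merely begins with the base string passes,
    // including "/srv/homepathfail/secret.txt" (the slide's Fail #1).
    static boolean weakCheck(String base, String requested) {
        return requested.startsWith(base);
    }

    // Boundary-aware check: normalize both paths (collapsing "." and "..")
    // and compare whole path components, so "homepathfail" != "homepath".
    static boolean strictCheck(String base, String requested) {
        Path basePath = Paths.get(base).toAbsolutePath().normalize();
        Path target = Paths.get(requested).toAbsolutePath().normalize();
        return target.startsWith(basePath);
    }

    public static void main(String[] args) {
        // Constructed inputs. On a live system resolve the base with
        // toRealPath() as well, so a symlink inside it cannot escape.
        String base = "/srv/homepath";          // stand-in for c:\homepath
        String[] requests = {
            "/srv/homepath/report.txt",        // legitimate
            "/srv/homepathfail/secret.txt",    // Fail #1: shares the prefix
            "/srv/homepath/../etc/passwd"      // traversal, normalizes outside
        };
        for (String r : requests) {
            System.out.printf("%-32s weak=%-5b strict=%b%n",
                    r, weakCheck(base, r), strictCheck(base, r));
        }
    }
}
```

The weak check returns true for all three requests; the strict check returns true only for the first.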

FIO00-J. DO NOT OPERATE ON FILES IN SHARED DIRECTORIES
“To prevent vulnerabilities, a program must operate only on files in secure directories. [...] file links can be swapped out and may not always point to the intended location. As a result, file links in shared directories are untrusted and should not be operated on”
Source: FIO00-J. Do not operate on files in shared directories

FIO00-J. DO NOT OPERATE ON FILES (CONT’D)
Demo: How to leave a secure directory
Source: FIO00-J. Do not operate on files in shared directories

FIO00-J. DO NOT OPERATE ON FILES (CONT’D)
1. Create a symlink and a hard link:

    ln -s /tmp/extract_data symlink
    ln /tmp/extract_data hardlink
    ls -l
    lrwxr-xr-x  1 fear  staff  17 Nov 27 16:33 symlink -> /tmp/extract_data
    -rw-r--r--  2 fear  staff   0 Nov 27 16:32 hardlink

2. Check the symlink:

    java isInSecureDir /Users/fear/deepsec/symlink
    Accessing: /tmp/extract_data
    File not in secure directory

3. Check the hard link:

    java isInSecureDir /Users/fear/deepsec/hardlink
    Accessing: /Users/test/hardlink
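The demo above shows why resolving the real path catches the symlink but not the hard link: a hard link is just a second directory entry for the same inode, so there is no target to resolve. The following is an added example for this transcription, not CERT's isInSecureDir and not the speaker's code; it covers only the link aspect (not the ownership and permission checks of the real isInSecureDir), relies on the POSIX-only "unix:nlink" file attribute, and builds a constructed temp layout that mirrors the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not CERT's isInSecureDir: resolves the real path (catches
// symlinks) and additionally refuses files whose link count is above one,
// since another name for the same inode may live in a shared directory.
public class LinkAwareCheck {

    // True only if the file resolves inside secureDir and is not hard-linked.
    static boolean isSafeToOperate(Path secureDir, Path file) throws IOException {
        Path realDir = secureDir.toRealPath();
        Path realFile = file.toRealPath();   // follows symlinks
        if (!realFile.startsWith(realDir)) {
            System.out.println("Accessing: " + realFile + " -> not in secure directory");
            return false;
        }
        // "unix:nlink" is only available on POSIX file systems; when it
        // cannot be read, the link count is unknown, so refuse the file.
        int nlink;
        try {
            nlink = (Integer) Files.getAttribute(realFile, "unix:nlink");
        } catch (UnsupportedOperationException | IllegalArgumentException e) {
            return false;
        }
        if (nlink > 1) {
            System.out.println("Accessing: " + realFile + " -> hard-linked " + nlink + " times");
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: shared/ plays the role of /tmp and holds the
        // real file; secure/ holds a symlink and a hard link to it.
        Path root = Files.createTempDirectory("fio00");
        Path secure = Files.createDirectory(root.resolve("secure"));
        Path shared = Files.createDirectory(root.resolve("shared"));
        Path data = Files.createFile(shared.resolve("extract_data"));
        Path symlink = Files.createSymbolicLink(secure.resolve("symlink"), data);
        Path hardlink = Files.createLink(secure.resolve("hardlink"), data);
        System.out.println("symlink  safe? " + isSafeToOperate(secure, symlink));
        System.out.println("hardlink safe? " + isSafeToOperate(secure, hardlink));
    }
}
```

Both calls return false: the symlink because its real path is outside secure/, the hard link because its link count is 2.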

CONCLUSIONS
/kənˈkluːʒ(ə)ns/ (n) how did this happen and where do we go from here?

CONCLUSIONS
- Lessons learned from the identified issues
- Who should define the guidelines
- How to write secure code
