Difference between revisions of "Direct Static Code Injection"

From OWASP
Latest revision as of 07:40, 7 April 2009

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision: 04/7/2009

Description

A Direct Static Code Injection attack consists of injecting code directly into a resource that the application uses while processing a user request. This is normally done by tampering with libraries and template files that are generated from user input without proper data sanitization. When a user later requests the modified resource, the actions defined in it are executed on the server side, in the context of the web server process.

Server Side Includes (SSI) injection is considered a type of direct static code injection. It should not be confused with other types of code injection, like XSS (“Cross-site scripting” or “HTML injection”), where the code is executed on the client side.

Risk Factors

TBD

Examples

Example 1

This is a simple example of exploitation of a CGISCRIPT.NET csSearch 2.3 vulnerability, published as Bugtraq ID 4368. By requesting the following URL from the server, it is possible to execute the commands supplied in the setup variable.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE


For the classic example, the following request can be used to remove all files from the “/” folder:

csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Note that the above command must be encoded in order to be accepted.

Example 2

This example exploits a vulnerability in Ultimate PHP Board (UPB) 1.9 (CVE-2003-0395), which allows an attacker to execute arbitrary PHP code. This happens because some user-supplied values, such as the IP address and the User-Agent header, are stored in a file that the admin_iplog.php page uses to show user statistics. When an administrator browses this page, the code previously injected by a malicious request is executed. The following request stores malicious PHP code that will deface the index.html page when an administrator browses admin_iplog.php.

GET /board/index.php HTTP/1.0
User-Agent: <? system( "echo \'hacked\' > ../index.html" ); ?>
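Both examples above have the same shape: a value supplied in the request ends up stored in a resource the server later treats as code (the csSearch setup value; the User-Agent that UPB writes into the file admin_iplog.php reads). The following PHP is an added example, not code from UPB, csSearch or the OWASP page. It shows that pattern in a minimal visit logger beside a hardened version that stores records as data and only ever parses and escapes them; the function names, file names and the sample request below are constructed for the illustration.

```php
<?php
// Added example, not code from UPB, csSearch or OWASP: the file-write pattern
// behind direct static code injection next to a hardened version.
// Function names, file names and the sample request are constructed.
declare(strict_types=1);

// ---- Vulnerable pattern (shown for comparison only, never called below) ----
// Each visit is appended verbatim to a fragment that the admin page later
// include()s to render the statistics. Because include() runs PHP tags, a
// User-Agent such as the one in Example 2 executes when the admin views it.
function logVisitVulnerable(string $fragmentFile, string $ip, string $userAgent): void
{
    file_put_contents($fragmentFile, "$ip | $userAgent<br>\n", FILE_APPEND | LOCK_EX);
}

function showLogVulnerable(string $fragmentFile): void
{
    include $fragmentFile;   // data file treated as code: the injection point
}

// ---- Hardened pattern ------------------------------------------------------
// 1. Records are stored as data (one JSON object per line), never as PHP,
//    in a file kept outside the web root with a non-executable extension.
// 2. The viewer parses the data and escapes every field for HTML output;
//    the file is read, never include()d or eval()ed.
function logVisitSafe(string $dataFile, string $ip, string $userAgent): void
{
    $record = [
        'ts' => time(),
        'ip' => $ip,
        'ua' => substr($userAgent, 0, 512),   // bound the stored size
    ];
    $json = json_encode($record, JSON_THROW_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents($dataFile, $json . "\n", FILE_APPEND | LOCK_EX);
}

function renderLogSafe(string $dataFile): string
{
    $html = '';
    foreach (file($dataFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $r = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        $html .= htmlspecialchars((string) $r['ip'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
               . ' | '
               . htmlspecialchars((string) $r['ua'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
               . "<br>\n";
    }
    return $html;
}

// ---- Detection aid ---------------------------------------------------------
// Flags request values carrying server-side code markers (PHP open tags, SSI
// directives, backtick command substitution as in Example 1) so the attempt
// can be alerted on even though the safe store would never execute it.
function looksLikeServerCode(string $value): bool
{
    $pattern = '/<\?(?:php|=)?|<!--#\s*(?:exec|include|echo|config|set)\b|`[^`]+`/i';
    return preg_match($pattern, $value) === 1;
}

// ---- Demo with a constructed request modelled on Example 2 -----------------
$userAgent = <<<'UA'
<? system( "echo \'hacked\' > ../index.html" ); ?>
UA;
$dataFile = sys_get_temp_dir() . '/iplog_demo.jsonl';   // stands in for a path outside the web root
@unlink($dataFile);

logVisitSafe($dataFile, '203.0.113.7', $userAgent);
echo renderLogSafe($dataFile);   // the PHP tag is shown as text, not run
if (looksLikeServerCode($userAgent)) {
    error_log('possible static code injection attempt in User-Agent');
}
```

The detection helper only matches the obvious markers used by the page's two payloads and is a logging signal, not the fix; the structural fix is that the stored file is never included or evaluated, so nothing in it can run regardless of how it is encoded. Whether the `<?` short tag in Example 2 is honoured at all depends on the short_open_tag setting of the target; the hardened version does not depend on that setting because the file is never executed.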

Related Threat Agents

Internal software developer

Related Attacks

Server Side Includes
Direct Dynamic Code Evaluation ('Eval Injection')

Related Vulnerabilities

Category:Input Validation Vulnerability

Related Controls

Category:Input Validation

References

http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt
http://marc.info/?l=bugtraq&m=105379741528925&w=2
http://archives.neohapsis.com/archives/bugtraq/2005-06/0002.html