Difference between revisions of "Resource Injection"

From OWASP
m (Add to Injection subcategory)
 
(14 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Resource Injection
+
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
  
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
 +
This attack consists of changing resource identifiers used by an application in order to perform a malicious task. When an application permits a user input to define a resource, like a file name or port number, this data can be manipulated to execute or access different resources.
 +
<br>
 +
In order to be properly executed, the attacker must have the possibility to specify a resource identifier through the  application form and the application must permit its execution.
  
This attack consists in allow a user to alter/pass resource identifiers may enabled an attacker access or modify another any system resources protected
+
The resource type affected by user input indicates the content type that may be exposed. For example, an application that permits input of special characters like period, slash, and backslash is risky when used in methods that interact with the file system.
 
+
There are two conditions for this attack be realize, the first way is system resource identifier specified for an attacker; the second way is a attacker specifying a resource, take permission enough, thing that would not be possible.
+
 
+
Note: The resource injection attack involves resources stored on filesystem, like the path manipulation attack, even so they are separated by differenties categories, see path manipulation attack for more details this  technique
+
+
 
+
 
+
 
+
==External references==
+
http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1734
+
http://cwe.mitre.org/data/definitions/99.html
+
http://capec.mitre.org/data/index.html#Definition
+
http://www.fortifysoftware.com/vulncat/
+
 
+
G. Hoglund and G. McGraw. Exploiting Software. Addison-Wesley, 2004.
+
 
+
  
 +
The resource injection attack focuses on accessing other resources than the local filesystem, which is different attack technique known as a [[Path Manipulation]] attack.<br>
  
 +
== Risk Factors==
 +
TBD
  
 
==Examples ==
 
==Examples ==
  
‘’Example 1’’
+
===Example 1===
 
+
The following examples represent an application which gets a port number from an HTTP request and creates a socket with this port number without any validation. A user using a proxy can modify this port and obtain a direct connection (socket) with the server.
This is code is a java class whose is vulnerable to a resource injection:
+
<br><br>
1. #import java.io.*;
+
2.
+
3. #public class ResourceInjection {
+
4.        
+
5. #    private static void test() {
+
6.
+
7. #        String fileName = null;
+
8. #        int    checkInteger  = 0;
+
9. #
+
10. #        try {
+
11. #            BufferedReader inStream = new BufferedReader (
+
12. #                                          new InputStreamReader(System.in) );
+
13. #           
+
14. #            System.out.print("Please enter a filename: ");
+
15. #            fileName = inStream.readLine();
+
16. #         
+
17. #        }  catch (IOException e) {
+
18. #            System.out.println("IOException: " + e);
+
19. #            return;
+
20. #        }
+
21. #   
+
22. #        File myFile = new File("/var/tmp/" + fileName);
+
23. #       
+
24. #        if (myFile.delete())
+
25. #            System.out.println ("deleted file");
+
26. #
+
27. #       
+
28. #    }
+
29. #
+
30. #    public static void main(String[] args) {
+
31. #        test();
+
32. #    }
+
33. #}
+
Pay attention to line 15, the variable “fileName” received a name of file from user, in the line 22 is deleted a file whose has the name like a value of the “fileName”.
+
Suppose the user pass like parameter for “FileName” this value: “../../tomcat/conf/*.xml” the system will execute the operation with this file and to become inactive.
+
 
+
 
+
 
+
 
+
 
+
‘’Example 2’’
+
 
+
The following code uses a port number read from a CGI request to create a socket.
+
  ...
+
  char* rPort = getenv("rPort");
+
  ...
+
  serv_addr.sin_port = htons(atoi(rPort));
+
  if (connect(sockfd,&serv_addr,sizeof(serv_addr)) < 0)
+
  error("ERROR connecting");
+
  ...
+
 
+
The kind of content that may be dangerous depending to the kind of resource that the user specify on the input. For example, data containing special characters like “.”, “/”, “\” may be represent some dangerous when used in operations that interact with the filesystem. In the same way that data contains URLs may create remote connections
+
 
+
 
+
‘’Exampe 3’’
+
This java class used in a input from an HTTP request delete a file. The developer has not considered the possibility that an attacker modify a file name like ass  "../../tomcat/conf/server.xml", which causes the application will not function
+
String rName = request.getParameter("reportName");
+
File rFile = new File("/usr/local/apfr/reports/" + rName);
+
...
+
rFile.delete();
+
________________________________________
+
  
‘’Example 4’’
+
'''Java code:'''
This code uses a input file name from command line to specify which file to open end echo back to the user. If the user specify any soft link to the files, they can use the program to read the first party of any file on the system
+
C++ Example:
+
ifstream ifs(argv[0]);
+
string s;
+
ifs >> s;
+
cout << s;
+
  
 +
String rPort = request.getParameter("remotePort");
 +
...
 +
ServerSocket srvr = new ServerSocket(rPort);
 +
Socket skt = srvr.accept();
 +
...
  
 +
<br>
 +
'''.Net code:'''
  
==Related Threats==
+
int rPort = Int32.Parse(Request.get_Item("remotePort "));
 +
...
 +
IPEndPoint endpoint = new IPEndPoint(address,rPort);
 +
socket = new Socket(endpoint.AddressFamily,
 +
SocketType.Stream, ProtocolType.Tcp);
 +
socket.Connect(endpoint);
 +
...
  
 +
===Example 2===
 +
This example is same as previous, but it gets port number from CGI requests using C++:
  
 +
char* rPort = getenv("remotePort ");
 +
...
 +
serv_addr.sin_port = htons(atoi(rPort));
 +
if (connect(sockfd,&serv_addr,sizeof(serv_addr)) < 0)
 +
error("ERROR connecting");
 +
...
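Review bot: In Example 1's Java snippet, the result of `request.getParameter("remotePort")` is held in a `String` and then passed to `new ServerSocket(rPort)`, which takes an `int` port, so the snippet does not compile as shown; use `int rPort = Integer.parseInt(request.getParameter("remotePort"));`. The .Net and C++ snippets look up `"remotePort "` with a trailing space inside the quotes, which does not match the Java parameter name and looks like a typo. In the C++ snippet, `atoi(rPort)` runs on the `getenv` result with no NULL check, and `connect` receives `&serv_addr` without a cast to `struct sockaddr *`; neither is the flaw the example is meant to show, so both are worth tidying.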
  
==Related Attacks==
+
===Example 3===
Path Manipulation
+
This example in PLSQL / TSQL gets a URL path from a CGI and downloads the file contained in it. If a user modifies the path or filename, it’s possible to download arbitrary files from server:
Injection Attacks
+
...
 +
filename := SUBSTR(OWA_UTIL.get_cgi_env('PATH_INFO'), 2);
 +
WPG_DOCLOAD.download_file(filename);
 +
...
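Review bot: Example 3 is labelled "PLSQL / TSQL", but `OWA_UTIL.get_cgi_env` and `WPG_DOCLOAD.download_file` are Oracle PL/SQL packages, so the T-SQL label should be dropped. The example also depends on the user changing a path or filename, while the new description sentence says resource injection concerns resources other than the local filesystem and assigns filesystem cases to Path Manipulation; either reword that sentence or state why this download case belongs on this page.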
  
 +
==Related [[Threat Agents]]==
 +
* [[:Category:Logical Attacks]]
 +
* [[:Category: Information Disclosure]]
  
==Related Vulnerabilities==
+
==Related [[Attacks]]==
Category:Input Validation Vulnerability
+
* [[Path Traversal]]
 +
* [[Path Manipulation]]
 +
* [[Relative Path Traversal]]
 +
* [[:Category:Injection Attack | Injection Attacks]]
  
 +
==Related [[Vulnerabilities]]==
 +
* [[:Category:Input Validation Vulnerability]]
  
==Related Countermeasures==
+
==Related [[Controls]]==
Category:Input Validation
+
* [[:Category:Input Validation]]
  
 +
==References==
 +
* http://samate.nist.gov/SRD/view_testcase.php?tID=1734
 +
* http://cwe.mitre.org/data/definitions/99.html
 +
* http://capec.mitre.org/data/index.html#Definition
 +
* http://www.fortifysoftware.com/vulncat/
 +
* G. Hoglund and G. McGraw. Exploiting Software. Addison-Wesley, 2004.
  
  
==Categories==
+
[[Category: Injection]]
 +
[[Category: Attack]]

Latest revision as of 18:17, 8 December 2011

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 12/8/2011

Description

This attack consists of changing resource identifiers used by an application in order to perform a malicious task. When an application lets user input define a resource, such as a file name or port number, that input can be manipulated to execute or access different resources.
For the attack to succeed, the attacker must be able to specify a resource identifier through the application form, and the application must permit its execution.

The type of resource affected by user input indicates the type of content that may be exposed. For example, an application that permits input of special characters such as period, slash, and backslash is at risk when that input is used in methods that interact with the file system.

Resource injection focuses on accessing resources other than the local filesystem; attacks on the local filesystem are a different technique, known as Path Manipulation.

Risk Factors

TBD

Examples

Example 1

The following examples show an application that reads a port number from an HTTP request and creates a socket on that port without any validation. A user with a proxy can modify this port and obtain a direct connection (socket) to the server.

Java code:

// Vulnerable: the port comes straight from the request and is never validated.
int rPort = Integer.parseInt(request.getParameter("remotePort"));
...
ServerSocket srvr = new ServerSocket(rPort);
Socket skt = srvr.accept();
...


.Net code:

// Vulnerable: the port comes straight from the request and is never validated.
int rPort = Int32.Parse(Request.get_Item("remotePort"));
...
IPEndPoint endpoint = new IPEndPoint(address,rPort);
socket = new Socket(endpoint.AddressFamily, 
SocketType.Stream, ProtocolType.Tcp);
socket.Connect(endpoint);
...

Example 2

This example is the same as the previous one, but it gets the port number from CGI requests using C++:

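/* Vulnerable: the port comes straight from the CGI environment and is never validated. */
char* rPort = getenv("remotePort");
...
serv_addr.sin_port = htons(atoi(rPort));
if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    error("ERROR connecting");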
...
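
A hardened counterpart to the port handling in Examples 1 and 2, as an added example that is not part of the original OWASP page: it parses the request-supplied port strictly and accepts it only if it is on an application-defined allowlist. The function name `parse_allowed_port` and the allowlist values 8080 and 8443 are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical allowlist: the only ports this application is meant to use. */
static const unsigned short ALLOWED_PORTS[] = { 8080, 8443 };

/* Hypothetical helper: strictly parse a request-supplied port and check the
   allowlist. Returns 0 and stores the port in *out, or -1 on any rejection. */
int parse_allowed_port(const char *s, unsigned short *out)
{
    char *end = NULL;
    long v;
    size_t i;

    /* getenv() returns NULL when the variable is absent; atoi(NULL) is undefined. */
    if (s == NULL || out == NULL)
        return -1;
    /* Require a leading digit: strtol would otherwise skip whitespace and accept a sign. */
    if (!isdigit((unsigned char)s[0]))
        return -1;

    errno = 0;
    v = strtol(s, &end, 10);
    /* Reject overflow and trailing junk such as "8080abc", which atoi reads as 8080. */
    if (errno == ERANGE || *end != '\0')
        return -1;
    /* Range-check before narrowing: htons() takes a 16-bit value, so
       65616 (65536 + 80) would otherwise wrap around to port 80. */
    if (v < 1 || v > 65535)
        return -1;

    for (i = 0; i < sizeof ALLOWED_PORTS / sizeof ALLOWED_PORTS[0]; i++) {
        if (ALLOWED_PORTS[i] == (unsigned short)v) {
            *out = (unsigned short)v;
            return 0;
        }
    }
    return -1; /* well-formed, but not a port the application is meant to use */
}

int main(void)
{
    unsigned short port;
    /* Same CGI variable as Example 2; exit status 0 only for an allowed port. */
    return parse_allowed_port(getenv("remotePort"), &port) == 0 ? 0 : 1;
}
```

Only after this function returns 0 should the value reach `htons()` and `connect()`.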

Example 3

This example in PL/SQL / T-SQL gets a URL path from a CGI and downloads the file contained in it. If a user modifies the path or filename, it is possible to download arbitrary files from the server:

...
filename := SUBSTR(OWA_UTIL.get_cgi_env('PATH_INFO'), 2);
WPG_DOCLOAD.download_file(filename); 
...

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References