History of some Vulnerabilities and exploit techniques

History of some Vulnerabilities
.. And exploit techniques

whoami
Peter Magnusson
omegapoint.se

History of some Vulnerabilities
Intro
Lessons from 1974 & 1988
Buffer Overflows
Injections
XSS Cross Site Scripting

- intro -
History of some Vulnerabilities &
Exploit techniques

This is just a tribute. Couldn't remember
The Greatest Song in the World, no, no.
This is a tribute, oh, to
The Greatest Song in the World
Tenacious D – Tribute
http://www.youtube.com/watch?v=_lK4cX5xGiQ

• Defenders practicing STFUNDA
• Limited shared knowledgeSecret closed
mailing lists etc
• Often pointless/boringVendor/CERT style
info
• Attackers practicing STFUAttackers not
Bragging
What we know we don't know

1970-1988
1988-
1994
1994-
2009
2009-
Dark Ages Golden Days Cloudy days

1970-1988
1988-
1994
1994-
2009
2009-
Dark Ages Golden Days Cloudy days
securitydigest.org – liberating archives from old closed mailing lists 
(I haven't had nearly as much time to read this stuff as I would like to)

1970-1988
1988-
1994
1994-
2009
2009-
Early Days, .mil

1970-1988
1988-
1994
1994-
2009
2009-
CERT & vendors: "A potential security vulnerability
has been identified in X where, under certain
circumstances, user privileges can be expanded via Y
Morris Worm

1970-1988
1988-
1994
1994-
2009
2009-
Golden days! Bugtraq, Full Disclosure etc takes off
1998 – 2000 : It is not just OS/utilities any more…

1970-1988
1988-
1994
1994-
2009
2009-
No Free Bugs, APTs, Crimeware, 0-days, Spearphising

1970-1988
1988-
1994
1994-
2009
2009-
CERT & vendors: "A potential security vulnerability
has been identified in X where, under certain
circumstances, user privileges can be expanded via Y
Golden days! Bugtraq, Full Disclosure etc takes off
No Free Bugs, APTs, Crimeware, 0days galore
Morris Worm
Early Days

Great Historical Resources
• http://seclab.cs.ucdavis.edu/projects/history/
CD/
– Computer security as a discipline was first studied in the early 1970s, although the issues had
influenced the development of many earlier systems such as the Atlas system and MULTICS.
Unfortunately, many of the early seminal papers are often overlooked as developers (and sometimes
researchers) rediscover problems and solutions, leading to wasted time and development effort.
• http://securitydigest.org/
– This site is dedicated to preserving the history of early computer security digests and mailing
lists, specifically those prior to the mid 1990's. This includes the Unix 'Security Mailing List', through
to the Zardoz 'Security Digest' to the Core 'Security List', i.e. those preceeding BugTraq. These forums
are a valuable insight into the embryonic development of the field of computer security, especially as
it relates to the Internet, and the development of the Doctrine of Disclosure.
• http://seclists.org/
– Any hacker will tell you that the latest news and exploits are not found on any web site—not even
Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure
mailing lists such as Bugtraq.

- Lessons from 1974 -
Exploit techniques

1974 – Kager, Schell, USAF
USAF were amazing at computer security in the 1970ies!!!

- Lessons from 1988 -
Exploit techniques

Morris Worm was BIG! in 1988
• Infected most of internet
– Cross compiled for two main targets
• Exploited Buffer Overflow
• Exploited DEBUG backdoor in sendmail
• Exploited cracking weak passwords
• Basically, it was amazing & threatening.

1988 reactions to the Morris Worm
"So I've decided to take my work back underground,
To stop it falling into the wrong hands. "
– Prodigy, Music for the Jilted Generation, 1994
http://www.youtube.com/watch?v=kJ6jApzrExY

1988 #1. Create Restricted Mailing List
With the old security mailing list the only requirement was an OK from the
root of the system (other than home computers). I would like to suggest that
there would be a trusted group of people to
start the mailing list (mabye start with phage@purdue). People would need
someone who was on the list already to vouch for
them, an OK from the person's home root, and that their name be
circulated to the mailing list to see if anyone objects. I am suggesting these
additional requirements because I know of people (now in retrospect) that
shouldn't have been on the old list
who would not qualify with these additional requirements. I would also
suggest that there are no aliases (i.e. postmaster@moby.foo.bar) but mail
would be sent to individuals only.

1988 - #2. Security Repository
The are a number of sites who don't have source, yet
they want holes fixes. For some problems, it is easy
enough to patch a binary with adb, but for other problems that is not enough.
I would suggest a ftp site on the Internetthat would
keep binaries to patched programs. I would suggest Sun-3, Sun-4, and Vaxen
binaries. Possibly other machines (i.e. Pyramid, Sequent, Encore, HP) if there
seems to be enough of an interest.

1988 - #3. Get Vendors Involved
There should be at least one rep. from each
major UNIX box vendorwho would be responsible for
get fixes into releasesoftware. This doesn't seem to be
much of a priority with vendors right now. I think we should collectively
scream bloody murder until the see a
bit more responsiveness from our friends.

1988 - #4. Hole List
I think it *might* be a good idea to develop a list of
security holes that should be
checked. This list should have a very limited
circulation. This list should not live on the same machine as
the security mailing list of the archives. It should be mailed from a
system other than it's home (otherwise that machine become a prime
spot for breaking). On the other hand, having such a list might be too
risky.

What went wrong?
• 1970: USAF sats computer security cannot be
solved by secrecy
• -1988: Secret mailing lists with secrecy!
• 1988-: More secrecy!
– BAD: Focus on secrecy rather than information
– BAD: Everything seems adhoc, eg no search for
known vulns in products.
– Good: stated need for vendors, patches,
checklists.

1994: FULL DISCLOSURE
Secrecy didn't work
Vendors weren't proactive
Because the past had been repeated
20 years later, implementing 1974 advice

- Buffer Overflows -
Exploit techniques

Buffer Overflow
1972 1988 1996 2001 now
Computer Security Technology Planning Study:
"The code performing this function does not check the
source and destination addresses
properly, permitting portions of the monitor to be overlaid
by the user. This can be used to inject codeinto the
monitor that will permit the user to seize control of the machine."

Buffer Overflow
1972 1988 1996 2001 now
Morris Worm
Buffer Overflow in fingerd (gets) used to exploits
VAX unix.
Exploit payload executed /bin/sh

Buffer Overflow
1972 1988 1996 2001 now
Smashing the Stack For Fun and Profit
The first big easily understood guide on how to exploit.
Covered the popular Intel x86 machine code.
Now everyone learned buffer overflows!

Buffer Overflow
1972 1988 1996 2001 now
Code Red & other Windows Worms
Buffer Overflows hits Windows hard.
Again and again.
Bill Gatesposts Trustworthy Computing Memo in January 2002

Buffer Overflow
1972 1988 1996 2001 now
Mitigation Wars Buffer Overflows partially mitigated in
many modern operating systems (except embedded software which often is without
mitigations). Advanced exploits circumvents mitigations.
Most application developers do .NET and Java which are mitigated.
Offense: heap spraying, Info leaks, ROP, …
Defense: Stack Canaries, SafeSEH/SEHOP, DEP, ASLR, ROPGuard

Buffer Overflows
1972
First Documented (?)
Computer Security
Technology PS
1988
Rediscovered
VAX exploit
Morris Worm
1995
Rediscovered
Intel X86 exploits
Smashing the Stack for
Fun and Profit
2001
Massive exploitation
Windows worms
Trustworthy
Computing Memo
2013
Mitigation Wars
ASLR, NX, …
Infoleaks, ROP, Sprayi
ng

- Injections -
Exploit techniques

Injection
2000
JavaScript
Injection
(XSS)

Georgi Guninski security advisory #1, 2000
[…] But the following JavaScript is executed: <IMG
LOWSRC="javascript:alert('Javascript is executed')">
[…] for example displaying a fake login screen
[…] also possible to read user's messages, to send
messages from user's name and doing other mischief.
[…] It is also possible to get the cookie from
Hotmail, which is dangerous.

Injection
1998
SQL Injection
RFP: NT Web
Technology
Vulnerabilities
2000
JavaScript
Injection (XSS)

"And I didn't invent SQL injection.
I may have been one of the first to publicly explain it in tutorial fashion, but it
existed for as long as SQL itself existed; it was just that few people saw the
security implications of it. But that may be because SQL wasn't ubiquitous
like it is today, so it had limited impact in limited circles."
http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

Injection
1994
Major domo
os command
injection
1998
SQL Injection
RFP: NT Web
Technology
Vulnerabilities
2000
JavaScript
Injection (XSS)

Injection
1988
(Sendmail DEBUG
feature/backdoor)
1994
Major domo os
command
injection
1998
SQL Injection
RFP: NT Web
Technology
Vulnerabilities
2000
JavaScript
Injection (XSS)

Injection
1985
Unquoted shell…
1988
(Sendmail DEBUG
feature/backdoor)
1994
Major domo os
command
injection
1998
SQL Injection
RFP: NT Web
Technology
Vulnerabilities
2000
JavaScript
Injection (XSS)

- XSS Cross Site Scripting -
Exploit techniques

1995
JavaScript
introduced
Same Origin
Policy

1995
JavaScript
introduced
Same Origin Policy
199x
Browser
vulnerability
research
(Guniniski et al)
Silly XSS-ish abuse
of Guestbooks
and similar

1995
JavaScript
introduced
Same Origin Policy
199x
Browser
vulnerability
research
(Guniniski et al)
Silly XSS-ish abuse
of Guestbooks
and similar
2000
Guniniski:
JavaScript
Injection in
hotmail
Microsoft: Cross
Site Scripting
(Michael Barrett,
Marvin Simkin and
Toby Barrick
~1999?)
CERT: Malicious
HTML Tags
Embedded …

1995
JavaScript
introduced
Same Origin Policy
199x
Browser
vulnerability
research
(Guniniski et al)
Silly XSS-ish abuse
of Guestbooks
and similar
2000
Guniniski:
JavaScript
Injection in
hotmail
Microsoft: Cross
Site Scripting
(Michael
Barrett, Marvin
Simkin and Toby
Barrick ~1999?)
CERT: Malicious
HTML Tags
Embedded …
2002
Larholm: IIS
allows universal
CrossSite Scripting
(2005 Klein: DOM
Based XSS)

1995
JavaScript
introduced
Same Origin Policy
199x
Browser
vulnerability
research
(Guniniski et al)
Silly XSS-ish abuse
of Guestbooks
and similar
2000
Guniniski:
JavaScript
Injection in
hotmail
Microsoft: Cross
Site Scripting
(Michael
Barrett, Marvin
Simkin and Toby
Barrick ~1999?)
CERT: Malicious
HTML Tags
Embedded …
2002
Larholm: IIS
allows universal
CrossSite Scripting
(2005 Klein: DOM
Based XSS)
2010
Content Security
Policy

RANT
What infosec guys do best?

<rant></rant>
• Security pros are brilliant at not knowing what
security knew 10-20 years ago.
– Security by secrecy have not worked very well
– Dealing with trust & "need to know" on an internet
scale is hard.
• Security wasted 20+ years in addressing the
insane level of Buffer overflow problems.
• Vendors aren't doing enough has been said since
at least 1988. SDL is bringing some change since
2003 !

<rant></rant>
• Easy to rant about the past.
– What about today?
• AppSec – YOU make the software, no vendor.
– That's a big change.
• What contemporary fails will people rant
about in 2043?

TAKE AWAY
What you might consider learning
from this exercise

Try to avoid wasting 20 years of
knowledge again
Take Away

Don't be the next "vendor" claimed
to do nothing preemptively. Work
on reducing your vulnerabilities.
Take Away

History of some Vulnerabilities and exploit techniques

More Related Content

Viewers also liked (14)

Similar to History of some Vulnerabilities and exploit techniques (20)

Recently uploaded (20)

History of some Vulnerabilities and exploit techniques

Editor's Notes