Chapter 11  ■ Attacking Application Logic  363

364

Chapter 11 

■

Attacking Application Logic

The Assumption

The developers were certain that they had devised a robust defense against

command injection attacks. They had brainstormed every possible character

that might assist an attacker, and had ensured that they were all properly

escaped and therefore made safe.

The Attack

The developers forgot to escape the escape character itself.

The backslash character is not normally of direct use to an attacker when

exploiting a simple command injection flaw, and so the developers did not

identify it as potentially malicious. However, by failing to escape it, they pro-

vide a means for the attacker to defeat their sanitizing mechanism altogether.

Suppose an attacker supplies the following input to the vulnerable function:

foo\;ls

The application applies the relevant escaping, as described previously, and

so the attacker’s input becomes:

foo\\;ls

When this data is passed as an argument to the operating system command,

the shell interpreter treats the first backslash as the escape character, and so

treats the second backslash as a literal backslash — not an escape character but

part of the argument itself. It then encounters a semicolon that is apparently

not escaped. It treats this as a command separator and so goes on to execute

the injected command supplied by the attacker.

HACK STEPS

Download 5,76 Mb.

Do'stlaringiz bilan baham: