COMMON VULNERABILITIES
Buffer Overflow
The details depend on the machine, operating system, programming language, and software under attack.
It is used to crash a program, make the program malfunction, or take control of the execution of a program.
Analyzing one requires reverse engineering: the machine instructions of the program as well as its dynamic behavior, such as the process stack and the values in registers.
Languages lacking an internal array bounds checking mechanism are prone to buffer overflow vulnerabilities (e.g. the memcpy(), strncpy(), memset() functions in C/C++).
The attacker writes a seemingly meaningless string (in fact a sequence of binary instructions) into a buffer on the stack, making it overflow the allocated space and overwrite what lies beyond it, including the return address of the function (also on the stack).
The seemingly meaningless string may be a piece of code that loads a certain DLL responsible for creating user accounts and passes the necessary credentials as parameters to its function.
When the function finishes, the overwritten jump (return) address is used as the location of the next instruction to execute, so control passes to the injected code.
How to avoid the attack?
The programmer could always make the necessary bounds checks.
A language that does bounds checking internally, such as Java, could be used.
The programmer can make sure the libraries used are safe.
Some systems (Mac OS X, FreeBSD) designate an executable memory region and do not allow data in any other region to be executed.
Code Injection
Usually appears in WWW applications
Depends on providing executable strings in form fields or URL parameters.
Caused by a configuration mistake and/or a naive programmer.
<?php
// Deliberately vulnerable sample: the user-supplied name is spliced into
// a string of PHP source code which is then evaluated.
$name = $_GET["name"];
$welcome = "Hello $name how are you today";
eval("\$welcome = \"$welcome\";");   // whatever $name contains becomes part of the executed code
echo $welcome;
?>
How to avoid the attack?
The programmer must be careful about using functions like eval(), fopen(), etc.
Strings obtained from the user must be cleared of special characters such as double quotation marks and less-than and greater-than signs, for example by replacing them with their ASCII character codes.
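The following Python example is added here to illustrate the code injection pattern of the PHP sample above and the two defences just listed; it is not code from the original notes. It assumes a greeting built with exec() (the Python counterpart of eval()) and a constructed hypothetical visitor name; the neutralize() helper implements the advice of replacing the special characters with their ASCII character codes.

```python
# Added example: code injection through evaluated strings, and its fix.

# Characters the notes single out, mapped to numeric character references
# built from their ASCII codes (34, 60, 62, 39), so they are displayed but
# never interpreted by the evaluator or a browser.
SPECIAL = {'"': "&#34;", "<": "&#60;", ">": "&#62;", "'": "&#39;"}


def greet_vulnerable(name: str) -> str:
    """Mirror of the PHP sample: the user's text is spliced into source code
    that is then executed, so anything inside `name` is treated as code."""
    code = f'welcome = "Hello {name} how are you today"'
    scope: dict = {}
    # Builtins are restricted to keep the demonstration harmless; the point
    # is only that the user chooses part of the program that runs.
    exec(code, {"__builtins__": {"str": str}}, scope)
    return scope["welcome"]


def neutralize(text: str) -> str:
    """Replace each special character by its numeric (ASCII code) reference."""
    return "".join(SPECIAL.get(ch, ch) for ch in text)


def greet_safe(name: str) -> str:
    """No eval(): the user's text is data, formatted into a fixed template
    after the special characters have been neutralized."""
    return f"Hello {neutralize(name)} how are you today"


def demo() -> tuple:
    # Constructed sample input: a name that closes the string literal and
    # splices in an expression (a harmless one here, 6 * 7).
    injected_name = '" + str(6 * 7) + "'
    return greet_vulnerable(injected_name), greet_safe(injected_name)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("eval-based greeting :", vulnerable)  # the expression was executed
    print("escaped greeting    :", safe)        # the text is shown verbatim
```

The vulnerable version returns "Hello 42 how are you today": the injected expression ran. The safe version returns the visitor's characters as harmless references, which is the behaviour the two mitigation bullets describe; removing eval() altogether is the stronger of the two.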
SQL Injection
Depends on providing SQL fragments that make the WHERE condition true in any case.
Caused by a programmer's mistake.
SELECT username FROM UserList WHERE name='somename' AND pass='somepass'
What if the fields are obtained from a form and the attacker provides "' OR '1'='1" as the password?
SELECT username FROM UserList WHERE name='somename' AND pass='somepass' OR '1'='1'
How to avoid the attack?
Always check the string provided by the user for special characters such as quotation marks.
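As an added example (not code from the original notes), the Python script below runs the UserList query of the slide against a constructed in-memory SQLite table, once assembled by string concatenation and once as a parameterised query, and includes the quotation-mark check recommended above. The table contents, the user names and the passwords are constructed sample data.

```python
# Added example: the slide's SQL injection, a parameterised fix, and the
# quotation-mark check, run against a constructed in-memory database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample UserList table with the columns used on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (username TEXT, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO UserList VALUES ('alice', 'alice', 'correct horse')")
    conn.execute("INSERT INTO UserList VALUES ('bob', 'bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Query built by string concatenation, exactly as on the slide: whatever
    the user typed becomes part of the SQL text, so a quote in the password
    ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT username FROM UserList WHERE name='{name}' AND pass='{pw}'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """Parameterised query: the values travel separately from the SQL text,
    so the database never parses user input as part of the statement."""
    query = "SELECT username FROM UserList WHERE name=? AND pass=?"
    return [row[0] for row in conn.execute(query, (name, pw))]


def has_quote(text: str) -> bool:
    """The slide's advice: flag user strings containing quotation marks.
    Useful as an input check and as a detection signal in request logs;
    the parameterised query is what actually removes the vulnerability."""
    return any(ch in text for ch in "'\"")


def demo() -> dict:
    conn = make_db()
    # Constructed attacker input from the slide: the password closes the
    # literal and appends a condition that is always true.
    bad_pw = "wrong' OR '1'='1"
    return {
        "vulnerable": sorted(login_vulnerable(conn, "alice", bad_pw)),
        "safe": login_safe(conn, "alice", bad_pw),
        "flagged": has_quote(bad_pw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

With the concatenated query the always-true clause makes the WHERE condition match every row, so the login succeeds and even leaks every username; the parameterised query returns nothing for the same input and still accepts the real password.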
Finding Backdoor
Sometimes system administrators put a netcat backdoor in their system. While scanning a system with netcat you may find some unknown service running at a weird port number.
Sometimes you have to scan the system again after you have taken some action, because the action you took may result in another unknown service.
Apache Indexing
If enabled, Apache indexing allows you to move around the folders/files on the system.
Whenever you get that chance, move around the file system to look for unusual files.
One problem is that you cannot see the source code of executables like .asp or .php files. However, sometimes there are backup files generated by editors, and you can view the content of those files and thereby the source code of the executables.
By analyzing the source code you can get ideas, for example how to upload an executable PHP or ASP file that you created; after uploading, when you request that file its content will be executed.
Hacking Webmin
Webmin is a tool used to manage a system via WWW.
Since it is used to configure both the operating system and tools such as the web server, database server, etc., it has root privileges.
It is known that a version of Webmin cannot handle very long strings containing many (..) parent directory references in the URL.
Hackers exploit this by providing a very long URL string appended with the path of the file they want to obtain. Webmin cannot handle the string and returns the content of the file that the hacker intended to get.
Username Password Guessing
Some people do not set a password to their accounts or use easy to guess passwords.
Some other people use default usernames such as "admin", "administrator", "sa".
It is worth trying default usernames with no password.
One of my professors' computers was hacked because his user name was Administrator and he had not set any password.
Especially if you succeed in logging in to software running with root privileges, such as MS-SQL Server or MySQL: both allow you to execute an external system command. Then maybe you can create an account for yourself.