CC V

by H1kari, BasharTeg, CommPort5

Sample code available here.
You must also download the template session capture file available here.

5b. Automatic Exploit Discovery -
1. Identify classifications of common software bugs as specifically as possible
2. Name a theoretical example of each bug, ideally in "ASCII over TCP" protocols
3. Describe an algorithm for automating remote detection of those bugs in client-server software. Assume that you have a working copy of server software, captured images of valid transactions and reasonable hardware. Ideal situations will need no knowledge of the protocol grammar beyond word and seperator characters.

The Answers -

a1. Failure to validate input buffer lengths
a2. In POP3 authentication, username input may not be length-validated.
a3. Most buffer overflows can be detected in ASCII protocols by replaying a captured session repeatedly, replacing one word each time with a 4097 character word.
- check for disconnect

b1. Fencepost a.k.a. Off by one counting errors
b2. In POP3 message retrieval, there could be an off-by-one error in the number of retreivable messages.
b3. Off-by-one errors can be detected by replaying a captured session with each numeric client-side word replaced with each previously seen numeric server words.
- check for different response

c1. Null Pointers, Dereferencing, Page Fault
c2. In POP3, deleting or retreiving message 0 without checking, or executing commands out of order might cause null pointers to be used.
c3. Null Pointers can be detected by replaying a captured session and executing the commands in a different order, or by replacing numerical words with 0 or negative numbers.
- check for disconnect

d1. Race Conditions
d2. In POP3 race conditions may occur when mail is received or removed and counters are modified while being read or written to by other connected clients.
d3. Race Conditions can be detected by replaying a captured session in a control process and executing other captured sessions with the commands put in various orders at the same time and looking for unexpected results. (e.g., run your control process without a second test process, then re-run with the test process running concurrently and check for deviations with the results).
- check for deviations

e1. Using uninitialized variables/memory
e2. In POP3 validation of protocol order may not be checked, sending your password before username or executing commands out of order may cause uninitialized variables to be used.
e3. Using uninitialized variables/memory can be detected by replaying a captured session with the client-side commands put in different order.
- check for disconnect

f1. Poorly implemented input matching
f2. In HTTP, failure to check filenames that might attempt a directory traversal ".." or unexpected characters or strings passed to cgi applications.
f3. Poorly implemented input matching can be detected by replaying a captured session with each word replaced with unexpected input characters depending on the protocol. (e.g. "..", file globbing characters -- "*, ?, +, [, ]", regex matching characters -- "+, *, ?, ^, $, (, ), {, }, [, ]", format string vuln characters -- "%s, %d, %p, %n, etc", common exec exploitation characters -- ";, <, >, |, ", '", null and non-ascii characters)
- check for different response

g1. Memory leaks (not freeing dynamically allocated memory)
g2. In POP3, if memory for each message is not freed and numerous messages are read, it could cause denial of service.
g3. Memory leaks can be detected by replaying a captured session and repeating a command numerous times while checking latency and availability.
- check for latency or disconnect

h1. Mixing signed and unsigned number variables
h2. In HTTP, sending an negative number as the byte count (Content-Length) for a POST, assuming the httpd uses a signed variable with the byte count. (which would check out fine if the program checks to see if the content-length is < the bytes read) And in turn if it set the length variable for the POST buffer to the negative number, it could cause the processing function to read more data than is supplied.
h3. Improper mixing of signed and unsigned number variables can be detected by replaying a captured session with all numerical words inverted to their negative equivalent, or positive equivalent if negative.
- check for different response

i1. Failure to resolve escapes before validating
i2. In HTTP, failure to resolve unicode, specialchars, and other http escaped characters before input matching.
i3. Failure to resolve escapes before validating can be detected by replaying a normal session as well as all input matching sessions with all characters escaped.
- check for different response