Know your vulnerabilities
By Joe Guerra, M.Ed, CySA+, C|EH, Cybersecurity Instructor, Hallmark University
Software is omnipresent, even in areas you wouldn’t envision
Software so effortlessly meshes into the cloth of modern life that it blends into our everyday existence without notice. We constantly work with software in everyday of our lives that has technology embedded in it, from our tedious everyday actions—as we drive to the job in our automobiles, as we purchase groceries at the local market, as we withdraw money from the local bank, and even when we listen to our tunes or call a friend. Therefore, software needs the attention of security in its development.
Software security risks are ubiquitous. And in an age of cybersecurity risks, they affect everyone — people, organizations, nations, etc.
I probably don’t need to devote much time convincing you that security flaws in software are normal and that it is imperative to look out for them. However, many developers do not comprehend how prevalent the issue of insecure software really is.
Cyberattacks have been in the news the past decade. Duqu and Stuxnet had the industry talking in 2010 and 2011. And cyberattacks have only expedited since then. WannaCry struck vital systems in 2017, including Britain’s National Health Service. And GitHub was struck by a denial of service (DoS) attack in early 2018.
These attacks were done with the revelation of exploiting a vulnerability in the software. A software vulnerability is a bug, error, or fault present in the software or in the Operating System. The issue of software vulnerabilities has advanced at an unstoppable rate as software/firmware is everywhere. Of course, all technology has vulnerabilities. The concern is whether or not they’re subjugated to exploits to cause harm.
Software vulnerabilities are illuminated by three ultimate factors.
- Presence – The existence of a flaw in the software.
- Control Access – The possibility that hackers acquire access to the flaw.
- Exploitability (Risk) – The capability of the hacker to take gain of that flaw via tools or techniques.
Every day, numerous organizations are seeing vulnerabilities in their code exploited.
Software is at the origin of all collective computer security complications. If your software act ups, a number of miscellaneous sorts of difficulties can crop up: dependability, accessibility, security, and safety. The additional kink in the security condition is that an attacker is aggressively attempting to adjust your software to misbehave. This surely brands security as a tricky proposition.
There are many software glitches out there and your software vulnerabilities will be different than someone else’s. So it is imperative to get involved and examine your own software that you are utilizing. In order to build or examine secure software, it is indispensable to have an understanding of software vulnerabilities. Here, are three examples of some of important, and dangerous, vulnerabilities.
SQL injection is a technique in which SQL code is introduced or attached into application/user input constraints that are later executed to a back-end SQL server for implementation and execution. Any process that builds SQL statements could possibly be susceptible to this type of attack, as the assorted environment of SQL and the approaches available for building it provide a treasure of coding selections. The main form of SQL injection comprises of direct insertion of code into limits that are combined together with SQL code and implemented.
In this instance, you are going to try to insert your own SQL commands by attaching them to the input parameter val. You can execute this by affixing the string ‘OR ‘1’= ‘1 to the URL:
- http://www.targetvictim.com/products.php?val=100’ OR ‘1’=‘1
The SQL command that the PHP code forms and performs will reveal all of the products in the database irrespective of their price. This is the result of you altering the rationality of the query. This happens because the attached command results in the OR operand of the query always returning true, that is, 1 will always be equal to 1.
Here is the SQL code that was built and performed:
WHERE Price < ‘100.00’ OR ‘1’ = ‘1’
ORDER BY ProductDescription;
There are countless methods to exploit SQL injection vulnerabilities to attain numerous goals; the achievement of the attack is usually very dependent on the fundamental database and interrelated systems that are under attack. Occasionally it can take a tremendous amount of skill and persistence to exploit a flaw to its full effect.
OS Command Injection flaws happen when software implements user-manageable information in a command, which is controlled under the shell command terminal. If the data is unrestricted, an attacker can utilize shell metacharacters to modify the command that is intended to be executed. This fault is programming language independent.
There is a multitude of avenues to exploit a command injection:
- injecting the command enclosed in backticks, for example `id`
- readdressing the result of the first command into the second | id
- executing another command if the first one works: && id (where & needs to be encoded)
- Executing another command if the first one flops (and making sure it does: error || id (where error is just here to cause an error).
It’s also feasible to implement the same value technique to operate this type of detection. For example, you can substitute 123 with echo 123`. The command enclosed in backticks will be performed first, and return precisely the same value to be implemented by the command.
In programming, a buffer is a zone that is utilized to stock data temporarily during the application execution. The size of the buffer is typically fixed. Once the application exits, the contents of the buffer are also cleared.
In a buffer overflow attack, the buffer is occupied with additional data than it can hold or handle, producing the application to operate abnormally. Hackers implement this type of attack to acquire reverse shells into a target computer by inserting shellcode as the payload.
Buffer overflows are usually implemented when the attacker figures out you have no controlled allocation of your memory.
Lets’ look at a classic example in C programming:
The program below gives a situation where an application expects a password from the user and if the password is accurate then it applies “root privileges” to the user.
The program runs as expected if you supply the correct credentials.
However, in this program lies the undiscovered flaw of the possibility of a buffer overflow attack. The gets() function in C does not account for implementing checks for the array size. This means that we can write a longer string larger than the buffer size. Now, can you comprehend through this basic example of the damage that can arise with this type of loophole?
The origins of software defects
From where do these problems arise? Developers writing custom applications for corporations to utilize internally or on the web, programmers employed at software development firms that create money-making off-the-shelf programs, programmers employed in the public domain, and those freelancing coding and emancipating flawed code—all agonize from the same ultimate dilemma: They all suffer from the same human condition that “they don’t know any better “ because they were “never taught” how to write secure and resilient code for their applications.
Software is inherently insecure in various types of vulnerabilities unless the developer makes a mindful effort to avert these vulnerabilities. If the programmer forgets to include suitable “output encoding procedures” and “input validation techniques”, the application will surely be vulnerable to certain exploits. The software may appropriate and suitable for its purpose just as the developer intended it to perform, but it may never have been verified and validated to see how it works when it’s being served malicious input or is directly attacked.
About the Author
Joe Guerra, M.Ed, CySA+,C|EH, Cybersecurity Instructor, Hallmark University .Joe Guerra is a cybersecurity/computer programming instructor at Hallmark University. He has 13 years of teaching/training experience in software and information technology development. Joe has been involved in teaching information systems security and secure software development towards industry certifications. Initially, Joe was a software developer/instructor working in C and Python projects. He is constantly researching attack techniques, forensic investigations and malware analysis. He is focused on training the new generation of cyber first responders at Hallmark University.
Joe can be reached online at (Jguerra2@hallmarkuniversity.edu) and at our University website http://www.hallmarkuniversity.edu/