Archive for June 12th, 2008

12
Jun

I feel fuzzy

   Posted by: Joshbw    in Security Tools

Apple just released an update for quicktime, no surprise there. Doing some digging I found the five security issues patched:

Playing maliciously crafted QuickTime content in QuickTime Player may lead to arbitrary code execution

Viewing maliciously crafted Indeo video media content may lead to an unexpected application termination or arbitrary code execution

Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

Opening a maliciously crafted AAC-encoded media content may lead to an unexpected application termination or arbitrary code execution

Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution

Five exploits, all in how a variety of media (video, audio, and picture) parses code. This tells me two things pretty much immediately- 1) Apple does not do a great deal of Fuzz testing on their formats, but researchers are happy to do so for them and 2) if I do fuzz testing on quicktime myself I will probably find something exploitable as well.

Fuzzing is a horribly brute force method for security testing. It requires a lot of work to wire things to adequately monitor an application (you want to see memory spikes, process spikes, and all of the myriad of crashes) and automate the loading of media. Regardless, it is very effective at breaking parsing and validation code. Microsoft requires 100,000 iteration on all parsed formats. For complex formats (office docs, media files), they basically never stop. Apple would be well served by doing the same (or caring about security at all).

Fuzzing is also applicable to web apps. They process an immense amount of data from end users, and other than specific known attacks done by pen testers, most companies don’t seem to test for various malformed input. The problem is that it is very hard to detect where and why something failed when fuzzing a remote machine. It would be nice to see a good distributed testing harness that can monitor the application state on the server and produce decent debugging logs.

~ Joshbw

No Comments
12
Jun

User generated output

   Posted by: Joshbw    in Browser/Web Security

We all encounter websites that accept user generated comments and this is often a a source of cross site scripting. In the past couple of weeks I have contacted two larger websites about this. In many cases there is a simple solution- whitelist input validation (which becomes slightly more complex if supporting internationalization) and output HTML entity encoding.

In ASP.Net a simple call to System.Web.HttpUtility.HtmlEncode will handle the output encoding for you. I actually like PHP’s htmlentities function a bit more, as you have control over how quotes are encoded and can additionally choose a character set (I very rarely can praise PHP over ASP.net, but they deserve credit for that). Java apparently doesn’t have a native method for entity encoding, which is dumb, but the nice folks at OWASP have provided a method. One caveat, like much of the OWASP material it is very UTF-8 centric, so it is less than optimal for international support and alternate character sets.

The problem is that many websites like customers to be able to supply some HTML that does render. Social networking sites love all the nice HTML based output that a billion online quizzes generate, and users like to be able to have some formatting other than plaintext (wiki does this right with their custom markup). That shoots whitelist validation of characters right down, and prevents entity encoding. Instead it requires custom parsing to validate which tags are used, and further parsing to make sure they aren’t used in a dangerous way. For example <a href=”something” onmouseover=”alert(’Give me a cookie’);”>this is pertinent </a> needs to be parsed to make sure that nothing malicious was in the legitimate attack. It isn’t as simple as just blacklisting any use of on* to stop events, since many of these sites want style tags to be used as well (I can’t imagine why, someone can do serious defacement this way), and good ol’ IE has this nice Expression value that can execute javascript inside of the style (the problem with this microsoft, is that the only people who use it anymore are people misusing it).

When one includes all of the myriad of ways to use encoding to obfuscate attacks, accepting selective HTML, especially if you accept more than just UTF-8 input, results in a seriously complex validation engine. Complexity is the enemy of security. Both of the websites I contacted (having used an isolated test area impacting only me- remember kids, it isn’t ok to do web vulnerability testing where you can ever impact another user) accepted some HTML tags and had flaws in how they validated them.

~Joshbw

No Comments
Back to top