LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

May 07, 2009

Command Injection In Java on Windows: 100% Proven that it is 100% Possible (in Certain Cases)

By Dan Cornell

So Alex Smolen's blog post about command injection in Java and .NET has had me writing some little test cases over the past couple of days (Java command injection, .NET command injection).  When I ran some tests in Java on OS X it looked like simple approaches to command injection weren't effective.  Fantastic!

But wait a minute.  WebGoat has a command injection lesson.  And it is written in Java.  What gives?

So I went and dug through the WebGoat 5.2 code and found that they're playing a little bit of dirty pool - they look through the attack payloads passed in and run some checks and do some other stuff.  Oh, and they make calls to cmd.exe which can chain further calls.  So you actually can inject commands in Java on Windows if you're calling the right original executable.  Not good!

So I updated the previous test code to check for the operating system and run different commands on UNIX versus Windows.  And after some tweaking of the intended.bat and exploit.bat batch files I got new results that did allow me to run multiple commands via a single call to System.getRuntime().exec().  Yikes!  Batch files and commands using cmd.exe can be command injected.

I've uploaded updated test code here:

http://www.dancornell.com/files/JavaCommandInjection_v1_1.zip

So:

  • Command injection in Java on OS X: seemingly hard and merits further testing, but be careful if you are making calls to shells like /bin/sh
  • Command injection in Java on Windows: not hard if you are running a command that can load other commands - like cmd.exe or batch files (which run via cmd.exe)

The reason I got into Java in the first place was "write once, run anywhere"  That might never have worked as well as Sun had promised, but it was a great goal and Java does it much better than C/C++.  Seeing the results of this testing makes for a great lesson: "Do the right thing - even if you think you don't have to."  Also known as: "Defense in depth."

As is often the case, "Doing the right thing" in this case means:

  • Positively validate inputs - type, length, composition, business rules
  • Properly encode outputs when they get sent to interpreters

Successful testing finds bugs, but cannot prove a lack of bugs.  In this case the test code demonstrates that you can cause command injection by including "&" and perhaps "&&" characters in your commands if the original executable supports chaining other calls.

The test system is running Windows XP SP2 and the Java environment is Java SE Runtime Environment (build 1.6.0_11-b03) Java HotSpot(TM) VM (build 11.0-b-16, mixed mode, sharing)

Next up: more testing.

--Dan
dan _at_ denimgroup.com

May 07, 2009 in .NET Users Group, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Java, Open Source, OWASP, Security, Static Analysis, Visual Studio, Web Application Security, Web/Tech | | Comments (2) | TrackBack (0)

May 06, 2009

Command Injection in .NET: 82% Proven that is 98% Impossible

By Dan Cornell

So I decided to also slap together a .NET version of the Java command injection testing thing I posted yesterday in response to Alex Smolen's blog post on .NET and Java command injection.  It is up online here:

http://www.dancornell.com/files/DotNetCommandInjection.zip

.NET looks to be similarly resistant to command injection.

Also, "Jordan" posted a comment to the previous post:

One quick way to verify Java isn't vulnerable is to see which native functions it's using. On Linux, use strace -f java [...]/Main on your test app and look for exec or system. Yup, we see execve -- safe calls.

I suppose you could do it that way.  If you wanted the easy way to find out what was actually going on.  But then you wouldn't get to write any crudimentary Java code - and what fun would that be?  That's actually a great idea.

Does that mean that you don't need to validate input that is being sent to command interpreters on Java and .NET?  No.  Failing to do this can still give attackers control over command line arguments and filenames.  Plus there may be other ways to break out of this that my 60 lines of Java or C# test code and 15 test cases didn't find.  (What a surprise that would be!)  Sleep a little better at night.  But not too well.

--Dan
dan _at_ denimgroup.com

May 06, 2009 in .NET Users Group, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Java, Microsoft, Open Source, OWASP, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 27, 2009

Houston TechFest Slide Deck Online

By Dan Cornell

The slide deck from my talk at Houston TechFest is now online: Static Analysis Techniques for Testing Application Security.  Also see my previous post about the trip there.

--Dan
dan _at_ denimgroup.com

January 27, 2009 in .NET Users Group, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 26, 2009

The Road to Houston TechFest

By Dan Cornell

I was up in Houston last weekend for the rescheduled Houston TechFest.  The hurricane delayed this from the original date, but the event was still packed.

I flew into Houston for the day to give my talk on Static Analysis Techniques for Testing Application Security.  Unfortunately, when I was headed to my early-morning flight, I noticed that the airport had been overrun by birds:
IMG_0193
Yikes!  I didn't know who my pilot was, but I wasn't convinced he would be able to successfully land a 737 in the San Antonio River.  After all, the Hudson is a little wider than the Riverwalk...

Fortunately I made it to Houston all right and checked in with the TechFest folks.  The event was at the University of Houston so I went to the bottom of the student center where the event was being held to try and get some work done before my talk.  I soon found myself trapped between a bunch of martial arts students:
IMG_0195
And some folks playing "Magic - The Gathering" :
IMG_0196
No offense to the "Magic - The Gathering" crowd, but I had to cast my lot with the martial arts folks.  Cards representing elven chain mail and whatnot are no match for a crowd of folks ready to break actual bricks with their hands.

Fortunately everyone got to remain friends and I made it to my talk unscathed.

There was a great group there and we had some great questions such as:

  • Does the fact that most .NET static analysis tools rely on decompiling MISL make .NET, as a language, less secure than Java? (Both Java bytecodes and .NET MSIL are pretty easy to decompile, so there aren't a ton of differences there.  .NET static analysis tools usually use MSIL binaries because .NET code exists in a variety of languages and it is easier to write one parser/decompiler for MSIL that will work for all .NET languages wheras Java bytecode is almost always compiled from Java source code, thus making Java source or Java bytecode reasonably equally attractive choices for tool builders.)
  • Are there any subsets of PMD rules that are best for running security checks? (There are security-specific PMD checks, but they are mainly related to API misuse.  I don't know of any collection that includes the explicit security rules along with rules from other categories that often have security implications.)

One thing I talked about Saturday that was relatively new was the OWASP Open Review Project (ORPRO) which provides advanced static analysis capabilities for open source projects.

Overall it was a great session and I will be posting the slide deck shortly.

--Dan
dan _at_ denimgroup.com

January 26, 2009 in .NET Users Group, Application Security Tools, Blogs, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Science, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 06, 2007

MSDN Magazine: Security Issue

November07coverlg

By Dan Cornell

This month's MDSN Magazine issue is the annual Security issue.  There are some great articles in there on:

Check it out!

-Dan
dan _at_ denimgroup.com

November 06, 2007 in .NET Users Group, Application Security Tools, ASP.NET 2.0, Dan Cornell, Denim Group, Information Security, Microsoft, Security, Visual Studio, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)