Software Security Part 3 - Attack Patterns

Slide 3

Observability is the probability that a failure will be noticeable in the output space. The greater the observability, the easier it is to test a given piece of software. Exploiting software encompasses the idea of observability, especially when we think about remote exploits. The basic idea is to gather as much information about a program’s possible internal states as possible, both statically while it is being constructed and dynamically while it is running. Vulnerabilities are grouped together by central characteristics and give rise to particular attack patterns. This is based on the following premise: related programming errors give rise to similar exploit techniques. Such information is useful both in defending systems and in attacking them. Finding design-level flaws is not only hard to do, but particularly hard to automate. Error detection code is usually present in each object and method, and error-handling code is usually separate and distinct from the detection code. This makes it quite difficult to determine whether a given error handling and recovery design is secure. Modern systems are complex and involve interactions at many different levels. High-level applications call directly into very low-level OS constructs, more often than many people think. Ultimately, environment really matters, and trying to treat code separate from the environment is doomed to fail.

Slide 4

An attack starts with breaking rules and undermining assumptions. One of the key assumptions to test is the “implicit trust” assumption. Software is a matrix of decisions. Some of the code locations in the program make branching decisions based on user-supplied data. An attacker must carefully craft attack input as data to be presented in a particular order. Each bit of data in the attack is like a key that opens a code path door. In this way, exploiting software is like picking locks. The complete attack is like a set of keys that unlocks the internal code paths of the program, one door at a time. Note that this set of keys must be used in the precise order. Reverse engineering is an excellent approach to ferreting out assumptions, especially implicit assumptions that can be leveraged in an attack.

Slide 5

An attack pattern is a blueprint for exploiting a software vulnerability. A particular exploit usually amounts to the extension of a standard attack pattern to a new target. The most important thing to understand about a basic attack pattern is the distinction between the injection vector and the payload. A good exploit will not only break the code, but will also leverage problems to execute some payload code. The trick is to use the flaw or bug to drop a payload into place and start it running. Injection vector: the format of an input-driven attack. The goal of the injection vector is to place the attack payload into a target activation zone. Injection must also produce feedback events so that we can observe attack behavior. Feedback events are instrumental in determining whether an attack is succeeding.

Slide 6

Logical steps of an attack. Qualify the target, mainly to learn what input points exist: network scanning, OS stack identification (mainly to determine the type and version of the operating system), port scans, traceroute and zone transfers, target components. Figure out the kinds of transactions that are accepted at the input points. Use attack patterns to construct malformed but “legal” transactions that manipulate the software in interesting ways. Once a vulnerability is discovered, you can try to exploit it and thereby gain access to the system (or do other “evil” things). Planting backdoors. Remove any trace of observable effects caused by the successful exploit.

Slide 7

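Reconnaissance: active, passive. Scanning. Gaining access: operating system level, application level, network level, denial of service. Maintaining access: uploading programs or data, downloading programs or data, altering programs or data. Hiding, clearing tracks, and installing backdoors.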

Slide 8

Reverse engineering is the process of creating a blueprint of a machine to discern its rules by looking only at the machine and its behavior. A reverse engineer requires a deep understanding of both the hardware and the software, and how it all works together.
Advantages of reverse engineering: learn the kind of system functions a target program is using; learn the files the target program accesses; learn the protocols the target software uses and how it communicates with other parts of the target network. You can change a program’s structure and thus directly affect its logical flow (a common application is cracking software registration schemes). It is very important to seek legal counsel, especially if you represent a company that cares about its intellectual property.
Tools: debugger (user-mode debugger, kernel-mode debugger); fault injection tool (host-based fault injectors, network-based fault injectors); the disassembler; the decompiler.
Approaches to reverse engineering. White box analysis: white box analysis involves analyzing and understanding source code. Using static analysis methods on source code (or binary code) is a good approach to exploiting some kinds of software. Black box analysis: black box analysis refers to analyzing a running program by probing it with various inputs. Black box testing is possible even without access to binary code. Black box testing cannot exhaustively search a real program’s input space for problems because of theoretical constraints, but a black box test does act more like an actual attack on target software in a real operational environment than a white box test usually can. Gray box analysis: gray box analysis combines white box techniques with black box input testing. In a typical case, white box analysis is used to find potential problem areas, and black box testing is then used to develop working attacks against these areas.

Slide 9

A typical approach uses a mixture of methods when decompiling and examining software. The best method mix depends entirely on your goals.
Methods. Tracing input: although determining all input points takes a great deal of time if you do it by hand, you have the opportunity to note every single code location that makes decisions based on user-supplied data. Using this method you can find very complex problems. Static analysis tools can help an analyst (or an attacker) identify all possible input points and determine which variables are affected from the outside. Exploiting version differences. Making use of code coverage: code coverage is an important type of measurement, perhaps the most important. Code coverage is a way of watching a program execute and determining which code paths have been exercised. By using coverage analysis, you can immediately learn what you have missed. Using code coverage gives the clever reverse engineer a map for tracking progress. Assessing the kernel. Leaking data in shared buffers: any buffer that is used for both public and private data has the potential to leak information. Auditing for access requirement screwups. Using your API resources.

Slide 10

The easiest and quickest method for reverse engineering code is known as red pointing. Two things combine to make a red point in the target code: a weak location with a potentially vulnerable system call, and user-supplied data that flow to and are processed at the location. Without performing an explicit, detailed input trace, the dynamic process outlined here is part luck. A little experience helps in finding possible weak locations and deciding what input might get processed at a given target location. The big downside to red pointing is that it tends to miss all but the most trivial of bugs.

Slide 12

One very common assumption made by developers and architects is that the users of their software will never be hostile. Unfortunately, this is wrong. Another common mistake is a logical fallacy based on the idea that if the user interface on the client program doesn’t allow for certain input to be generated, then it can’t happen. Wrong again. Any raw data that exist outside the server software cannot and should not be trusted. For this reason, secure programming practice can never include solutions based on hidden fields or JavaScript form validation. One basic problem involves the use of a “black list” to filter and remove “bad input”. A much better approach is to specify what inputs should be allowed in a “white list.” Remove the client from the communications loop by talking directly with the server. Explore to determine what the server will and will not accept as input. Masquerade as the client.

Slide 13

Certain components of a system have trust relationships with other parts of the system. Some of these trust relationships offer “trust elevation” possibilities; that is, these components can escalate trust by crossing internal boundaries from a region of less trust to a region of more trust. System boundaries often present the greatest areas of weakness in a target. Vulnerabilities also exist where multiple system components communicate. Secure programming guides are full of references to the principle of least privilege. The problem is that most code is not designed to work with least privilege. As a result, today’s software runs with way too much systemwide privilege. One very interesting technique is to run a target program in a sandbox and examine the security context of each call and operation. Some processes are smart enough to execute user requests as a low-privilege thread. The requests, in theory, cannot be used in attacks. The fact is that many systems are not administered very well, and even low-privilege accounts can walk right through the file system and process space. Many approaches to least privilege have exceptions (for example, calling an API to change one’s own privileges). Certain DLLs are always executed as administrator, regardless of the user’s privilege. Look for programs that write to the system directory or registry key (such as HKLM, which stores a number of critical Windows environment variables). These are typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.

Slide 14

Once remote access to a system has been obtained, an attacker should begin looking for files and registry keys that can be controlled. Likewise, the attacker should begin looking for local pipes and system objects. All these are potential input points where an attacker can take the next step into the machine. Escalating privilege in steps will usually lead an attacker to a root compromise. Some programs will not allow a user-supplied configuration file, but the systemwide configuration file may have weak permissions. As an attacker, you must consider the configuration file as an obvious detection point. A security process may monitor the target file. If you make changes to a configuration file to gain privilege, then you should immediately clean the file when you are finished. You can also run certain utilities to set back file access dates.

Slide 15

During startup, a program may read from several configuration points, including the often-overlooked environment variables. If you place a copy of the configuration file into a previously empty location, the target program may find your version first and forgo any further searching. Most programs are not aware of security, so no check will be made against the owner of the file.
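Added example (not part of the original slides): the owner and permission check that the slide says most programs skip, applied to every location on a configuration search path, including locations that are still empty. The function names and the set of trusted UIDs are assumptions made for this sketch; it targets POSIX file modes.

```python
import os
import stat

# Mode bits that let an account other than the owner modify a file or directory.
OTHERS_CAN_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _exposed(st, trusted_uids):
    """True if the owner is not trusted or group/other may write."""
    return st.st_uid not in trusted_uids or bool(st.st_mode & OTHERS_CAN_WRITE)


def _nearest_existing(path):
    """Walk upward until a directory that actually exists is found."""
    path = os.path.abspath(path)
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def audit_search_path(candidates, trusted_uids):
    """Classify each location a program would try, in search order.

    Verdicts:
      "ok"         exists, trusted owner, not writable by others
      "untrusted"  exists, but owner or mode lets another account change it
      "plantable"  missing, and another account could create it
      "absent"     missing, and the directory is locked down
    """
    report = []
    for path in candidates:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            parent = os.stat(_nearest_existing(os.path.dirname(path) or "."))
            verdict = "plantable" if _exposed(parent, trusted_uids) else "absent"
        else:
            verdict = "untrusted" if _exposed(st, trusted_uids) else "ok"
        report.append((path, verdict))
    return report


def select_config(candidates, trusted_uids):
    """Return the first trusted config, refusing to start if an earlier
    location on the search path could be filled or edited by someone else."""
    for path, verdict in audit_search_path(candidates, trusted_uids):
        if verdict in ("untrusted", "plantable"):
            raise PermissionError(f"{path}: {verdict} location on config search path")
        if verdict == "ok":
            return path
    return None
```

In a real deployment the trusted set would normally be root plus the service account, and the same audit can be run from a monitoring job over the search path of each privileged program.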

Slide 16

Trust exploits are not always the fault of programming errors; they can also be environmental in nature. For example, by placing perl.exe in the cgi-bin directory of a Web server, the trust is implied by the location of the Perl executable instead of by consideration of what the software might do. If a server runs external executables provided by a user (or even simply named by a user), the user can cause the system to behave in unanticipated ways. A problem like this is almost always as bad as giving complete shell access to an attacker. The most common targets for this kind of attack are Web servers. The attack is so easy that some attackers have been known to use Internet search engines to find potential targets. Most Web servers pass command-line options to an executable as a “feature.” An attacker can specify a target executable. Options passed in a Web URL are forwarded to the target executable and are then interpreted as commands.

Slide 17

Some newer scripting languages have backward support for older scripting languages. This adds multiple layers of complexity and makes keeping track of all the disparate functionality difficult at best. Sometimes a server configuration will not allow execution of binary files. When this happens, check to see whether the server allows script files. Upload a file that is not considered an “executable”. This file may allow server-side “includes” of special embedded scripts that can execute the Trojan CGI by proxy.

Slide 18

Many files that are not normally executable on the command line are still loadable by the target process (e.g., DLLs). A font file contains graphical information for rendering typefaces. Under the Windows OS, font files are a special form of DLL.

Slide 19

User input is directly pasted into the argument of a shell command. A shell is very powerful, and sometimes provides a scripting language for automation. If the program with shell access is successfully attacked, the attacker will gain a full command-line shell via proxy. When you execute a shell on a Windows box, it causes a black pop-up window to appear for the command shell. One way to avoid the pop-up is to patch the program you wish to execute directly. Another way to avoid the pop-up is to execute your command with certain options that allow you to control the window name and keep the window minimized.

Slide 20

Using the semicolon or other off-nominal characters, multiple commands can be strung together. Unsuspecting target programs will execute all the commands. A standard IDS will catch an attacker making use of this pattern, especially with giveaway filenames such as /etc/passwd. A wise approach is to use the more obscure commands on the target OS. Alternate encoding tricks can help here. If this pattern is used, clean the log files as soon as possible. Note that sometimes the injection hole itself can be used to clean the log files. A carriage return character is often a valid delimiter for commands in a shell.
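Added example (not part of the original slides): the string-pasting pattern from Slide 19 next to a hardened form that decodes the input to a fixed point, checks it against an allow-list, and passes it as a single argv element with no shell. The deny-list is included only to show which of the constructed inputs it lets through; the lookup command, function names and sample inputs are assumptions made for this sketch.

```python
import re
import subprocess
from urllib.parse import unquote

# Allow-list: the only shape a host name argument may have.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# A deny-list of the kind the slides warn about: it knows two separators.
DENIED = (";", "|")


def shell_string(host):
    """'Before' form: user input pasted into text that a shell will parse."""
    return "nslookup " + host


def denylist_accepts(raw):
    """True when the naive filter sees nothing wrong with the input."""
    return not any(ch in raw for ch in DENIED)


def canonicalize(raw, max_rounds=3):
    """Percent-decode until the value stops changing, so the check below sees
    what the innermost parser would see. Refuse input nested deeper."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still changes after repeated decoding")


def lookup_argv(raw):
    """'After' form: validated value as one argv element, no shell involved."""
    host = canonicalize(raw)
    if not HOSTNAME.fullmatch(host):
        raise ValueError("not a host name: %r" % host)
    return ["nslookup", host]


def run_lookup(raw):
    # shell=False: separators in the argument are never interpreted.
    return subprocess.run(lookup_argv(raw), shell=False,
                          capture_output=True, text=True, timeout=10)


# Constructed sample inputs (not taken from any real log).
CONSTRUCTED_INPUTS = [
    "www.example.com",
    "www.example.com; echo INJECTED",
    "www.example.com\recho INJECTED",          # carriage return as delimiter
    "www.example.com%3Becho%20INJECTED",       # percent-encoded once
    "www.example.com%253Becho%2520INJECTED",   # percent-encoded twice
]


def compare():
    """Return (input, deny-list accepts?, allow-list accepts?) per sample."""
    rows = []
    for raw in CONSTRUCTED_INPUTS:
        try:
            lookup_argv(raw)
            allowed = True
        except ValueError:
            allowed = False
        rows.append((raw, denylist_accepts(raw), allowed))
    return rows


if __name__ == "__main__":
    for raw, deny_ok, allow_ok in compare():
        print("%-45r denylist=%-5s allowlist=%s" % (raw, deny_ok, allow_ok))
```

The deny-list stops only the literal semicolon; the carriage-return and encoded forms pass it, while the allow-list rejects every sample except the plain host name.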

Slide 21

A command injection will sometimes pass through several parsing layers. Because of this, meta-characters sometimes need to be “double escaped.” If they are not properly escaped, then the wrong layer may consume them. The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. Examples: building text files with injection; building binary files using debug.exe with injection; injection and FTP; injection and remote xterms; injection and TFTP; adding a user with injection; scheduling a process with injection. Plumbing pipes, ports, and permissions: handles to open resources are sometimes inherited by the child process. If a protected resource is already open, the child process will have unfettered access to the resource, perhaps by accident.

Slide 22

ACLs are a commonly encountered security mechanism. ACLs are, in fact, so complicated that they tend to fail in practice. The file system of a public server is a busy place. All kinds of data get left around. Temporary files should be stored in a secure area away from prying eyes. Backup files should not be left sitting out in the open for anyone to snatch up. File system calls are very common in software applications. In many cases, user input is consumed to specify filenames and other data. Without proper security control this leads to a classic vulnerability whereby an attacker can pass various parameters into file system calls. The basic forms of this attack: filenames, directory browsing.

Slide 23

Depending on the parsing in the scripting language, NULL may remove postfixed data when an insertion is taking place. In some cases, especially when a scripting language is used, the attack string is supposed to be postfixed with a NULL character. Using an alternate representation of NULL (i.e., %00) may result in a character translation occurring.

Slide 25

Usually the CWD (current working directory) for a process is set in a subdirectory. You can supply a relative path that traverses out of the current directory and into other, more interesting subdirectories. A nice feature of the relative path is that once you hit the root of the file system, additional moves into a parent directory are ignored.
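Added example (not part of the original slides): a path check that covers both the relative-path behaviour above and the %00 postfix from Slide 23. It decodes the name, rejects NUL bytes, resolves the result, and requires that it still sits under the served directory. Function names, the sample working directory and the sample inputs are assumptions made for this sketch.

```python
import os
import posixpath
from urllib.parse import unquote


def lands_at(cwd, relative):
    """Where a POSIX path ends up once '..' components are collapsed.

    Parent moves past the root are dropped, so the number of '../' only has
    to be at least the depth of the working directory.
    """
    return posixpath.normpath(posixpath.join(cwd, relative))


def resolve_under(base_dir, user_path):
    """Return the absolute path for user_path, or raise ValueError if the
    request leaves base_dir.

    Order matters: decode first, then reject NUL, then resolve, then compare.
    Comparing before decoding or before resolving checks a different string
    from the one the file system call will receive.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        # A NUL would truncate the name in any layer that uses C strings,
        # e.g. "report.txt\x00.jpg" passing a ".jpg" suffix check.
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath also follows symlinks, so a link inside base_dir that points
    # elsewhere is caught by the containment test below.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s" % base)
    return candidate


# Constructed sample requests (not taken from any real log).
CONSTRUCTED_REQUESTS = [
    "docs/readme.txt",
    "../../../../../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fsecret",
    "/etc/passwd",
    "report.txt%00.jpg",
]


def classify(base_dir):
    """Return (request, accepted?) for each constructed request."""
    results = []
    for request in CONSTRUCTED_REQUESTS:
        try:
            resolve_under(base_dir, request)
            results.append((request, True))
        except ValueError:
            results.append((request, False))
    return results


if __name__ == "__main__":
    print(lands_at("/srv/www/htdocs/app", "../" * 8 + "etc/passwd"))
    for request, ok in classify("."):
        print("%-40r %s" % (request, "accepted" if ok else "rejected"))
```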

Slide 26

If an attacker can control environment variables, the attacker can often cause serious harm to a program. The attacker supplies values prior to authentication that alter the target process environment variables. The key is that the environment variables are modified before any authentication code is used. A related possibility is that during a session, after authentication, a normal user is able to modify the environment variables and gain elevated access.

Slide 27

In many cases, software may come preset with various parameters set by default. In many cases, the default values are set with no regard for security. An attacker can leverage these broken defaults during an attack. In the interest of convenience, some programmers may integrate “secret variables” into their applications. A secret variable works like a code word. Sometimes these types of problems are not intentional on the part of programmers, but rather come “by design” in a platform or language.

Slide 28

Some servers assign a special ID to a user. This may be in the form of a cookie (as in HTTP systems), an embedded session ID in HTML hrefs, or a numerical value in a structure. The problem is that the session ID is fully trusted. Session IDs should not be easy to guess or to predict. Predictable numbers make life as an attacker much easier. Multiple paths of authentication: if a web server is part of a domain, an attacker might be able to get the web server to perform authentication against the primary domain controller. As such, an attacker can indirectly use brute force against the domain even though port 445 is blocked. A variation on the session ID attack exists when an application allows the user to specify a resource they wish to access. If the user can specify resources belonging to other users, then the system may be open to attack. Much software uses services and libraries of API calls, yet many programs do not check return codes for errors. This can lead to interesting problems in which a call fails but the code assumes that it has succeeded. Uninitialized variables and garbage buffers may be used. If the attacker “seeds” the memory before causing a call failure, the uninitialized memory may contain attacker-supplied data.

Slide 29

A client program is often the only layer between a server and an innocent user’s file system or home network. When we discuss client-side attack and client-side injection, we refer to an entirely different kind of “client-side security.” In this case, we are talking about a client that doesn’t trust the server. Today, clients are embedded in web browsers, desktop applications, media players, and inside networked devices. Modern clients almost always include built-in extensibility and accept mobile code as input. This is powerful stuff, and it’s precisely this power that can be harnessed by an attacker. As a user of an on-line system, you must consider the other people who are using the same system. Every time you view a Web page or read a file, you might be reading data that are supplied by another participant. Thus, your client program is reading data from potentially untrusted sources. Attacking client programs with intentionally malicious services is a fact of life. If you use standard clients (such as IE), you should be aware of this kind of attack.

Slide 30

One root of client-side problems is that the data controlling a client program often become mixed up with regular user data. Consider the “talk” protocol that is used in UNIX environments. The talk service allows one user to talk to another over a chat channel. The issue is that certain character sequences are interpreted as control codes by the terminal. Of course, terminal software and client programs are not the only software that convert data into pictures or formatting for text on a screen. Almost every printer on earth has the ability to interpret various escape codes. One way engineers have tried to solve the in-band signal problem is to detect which direction the data are flowing. The logic goes that control codes are only OK if the server supplies them. The problem with this thinking is that data get moved around all the time. Over time, there is no telling where the data may be sitting or who they came from. A user might post a message to a server that includes hostile JavaScript code. An administrator might then log into the system five days later and view that message, thereby triggering the hostile code that sends data out. Thus, a system may accept data and then retransmit it back out of the system. This is known as the reflection problem.

Slide 31

Example: Keyboard Buffer Injection

Slide 32

Cross-site scripting (XSS) has become a popular subject in security, but XSS is really only yet another example of in-band signals being interpreted by client software (the web browser). Two types of XSS. Reflected (non-persistent) XSS: <a href="trusted.site.com/cgi-bin/post_message.aspx?&lt;script&gt;alert('hello!')&lt;/script&gt;">Get the prize!</a> Stored (persistent) XSS: if a database stores text records, an attacker can insert a record that contains JavaScript. The JavaScript might be something like <script>alert("hello!");</script> The cross-site problem is not confined to Web sites only. There are many media files that contain URLs, including MP3 music files, video files, PostScript files, PDFs, and even spreadsheet files.

Slide 34

Script does not need to be inserted between <script> tags. Instead, script can appear as part of another HTML tag, such as the <img> tag (e.g., <img src=javascript:alert('hello!')>).

Slide 35

No matter the context or where data are positioned, if the data are from the client, they should clearly be untrusted.

Slide 37

An unfiltered, user-controlled filename can be used to construct client HTML. Perhaps HTML text is being built from filenames. This can be the case if a Web server is exposing a directory on the file system, for example. If the server does not filter certain characters, the filename itself can include an XSS attack.
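Added example (not part of the original slides): a directory listing built from filenames, first by string pasting and then with encoding chosen per output context, plus a scheme allow-list for image URLs that covers the script-in-attribute case from Slide 34. Function names and the constructed filename are assumptions made for this sketch.

```python
import html
from urllib.parse import quote, urlsplit

# Only absolute URLs with these schemes may be written into src attributes.
ALLOWED_SCHEMES = {"http", "https"}


def render_listing_unsafe(filenames):
    """'Before' form: filenames pasted straight into markup."""
    rows = ['<li><a href="./%s">%s</a></li>' % (n, n) for n in filenames]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_listing(filenames):
    """'After' form: each sink gets the encoding that matches its context."""
    rows = []
    for name in filenames:
        href = quote(name, safe="")          # URL path segment context
        text = html.escape(name, quote=True)  # HTML text context
        rows.append('<li><a href="./%s">%s</a></li>' % (href, text))
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def img_tag(url):
    """Emit an <img> tag only for absolute http(s) URLs.

    Escaping alone does not help here: "javascript:..." contains no character
    that HTML escaping changes, so the scheme itself has to be allow-listed.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("URL scheme not allowed: %r" % url)
    return '<img src="%s">' % html.escape(parts.geturl(), quote=True)


# Constructed filename carrying the Slide 34 markup; no real file is needed.
CONSTRUCTED_NAMES = [
    "notes.txt",
    "<img src=javascript:alert('hello!')>.txt",
]


if __name__ == "__main__":
    print(render_listing_unsafe(CONSTRUCTED_NAMES))
    print(render_listing(CONSTRUCTED_NAMES))
    print(img_tag("https://example.com/cat.png"))
```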

Slide 38

Client programs such as Microsoft Excel, Word, or Internet Explorer are capable of executing code that is downloaded from untrusted sources. Because of this, they create an environment in which viruses and worms can thrive. The modern web browser has evolved into an execution sandbox for mobile code. The browser is thus a fat client that runs largely untrusted code. This might not be such a big problem, except that the browser is usually not properly segmented from the host OS. In the case of Microsoft technology, the problem is many times worse than with other systems. The COM/DCOM technology (sometimes packaged as ActiveX) exposes enormous couplings between host system services and potentially malicious code. Take any ActiveX function that accepts a URL and supply a local file instead. Many of the relative path problems can be directly applied. In a way, the layer between scripts and the OS provides yet another trust zone where classic input attacks can be launched. As a result, most of the generic tricks that apply to server input can be applied here as well, with the twist being that this time we target the client.

Slide 39

Pervasive messaging systems also present opportunities to extend the idea of client-side injection. Consider pagers, SMS messaging, and e-mail systems. The content to be injected into a message may exist in any part of the mail header or body. This may include the e-mail subject, recipient field, or even the resolved DNS name of a host. Meta-characters can be supplied in an e-mail header and may be consumed by the client software (e.g., e-mail readers, which might be web browsers, or log parsers) to interesting effect.

Slide 40

Content-based attacks range from the arcane (embedded malicious PostScript that can literally kill a printer by burning it out) to the more obvious (using embedded functionality inside a standard protocol to run malicious content). An attacker typically makes use of relative paths in ZIP, RAR, and TAR archives, so that decompression reaches parent directories.

Slide 41

If a vulnerable client attaches to a hostile service, the hostile service can attempt to identify the type and version of the client that is connecting. This is a variety of fingerprinting. Once the client is properly identified, the hostile server can issue a response that exploits a buffer overflow in the client. Typically this kind of attack is not designed simply to crash the client. Attackers using this technique can inject a virus or backdoor into the client.

Slide 42

Software programs in the wild are subject to exploit if just the right input arrives in just the right order. But, because of the complexity of the situation, it is very likely not possible to examine the software externally and determine whether such an exploit is possible. White listing, or exhaustively listing/defining all acceptable inputs, is a superior approach to black listing. This is a version of least privilege. In many cases a filter only considers one particular way to format a command. The fact is that the same command can usually be encoded in thousands of different ways. Think of all software as a system. Most targets are subsystems of a larger system. Each subsystem also exists in relationship with other subsystems. When thinking about subversion in this way, one must always consider the communication between systems as another layer of crafted input. In theory, there is no actual end to an exploitable application that is targeted. One great technique is to create artificial partitions with which to measure success. The easiest place to start is the executing process: the image of the software as it looks on a particular machine at runtime.

Slide 43

A very famous set of classification problems occurs when a web server examines the last few characters of a filename to determine what kind of file it is. There are many ways to take advantage of these kinds of problems: appending certain strings to file names, adding dots, and so forth. One web server misclassification bug is exercised by appending the string ::$DATA to the end of a filename. The web server code looks at the last characters in the string and sees ::$DATA. As a result, if you request /index.asp::$DATA, the web server fails to detect that what is being requested is an ASP file, and happily returns the contents of the file.

Slide 44

Ghost characters are extra characters that can be added to a request. The extra characters are designed not to affect the validity of the request.

Slide 45

Delimiting characters are also special. They are used to separate commands or words in a request. When attacking a target API call, one commonly used technique involves adding extra commands and causing them to execute. Spotting a command separator in untrusted input is usually a dead giveaway that someone is attempting to insert extra commands. Many systems are required to understand both forms of the slash (backslash and forward slash). This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

Slide 46

Many filters look for all meta-characters, but may miss some if they are "escaped." Providing a backslash as a leading character often causes a parser to believe that the next character is special. This is called an escape. Having two alternate ways to encode the same character leads to filter problems and opens avenues to attack.

Slide 47

Cases where one part of the software converts data before the data are passed on to the next part also make good targets. The advantage to an attacker begins when some of the components of the system are not Unicode aware. In this case, the attacker may provide a Unicode string in the hopes that a filtering mechanism or classifying mechanism will fail to understand the request. This can result in slipping past a content filter and/or possibly causing the application to route a request incorrectly.

Slide 48

UTF-8 makes a decent target for the same reasons that Unicode does.

Slide 49

In many cases, a character can be encoded as %HEX-CODE in URL strings. This has led to a number of classic filtering problems. Many other examples of alternate encoding exist. These include UCS-2 Unicode, HTML escape codes, and even such trivial changes as character case problems and converting spaces to tab characters. All these encoding situations lead to possible encoding fun.

Slide 50

IP address ranges can be represented using alternative methods. Alternate encoding of IP numbers poses problems to filters and other security measures that need to interpret values such as ports and IP addresses properly. The Microsoft Internet Explorer package allows specification of the IP address in a variety of number formats (e.g., 3475959674 instead of 207.46.239.122).
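
A filter that compares host strings literally misses these spellings, so the address has to be reduced to one canonical form before any comparison. The following is an added example, not part of the original slides: it normalises the inet_aton-style numeric forms (single integer, hex, octal, short dotted forms) to dotted decimal. The block list and function names are assumptions; the address is the one quoted above.

```python
def _parse_part(part):
    """Parse one component as decimal, 0x-prefixed hex or 0-prefixed octal."""
    text = part.lower()
    if text.startswith("0x"):
        digits, base = text[2:], 16
    elif len(text) > 1 and text.startswith("0"):
        digits, base = text[1:], 8
    else:
        digits, base = text, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)


def canonical_ipv4(host):
    """Return dotted-decimal form of a numeric IPv4 spelling, else None."""
    parts = host.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    number = last
    for i, v in enumerate(head):
        number |= v << (8 * (3 - i))
    return ".".join(str((number >> s) & 255) for s in (24, 16, 8, 0))


BLOCKED = {"207.46.239.122"}  # assumption: a block list keyed by dotted decimal


def naive_is_blocked(host):
    """Literal string comparison, the weak form."""
    return host in BLOCKED


def is_blocked(host):
    """Compare the canonical form; fall back to the raw string for DNS names."""
    canon = canonical_ipv4(host)
    return (canon if canon is not None else host) in BLOCKED


if __name__ == "__main__":
    for spelling in ("3475959674", "0xCF.0x2E.0xEF.0x7A", "207.46.61306"):
        print(spelling, canonical_ipv4(spelling), naive_is_blocked(spelling))
```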

Slide 51

Ultimately, all of the tricks described earlier can be combined in various ways.
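
Because slash variants, escapes, URL encoding and UTF-8 tricks can be layered, a filter is only reliable when it runs on the fully decoded and normalised value. The following is an added example, not part of the original slides, covering the slash, URL-encoding and UTF-8 notes above: it decodes to a fixed point, rejects malformed UTF-8 and NUL bytes, unifies both slash forms, and only then applies an allow-list prefix. The `/static` root, the round limit and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: deeper nesting is treated as hostile


def canonical_path(raw):
    """Decode and normalise a request path to the form later stages will use."""
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):
        # errors="strict" rejects overlong or malformed UTF-8 such as %c0%af.
        step = unquote(decoded, errors="strict")
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Accept both slash forms as separators, then resolve "." and "..".
    unified = decoded.replace("\\", "/")
    return posixpath.normpath("/" + unified.lstrip("/"))


def naive_filter(raw):
    """Weak form: looks for one spelling of the traversal sequence only."""
    return "../" not in raw


def is_allowed(raw, root="/static"):
    """Allow-list check applied to the canonical path, never the raw input."""
    try:
        path = canonical_path(raw)
    except ValueError:  # includes UnicodeDecodeError from strict decoding
        return False
    return path.startswith(root + "/")


if __name__ == "__main__":
    samples = [  # constructed request paths
        "/static/css/site.css",
        "/static/..%252f..%252fprivate.txt",
        "/static/..%5c..%5cprivate.txt",
        "/static/%c0%af..%c0%afprivate.txt",
    ]
    for raw in samples:
        print(raw, "naive:", naive_filter(raw), "canonical:", is_allowed(raw))
```

The canonical path returned here is also the value that should be handed to the file system call, so that the check and the use see the same string.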

Slide 52

There are many real-world examples in which attackers confuse the log file to escape detection. This is an excellent technique to avoid creating trusted forensic evidence. Escape characters are often translated before being printed to the log file. Note that only log analysis tools that "do stuff" with active content will be susceptible to attacks like this. Simple tools like grep are unlikely to suffer from such problems. Of course, even simple tools may have bugs or flaws that can be exploited.

Slide 53

An interesting upshot of this fact is that as server software becomes more robust against the buffer overflow attack, the brave new frontier of buffer overflows is more than likely to shift to embedded systems software. It's widely assumed that Java is immune to buffer overflow problems. To a large extent this is true. The JVM itself aside, many buffer overflow problems in systems that include Java come about because of supporting code: using Java and C/C++ together; stored procedures and DLLs. One naïve approach for finding buffer overflows is simply to supply long arguments to a program and see what happens. Some of the "application security" tools use this simplistic approach. A much better way to test for buffer overflows is to find API calls that are vulnerable by using static analysis techniques. Once you find some potential vulnerabilities with static analysis, you can use black box testing to attempt to exercise them. Two types of buffer overflows. Stack overflow: negative values equal large values; signed/unsigned mismatch; signed values and memory management; format string vulnerabilities. Heap overflow: heap memory consists of large blocks of allocated memory. Each block has a small header that describes the size of the block and other details. If a heap buffer suffers from overflow, an attack overwrites the next block in the heap, including the header. Buffer overflow is really a deadly problem. Simple hacks to fix it can be avoided with some amount of extra work. Buffer overflows can be used to alter code, function pointers, and corrupt critical data structures.

Slide 54

The attacker modifies a resource file, such as a sound, video, graphic or font file. Sometimes simply editing the target resource file in a hex editor is possible. The attacker modifies headers and structure data that indicate the length of strings, and so forth.

Slide 55

In this case, the target is a program that reads formatted configuration data and parses a tag or variable into an unchecked buffer. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.

Slide 56

Symbolic links provide similar avenues of attack as configuration files, although they are one level of indirection away. A symbolic link can occasionally provide access to a file that might otherwise be out of bounds.

Slide 57

The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.

Slide 58

Poor design of cookie handling systems leaves both clients and HTTP daemons susceptible to buffer overflow attacks.

Slide 59

In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. If the filter fails "open", you win.

Slide 60

This attack pattern involves determining whether a particular environment variable can be used to cause the program to misbehave.

Slide 61

Libraries or shared code modules can suffer from buffer overflows too. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.

Slide 62

Command-line utilities available in a number of shells can be used to escalate privilege to root.

Slide 63

There are a number of common operations on strings that will change the size of the string. The problem we're discussing occurs if the code performing the conversion does not resize the buffer that the string lives in. If supplied parameters are expanded into a larger string by a function, but the larger size is not accounted for, an attacker gains a foothold.

Slide 64

The syslog function is typically misused, and user-supplied data are passed as a format string. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Slide 1

Software Security

Slide 2

Software Security: Attack Patterns, Part 3

Slide 3

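Breaking Programs: observability; attack patterns; design-stage and implementation-stage errors; error detection and handling; environment and program are inseparable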

Slide 4

Exploiting Software

Slide 5

Attack patterns: a blueprint for exploiting software vulnerabilities; applying standard attack patterns to new targets; injection vector and payload

Slide 6

Logical steps of an attack: find the entry points; find the transactions at the entry points; attack using attack patterns; do damage

Slide 7

CEH attack steps

Slide 8

Reverse engineering: build a blueprint of how the system works; white box analysis; black box analysis; gray box analysis

Slide 9

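Reverse engineering methods: tracing input; finding differences between versions; code coverage; assessing the system kernel; data leaks from shared buffers; auditing confused access requirements; using API resource documentation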

Slide 10

Red points: two key points (vulnerable system calls; user input being processed); requires some experience and luck; suited to obvious errors

Slide 11

Attack Patterns: Attacking Server-Side Software

Slide 12

Make the Client Invisible

Slide 13

Target Programs That Write to Privileged OS Resources

Slide 14

Use a User-Supplied Configuration File to Run Commands That Elevate Privilege

Slide 15

Make Use of Configuration File Search Paths

Slide 16

Direct Access to Executable Files

Slide 17

Embedding Scripts within Scripts

Slide 18

Leverage Executable Code in Non-executable Files

Slide 19

Argument Injection

Slide 20

Command Delimiters

Slide 21

Multiple Parsers and Double Escapes

Slide 22

User-supplied Variable Passed to File System Calls

Slide 23

Postfix NULL Terminator

Slide 24

Postfix, NULL Terminate, and Backslash

Slide 25

Relative Path Traversal

Slide 26

Client-Controlled Environment Variables

Slide 27

User-Supplied Global Variables (DEBUG=1, PHP Globals, and so Forth)

Slide 28

Session ID, Resource ID, and Blind Trust

Slide 29

Attack Patterns: Attacking Client-Side Software

Slide 30

Analog In-Band Switching Signals (aka “Blue Boxing”)

Slide 31

Manipulating Terminal Devices

Slide 32

Simple Script Injection

Slide 33

XSS diagrams

Slide 34

Embedding Script in Nonscript Elements

Slide 35

XSS in HTTP Headers

Slide 36

HTTP Query Strings

Slide 37

User-Controlled Filename

Slide 38

Passing Local Filenames to Functions That Expect a URL

Slide 39

Meta-characters in E-Mail Header

Slide 40

File System Function Injection, Content Based

Slide 41

Client-side Injection, Buffer Overflow

Slide 42

Attack Patterns: Crafting Malicious Input

Slide 43

Cause Web Server Misclassification

Slide 44

Alternate Encoding the Leading Ghost Characters

Slide 45

Using Slashes in Alternate Encoding

Slide 46

Using Escaped Slashes in Alternate Encoding

Slide 47

Unicode Encoding

Slide 48

UTF-8 Encoding

Slide 49

URL Encoding

Slide 50

Alternative IP Addresses

Slide 51

Slashes and URL Encoding Combined

Slide 52

Web Logs

Slide 53

Attack Patterns: Buffer Overflow

Slide 54

Overflow Binary Resource File

Slide 55

Overflow Variables and Tags

Slide 56

Overflow Symbolic Links

Slide 57

MIME Conversion

Slide 58

HTTP Cookies

Slide 59

Filter Failure through Buffer Overflow

Slide 60

Buffer Overflow with Environment Variables

Slide 61

Buffer Overflow in an API Call

Slide 62

Buffer Overflow in Local Command-line Utilities

Slide 63

Parameter Expansion

Slide 64

String Format Overflow in syslog()

Slide 65

Thank you. cyril.hcwang@gmail.com

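Summary: Part 3 of the Software Security lecture series, covering attack patterns. The slides themselves carry little text; the written summary is in the slide notes.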

Tags: software security attack patterns
