Secure Coding mailing list archives

Re: (Shellcode Injection)


From: Crispin Cowan <crispin () immunix com>
Date: Sun, 14 Dec 2003 23:13:02 +0000


Jeffrey W. Baker wrote:

On Sat, 2003-12-13 at 12:05, Crispin Cowan wrote:

The malicious code often spawns a shell, and so it is called "shellcode".
Observations:

   * The malicious code does not always have to be injected, it can also
     be in the program's text segment, colloquially known as "return
     into libc" attack.
   * Inducing the program to jump to the malicious code can be effected
     in a variety of ways, including buffer overflows, printf format
     string attacks, and other type safety violations endemic to the C
     and C++ languages.
I too narrowly defined the problem by employing the word "shellcode".
What I really meant to bring to the reader's attention was the class of
vulnerability wherein a user-supplied string is interpreted as an
action.  Such attacks are not always thwarted by using a type-safe
language.  It's perfectly common to see a Java program that builds a SQL
query such as

        query = "select * from table where column = '" + param + "'";

But if param is

        '; drop database foo; select 1 where '' = '

You now have a big problem, type safety notwithstanding.

True: code injection can happen in any context where code and data
intermingle, and type safety is lacking. This is particularly true of
both Perl CGI code, and SQL. In the example that Jeffrey provides, the
Java is type safe, but the SQL is not, enabling the attacker to pass an
SQL injection attack through the Java application to the SQL interpreter.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
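An added illustration of the point made in this exchange, not code from either poster: the concatenated query builds SQL text out of the parameter, while a bound parameter is delivered to the driver as a value and can never be parsed as SQL. It uses Python's sqlite3 rather than Java, and because SQLite has no DROP DATABASE the injected string from the thread is adapted to drop a table named foo (a constructed sample schema with a column called name stands in for "table" and "column").

```python
import sqlite3

def fresh_db():
    """Constructed sample database: the queried table plus a table 'foo'
    that plays the role of the 'database foo' in the injected string."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE t(name TEXT);"
        "INSERT INTO t VALUES ('alice'), ('bob');"
        "CREATE TABLE foo(x INTEGER);"
    )
    return db

# The injected value from the thread, adapted to SQLite: it closes the quoted
# literal, appends a DROP, and re-opens a literal so the template's trailing
# quote still parses.
INJECTED = "'; drop table foo; select 1 where '' = '"

def build_concatenated(param):
    """The vulnerable pattern: the parameter is spliced into the SQL text."""
    return "select * from t where name = '" + param + "'"

def run_concatenated(db, param):
    """Execute the concatenated string with a batch-capable call
    (executescript), standing in for drivers that accept several statements
    per call. sqlite3's plain execute() would refuse the second statement,
    but that is a driver quirk, not a defence."""
    db.executescript(build_concatenated(param))

def run_parameterized(db, param):
    """Same query with a bound parameter: the value is sent separately from
    the statement text, so it is compared as data, never parsed as SQL."""
    return db.execute("select * from t where name = ?", (param,)).fetchall()

def table_exists(db, name):
    row = db.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row is not None

def demo():
    """Returns (foo dropped by concatenation?, rows from parameterized query,
    foo still present after parameterized query)."""
    db = fresh_db()
    run_concatenated(db, INJECTED)
    dropped = not table_exists(db, "foo")   # True: the injected DROP ran

    db = fresh_db()
    rows = run_parameterized(db, INJECTED)  # []: no row has that literal name
    survived = table_exists(db, "foo")      # True: nothing but a SELECT ran
    return dropped, rows, survived
```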