Secure Coding mailing list archives
Re: (Shellcode Injection)
From: Crispin Cowan <crispin () immunix com>
Date: Sun, 14 Dec 2003 23:13:02 +0000
Jeffrey W. Baker wrote:

> On Sat, 2003-12-13 at 12:05, Crispin Cowan wrote:
>
>> The malicious code often spawns a shell, and so it is called
>> "shellcode". Observations:
>>
>>   * The malicious code does not always have to be injected, it can
>>     also be in the program's text segment, colloquially known as
>>     "return into libc" attack.
>>   * Inducing the program to jump to the malicious code can be
>>     effected in a variety of ways, including buffer overflows,
>>     printf format string attacks, and other type safety violations
>>     endemic to the C and C++ languages.
>
> I too-narrowly defined the problem by employing the word "shellcode".
> What I really meant to bring to the reader's attention was the class of
> vulnerability wherein a user-supplied string is interpreted as an
> action. Such attacks are not always thwarted by using a type-safe
> language. It's perfectly common to see a Java program that builds a SQL
> query such as
>
>     query = "select * from table where column = '" + param + "'";
>
> But if param is
>
>     '; drop database foo; select 1 where '' = '
>
> You now have a big problem, type safety notwithstanding.

True: code injection can happen in any context where code and data
intermingle, and type safety is lacking. This is particularly true of
both PERL CGI code, and SQL. In the example that Jeffrey provides, the
Java is type safe, but the SQL is not, enabling the attacker to pass an
SQL injection attack through the Java application to the SQL interpreter.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
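Added example, not part of the original message or thread: the concatenated query from the quoted text next to a parameterized lookup, in Python with an in-memory SQLite database standing in for the Java/JDBC setting. The table names, the helper functions and the use of executescript (standing in for a driver that accepts stacked statements) are assumptions, and the payload swaps "drop database foo" for "drop table audit" because SQLite has no DROP DATABASE.

```python
import sqlite3

# Constructed sample input: the string from the message, adapted for SQLite.
PAYLOAD = "'; drop table audit; select 1 where '' = '"

def fresh_db():
    """Build a throwaway in-memory database with two hypothetical tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table items (name text);
        create table audit (entry text);
        insert into items values ('widget');
        insert into audit values ('created widget');
    """)
    return db

def tables(db):
    rows = db.execute("select name from sqlite_master where type = 'table'")
    return sorted(r[0] for r in rows)

def lookup_concatenated(db, param):
    # Same construction as the Java line: the data is spliced into the code,
    # so quote characters in param end the literal and start new statements.
    query = "select * from items where name = '" + param + "'"
    db.executescript(query)  # assumed: a driver that runs stacked statements
    return query

def lookup_parameterized(db, param):
    # The placeholder keeps param in the data channel: the SQL text is fixed
    # and the value is bound separately, so it is only ever compared.
    return db.execute("select name from items where name = ?", (param,)).fetchall()

if __name__ == "__main__":
    weak = fresh_db()
    print("query sent:", lookup_concatenated(weak, PAYLOAD))
    print("tables after concatenated lookup: ", tables(weak))

    safe = fresh_db()
    print("rows from parameterized lookup:   ", lookup_parameterized(safe, PAYLOAD))
    print("tables after parameterized lookup:", tables(safe))
```
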