Code Audit

| Area | Notes |
|---|---|
| Relevant Code | setuid/setgid programs; daemons and servers (not limited to root privileges); frequently running system programs; programs called from scripts; calls into system libraries (libc); calls into protocol libraries (ssl, kerberos); kernel sources; administrative tools; cgi scripts; server plugins (php, apache) |
| Common Vulnerabilities | non-bounds-checking functions; bounds checking done in the format string instead of by the function; input gathering in for/while loops; internal replacements of common data manipulation functions; pointer manipulation of buffers that may interfere with later bounds checking; calls like execve(), execution pipes, system() and similar (non-static arguments!); repetitive low-level byte operations (insufficient bounds checking); string operations (breaking strings apart and indexing them, strtok); logging and debug message interface functions without mandatory security checks; bad or fake randomness; insufficient checking for special characters in external data; read and other network calls without timeouts; command line arguments (getopt); environment variables (getenv); system calls with foreign input (read, recv, popen); file handling; library weaknesses (format bugs, glob bugs); kernel weaknesses (network, sockets); system facilities (syslog, ident, nfs) without proper checking |
| Architecture Vulnerabilities | process calls an external process on the same host; process calls an external dll; process calls a function on a remote host; all data translations; areas of asymmetry, often authentication and authorization, often key management; all user input and output |
| Rare Vulnerabilities | one-byte overwriting of bounds (strlen, sizeof); sizeof on non-local pointer variables; comparing signed and unsigned variables |
| Methods | 1) Fault injection: riot + faultmon; 2) Fuzzing: spike, peach, sharefuzz, sulley, fuzzer list; 3) Automated source code analysis, looking for vulnerable functions: rats, flawfinder, its4, splint, cppcheck, prefast (WDK), fxcop, findbugs, pmd, jslint, pixy, phplint, yasca; 4) Manual source code analysis: cscope, cbrowser, ctags, cqual, eresi; 5) Binary analysis, decompile or disassemble: ida pro free, ollydbg (ollydbg.ini), immunitydbg, valgrind, bugscam |
| Top-Down Approach | command line parameters: argv; environment variables: getenv; keyboard input/stdin: read(), scanf(), getchar() and gets(); random number functions: rand() and random(); network data: read(), recv() and recvfrom(); portable functions: popen(), execlp() and execvp(); win32: _wsystem() and ShellExecute(); stack overflows: strcpy(), strcat(), sprintf(), vsprintf() and gets(); safe stack functions: strncpy(), strncat(), snprintf() and fgets(); dangerous stack functions (length checked?): scanf(), fscanf(), sscanf(), vscanf(), vsscanf() and vfscanf(); other stack functions: realpath(3), getopt(3), getpass(3), streadd(3), strecpy(3) and strtrns(3); format strings: printf(), fprintf(), vprintf(), snprintf(), vsnprintf() and syslog(); race conditions: access(), chown(), chgrp(), chmod(), mktemp(), tempnam(), tmpfile() and tmpnam(); shell metacharacter vulnerabilities: exec(), popen() and system(); heap overflows: malloc and free |
| Bottom-Up Approach | deep understanding of length-looped functions; incorrect bounds checking; off-by-one; non-null termination; skipping null-termination issues; signed comparison of integers; different-sized integer conversions; double free; uninitialized variables; use after free; multithreading |
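Three of the Bottom-Up defects listed above (signed comparison, off-by-one, non-null termination) next to the hardened form an auditor would ask for, as an added C example that is not part of the original cheatsheet; NAME_MAX, the function names and the sample strings are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* destination buffer size; assumed for this example */

/* Audit "before": the guard an auditor would flag. A negative int passes
 * "len > NAME_MAX" (signed comparison), and len == NAME_MAX passes too,
 * leaving no room for the terminator (off-by-one). Only the guard is
 * modelled here so the function is safe to call. */
int unsafe_length_check(int len)
{
    return !(len > NAME_MAX);   /* 1 = accepted */
}

/* What the accepted int becomes once handed to memcpy()/read(): a size_t.
 * For -1 this is SIZE_MAX, far beyond any buffer. */
size_t length_as_size_t(int len)
{
    return (size_t)len;
}

/* Audit "after": unsigned length, strict bound that keeps one byte for
 * '\0', explicit terminator. Returns bytes copied, or -1 on rejection. */
int copy_name_safe(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0 || len >= dst_size)   /* >= leaves room for '\0' */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';                         /* never rely on strncpy for this */
    return (int)len;
}

/* "Before" for non-null termination: strncpy() never writes past dst_size,
 * but when src is dst_size bytes or longer it writes no terminator at all. */
void copy_name_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
}

/* Audit check: is there a '\0' anywhere inside the buffer's bounds? */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}
```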
Memory Protection Mechanisms

| Mechanism | Meaning |
|---|---|
| non-exec/nx | non-executable stack |
| w^x memory | memory is either writeable or executable |
| canary values/canaries | random numbers inserted (win) |
| aaas | ascii armored address space (big endians) |
| aslr | address space layout randomization |
| heap | heap randomization and heap cookies |
| other | kernel and pointer protection |
| seh | structured exception handling (win) |
| safeseh | prevent overwriting seh structures (win) |
| sehop | exception chain checker (win) |
| dep | data execution prevention (win) |
| /GS | canary values/canaries (win) |