Re: Security Team
Hey everyone, i know i am clearly not an expert with security so i do have a question about it.
I have been hearing people say that they need to update Java because hackers have found ways in through it. The update is a "patch".
What are they "patching"
and how do they actually use these programs to get in? i thought they just did it through open ports and downloads.
Thanks a ton guys.
BEn+
"A patch (sometimes called a "fix") is a quick-repair job for a piece of
programming. During a software product's
beta test distribution or try-out period and later after the product is formally released, problems (called
bugs) will almost invariably be found. A patch is the immediate solution that is provided to users; it can sometimes be downloaded from the software maker's Web site. The patch is not necessarily the best solution for the problem and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a
binary file or object module). In larger operating systems, a special program is provided to manage and keep track of the installation of patches. "
What is patch? - a definition from Whatis.com
Most exploits/ Hacks don't gain access to your computer through ports etc. You invite them in through your browser and the existence of malicious scripts on a website you visit that uploads something to your system that exploits a vulnerability in the interface between the internet and your computer. A fairly common source of exploitation uses unchecked buffers or free memory.
Buffer overflows are a favourite exploit for hackers.
The vast majority of Microsoft's available patches fix unchecked buffer problems
"A buffer overflow is an exploit that takes advantage of a program that is waiting on a user's input. There are two main types of buffer overflow attacks: stack based and heap based. Heap-based attacks flood the memory space reserved for a program, but the difficulty involved with performing such an attack makes them rare. Stack-based buffer overflows are by far the most common.
In a stack-based buffer overrun, the program being exploited uses a memory object known as a stack to store user input. Normally, the stack is empty until the program requires user input. At that point, the program writes a return memory address to the stack and then the user's input is placed on top of it. When the stack is processed, the user's input gets sent to the return address specified by the program.
However, a stack does not have an infinite potential size. The programmer who develops the code must reserve a specific amount of space for the stack. If the user's input is longer than the amount of space reserved for it within the stack, then the stack will overflow. This in itself isn't a huge problem, but it becomes a huge security hole when combined with malicious input.
For example, suppose a program is waiting for a user to enter his or her name. Rather than enter the name, the hacker would enter an executable command that exceeds the stack size. The command is usually something short. In a Linux environment, for instance, the command is typically EXEC("sh"), which tells the system to open a command prompt window, known as a root shell in Linux circles.
Yet overflowing the buffer with an executable command doesn't mean that the command will be executed. The attacker must then specify a return address that points to the malicious command. The program partially crashes because the stack overflowed. It then tries to recover by going to the return address, but the return address has been changed to point to the command specified by the hacker. Of course this means that the hacker must know the address where the malicious command will reside. To get around needing the actual address, the malicious command is often padded on both sides by NOP instructions, a type of pointer. Padding on both sides is a technique used when the exact memory range is unknown. Therefore, if the address the hacker specifies falls anywhere within the padding, the malicious command will be executed.
The last part of the equation is the executable program's permissions. As you know, most modern operating systems have some sort of mechanism to control the access level of the user who's currently logged on and executable programs typically require a higher level of permissions. These programs therefore run either in kernel mode or with permissions inherited from a service account. When a stack-overflow attack runs the command found at the new return address, the program thinks it is still running. This means that the command prompt window that has been opened is running with the same set of permissions as the application that was compromised. Generally speaking, this often means that the attacker will gain full control of the operating system. "
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1048483,00.html"How an Exploit Works
How an Exploit works (Linux - but works the same in Windows)
"Take any exploit downloaded from the internet that promises you an easy root shell on a remote machine, and examine its source code. Find the most unintelligible piece of the code; it will be there, for sure. Most probably, you will find a several lines of strange and unrelated symbols; something like this:
char shellcode[] =
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8a"
"\xd4\xf2\xe7\x83\xeb\xfc\xe2\xf4\xbb\x0f\xa1\xa4\xd9\xbe\xf0\x8d"
"\xec\x8c\x6b\x6e\x6b\x19\x72\x71\xc9\x86\x94\x8f\x9b\x88\x94\xb4"
"\x03\x35\x98\x81\xd2\x84\xa3\xb1\x03\x35\x3f\x67\x3a\xb2\x23\x04"
"\x47\x54\xa0\xb5\xdc\x97\x7b\x06\x3a\xb2\x3f\x67\x19\xbe\xf0\xbe"
"\x3a\xeb\x3f\x67\xc3\xad\x0b\x57\x81\x86\x9a\xc8\xa5\xa7\x9a\x8f"
"\xa5\xb6\x9b\x89\x03\x37\xa0\xb4\x03\x35\x3f\x67";
This is
shellcode, also sometimes referred to as "bytecode." Its content is not a magic word or random symbols. This is a set of low-level machine commands, the same as are in an executable file. With a shellcode, you can also reboot a system, send a file to an email, etc. The main task for an exploit program is therefore to make this shellcode work.
Take, for example, a widely known error-buffer overflow. Developers often check data that has been received as input for functions. A simple example: the developer creates a dynamic array, allocates for it 100 bytes, and does not control the real number of elements. All elements that are out of the bounds of this array will be put into a stack, and a so-called buffer overflow will occur. An exploit's task is to overflow a buffer and, after that, change the return address of system execution to the address of the shellcode. If a shellcode can get control, it will be executed. It's pretty simple."
How Shellcodes Work | O'Reilly Media
Another reference
Buffer Exploits — Security
A really good article here
Introduction to Buffer Overflow
Java Exploits
Java is inherently a secure system, because JRE uses so-called sandboxing that allows it to operate as a virtual machine to block access to other parts of the system. However as developers create JavaScript applications that require more capabilities, they begin to call up .dll files from the system. As soon as the programs reach outside the virtual machine for system files, the security protection of the sandbox is negated.
Exploit code can be embedded in a small Java application that launches from a browser window and can deliver a malicious payload very quickly.
New Java exploits brewing - vnunet.com
"An example of a Java exploit for Java VM (not to be confused with JavaScript). This means that, in order to run the exploit, a vulnerable Java VM has to be installed on the machine.
The exploit comes in a small class file:
$ file java.class
java.class: compiled Java class data, version 46.0
$ md5sum java.class
0b67d360d5b1839820c0a39810b40498 java.class
As you probably know, Java class files contain bytecode, which is a machine language for the Java virtual machine. Luckily, bytecode has *a lot* of extra information which makes decompilation much easier (and viable, when comparing to x86 machine code, for example).
After analyzing the exploit, I found out that it’s using an old vulnerability (CVE-2007-0243) that has been patched since January. Mark also wrote about this vulnerability
here. According to the CVE article, Sun JRE 5.0 Update 9 or earlier, SDK and JRE 1.4.2_12 or earlier and SDK and JRE 1.3.1_18 or earlier are all vulnerable. The vulnerability allows an applet to gain privileges through a GIF image.
This is exactly what our exploit does – it creates a malicious image that is then displayed on the victims machine. This causes a memory corruption which leads to code execution."
SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
Some exploits can still attack a system with the latest patches etc IF the system contains elements of a previous Java installation that include .Dll's the malicious code can call. You should always uninstall older versions and clean their folders.
Norm
D
