Diffstat (limited to 'SEDE')

| Mode | File | Lines |
|---|---|---|
| -rwxr-xr-x | SEDE/CM1.md | 153 |
| -rwxr-xr-x | SEDE/Faille XZ.md | 3 |
| -rwxr-xr-x | SEDE/Introduction.md | 11 |

3 files changed, 167 insertions, 0 deletions
diff --git a/SEDE/CM1.md b/SEDE/CM1.md new file mode 100755 index 0000000..4ffed53 --- /dev/null +++ b/SEDE/CM1.md 
@@ -0,0 +1,153 @@ +```c +void print_msg(const char *msg) +{ + printf("There is a problem here;\n"); + printf(msg); +} +``` +- potentiel crash `null` +- potentielle insertion de commandes printf $\rightarrow$ modifs sur la stack + +Fix : +```c +void print_msg(const char *msg) +{ + printf("There is a problem here\n"); + printf("%s", msg); +} +``` + +## The LISP syndrome + +- Every call tends to evolve to do more than it's own good +- Beware of abstraction layers violations + +## Hidden Shells (injections de commandes shell) + +- e.g. `system(3)` et `popen(3)` +$\rightarrow$ Learn Unix +- use lower level features to have more control over user input + - check syscall return values + - or use `posix_spawn(3)` + +### Creepy scripts + +A script called "s" : +```shell +#!/bin/sh +file=$1 +rm $file +``` +```bash +$ ./s "my_file" +``` +```sh +#!/bin/sh +rm "$@" +``` +```shell +$ ./s ../myfile +$ ./s -rf / +``` + +- quoting is not enough +- use `cmd -- args` to stop option parsing +- if you write your own commands don't allow reorder! 
+- use `set -e` + +## Misconceptions + +_It's too complicated, it won't be exploited_ : false +- The IISS url overflow (bash commands injection) +- **The venetian blind** + +## Examples + +- Log4shell : faille sur Log4j, chargement et exécution de code à distance +- Hardbuild : 2014, bug openssl + +$\rightarrow$ construire l'app de TODO comme un système bancaire + +## Open VS Closed source + +- Closed source is **not** more secure +- Lots of people know how to reverse-engineer +- The "sweep under the carpet" effect : + - protection de l'image des sociétés en niant les vulnérabilités +- Accès au code source +- Example: Crafting exploits from Windows Update (http://bitblaze.cs.berkeley.edu/papers/apeg.pdf) +- Simple code should look simple: + - make stuff explicit + - depend on your compiler + - use `strlcpy` +- make the API handle sizes +## Sturgeon's law + +**90 % of all software is**: +- crap +- unimportant to optimize +- bogus +- copied and pasted +- imperfect + +## The Drepper fallacy + +- "But I don't write wrong code" : the reason for the slow adoption of `strlcpy` +- You can't fix everything +- ... therefore don't fix anything +- "Low Hanging Fruit" + +## The Unix security model - When do you check that you can access a file ? + +- at open and at exec : + - identify who you are: **uid/gid** + - don't forget supplementary groups + - only check the first entry that applies + - **if** uid == file owner, check user bits + - **else** if one group matches file group, check group bits + - **else** match other bits +- see windows and ActiveDirectory +- see PAM and its unreadable config files +- if you are **root**: + - We ignore rights + - open the file + - `fstat` to see if it worked $\implies$ pas obligé + - rights of the process + every fd I own +- **Priv Drop**: + - start as root + - do privileged operations yielding fds + - ... 
then change identity + - I still have the fds + - example: network server on a privileged port + - HOWTO: + - `setgroups` `setuid` `setgid` + - check that it worked + - `setuid`: + - effective id: demandé par l'application + - saved id: ancien id + - real id: owner of original process + - access controlled by effective id +- notion of **role**: + - an identity (real or imaginary) that can **do things** and **access data** + - stuff you can do + - data you can read + - data you can write +## Designing software + +- the more complex the code, the less rights it should have +- sanitize input thoroughly +- ... then you don't need more syntax checks internally +- ... put checks at the semantic level where it makes sense +- trust boundaries + +## Designing software VS Unix + +- Separate roles should run as separate users +- ... so make it simple to create users +- $\implies$never reuse users for something else +- the technical term for modern software with roles is *privilege separation* + +# Exemples + +- NATS fail : https://jameshaydon.github.io/nats-fail/ +- [[Faille XZ]]
\ No newline at end of file diff --git a/SEDE/Faille XZ.md b/SEDE/Faille XZ.md new file mode 100755 index 0000000..7448fb3 --- /dev/null +++ b/SEDE/Faille XZ.md @@ -0,0 +1,3 @@ +# Description + +-> addition d'un .o malveillant linké avec xz
\ No newline at end of file diff --git a/SEDE/Introduction.md b/SEDE/Introduction.md new file mode 100755 index 0000000..1042252 --- /dev/null +++ b/SEDE/Introduction.md @@ -0,0 +1,11 @@ +_There are more conferences for attackers than conferences for safety. That is the problem._ - Theo de Radt + +Big failles pdt le developpement +**Sureté** : prévention contre accidents involontaires +**Sécurité** : prémunir contre actions malveillantes + +## CVE +**Définition** : Common Vulnerabilities & Exposures +- Real CVEs : https://blog.qualys.com/laws-of-vulnerabilities/2019/12/04/openbsd-multiple-authentication-vulnerabilities +- https://nvd.nist.gov/vuln/detail/CVE-2016-9843 +- https://infosecwriteups.com/log4j-zero-day-vulnerability-exploitation-detection-mitigation-9667908857b4
\ No newline at end of file |
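Review bot: in the "Priv Drop" HOWTO of SEDE/CM1.md the call order `setgroups` `setuid` `setgid` drops the uid before the gid; once `setuid` to an unprivileged uid has succeeded, a following `setgid` to a different gid fails with EPERM, so the list should read setgroups, then setgid, then setuid, with each return value checked (the notes already say "check that it worked", so the order is the only thing to fix). Two smaller points in the same file: the "Fix" for `print_msg` removes the format-string problem but not the "potentiel crash `null`" listed just above it, since `printf("%s", msg)` with a NULL `msg` is still undefined behaviour per the C standard, so either add a NULL check or state the non-NULL precondition; and under "Examples", "Hardbuild : 2014, bug openssl" refers to Heartbleed, while "The IISS url overflow (bash commands injection)" is unclear as written (IIS is a Windows server, which does not fit a bash injection) and should name the incident it means.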
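Review bot: SEDE/Faille XZ.md consists of the single fragment "addition d'un .o malveillant linké avec xz", which does not say what the object file does, how it got into the build, or which binary ends up linking it; since CM1.md links to this note as one of its two "Exemples", it needs at least a few lines of description to be useful.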
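Review bot: in SEDE/Introduction.md the quote is attributed to "Theo de Radt"; the OpenBSD founder's name is spelled Theo de Raadt. The line "Big failles pdt le developpement" is an abbreviated fragment ("pdt" for "pendant") that should be written out, and the three CVE links would be easier to use with a one-line summary each of what the vulnerability was, as the Log4shell entry in CM1.md already does.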
