Blind Attack Methodologies Come of Age.
While current vulnerabilities are still a threat, a new
breed of so-called “blind” vulnerabilities is coming of age. This new strain of
threats is not as blatant or as easily executed, but it can be just as dangerous as
traditional exploits in the hands of an attacker.
Until recently, the only popular instance of this class
of vulnerabilities was Blind SQL Injection. Blind SQL Injection can have the
same consequences as SQL Injection. The main difference between the two methods is
that instead of sending a single SQL statement, Blind SQL Injection attacks submit a
series of true and false statements to determine whether the vulnerability exists.
While normal SQL Injection attacks only work when the application returns
detailed error messages, Blind SQL Injection works by looking for subtle changes
in the behavior of the application itself, such as links that no longer work after
an attack string was submitted. For more information on this, refer to the
Blind SQL Injection white paper available at http://www.spidynamics.com/support/whitepapers/Blind_SQLInjection.pdf.
Blind SQL Injection is a rather well-known attack now, but
the “blind” methodology of detecting vulnerabilities by behavioral changes
instead of by known error messages extends beyond Blind SQL Injection. A
few days ago, a new vulnerability was disclosed in a popular PHP-based
application. This vulnerability allowed an attacker to discern the existence of
files from error messages by supplying a new path for a file instead of the
default one. With this kind of vulnerability, an attacker could brute force
existing directories or files to discover valid usernames, temporary files,
directory structures, or other information that could lead to the escalation of
other vulnerabilities, if not to complete compromise of the
system.
These kinds of attacks are possible because of a
combination of input validation flaws and logical flaws in the way error handling is
done. While the application doesn’t display an error message that lets the attacker
know something worked, the subtle changes caused by the attack are detectable
and reveal the same weaknesses. Unfortunately, due to the nature of logic-based
vulnerabilities, it is difficult for modern vulnerability scanners to discover
these kinds of unknown issues, and so they completely fail to detect this class of threats. This is because traditional methods of detecting
vulnerabilities are based on matching some known pattern of characters (string
matching). Without knowing the subtle ways the application might react,
scanners simply don’t know what to look for. With these new attack
methodologies, new types of detection become necessary. Here at SPI Labs, we’ve
got a few ideas…
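The following is an added example (not code from the original post or from SPI Labs) that puts the two points above side by side: a lookup handler that concatenates input but swallows every database error, so an error-string check never fires, and a behavioral true/false check that still flags it, while a parameterized handler passes both. The products table, the handler names and the error signatures are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the application's database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE products (id INTEGER, name TEXT)")
DB.executemany("INSERT INTO products VALUES (?, ?)", [(1, "anvil"), (2, "rope")])


def vulnerable_lookup(product_id: str) -> str:
    """Concatenates user input into the query (the flaw) but hides every
    database error behind a generic message, so no error string ever reaches
    the client: the handler is 'blind' to a string-matching scanner."""
    try:
        row = DB.execute(
            f"SELECT name FROM products WHERE id = {product_id}").fetchone()
    except sqlite3.Error:
        return "Product not found"
    return f"Product: {row[0]}" if row else "Product not found"


def hardened_lookup(product_id: str) -> str:
    """Parameterized query: the input is bound as a value, never parsed as SQL,
    so 'true' and 'false' conditions are just strings that match nothing."""
    row = DB.execute("SELECT name FROM products WHERE id = ?",
                     (product_id,)).fetchone()
    return f"Product: {row[0]}" if row else "Product not found"


# Constructed error signatures of the kind a string-matching scanner looks for.
ERROR_SIGNATURES = ("syntax error", "sqlite3", "SQL")


def error_string_check(handler, param: str = "1") -> bool:
    """Traditional scanner heuristic: break the query and look for a known
    database error string in the response. Fails when errors are swallowed."""
    return any(sig in handler(param + "'") for sig in ERROR_SIGNATURES)


def behavioral_check(handler, param: str = "1") -> bool:
    """Blind approach from the post, used here as a regression test: send an
    always-true and an always-false condition and flag the handler when the
    application's behavior differs, even though neither response is an error."""
    baseline = handler(param)
    true_response = handler(f"{param} AND 1=1")
    false_response = handler(f"{param} AND 1=2")
    return true_response == baseline and false_response != baseline


if __name__ == "__main__":
    for h in (vulnerable_lookup, hardened_lookup):
        print(h.__name__, "error-string:", error_string_check(h),
              "behavioral:", behavioral_check(h))
```

Running the block prints that the vulnerable handler is missed by the error-string check but caught by the behavioral check, and that the hardened handler is flagged by neither.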
Erik is Sr. Director of Products for the Application Security Center.