Lab presentation here and here

A. Vulnerable applications practice

Download this archive and extract it. It contains three vulnerable programs (see the "programs" subdirectory). It is assumed that the three programs are run with high privileges, which gives only them access to the "flags" subdirectory. So please do not read the flags in the "flags" subdirectory directly. You have to run each "ctfX.exe" application in turn and exploit some of its vulnerabilities so that it displays the corresponding "ctfX.flag" file. Normally, the applications do not intend to display the files in the "profiles" subdirectory, and are consequently supposed to be run like
Needed DLLs can be found inside the archive, in the compressed file "dll.zip".

B. Lab test/practice (optional):

Develop a client/server application with the following functionality:

The client

The server

The evaluation of the implementation will focus on the following aspects:

The efficiency of the implementation is NOT evaluated directly.

Some key points from the slides

Object Handle Manipulation
    at creation/opening, the object is referred to by its name
        returns an object handle
    any subsequent operations are based on the object handle
    Windows API functions are inconsistent
        an error results in a NULL or an INVALID_HANDLE_VALUE (-1)
        CreateFile() returns INVALID_HANDLE_VALUE when it encounters errors
        OpenProcess() returns NULL on errors

CreateProcess() is the common method to start a new process
    security issue: an unquoted path containing spaces leaves the possibility of executing unintended programs
        CreateProcess(NULL, "C:\\Program Files\\My Applications\\my app.exe", ...);

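As an added example (not from the slides or the lab archive), the following C program models how CreateProcess() interprets an unquoted command line when lpApplicationName is NULL, following the documented example: it lists the module paths that would be tried in order, flags such command lines during an audit, and builds the quoted form that removes the ambiguity. It is pure string handling, so it compiles on any platform; the paths are the slide's example and are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATES 16
#define MAX_PATH_LEN   260   /* MAX_PATH */

/* Does the last path component of prefix[0..len) already carry an extension? */
static int has_extension(const char *prefix, size_t len)
{
    while (len > 0) {
        char c = prefix[--len];
        if (c == '.') return 1;
        if (c == '\\' || c == '/') return 0;
    }
    return 0;
}

/* Store prefix[0..len) as a candidate, appending ".exe" when there is no
 * extension (this follows the documented CreateProcess example). */
static int push_candidate(const char *prefix, size_t len,
                          char out[][MAX_PATH_LEN], int count, int max_out)
{
    if (count >= max_out || len + 5 > MAX_PATH_LEN) return count;
    memcpy(out[count], prefix, len);
    out[count][len] = '\0';
    if (!has_extension(prefix, len)) strcat(out[count], ".exe");
    return count + 1;
}

/* List, in order, the module names CreateProcess(NULL, cmdline, ...) would try.
 * A quoted command line yields exactly one candidate; an unquoted one yields
 * one candidate per space plus the whole string. Returns the number stored. */
int unquoted_path_candidates(const char *cmdline, char out[][MAX_PATH_LEN], int max_out)
{
    int count = 0;
    size_t i;
    if (cmdline[0] == '"') {
        const char *close = strchr(cmdline + 1, '"');
        size_t len = close ? (size_t)(close - cmdline - 1) : strlen(cmdline + 1);
        return push_candidate(cmdline + 1, len, out, 0, max_out);
    }
    for (i = 0; cmdline[i] != '\0'; i++)
        if (cmdline[i] == ' ') count = push_candidate(cmdline, i, out, count, max_out);
    return push_candidate(cmdline, i, out, count, max_out);
}

/* Audit rule: a command line that is not quoted and contains a space is ambiguous. */
int command_line_needs_quoting(const char *cmdline)
{
    return cmdline[0] != '"' && strchr(cmdline, ' ') != NULL;
}

/* The fix: pass the module path in quotes, with the arguments (if any) after it. */
int quote_command_line(const char *path, const char *args, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "\"%s\"%s%s", path,
                     (args && *args) ? " " : "", args ? args : "");
    return n >= 0 && (size_t)n < out_size;
}

int main(void)
{
    char cand[MAX_CANDIDATES][MAX_PATH_LEN], fixed[MAX_PATH_LEN];
    const char *cmd = "C:\\Program Files\\My Applications\\my app.exe";   /* the slide's example */
    int i, n = unquoted_path_candidates(cmd, cand, MAX_CANDIDATES);
    if (command_line_needs_quoting(cmd)) printf("ambiguous: %s\n", cmd);
    for (i = 0; i < n; i++) printf("  would try: %s\n", cand[i]);
    if (quote_command_line(cmd, "", fixed, sizeof fixed)) printf("use instead: %s\n", fixed);
    return 0;
}
```

The candidate list is the useful audit output: every directory on it that a low-privileged user can write to is a place where an unintended program could be picked up, which is exactly why the quoted form is required.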
ShellExecute() and ShellExecuteEx()
    determine, based on file type, which application to launch
    code audit: be aware that these functions do not necessarily run the supplied file itself (especially in the case of non-executable files)

DLL Loading
    DLL search order
        application load directory
        current directory
        “system32” directory
        “Windows” directory
        directories in PATH
    attack vector: cause an application to run from a directory where the attacker can write (DLL) files

DLL redirection
    introduced security issue: a redirection file causes loading of an alternate set of libraries, even when a qualified path is provided in LoadLibrary()
    redirection is superseded by an application manifest
    “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs”

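Added example, not from the slides: a small C model of the DLL search order above. Given a search order and a constructed set of existing files, it shows that with the legacy order an unqualified LoadLibrary() name resolves to a copy placed in the current directory, that the SafeDllSearchMode order (the default since Windows XP SP2, which moves the current directory after the system directories) resolves to the system32 copy instead, that KnownDLLs are always taken from system32 regardless of the search order, and that a fully qualified path bypasses the search. The directory names, file list and KnownDLLs excerpt are constructed for the demo; the real KnownDLLs list lives under the registry key quoted above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define DLL_PATH_MAX 260
#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Constructed scenario: the application lives in C:\App but is started with its
 * current directory set to a user-writable folder that holds copies of
 * helper.dll and kernel32.dll. */
static const char *const LEGACY_ORDER[] = {   /* slide order: app dir, cwd, system32, Windows, PATH */
    "C:\\App", "C:\\Users\\bob\\Downloads", "C:\\Windows\\System32", "C:\\Windows", "C:\\Tools" };
static const char *const SAFE_ORDER[] = {     /* SafeDllSearchMode: cwd moved after the system dirs */
    "C:\\App", "C:\\Windows\\System32", "C:\\Windows", "C:\\Users\\bob\\Downloads", "C:\\Tools" };
static const char *const FILES[] = {
    "C:\\Users\\bob\\Downloads\\helper.dll",
    "C:\\Users\\bob\\Downloads\\kernel32.dll",
    "C:\\Windows\\System32\\helper.dll",
    "C:\\Windows\\System32\\kernel32.dll" };
/* Constructed excerpt of the KnownDLLs list; the real one is under
 * HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. */
static const char *const KNOWN_DLLS[] = { "kernel32.dll", "user32.dll", "advapi32.dll" };
static const char *const SYSTEM32 = "C:\\Windows\\System32";

static int ieq(const char *a, const char *b)   /* case-insensitive, like NTFS name matching */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int exists(const char *path, const char *const *files, int n_files)
{
    int i;
    for (i = 0; i < n_files; i++) if (ieq(path, files[i])) return 1;
    return 0;
}

static int is_known_dll(const char *name)
{
    int i;
    for (i = 0; i < COUNT(KNOWN_DLLS); i++) if (ieq(name, KNOWN_DLLS[i])) return 1;
    return 0;
}

/* Model of LoadLibrary(name): writes the path that would be loaded to `out` and
 * returns 1, or returns 0 when nothing matches. `dirs` is the search order to
 * model and `files` the set of files present on the modelled file system. */
int resolve_dll(const char *name, const char *const *dirs, int n_dirs,
                const char *const *files, int n_files, char *out, size_t out_size)
{
    int i;
    if (strchr(name, '\\') != NULL) {                 /* qualified path: no search */
        snprintf(out, out_size, "%s", name);
        return exists(out, files, n_files);
    }
    if (is_known_dll(name)) {                         /* KnownDLLs skip the search entirely */
        snprintf(out, out_size, "%s\\%s", SYSTEM32, name);
        return exists(out, files, n_files);
    }
    for (i = 0; i < n_dirs; i++) {
        snprintf(out, out_size, "%s\\%s", dirs[i], name);
        if (exists(out, files, n_files)) return 1;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    char path[DLL_PATH_MAX];
    const char *names[] = { "helper.dll", "kernel32.dll", "C:\\Windows\\System32\\helper.dll" };
    int i;
    for (i = 0; i < COUNT(names); i++) {
        resolve_dll(names[i], LEGACY_ORDER, COUNT(LEGACY_ORDER), FILES, COUNT(FILES), path, sizeof path);
        printf("legacy order: %-36s -> %s\n", names[i], path);
        resolve_dll(names[i], SAFE_ORDER, COUNT(SAFE_ORDER), FILES, COUNT(FILES), path, sizeof path);
        printf("safe order:   %-36s -> %s\n", names[i], path);
    }
    return 0;
}
```

The model makes the mitigation ordering visible: the application directory is searched first in both orders, so the durable fixes are loading non-system DLLs by fully qualified path and keeping the application directory unwritable to unprivileged users; the search-mode setting only moves the current directory further down the list.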
File Access
    Canonicalization (Normalization): “c:\nonexistent\path\..\..\file.txt” → “c:\file.txt”

File-like Objects
    e.g. pipes: “\\.\pipe\pipename”
    attacking such objects requires control of the first segment of the pathname

Device Files
    types: COM1-9, LPT1-9, CON, CONIN$, CONOUT$, PRN, AUX, CLOCK$, NUL
    pathnames are searched for such special names as the filename; the rest of the pathname and the extension are ignored
        device file names can be prefixed with any pathname
        device file names can have any extension appended

Soft Link / Hard Link / Junction
    attack accessing any file in “c:\windows\system32”
        create a junction with the same name as the file being created,
        e.g. “c:\temp\bob_dirname” → “c:\windows\system32”
        specify a filename with enough trailing spaces to cut off the extension

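Added example, written for this page rather than taken from the slides, covering three of the points above: the canonicalization of the slide's “c:\nonexistent\path\..\..\file.txt” example, the reserved device-name rule (base name up to the first '.', path and extension ignored, trailing spaces trimmed), and the trailing-spaces trick from the junction section, shown once in the naive "directory + name + forced extension" pattern, where snprintf into a MAX_PATH buffer drops the appended extension and Win32 then strips the spaces, and once in a hardened variant that rejects such names and re-validates the canonical result. `C:\profiles` and the padded name are constructed inputs; `\\?\`, `\\.\` and UNC prefixes are not modelled, and strncasecmp stands in for the Windows _strnicmp.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp; use _strnicmp on MSVC */
#include <ctype.h>

#define WPATH_MAX 260   /* MAX_PATH */

/* Reserved device names from the slide; COM1-9 and LPT1-9 are matched separately. */
static const char *const RESERVED[] = { "CON", "PRN", "AUX", "NUL", "CLOCK$", "CONIN$", "CONOUT$" };

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Win32 silently drops trailing spaces and periods from the last path component. */
static size_t trim_trailing(const char *s, size_t len)
{
    while (len > 0 && (s[len - 1] == ' ' || s[len - 1] == '.')) len--;
    return len;
}

/* Device-name rule: only the base name up to its first '.' counts (trailing spaces
 * removed); the directory prefix and the extension are ignored. */
int is_reserved_device_name(const char *path)
{
    const char *base = path, *p;
    char stem[WPATH_MAX];
    size_t len, i;
    for (p = path; *p; p++) if (is_sep(*p)) base = p + 1;
    len = trim_trailing(base, strcspn(base, "."));
    if (len == 0 || len >= sizeof stem) return 0;
    for (i = 0; i < len; i++) stem[i] = (char)toupper((unsigned char)base[i]);
    stem[len] = '\0';
    if (len == 4 && (!memcmp(stem, "COM", 3) || !memcmp(stem, "LPT", 3)) && stem[3] >= '1' && stem[3] <= '9') return 1;
    for (i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++) if (!strcmp(stem, RESERVED[i])) return 1;
    return 0;
}

/* Canonicalize a DOS path: optional drive letter, separators collapsed to '\', "."
 * dropped, ".." resolved against the previous component (never above the root),
 * trailing spaces/periods trimmed. Returns 1 on success, 0 if out is too small. */
int canonicalize_path(const char *in, char *out, size_t out_size)
{
    char buf[WPATH_MAX], *comps[WPATH_MAX / 2], *p = buf, *start;
    size_t n = 0, len = trim_trailing(in, strlen(in)), pos = 0, i;
    int has_drive, rooted;
    if (len >= sizeof buf) return 0;
    memcpy(buf, in, len); buf[len] = '\0';
    has_drive = isalpha((unsigned char)p[0]) && p[1] == ':';
    if (has_drive) p += 2;
    rooted = has_drive || is_sep(*p);
    while (*p) {
        while (is_sep(*p)) p++;
        if (!*p) break;
        for (start = p; *p && !is_sep(*p); p++) ;
        if (*p) *p++ = '\0';
        if (!strcmp(start, ".")) continue;
        if (!strcmp(start, "..")) { if (n > 0) n--; continue; }
        comps[n++] = start;
    }
    if (has_drive) { if (out_size < 3) return 0; out[0] = buf[0]; out[1] = ':'; pos = 2; }
    for (i = 0; i < n; i++) {
        size_t clen = strlen(comps[i]);
        if (pos + clen + 2 > out_size) return 0;
        if (i > 0 || rooted) out[pos++] = '\\';
        memcpy(out + pos, comps[i], clen); pos += clen;
    }
    if (n == 0 && rooted) { if (pos + 2 > out_size) return 0; out[pos++] = '\\'; }
    out[pos] = '\0';
    return 1;
}

/* The pattern from the slide as an application might write it: a forced extension
 * appended to a caller-supplied name in a MAX_PATH buffer. snprintf truncates silently
 * and Win32 then trims the spaces, so a long enough name pushes the extension off
 * the end. out receives the path Win32 would actually open. */
int build_naive_target(const char *dir, const char *name, const char *ext, char *out, size_t out_size)
{
    char joined[WPATH_MAX];
    snprintf(joined, sizeof joined, "%s\\%s%s", dir, name, ext);
    return canonicalize_path(joined, out, out_size);
}

/* Hardened variant: reject separators, "..", names that trimming would alter, device
 * names and truncation; then re-check the canonical result, which must still lie
 * below dir and still end in the intended extension. Returns 1 if acceptable. */
int build_safe_target(const char *dir, const char *name, const char *ext, char *out, size_t out_size)
{
    char joined[WPATH_MAX], cdir[WPATH_MAX];
    size_t nlen = strlen(name), dlen, olen, elen = strlen(ext);
    if (nlen == 0 || strpbrk(name, "\\/:") || strstr(name, "..")) return 0;
    if (trim_trailing(name, nlen) != nlen) return 0;
    if (is_reserved_device_name(name)) return 0;
    if (snprintf(joined, sizeof joined, "%s\\%s%s", dir, name, ext) >= (int)sizeof joined) return 0;
    if (!canonicalize_path(dir, cdir, sizeof cdir) || !canonicalize_path(joined, out, out_size)) return 0;
    dlen = strlen(cdir); olen = strlen(out);
    if (olen <= dlen + 1 + elen || strncasecmp(out, cdir, dlen) != 0 || out[dlen] != '\\') return 0;
    return strncasecmp(out + olen - elen, ext, elen) == 0;
}

int main(void)
{
    char name[259], out[WPATH_MAX];   /* constructed input: "evil.dll" padded with spaces */
    memset(name, ' ', sizeof name - 1); memcpy(name, "evil.dll", 8); name[sizeof name - 1] = '\0';
    build_naive_target("C:\\profiles", name, ".txt", out, sizeof out);
    printf("naive: %s\n", out);   /* C:\profiles\evil.dll: the .txt was pushed off, the spaces trimmed */
    printf("safe:  %s\n", build_safe_target("C:\\profiles", name, ".txt", out, sizeof out) ? out : "rejected");
    return 0;
}
```

The order of checks in build_safe_target matters: the name is validated before it is joined, the join is refused if it would truncate, and the extension and directory are checked again on the canonical result rather than on the string the application built, because only the canonical form is what CreateFile() will see.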
TOCTOU and File Access Race Conditions
    vulnerabilities similar to those in UNIX
    limited, because CreateFile() can be given parameters to check for file properties