Poison Null Byte

From Hakipedia

The Poison Null Byte, also known as the Poisoned NUL Byte, was originally dubbed as such by Olaf Kirch in a post to the fa.linux.security newsgroup. By embedding NUL bytes in input to applications that do not handle NUL terminators properly, an attacker can exploit a system using techniques such as Local File Inclusion.

The Poison Null Byte exploit takes advantage of the mismatch between strings that carry an explicit length (and can therefore contain NUL bytes as ordinary data) and APIs that use NUL-terminated strings. By placing a NUL byte at a chosen position in the string, a NUL-terminated API will treat the string as ending at that point, discarding everything after it, such as an appended file extension.

Severity

Relatively High

Exploit Likeliness

Moderate

Exploitation

There are a number of ways to use the Poison Null Byte exploit, including the following:

  • The termination of a filename within a string, for example, a file extension.
  • Terminating or commenting out an SQL statement that is executed dynamically, such as with Oracle's 'EXECUTE IMMEDIATE'.

Perl and PHP Null Byte Injection

rain.forest.puppy outlined in Phrack issue 55 the uses of NUL byte injection against Perl scripts, and how they could be exploited. The results in PHP were very similar.

An example of a NULL byte vulnerable PHP script is as follows:

<?php
// Vulnerable: the user-controlled value is interpolated into the path
// before the ".php" extension is appended, and the resulting string is
// handed to the file system, which stops at the first NUL byte.
$file = $_GET['file'];
require_once("/var/www/$file.php");

While the above script appears to be secured by forcing the ".php" file extension, it could be exploited as follows: http://www.example.com/index.php?file=../../etc/passwd%00

The above NUL byte injection causes the mandatory appended file extension (.php) to be dropped, so the /etc/passwd file is loaded instead.
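The mechanism behind the PHP example above (a length-counted application string, with the extension appended, reaching a NUL-terminated native API) together with the check and strip approach from the Solutions section, as an added C example that is not part of this article; the struct, helper names, buffers and the input are constructed for it:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical length-counted string, as PHP, Java and .NET keep them:
 * a NUL byte is ordinary data and does not end the string. */
struct lstr { const char *p; size_t n; };

/* Builds "/var/www/" + user + ".php" by length, like the require_once line:
 * the extension is appended even though user contains a NUL. */
size_t build_path(struct lstr user, char *out, size_t cap) {
    const char prefix[] = "/var/www/", suffix[] = ".php";
    size_t need = (sizeof prefix - 1) + user.n + (sizeof suffix - 1);
    if (need + 1 > cap) return 0;              /* refuse rather than truncate */
    memcpy(out, prefix, sizeof prefix - 1);
    memcpy(out + sizeof prefix - 1, user.p, user.n);
    memcpy(out + sizeof prefix - 1 + user.n, suffix, sizeof suffix);
    return need;                               /* bytes the application wrote */
}

/* What a C API such as open(2) sees: the string ends at the first NUL. */
size_t native_view_len(const char *path) { return strlen(path); }

/* Mitigation 1: detect an embedded NUL before the data reaches native code. */
int has_embedded_nul(struct lstr s) { return memchr(s.p, '\0', s.n) != NULL; }

/* Mitigation 2: remove NUL bytes, as str_replace(chr(0), '', ...) does. */
size_t strip_nul(struct lstr s, char *out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < s.n && k + 1 < cap; i++)
        if (s.p[i] != '\0') out[k++] = s.p[i];
    out[k] = '\0';
    return k;
}

int main(void) {
    /* constructed input: "../../etc/passwd%00" after URL decoding */
    static const char raw[] = "../../etc/passwd\0";
    struct lstr user = { raw, sizeof raw - 1 };  /* 17 bytes, the last is NUL */
    char path[128];
    size_t app_len = build_path(user, path, sizeof path);
    printf("application wrote %zu bytes, native code sees %zu: \"%s\"\n",
           app_len, native_view_len(path), path);
    printf("embedded NUL present: %d\n", has_embedded_nul(user));
    return 0;
}
```

PHP itself has rejected file system paths containing NUL bytes since version 5.3.4, so the require_once example depends on an older interpreter; the length-versus-strlen mismatch shown here is what the check must catch in any language.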

Adobe PDF ActiveX Null Byte Attack

Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote attackers to execute arbitrary code.

The problem specifically exists upon retrieving a link of the following form:

GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1

Where [long string] is a maliciously crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00); otherwise an invalid file name is specified and a "file not found" page is returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Although the requested URI is truncated for the purpose of locating the file, the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree(), allowing an attacker to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here:

0x77F83AE5 MOV EAX,[EDI+8]
0x77F83AE8 MOV ECX,[EDI+C]
...
0x77F83AED MOV [ECX],EAX

The register EDI contains a pointer to the user-supplied string, so the attacker controls both the ECX and EAX values loaded for the MOV shown above: the address written to and the word written there.

Successful exploitation allows remote attackers to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.

An attacker does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script.

Successful exploitation requires that the payload be written such that certain areas of the input are URI-acceptable, including the initial injected instructions and certain overwritten addresses. This increases the complexity of exploitation; while not trivial, it is definitely plausible.

Java Null Byte Injection

Arshan Dabirsiaghi conducted a limited study in late 2007 outlining null byte injection in Java. Arshan found two ways in which Java mishandles the NUL byte.

The following code was outlined at Arshan's web site as vulnerable:

// ".xls" is appended in Java, where the NUL in the parameter is just data
String path_to_file = request.getParameter("target") + ".xls";
// File hands the path to native code, which stops at the first NUL
File f = new File(path_to_file);
// contentsOf() and deliver_to_user() stand for the application's own helpers
deliver_to_user(contentsOf(f));

In similar PHP/C/C++ code one would be quick to use the infamous poison null byte here to view any arbitrary file on the system. It also works in Java because File(file_path) passes the user input to open(2) or its Windows equivalent, which is written in C.

See Arshan's test case for more information.

.NET Null Byte Injection

There are a number of .NET functions, spread across several namespaces, which are vulnerable to Poison Null Byte attacks. When the .NET CLR does not handle user-supplied NUL bytes properly, successful injections can occur.

NUL bytes are treated as data within the .NET CLR, so a .NET string is not terminated by a NUL byte. However, native POSIX-compliant function calls terminate the string at the first NUL byte they find. Interoperability issues therefore arise when data containing a NUL byte is used to call a native C function directly from .NET.

A remote attacker can arbitrarily terminate a parameter used by a vulnerable method by injecting a NUL byte, which terminates the underlying native function call's argument.

There are a number of known .NET functions which are vulnerable to Null Byte Injections, including:

  • Server.MapPath
  • Server.Execute
  • Server.Transfer
  • String.Compare
  • System.Net.Mail.SmtpMail.Send

Server.MapPath will terminate any returned string when a Null byte is injected within the filename parameter, thus nulling any data appended to the user input.

An example of Server.MapPath Null Byte injection, used by Paul Craig in his .NET Null byte injection assessment is as follows:

Sub Page_Load()
    Dim name As String
    Dim realname As String
    ' ".uploaded" is appended in managed code, where the NUL is ordinary data
    name = Request("name") & ".uploaded"
    realname = MapPath(".") & "\" & name
    ' MapPath passes the string to native code, which stops at the first NUL
    Response.Write("Mappath value of name variable: " & MapPath(name) & "<br>")
    Response.Write("The real value is: " & realname & "<br>")
End Sub

If the name variable is appended with a Null byte (name = c:\boot.ini%00), the string is terminated before .uploaded is concatenated.


Solutions

PHP

There are a number of ways to prevent Poison Null Byte injection within PHP. These include escaping the NUL byte with a backslash; however, the recommended approach is to remove the byte entirely, using code similar to the following:

// remove every NUL byte from the user-supplied value before it reaches a file system call
$file = str_replace(chr(0), '', $_GET['file']);

Perl

As with PHP, Perl has several options for dealing with NUL injection. Also as with PHP, it is recommended not to escape the byte but to remove it entirely, using code similar to the following:

# delete every NUL byte in $data
$data =~ s/\0//g;

Adobe

Upgrade Adobe Acrobat/Acrobat Reader to the latest version, or change the Acrobat/Acrobat Reader settings to prevent PDF files from opening automatically when accessed via a web browser. When prompted, save the file to disk before opening it, which closes the exploitation vector described above.

This can be accomplished using the following steps:

1. Open Adobe Acrobat/Acrobat Reader
2. Go to Edit --> Preferences
3. Uncheck the "Display PDF in browser" setting
4. Click OK

.NET

The .NET issues were addressed by the following updates:

KB928365 (Security Update for Microsoft .NET Framework 2.0)

KB928366 (Security Update For Microsoft .NET Framework 1.1)

Please note that these updates do not fix null byte issues in every instance.

References

http://en.wikipedia.org/wiki/Null_character

http://insecure.org/news/P55-07.txt

http://www.coderprofile.com/coding-article/58/null-byte-poison-how-it-works

http://i8jesus.com/?p=9

http://groups.google.com/group/fa.linux.security/browse_thread/thread/998970a5c98a1dc1/dfcf533ece792009%23dfcf533ece792009

http://capec.mitre.org/data/definitions/52.html

http://www.owasp.org/index.php/Embedding_Null_Code