Meta

Architecture

Lecture

Homework

Please see the attached specification document for the Client Request Access Protocol. We believe this protocol to be severely flawed and require your assistance in identifying specific vulnerabilities in it. Your objective is to identify and informally describe as many of these issues as you can (with a minimum of three vulnerabilities).

Required Reading

Code Audits 101

Lecture

Homework

Find and describe three flaws in a sample application (sample usage). Assume the application runs on Linux and is compiled with gcc.

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application
  • Calculate a CVSS score for the bug

This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. There are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files).

Required Reading

Code Audits 102

Lecture

Homework

Find and describe three flaws in the Siberia crimeware pack (pw: infected).

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application
  • Calculate a CVSS score for the bug

Crimeware packs, or web exploit kits, are simple web applications that fingerprint visitors and attempt to exploit their browser in order to drop a malicious payload. The operator of the crimeware pack accesses it through an admin panel which displays statistics and enables configuration changes, such as modifying the payload that gets sent upon successful exploitation.

The Siberia kit contains live exploit code and will likely set off AV; however, none of the exploit code is in a state where it would be harmful to your computer. In addition to all of the vulnerabilities having been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser to have any effect. You can safely disable or create exceptions in your AV for this exercise, or place the Siberia files inside a VM.

Required Reading

References

Code Audits

Vulnerability Classes

Example Vulnerabilities

Archive

Fall 2010

In the first homework, students are provided a protocol specification document which contains a number of architectural security issues. The objective for the homework is for the students to identify these issues and informally describe as many of them as they can identify (with a goal of three bugs).

The second homework this semester was broken up into two tasks:

The first task is to download a copy of the Apache HTTPD 2.3.8 source code and find a function dealing with authentication or authorization (password management, verification, cookie, etc). This may be a little tricky, since the Apache code often doesn't call functions directly.

  • Provide the full path, name and line number to the authentication or authorization function
  • Provide the full path, name and line number for a file which refers to this function

The second task is to find 3 bugs in htpasswd.c (assuming it is run on Linux and is compiled with gcc).

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application

Background: htpasswd.c is used to update flat files that store usernames. When you provide the htpasswd application with the correct username/password to authenticate to it, you are allowed to add usernames to a given flat-file user list. Users in that user list are then allowed to access whatever service that password file applies to.

The third homework was to find and describe three flaws in a sample application. Assume the application runs on Linux and is compiled with gcc.

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application
  • Calculate a CVSS score for each bug

This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. There are two types of user: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files).

Fall 2009

  • Code Audits 101 video and slides
  • Code Audits 102 video (slides not available)