[SecurityRatty] tag: accesses

DEMIDS and Database Misuse Detection

Thu, 05 Jun 2008 03:44:18 +0000

DEMIDS is an early paper on how to detect errant use of a database. As an overview, the paper describes a system where misuse is ‘detected’ by the use of a distance function. It attributes a set of tables or database functions as the normal domain of a user, and everything that the user accesses outside of that specified domain has some distance factor associated with it. Tables in other schema’s are viewed as being a certain distance outside of that domain, and tables in different database further still. The further away a resource is, the more likely there is misuse. It is a basic assumption that the users are sufficiently privileged to perform the access. And it is inherent with the methodology described that the system is closely coupled to the database itself, and it performs the work of detection locally.

Anton Security Tip of the Day #15: Fear and Loathing in Event 560 (and 562 and 567)

Thu, 08 May 2008 09:37:00 +0000

Following the new "tradition" of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.

So, Anton Security Tip of the Day #15: Fear and Loathing in Event 567

This tip digs into a seemingly simple, but really VERY esoteric subject: monitoring file access and modification via a Windows event log. Now, some people - who never studied this subject - tend to have a very simplistic view of this: just enable Object Access auditing, then right-click on a file or directory, click Security->Advanced->Auditing and then pick what types of events will be logged and by what accessing entities (i.e. users or computers). OK, so this will produce some logs, that is for sure. But are they useful?

First, why are we doing this? We typically need to know the following when we audit file access in Windows (or any other OS for that matter) for security (monitoring and investigation) or compliance:

Time/date
Computer where it happened
User who touched the file
Application he used to access the file
File name + location (directory, share, etc)
Type of access (read, write, create, delete, etc)
Status (i.e. success or failure)

Can we get this from the above logs? No.

What? No!?! Really?

Yes, really. We can get some of the above, some of the time, not all of the above, all of the time. Here is an example, we are looking at event ID 560 (picture) and then at an extract from its description field.

Event:

Description (selected field):

Object Server: Security

Object Type: File

Object Name: C:\0\TestBed\simple_text_file.txt

Image File Name: C:\WINDOWS\system32\notepad.exe

Primary User Name: Anton

Primary Domain: XXXXXX

Accesses: READ_CONTROL

SYNCHRONIZE

ReadData (or ListDirectory)

WriteData (or AddFile)

AppendData (or AddSubdirectory or CreatePipeInstance)

ReadEA

WriteEA

ReadAttributes

WriteAttributes

WTH is that? Well, we know that the user 'Anton' has successfully read? wrote? changed attributes? did something? with a file named "C:\0\TestBed\simple_text_file.txt" using a program named "C:\WINDOWS\system32\notepad.exe." That's the best we can get, in this case! We may try to look at event IDs 562 and 567, but this missing information (i.e. the exact action performed) will not be added.

BTW, there will be a few more dozen (sometime hundreds!) of the 560s, 562s and 567s produced - all from just opening the text file in a notepad. The above event is notable for having BOTH "notepad" and "simple_text_file.txt" in the same event; others will have either of the two.

Anything else gets in the way? Yes, lots! MS Office will write to all files, even just opened for reading (with no user modifications to the content whatsoever), which will screw up your log monitoring efforts. If the file is on a share, more information will be missing (e.g. username might be).

So, how to use Windows event logs for file access tracking?

Enable logging (as described above)
Pick events 560 (most useful) and 562, 567 (useful too)
Look for fun filenames that might be touched by the users (have a list of files and users handy)
Figure out what programs were used to access them (this is called "Image File Name" in "WinLogSpeak")
Ponder the 'Accesses' section of each event until your brain turns blue :-) or until you decide whether such access is authorized or not...

Overall, this is still very useful for file access monitoring, but the process is paaaaaainful.

BTW, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.

Technorati tags: security, tips, logging, log management

Chinese Hacktivists Waging People's Information Warfare Against CNN

Mon, 21 Apr 2008 22:25:00 +0000

Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging with a massive forum and IM coordination between Chinese netizens enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coordinated incidents greatly illustrate what people's information warfare, and the malicious culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it :

hackcnn.com (58.49.59.253)
58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
china@hackcnn.com

Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (64.236.91.24:80) start, trying to access the following file at CNN.com :

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

antiCnn.exe
Scanner results : 3% Scanner(1/36) found malware!
TROJAN.DOWNLOADER.GEN
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by : Red Flag Cyber Operations nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers

Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.

According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list.

Sexing up the logs

Thu, 03 Apr 2008 00:00:00 +0000

The title of this blog is false - a pure marketing ploy. Quite simply there is nothing sexy about logs. Few of us take any enjoyment out of reviewing them but there are plenty of mandates around telling us that we have to. For example, section 10 of the PCI DSS states: Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Section A.10 of ISO27001 states: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. The importance of keeping logs is also called out in Basel II, SOX, and so on. For anything you want to know about logs there's only one resource. That of self-proclaimed "security warrior" Anton Chuvakin. His latest blog is on the "top eleven reasons to hate logs." I recommend reading back through Anton's archive - there's a wealth of good guidance. Let's remember that we don't "do security" just for the sake of compliance. Compliance is a side-effect of having a well planned security governance regime. The top level objectives are about protecting data assets (the CIA triad of confidentiality, integrity, and availability). Where does the review of log files come in and what risks are we mitigating? Well, logs support analysis processes - we learn a lot about what's going on within our systems. Reviewing security event logs provides us with increased situational awareness of our environment, while storing logs enables us to perform trend analysis and observe behaviour on systems over time and identify anomolies. Here's an example. Let's say that every morning at 9am you would expect to see log output stating a successful startup sequence for a particular device or application. If one morning this log entry fails to appear then you have an anomoly to investigate. Of course the issue might not be security related, or it might be. The fact is that some anomolous behavious causes you to investigate and find out what the problem is. Another example is when you consider what is normal system user behaviour. If the log files show that an individual who usually accesses an account during office hours and a weekend from London is now accessing the account in the middle of the night from Elbonia then there's another anomoly for you to investigate. Suspicious behaviour or just on holiday? A review of the logs will likely reveal additional activity that lets you determine which it is. There's much more to talk about on this topic - consolidating logs and getting them into a format that makes them easier to review is probably foremost in the minds of some, deciding what to log and how long to keep records for will be of interest to other.

Student hacks Broward Schools and accesses personal information

Mon, 24 Mar 2008 10:22:48 +0000

Technorati Tag: Security Breach

Date Reported:
3/23/08

Organization:
Broward County Public Schools

Contractor/Consultant/Branch:
None

Victims:
District employees and students

Number Affected:
38,000

Types of Data:
"Social Security numbers, addresses, birth dates, names and other personal information"

Breach Description:
"A high school senior accused of hacking into a Broward School District database may have downloaded more than just the private information of 38,000 district employees as originally suspected, according to court records."

Reference URL:
South Florida Sun-Sentinel

Report Credit:
Joel Marino, South Florida Sun-Sentinel

Response:
From the online source cited above:

A high school senior accused of hacking into a Broward School District database may have downloaded more than just the private information of 38,000 district employees as originally suspected, according to court records.

Investigators also found information about students at the high school he attended, a host of password hacker programs and credit card generators — or software that can falsify credit card information — in a school computer used in February by Michael Wasa, 18, of Tamarac, a search warrant said.
[Evan] Why aren't these computers locked-down? High school students (for the most part) are very "high risk" users. The computers should be well hardened and internet access should be restricted to acceptable site visits.

He was suspended March 6 pending expulsion, but no charges or arrests have been made, said district spokesman Keith Bromery. Investigators also are trying to determine if Wasa worked alone.

A student at J.P. Taravella High in Coral Springs, Wasa was taking several computer classes at the Atlantic Technical Center in Coconut Creek when police say he first accessed the district's database a month ago.

A teacher at the technical school became suspicious of illegal activity after she was unable to access a classroom computer Wasa used on Feb. 26.

The school's information technology team found decrypting software had been downloaded, allowing the user to break into a database and collect teacher and student information from the entire Broward County school system.

School administrators asked Wasa about the hacking on March 4. The records say Wasa "readily admitted he hacked into the school board servers without authorization."
[Evan] Naïve.

He was asked to turn in a thumb drive, which he said contained emergency contact information for Taravella's 3,000 students.

Wasa also is suspected of collecting the Social Security numbers, addresses, birth dates, names and other personal information of district employees ranging from teachers to bus drivers. "There's still no reason to believe that there was criminal intent or that he did anything with the information he was able to retrieve," Bromery said.
[Evan] Breaking into the school's computer systems is against the law. Michael Wasa also had "credit card generators" in his possession. Yet, "There's still no reason to believe that there was criminal intent"?!

Melissa Grimm, a district project manager, told the district's audit committee that the student hacked Pinnacle, an electronic grade book. Both Grimm and Bromery said the payroll has not been affected.
[Evan] Pinnacle Gradebook is made by Excelsior Software. I don't know of any known vulnerabilities and/or exploits for Pinnacle so I wonder if it was just poorly secured in the first place, much like the desktop computer was.

Coconut Creek police, the Broward Sheriff's Office and a district investigations unit are reviewing the case; even the U.S. Secret Service has volunteered to help, said Joe Melita, head of the district's special investigative unit.
[Evan] Sheesh, this has to be intimidating to a high schooler.

"It's a serious matter any time the protection of employee records comes into question," Melita said. "This affects a lot of employees, so we want them to feel comfortable that their information is secure.
[Evan] But their information is NOT secure.

Commentary:
Michael Wasa may have hacked into the school's systems because he was curious, maybe he thought it would be challenge that he could brag about, or maybe he actually had more sinister plans to use the personal information for criminal gain. The fact that he had "credit card generators" in his possession lends some credence to the latter.

Schools that provide computers for their students need to make sure that adequate information security are not forgotten on those computers. For instance, there is no need for a student to have unrestricted internet access, local administrative rights, the ability to install software, etc.

Pinnacle Gradebook is a widely used tool by many schools throughout the county, along with Infinite Campus. I applaud these schools for their intent to provide better school/teacher/parent communication by capitalizing on technology, but equally important are potential security implications.

Past Breaches:
Unknown

Stolen laptop contained unencrypted Fallon Community Health Plan information

Fri, 25 Jan 2008 08:54:27 +0000

Technorati Tag: Security Breach

Date Reported:
1/24/08

Organization:
Fallon Community Health Plan

Contractor/Consultant/Branch:
Unknown vendor

Victims:
Fallon Senior Plan and Summit ElderCare customers

Number Affected:
29,800

Types of Data:
Names, dates of birth and Medicare identification numbers*

*"Medicare identification number" is the generic term for any number, other than the National Provider Identifier, used by a provider or supplier to bill the Medicare program, which usually consists of the person's or his or her spouse's Social Security number.

Breach Description:
Three laptops were stolen from a Boston office used by an unnamed Fallon Community Health Plan vendor. One of the three laptops contained sensitive personal information belonging to Fallon Senior Plan and Summit ElderCare customers. The computer was originally though to be encrypted, but a subsequent investigation has proven this to be false.

Reference URL:
Worcester Telegram
Boston Herald story
Boston Business Journal story

Report Credit:
Bob Kievra, Worcester Telegram & Gazette

Response:
From the online sources cited above:

Fallon Community Health Plan said this afternoon the names, dates of birth and Medicare identification numbers of approximately 30,000 Senior Plan members was on a laptop computer stolen earlier this month from a Boston-based vendor of the HMO.
[Evan] I have been unable to determine the vendor from the 4 or 5 news reports I have read. If you know for certain, please comment.

members with Fallon Senior Plan and Summit ElderCare coverage

"I deeply regret that this incident occurred,'' said President and Chief Executive Officer Eric H. Schultz. "I sincerely apologize for the inconvenience and trouble this theft may cause our members.''

Mr. Schultz said the laptop containing Fallon's information was one of three computers stolen from a Boston office on either Dec. 31 or Jan. 1.

The vendor discovered the theft Jan. 2 and originally said the material had been encrypted. But the health plan, with the assistance of a forensic technologist, came to the conclusion Jan. 14 that the information was not protected.
[Evan] I wonder why the vendor thought that the information had been encrypted. Do they encrypt some laptops, and not others? It is a good idea to encrypt all laptops (and mobile devices) rather than try to determine which ones may have confidential information on them and which ones do not.

the data was not password protected or encrypted, in violation of the company's policies
[Evan] I assume that we are talking about FCHP's policies. Kudos to FCHP for including password protection and encryption in policy. Does FCHP have Vendor/Third-Party access policy and/or regularly audit their vendors for compliance?

The vendor was using the data to ensure that Medicare claims were being appropriately processed

The HMO said Thursday it will offer a year’s free credit monitoring to those affected.

Those individuals have also been mailed letters notifying them of the incident, and FCHP has alerted regulatory authorities to the theft.

Commentary:
A vendor that accesses confidential information and stores it on mobile media without proper protection is inexcusable. I am perplexed. Doing business with a vendor that won't (or can't) provide evidence supporting how they will protect confidential information is taking unnecessary risk.

Past Breaches:
Unknown

Unauthorized access to University of Georgia server affects 4,250

Wed, 09 Jan 2008 12:32:57 +0000

Technorati Tag: Security Breach

Date Reported:
1/9/07

Organization:
University of Georgia

Contractor/Consultant/Branch:
None

Victims:
Current graduate students living in family housing AND former students and applicants.

Number Affected:
4,250

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Sometime between December 29th and December 31st, 2007 a "hacker" using a computer "with an overseas IP address" was able to access a University of Georgia server used to store confidential personal information belonging to certain current and former university students. 4,250 individuals are affected by this breach.

Reference URL:
Associated Press report on ajc.com
WNEG Channel 32 News

Report Credit:
The Associated Press

Response:
From the online sources cited above:

University of Georgia officials are trying to contact more than 4,000 current, former and perspective residents of a university housing complex after a hacker was able to access a server containing personal information, including Social Security numbers.

The security breach happened sometime between Dec. 29 and Dec. 31

a computer with an overseas IP address was able to access the personal information including Social Security numbers, names and addresses of 540 current graduate students living in graduate family housing and 3,710 former students and applicants
[Evan] These investigations are typically difficult to track to a specific source. We have seen "hackers" use insecure computers overseas as proxies. If a proxy is used in a country that does not cooperate with law enforcement in the United States, then the investigation typically stalls due to the fact that logs and other forensic evidence is not available.

University officials know what country the hacker was operating in, but would not comment on it, UGA spokesman Tom Jackson said.

Workers took the server off-line as soon they discovered the problem.

There was no evidence the hacker used or recorded the information, said Stan Gatewood, UGA's chief information security officer.

"It seemed to be one of those things where the door was opened, but no one walked in," Jackson said. "But still everyone needs to be notified."
[Evan] If "no one walked in", then why is there mention of a "hacker" using "a computer with an overseas IP address"? The two statements don't jive.

But notifying all the affected people could be difficult because many are former students from outside the country, Jackson said.
[Evan] Probably more difficult than it would have been to secure the information in the first place.

Commentary:
If we can't be reasonably certain that the attacker did not access the information, then we are left with the assumption that the attacker did. There is little chance that the university will find out who the attacker is with any certainty. It is easy to be anonymous with the use of proxy servers (bots, open proxies, etc.), especially going through foreign countries.

What was the purpose of storing this information on a server that was accessible through the internet? I also wonder what other controls were placed around access to this server.

This isn't the first time that an "overseas hacker gained access" to University of Georgia confidential information resources (see below). Same "hacker"? Food for thought.

Past Breaches:
February, 2007 - Overseas hacker accesses University of Georgia database

DHS notified the Greenville County School District of compromise

Mon, 07 Jan 2008 06:08:03 +0000

Technorati Tag: Security Breach

Date Reported:
12/20/2007 (backdated from writing on 1/7/08)

Organization:
Greenville County School District

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
Not disclosed*

*The Greenville County School District has an estimated 9,089 employees

Types of Data:
Names, Social Security numbers, and telephone numbers

Breach Description:
The U.S. Department of Homeland Security notified the Chief Information Officer of the State of South Carolina of suspicious activity involving Greenville County School District data. A malicious program had been installed on a computer used by the school district's benefits department that captured sensitive personal information belonging to certain school district employees.

Reference URL:
News Channel 7 Story
WYFF Channel 4 News Story

Report Credit:
News Channel 7

Response:
From the online sources cited above and letter sent to affected individuals:

Greenville County Schools was informed by the Chief Information Officer of the State of South Carolina (SC CIO) that the U.S. Department of Homeland Security has identified suspicious activity involving district data.

Unknown to the School District or that employee, a malicious program had been electronically transmitted into a Benefits Department computer by an outside source.

An investigation has identified your personal information as part of the data theft.

Greenville County Schools is one of several government entities recently affected by the compromise of personal information reported to the SC CIO. Local law enforcement, the State Law Enforcement Division (SLED), and the US Secret Service are conducting an investigation.
[Evan] Wouldn't be nice to know who the "several government entities" are? It appears that the data in the breach was compromised through a virus. I can only imagine the number of school computers nationwide that are infected.

When the Benefits Department computer was used to access state insurance information, the malicious software program captured your name, social security number, and telephone number.
[Evan] Captured and transmitted, or just captured?

We continue to work with state and federal law enforcement regarding this matter. You will be notified when additional information is available. If you have questions, please contact me at 355-1182.
[Evan] The "me" is James S. McCutcheon, Director of Disbursement Services

From the FAQ included with the breach notification:
Q. Why did this happen to me?

A. This is a random crime. We have no reason to believe that any specific individual was targeted.

Q. How did The U.S. Department of Home Land Security detect this incident?

A. The U.S. Department of Homeland Security continually monitors “.gov” internet traffic for possible criminal and terrorist activity. The Benefits Department accesses a “.gov” website to manage benefits information.

Victim Reaction:

"As a former employee, what amazes me is that the news just broke, and the district offices are closed! There is no one for me to contact about whether my records may have been stolen as well. If it wasn't for this site, I wouldn't know about their recommended steps." - Will

Commentary:
This is an interesting breach in the fact that the Department of Homeland Security (DHS) noticed and reported it. I assume that the DHS runs network IDS/IPS and this is how it was detected. IDS/IPS takes a considerable amount of tuning and attention. A good IDS/IPS specialist follows-up on anomalies rather than just tuning the alert out. Good work on the part of DHS.

Past Breaches:
Unknown

PrincipalPermissionAttribute and Static ctor Leads to DoS

Mon, 03 Dec 2007 06:03:00 +0000

I recently heard a colleague lamenting that he was having difficulty using PrincipalPermissionAttribute at the class level in a certain scenario under WCF. I recommended caution in my guidebook, because of the nasty type load exception that you can run into if the first request to the class is denied by the attribute.

Be careful about using this attribute at the class level. If the class to which you apply it happens to have a static constructor (or, even worse, if it may get one in the future), realize that this attribute applies to the static constructor as well! Why is this a problem? Well, if a static constructor throws an exception, the class is latched into a mode where each future attempt to call the static constructor leads to the previous exception being rethrown (Brumme, 2003). So, if the first caller to use the class doesn't satisfy the permission demand, no callers in the entire AppDomain will be able to use that class!

Here's a simple console app you can compile that demonstrates the danger.

using System;
using System.Security.Principal;
using System.Security.Permissions;
using System.Threading;
[PrincipalPermission(SecurityAction.Demand, Role="SuperUser")]
class Sensitive {
    static Sensitive() {
        Console.WriteLine("Inside static constructor");
    }
}
class Program {
    static void Main(string[] args) {
        becomeSuperUser();
        tryUsingSensitiveClass();
        becomeNormalUser();
        tryUsingSensitiveClass();
    }
    static void tryUsingSensitiveClass() {
        try {
            new Sensitive();
            Console.WriteLine("{0} OK!!",
                Thread.CurrentPrincipal.Identity.Name);
        }
        catch (Exception x) {
            Console.WriteLine(
                "{0} failed due to a {1}",
                Thread.CurrentPrincipal.Identity.Name,
                x.GetType().Name);
        }
    }
    static void becomeNormalUser() {
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("Bob"), null);
    }
    static void becomeSuperUser() {
        string[] roles = { "SuperUser" };
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("Alice"), roles);
    }
}

Here's the output of the above program, exactly as written. Notice that the call order is such that the privileged user accesses the protected class first, so things work as you'd expect:

Inside static constructor
Alice OK!!
Bob failed due to a SecurityException

Here's the output when I switch the order and have the normal user try to use the class first. The type is locked down and after that, even privileged users can't access it:

Bob failed due to a TypeInitializationException
Alice failed due to a TypeInitializationException

If you remove the static ctor, things work as expected:

Bob failed due to a SecurityException
Alice OK!!

Does this mean that you should never use PrincipalPermissionAttribute on a class? Maybe not, but you should probably put a comment on the class warning future devs to avoid adding a static ctor on it.

Auditing open source software

Mon, 08 Oct 2007 12:13:00 +0000

Written by Chris Evans, Security Team

Google encourages its employees to contribute back to the open source community, and there is no exception in Google's Security Team. Let's look at some interesting open source vulnerabilities that were located and fixed by members of Google's Security team. It is interesting to classify and aggregate the code flaws leading to the vulnerabilities, to see if any particular type of flaw is more prevalent.

JDK. In May 2007, I released details on an interesting bug in the ICC profile parser in Sun's JDK. The bug is particularly interesting because it could be exploited by an evil image. Most previous JDK bugs involve a user having to run a whole evil applet. The key parts of code which demonstrate the bug are as follows:
TagOffset = SpGetUInt32 (&Ptr); if (ProfileSize < TagOffset) return SpStatBadProfileDir; ... TagSize = SpGetUInt32 (&Ptr); if (ProfileSize < TagOffset + TagSize) return SpStatBadProfileDir; ... Ptr = (KpInt32_t *) malloc ((unsigned int)numBytes+HEADER);

Both TagSize and TagOffset are untrusted unsigned 32-bit values pulled out of images being parsed. They are added together, causing a classic integer overflow condition and the bypass of the size check. A subsequent additional integer overflow in the allocation of a buffer leads to a heap-based buffer overflow.

gunzip. In September 2006, my colleague Tavis Ormandy reported some interesting vulnerabilities in the gunzip decompressor. They were triggered when an evil compressed archive is decompressed. A lot of programs will automatically pass compressed data through gunzip, making it an interesting attack. The key parts of the code which demonstrate one of the bugs are as follows:
ush count[17], weight[17], start[18], *p; ... for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;

Here, the stack-based array "count" is indexed by values in the "bitlen" array. These values are under the control of data in the incoming untrusted compressed data, and were not checked for being within the bounds of the "count" array. This led to corruption of data on the stack.

libtiff. In August 2006, Tavis reported a range of security vulnerabilities in the libtiff image parsing library. A lot of image manipulation programs and services will be using libtiff if they handle TIFF format files. So, an evil TIFF file could compromise a lot of desktops or even servers. The key parts of the code which demonstrate one of the bugs are as follows:
if (sp->cinfo.d.image_width != segment_width || sp->cinfo.d.image_height != segment_height) { TIFFWarningExt(tif->tif_clientdata, module, "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",

Here, a TIFF file containing a JPEG image is being processed. In this case, both the TIFF header and the embedded JPEG image contain their own copies of the width and height of the image in pixels. This check above notices when these values differ, issues a warning, and continues. The destination buffer for the pixels is allocated based on the TIFF header values, and it is filled based on the JPEG values. This leads to a buffer overflow if a malicious image file contains a JPEG with larger dimensions than those in the TIFF header. Presumably the intent here was to support broken files where the embedded JPEG had smaller dimensions than those in the TIFF header. However, the consequences of larger dimensions that those in the TIFF header had not been considered.

We can draw some interesting conclusions from these bugs. The specific vulnerabilities are integer overflows, out-of-bounds array accesses and buffer overflows. However, the general theme is using an integer from an untrusted source without adequately sanity checking it. Integer abuse issues are still very common in code, particular code which is decoding untrusted binary data or protocols. We recommend being careful using any such code until it has been vetted for security (by extensive code auditing, fuzz testing, or preferably both). It is also important to watch for security updates for any decoding software you use, and keep patching up to date.