Once Upon A Bit

Today’s case study is pretty short; you will get its point in a matter of seconds.
We are going to talk about observation, and about the slight difference between no bug at all and a major security issue.

Every piece of security research requires a decent amount of attention and discernment. That’s why there are no successful industrial automated security testers (XSS scanners aside): machines cannot determine every kind of security risk. As a matter of fact, machines cannot sense danger or detect it. There is no single way to conduct security research against a given target. The research parameters differ and vary with the target. Some research ends after a few years, some after a few days, and some after a few minutes. This case study is of the last type. The described bug was so powerful and efficient (for the attacker) that no further research was needed to reach the goal.

A very famous company, which, among all the outstanding things it does, provides security consulting to a few dozen industrial companies and start-ups, asked us to test the resistance of its “database”. Our goal was to leak the names of the clients from a certain type of collection, not an SQL-driven one (we still haven’t got the company’s approval to publish its name or the type of vulnerable data collection).

So, after a few minutes of examining the queries that retrieve information from the data collection, I understood that the name of the data row is required in order to perform a certain action on it. If the query issuer (the user who asks for information about the row) has permission to see the results of the query, a 200 OK response is returned. If he doesn’t, again, a 200 OK response is returned.

At first I thought this was correct behavior. Whether the information exists in the data collection or not, the same response is returned.
BUT THEN, completely by accident, I opened the response to the non-existent data row in Notepad.

The end of the 200 OK response contained an unfamiliar UTF-8 character, one that shouldn’t be there. The response to the request for the non-existent data row was 1 bit longer!

At first, I was confused. Why does the response to a non-existent resource contain a weird character at the end?
I was sure there was JS code that checked the response and drew a conclusion from that weird char, but there wasn’t.

This is one of the cases where I cannot fully explain the cause of the vulnerability, for a simple reason: I don’t see the code behind it.

The company’s response, besides total shock at our fast turnaround, was that “apparently, when a non-existent resource is requested from the server, a certain sub-process which searches for this resource in the data collection fires up and encounters a memory leak. The result of the process should, by rule, be an empty string, but when the memory leak happens the result is a strange character, the same one that gets appended to the end of the response.”
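The behaviour described above, as an added illustration that is not code from the post or from the company: a constructed stand-in handler that reproduces the stray-character-on-miss behaviour next to a hardened one, plus a regression check that compares the responses for an existing and a missing row byte for byte. The row names, the JSON body and the choice of U+FFFD as the stray character are assumptions.

```python
from typing import Tuple

# Constructed sample data standing in for the client list in the post.
KNOWN_ROWS = {"acme", "globex"}


def _lookup_subprocess(row_name: str) -> Tuple[bool, bytes]:
    """Stand-in for the sub-process that searches the data collection.

    On a hit it returns (True, b""). On a miss it should return (False, b"")
    but, as the company described, leaks a stray UTF-8 character instead.
    """
    if row_name in KNOWN_ROWS:
        return True, b""
    return False, "\ufffd".encode("utf-8")  # assumed stray char: EF BF BD (3 bytes)


def buggy_handler(row_name: str) -> Tuple[int, bytes]:
    """Reproduces the described bug: 200 OK either way, but whatever the
    sub-process returned is appended to the body, so a miss is 3 bytes longer."""
    _found, raw = _lookup_subprocess(row_name)
    return 200, b'{"status":"ok"}' + raw


def fixed_handler(row_name: str) -> Tuple[int, bytes]:
    """Hardened variant: the sub-process output is never concatenated into the
    response, so hit and miss produce byte-identical bodies."""
    _found, _raw = _lookup_subprocess(row_name)  # result deliberately not echoed
    return 200, b'{"status":"ok"}'


def response_oracle(handler, present: str, absent: str) -> dict:
    """Regression check: request one existing and one missing row name and
    report every difference an observer could measure from the raw bytes."""
    status_hit, body_hit = handler(present)
    status_miss, body_miss = handler(absent)
    # Bytes that the miss response carries beyond the hit response, if it is a prefix.
    extra = body_miss[len(body_hit):] if body_miss.startswith(body_hit) else None
    return {
        "status_differs": status_hit != status_miss,
        "length_delta": len(body_miss) - len(body_hit),
        "body_differs": body_hit != body_miss,
        "extra_bytes": extra,
    }


def is_oracle_free(handler, present: str, absent: str) -> bool:
    """True only when status code, length and body are all identical."""
    report = response_oracle(handler, present, absent)
    return not (report["status_differs"] or report["length_delta"] or report["body_differs"])


if __name__ == "__main__":
    for label, handler in (("buggy", buggy_handler), ("fixed", fixed_handler)):
        print(label, response_oracle(handler, "acme", "no-such-row"))
```

The check compares raw bytes rather than parsed JSON on purpose: a lenient decoder may drop a trailing character and hide exactly the difference that matters. Against a real service the same comparison should also cover response headers (Content-Length in particular) and, ideally, timing.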

Conclusion
Making your code run a sub-process, a thread or, God forbid, an external third-party process is a very bad practice.
I know that sometimes it is more convenient and can save a lot of time, but whenever you use another process you cannot fully predict its results. Remember: it can crash, freeze, or be force-closed by the OS or by some other process (anti-virus?).
If you must use a thread or sub-process, at least do it responsibly: check that OS memory isn’t exhausted, validate the arguments you pass to the process, confirm the process’s permission to run, and account for every possible result scenario. Never allow the process to run or execute critical commands based on user input.
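The rules in the conclusion, as an added example that is not the post’s or the company’s code: a Python wrapper that runs a lookup as a sub-process with a validated argument list, no shell, a timeout and a return-code check, and that turns every failure path (rejected input, crash, hang, garbage output) into the same empty string, so a misbehaving child can never leak into a response. The child script, its row data and the row-name pattern are constructed assumptions; the child crashes on a miss and hangs on the name "slow" to exercise the failure paths.

```python
import re
import subprocess
import sys

# Assumed naming rule for rows: reject anything else before a process is spawned.
ROW_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed child script standing in for the external lookup process.
CHILD_SCRIPT = r'''
import sys, time
rows = {"acme": "Acme Corp", "globex": "Globex"}
name = sys.argv[1]
if name == "slow":          # simulate a frozen process
    time.sleep(30)
if name in rows:
    print(rows[name])
    sys.exit(0)
# simulate the failure path: garbage on stdout plus a non-zero exit status
sys.stdout.buffer.write(b"\xef\xbf\xbd")
sys.exit(3)
'''


def run_lookup_process(name: str, timeout: float = 2.0) -> str:
    """Run the child lookup and return its validated output, or "" on any failure.

    Every failure path returns the identical value so that a caller embedding
    the result in a response cannot produce a hit/miss oracle by accident.
    """
    # 1. Never hand unvalidated user input to a process.
    if not ROW_NAME.fullmatch(name):
        return ""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT, name],  # argv list, no shell
            capture_output=True,
            timeout=timeout,   # a hung child is killed, not waited on forever
            check=False,
        )
    except (subprocess.TimeoutExpired, OSError):
        return ""
    # 2. Only a clean exit counts; stdout of a failed run is never trusted.
    if proc.returncode != 0:
        return ""
    # 3. Validate the shape of the result before it goes anywhere near a response.
    try:
        text = proc.stdout.decode("ascii").strip()
    except UnicodeDecodeError:
        return ""
    return text if text.isprintable() else ""


if __name__ == "__main__":
    for candidate in ("acme", "no-such-row", "acme/../globex", "slow"):
        print(repr(candidate), "->", repr(run_lookup_process(candidate, timeout=0.5)))
```

The post also asks you to check OS memory before spawning; that is environment-specific and left out here. Note that the stray character the child writes on the failure path is the kind of output the company described, and the wrapper discards it purely because of the exit status, without having to know what garbage to expect.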
