Linux Firewalls - Michael Rash [46]
Exploits for trust relationships
Some attacks exploit trust relationships instead of attacking application programming bugs. Such attacks look completely legitimate as far as the interaction with the application itself is concerned, but they target the trust people place on the usage of the application. Phishing attacks are a good example; the target is not a web application or mail server—it is the person interpreting a phishing website or email message.
Resource exhaustion
Like network or transport layer DoS attacks, applications can sometimes suffer under mountains of data input. Such attacks render applications unusable for everyone.
Abusing the Application Layer
Ever-increasing complexity within networked applications makes it easier to exploit application layer vulnerabilities. We saw some creative ways to abuse the network and transport layers in Chapter 2 and Chapter 3, but these techniques are almost prosaic when compared to some of the techniques levied against applications today.
While the implementations of common network and transport layer protocols generally conform to guidelines defined by the RFCs, there is no standard that controls how a particular CGI application handles user input via a webserver, or whether an application is written in a programming language (like C) that does not have automatic bounds checking or memory management. Sometimes completely new attack techniques are discovered and released to the security community—a good example is the concept of HTTP Cross-Site Cooking which involves mishandling of web cookies across domains (see http://en.wikipedia.org/wiki/cross-site_cooking).
The following sections illustrate some common application layer attacks. Certain attacks can be detected with the iptables string match extension, and an iptables rule for a specific attack is included with each example. (This is by no means a complete list of all techniques for exploiting applications.)
Snort Signatures
One of the best ways to understand application layer attacks is to browse through the Snort signature set.[29] Although recent Snort signatures are no longer distributed with the Snort source code, the Bleeding Snort project generates signatures for recent attacks in Snort format (see http://www.bleedingsnort.com).
Note
We will discuss Snort signatures in detail in Chapter 9, but here we introduce the application layer inspection capability provided by Snort. Linking iptables rules to Snort signatures is the key to getting true intrusion detection capabilities from iptables.
Consider the following Snort signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow
access"; content:"/etc/shadow"; flow:to_server,established; nocase; classtype:
web-application-activity; sid:1372; rev:5;)
This signature detects when the string /etc/shadow (in bold above) is transferred from a web client to a webserver. The webserver (and any CGI scripts that it executes) most likely runs as a user without sufficient permissions to read the /etc/shadow file, but an adversary doesn't necessarily know this before trying to request the file. Snort is looking for the attempt to read the file.
In order to make iptables generate a log message when the /etc/shadow string is seen over an established TCP connection on port 80 in the FORWARD chain, you can use the following rule:
[iptablesfw]# iptables -I FORWARD 1 -p tcp --dport 80 -m state --state ESTABLISHED -m
string --string "/etc/shadow" --algo bm -j LOG --log-prefix "ETC_SHADOW "
Buffer Overflow Exploits
A buffer overflow exploit is an attack that leverages a programming error made in an application's source code whereby the size of a buffer is insufficient to accommodate the amount of data copied into it; hence the term overflow is used when adjacent memory locations are overwritten. For stack-based