Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Getting Off the Patch
From: Pete Herzog <lists () isecom org>
Date: Mon, 17 Jan 2011 16:12:42 +0100


On 1/14/2011 9:31 PM, Zach C wrote:
Pete, let's say one of the assets I want to protect is the code for my site running on the web server. Now, let's say 
my web server has a serious bug that allows a given attacker to read the raw contents (i.e. code) of *any* file the 
web server has access to. In this circumstance, the web server still must be able to interact with these assets by 
reading and subsequently executing them for continued operations, but it is this very same vector that is being 
exploited by the attacker. Are there any controls, besides patching, that can be applied here without inhibiting 
current operations in any way? (Switching web servers not being an option for various reasons, even though that's 
where I would go first).

I think the question calls for some more information for which I have 
to make many assumptions. The OSSTMM 3 categorized 10 op controls and 
they should be applied to each interactive point for each vector in 
places where thee is no trust. This is especially true of an 
Internet-based service where connections can come from anywhere.

One of the main reasons we published the research we did in the OSSTMM 
is because it makes very clear there is a gap in solutions to cover 
various op controls in elegant and meaningful ways. We do hope that 
the markets can fill these gaps for various systems and especially 
make them easy to apply and configure for the general public.

Your question is a good one and it's a direction we're looking to 
cover with the Applied OSSTMM for Web Apps project. Hopefully, now 
that we have the basis of our research, we can expand it into 
specific, practical scenarios.

Now without writing a how-to manual as an answer, one I don't have 
time for, I will cover these points:

There are 3 main vectors here that require controls to protect against 
your proposed scenario. The op controls that we would put in place 
will not just exist to protect against this one bug but against many 
bugs known and unknown. Mostly, when creating a web service, these are 
the types of controls you want applied from the start and not just 
when the problem appears. I also want to make clear that these 
controls are just for solving this problem and in no way institutes a 
complete array of controls for any web service environment. You would 
not do all this for one problem. However if this was done in advance, 
this bug would not be a problem and you would not need to race to 
patch it before bad things happen.

Also, before any detractors care to take this apart piece by piece, 
please remember I'm clearly saying these solutions may not work for 
all cases and in this short time, I'm not being thorough. However, I 
hope that it's enough to get you to understand how the OSSTMM breaks 
these operations down so you can think along these lines too and help 
find other and better solutions for the same problem.

Internet to Server: here we want to control the possibility and 
severity of an attack

+ Authentication: a white-list ingress and egress filtering on packet 
types and web service requests. In this case, NOT from the web service 

+ Confidentiality: SSL over HTTP will prevent cache poisoning and some 
attacks against communication in transit.

+ Privacy: the white-list authentication mechanism will have the 
benefit of allowing you to keep information about your service from 
being fingerprinted.

+ Subjugation: once again, provided by the white-list to force users 
to use these controls upon connection.

Server OS: here we want to limit the damage that can be done should 
the attack be applied.

+ Authentication: where possible create proper discretion between the 
privileges of the web service and the files it may access. Remove 
files and code you would not want seen or executed if possible. 
Specifically allow only certain files to be executed by the web 
service and assure they are designated as execute only by the web 

+ Privacy: remove or change default directories and file names where 

+ Integrity: a means for maintaining the static files remain static. 
Changes will be refused or undone immediately from a read-only source.

+ Alarm: immediate notification from the web service should any 
request outside the white-list be requested on the server itself.

+ Subjugation: least privileges designation.

Server to DMZ: here we want to prevent the attack from affecting other 

+ Authentication: Make sure that servers are configured not to be able 
to directly be accessed by other servers in the network. White-list 
administrative access if needed. Also a white-list egress filtering on 
packet types. In this case, NOT from the server itself.

+ Subjugation: once again, provided by the white-list to force users 
to use these controls upon connection.

Again, while this is not the most exhaustive or creative list, it's a 
way that controls can be considered and applied to a web service to 
prevent certain bugs from being exploitable. My goal here is to help 
you think in this type of structured, methodical approach to improve 


Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]