
Ding-dong ditching pyromaniacal kleptomaniacs or never trust user input

May 17, 2017

One of the oldest abbreviations in the acronym-rich terminology of information technology is IPO, which stands for Input – Process – Output. For the security-savvy developer, however, the problems already start with the first letter of this abbreviation: the input of data.

BY MARKUS HEID AND SEBASTIAN SCHÖNHÖFER, VIRTUAL FORGE

Every user input poses the risk of giving a malicious user the opportunity to manipulate the system. One possible countermeasure is to validate the input with respect to allowed values.

The English terms for such manipulations are as follows:

  • Injections: These involve the introduction of commands which execute actions. They may range from read-only actions down to modifying and destructive actions. In the context of SAP applications, for example, we see the following:
    • OS Command Injection: This is the attempt to execute unplanned commands directly at operating system level.
    • SQL Injection: This involves manipulating database queries through inputs to ensure that they perform unplanned actions.
  • Traversals: This is the attempt to obtain information about the content of a file system via the input of path or file names.
    • Directory traversals are widespread in SAP systems: user input determines which file is read or written.
    • If a traversal is executed via a browser, this is known instead as forceful browsing.
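To show what "validating input with respect to allowed values" means for the directory traversal described above, here is an added Python illustration (not code from the article or from Virtual Forge; the file names and directory layout are constructed for the example). It contrasts a read function that lets the user's input choose the file with one that checks the name against an allowlist pattern and then confirms the resolved path stays inside the intended directory.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample file system: a "reports" directory the application may
# serve from, and a secret file one level above it that it must never expose.
BASE = Path(tempfile.mkdtemp()) / "reports"
BASE.mkdir()
(BASE / "q1.txt").write_text("quarterly report")
SECRET = BASE.parent / "secret.txt"
SECRET.write_text("supplier conditions")

# Allowed values: a plain file name from a small character set, no separators.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.txt$")


def read_report_unchecked(user_name: str) -> str:
    """The open apartment door: whatever the user types decides which file
    is read, so '../secret.txt' or an absolute path walks out of BASE."""
    return (BASE / user_name).read_text()


def read_report_checked(user_name: str) -> str:
    """Validate against the allowlist first, then verify the resolved path."""
    if not ALLOWED_NAME.fullmatch(user_name):
        raise ValueError(f"rejected file name: {user_name!r}")
    target = (BASE / user_name).resolve()
    # Second check: a name that passes the pattern must still resolve (after
    # following any symlink) to a location underneath the reports directory.
    if BASE.resolve() not in target.parents:
        raise ValueError("path escapes the reports directory")
    return target.read_text()


def is_rejected(user_name: str) -> bool:
    """True when the checked reader refuses the given input."""
    try:
        read_report_checked(user_name)
        return False
    except ValueError:
        return True
```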

To illustrate the type of impact this can have, we must first leave the IT world and consider the following incident: the first character is Mr. Miller who, after a really unpleasant working day at the bank, comes home to his apartment in a multi-story building. Mr. Miller has just opened his beer after work and has settled into his TV chair to watch an episode of his favorite series when the doorbell rings. Feeling disgruntled, he hauls himself out of the chair, goes to the intercom, lifts the handset and presses the door opener without asking who is there. He thinks: "It's probably only a courier, the meter-reading service or the elderly lady from the 3rd floor who is always mislaying her key...." If it is actually for him, then the person will knock on his door.

However, the person who rang Mr. Miller's doorbell is neither a courier nor the meter-reading service, and definitely not the elderly lady from the 3rd floor. The person bears the name Lui Cipher, among others, and Mr. Miller is not the one he wants to visit. Lui uses the stairs to reach the top floor. The penthouse on that floor is home to Dr. Edward Smith, Managing Director of a very innovative hidden champion from Franconia. Dr. Smith is a man of principle and is of the opinion that everyone knows and trusts each other in the building. That's why he never locks his apartment door.

Lui Cipher is of course delighted with this principled attitude because he can now just open the door to Dr. Smith's apartment and walk straight into his study. In addition to the secret agreements on conditions with suppliers, he also finds the blueprints for an innovative new product which, once patented, will give an unimagined competitive advantage.

Cipher quickly copies the documents and is about to leave the apartment. On his way towards the door, he discovers a box of matches and a fireplace lighter. Since opportunities should be taken whenever they arise, Lui Cipher decides to just torch Dr. Smith's apartment by means of these two objects, and thus destroy the originals of the documents, among other things.

The week after this incident, Lui Cipher calls Dr. Smith and demands EUR 1 million for a copy of the damning files. Smith reluctantly agrees. While the Managing Director is still waiting for Cipher to keep his side of the deal, he receives the following bad news:

  • His employer's largest competitor, a company from the U.S., has registered a patent for this very innovation whose blueprints have been destroyed.
  • The supplier is very annoyed because details of the generous delivery conditions have appeared in the media and now the supplier's other customers want to have the same conditions.

Lui Cipher is by no means an honest thief and keeping promises is not necessarily one of his strengths, but maximizing profit by selling stolen information several times is indeed in his nature.

Here is a breakdown of the significance of the story's protagonists and their actions in terms of a computer system:

  • Lui Cipher: an end user of our system, either a careless internal employee or a hacker – on behalf of the competitor at worst.
  • Mr. Miller opens the front door without asking: an application component whose source code continues to process user input without checking it.
  • The route up the stairs: similar to navigating through the server's file system, which is a successful directory traversal.
  • Dr. Smith's apartment: an unprotected directory containing important files in the file system.
  • Reading and copying the secret documents: read operations in applications whose authorization checks provide insufficient protection.
  • Match and fireplace lighter: dangerous operating system commands such as the unconditional deletion of files, for example.

What open apartment doors do you have in your SAP systems? The free SAP risk assessment by VIRTUAL FORGE shows, for example, the secret paths through your custom source code or the premises to which too many residents have access.

Sign up today: Free SAP Risk Assessment
