Posted October 3, 2009 by Spyros in Security

The Null Byte Poisoning Attack Explained


By embedding NULL bytes (characters) into input to applications that do not handle trailing NULL terminators properly, an attacker can exploit a system using techniques such as Local File Inclusion. (Local File Inclusion is a vulnerability that exists on Windows, regardless of the type of webserver used. It enables malicious users to include files that are readable by the webserver and located on the same volume, and to execute PHP contained within those files. An attacker may also be able to inject PHP code into the webserver logs, leading to code execution even if no file upload took place.)

The Poison Null Byte exploit takes advantage of the mismatch between strings that carry an explicit length and APIs that expect null-terminated strings. By placing a NULL byte at a chosen position, the attacker causes the string to be cut off at that point when it reaches such an API, discarding the rest of the string, such as an appended file extension.

Although there are many ways to perform a Poison Null Byte exploit, the common ones include terminating a filename inside a string (i.e. cutting off a file extension) and terminating or commenting out an SQL statement that is executed dynamically, such as with Oracle's ‘EXECUTE IMMEDIATE’.

Attacks:

An example of a NULL byte vulnerable PHP script would be:

$file = $_GET['file'];               // untrusted input, used without validation

require_once("/var/www/$file.php");  // the appended .php is lost if $file contains a null byte

In Perl/PHP, a file parameter ending in a URL-encoded NULL byte (%00) causes the appended .php extension to be dropped, so that a file such as /etc/passwd is loaded instead of the intended script.
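The length mismatch described in the two paragraphs above, as an added example in C that is not code from the original post: managed_build_path models how a length-aware runtime builds /var/www/<name>.php, native_api_view_len models what a NUL-terminated native API actually consumes, and has_embedded_nul is the check to apply before the native call. The function names and the sample input are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-aware concatenation, the way a managed runtime (PHP, Java, .NET)
 * builds "/var/www/" + name + ".php": bytes are copied by count, so an
 * embedded NUL inside name survives as ordinary data. Returns the byte
 * length written (excluding the final terminator), or 0 if it does not fit. */
size_t managed_build_path(const char *name, size_t name_len,
                          char *out, size_t out_cap) {
    const char *prefix = "/var/www/", *suffix = ".php";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    size_t total = plen + name_len + slen;
    if (total + 1 > out_cap)
        return 0;
    memcpy(out, prefix, plen);
    memcpy(out + plen, name, name_len);
    memcpy(out + plen + name_len, suffix, slen);
    out[total] = '\0';
    return total;
}

/* What a NUL-terminated native API such as open(2) actually consumes: it
 * reads up to the first NUL, so anything after it (the ".php" suffix here)
 * silently disappears. */
size_t native_api_view_len(const char *path) {
    return strlen(path);
}

/* Defensive check to run on the raw input before it reaches a native call:
 * an embedded NUL is never legitimate in a file name, so reject and log the
 * request rather than silently stripping the byte. */
bool has_embedded_nul(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

int main(void) {
    /* Constructed input: "index", an embedded NUL, then trailing bytes. */
    const char name[] = "index\0ignored";   /* 13 bytes, NUL at offset 5 */
    char path[64];
    size_t managed_len = managed_build_path(name, sizeof name - 1, path, sizeof path);
    size_t native_len = native_api_view_len(path);
    printf("managed length %zu, native length %zu\n", managed_len, native_len);
    printf("native API opens: \"%s\"\n", path);   /* "/var/www/index", no .php */
    printf("reject input: %s\n", has_embedded_nul(name, sizeof name - 1) ? "yes" : "no");
    return 0;
}
```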

In Java, it would be:

String path_to_file = request.getParameter("target") + ".xls"; // untrusted input with the extension appended
File f = new File(path_to_file);                                // the native open stops at the first null byte
deliver_to_user(contentsOf(f));

(I believe that’s two ways…)

.NET is probably the most exposed to Null Byte injection, since a number of functions across several parts of the .NET namespace are vulnerable to the attack. Injection succeeds when the .NET CLR does not handle user-supplied Null bytes properly.
Within the .NET CLR, Null bytes are treated as data, so .NET strings are not terminated at a Null byte; however, when such a string is passed to a function call that is native POSIX compliant, it is terminated at the first Null byte found.
Known vulnerable .NET functions include: Server.MapPath, Server.Execute, Server.Transfer, String.Compare and System.Net.Mail.SmtpMail.Send.

A common example of a Server.MapPath Null Byte injection would be:

Sub Page_Load()
    Dim name As String
    Dim realname As String
    ' untrusted input with ".uploaded" appended
    name = Request("name") & ".uploaded"
    realname = MapPath(".") & "\" & name
    ' MapPath stops at the first Null byte, so the appended extension is lost
    Response.Write("Mappath value of name variable: " & MapPath(name) & "<br>")
    Response.Write("The real value is: " & realname & "<br>")
End Sub

Server.MapPath terminates the returned string at a Null byte injected into the filename parameter, dropping any data appended after the user input. If the name parameter is given a value ending in a Null byte (for example name = c:\boot.ini%00), the string is terminated before .uploaded is concatenated.

Solutions:

In PHP, one common way to prevent Poison Null Byte injection is to escape the NULL byte with a backslash; the most recommended and most common way, however, is to remove the byte completely:

$file = str_replace(chr(0), '', $file);  // strip every null byte before the value is used in a path

In Perl, it's basically the same as PHP: best to remove the byte completely rather than escape it:

$data =~ s/\0//g;  # strip every null byte

The .NET issues were patched with security updates KB928365 (.NET Framework 2.0) and KB928366 (1.1).

There’s also a Poison Null Byte injection affecting the Adobe PDF ActiveX control: a buffer overflow in the ActiveX component shipped with Adobe Systems Inc.’s Acrobat/Acrobat Reader that allows remote attackers to execute arbitrary code. I don’t know much about it, but apparently it was patched in the latest version.

Poison Null Bytes are typically used together with other exploits such as Directory Traversal and SQL Injection (which I hope to write about as soon as I can find time during my classes).

This is a guest post by Nadeem S. aka Kr0w, thank you Nadeem!


Spyros