Unhandled program exceptions and informative error messages – free support for Cyber Attackers

30 August 2015

Today companies know their business-critical information and protect it against unauthorized use and disclosure.

Cyber criminals don’t attack the business-critical information directly; they attack the application systems through vulnerabilities in the system and application software. Application and system developers make life easy for them by disclosing information about the system design through unhandled program exceptions and informative error messages.

Unhandled program exceptions exist in almost every web application. Candidates are URLs with parameters like

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE&Action=A&SiteId=11&languageCd=GER

Most programmers do in-depth tests to make sure that the program retrieves exactly the information defined in the requirements specification. But what happens if an invalid value is input?

Let’s rewrite this URL and assign SiteId the value -1:

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE&Action=A&SiteId=-1&languageCd=GER

The result is:

A negative number was assigned to an Attribute of type "Unsigned": HRS_SITE_ID.HRS_SITE_ID. (2,121) WEBLIB_XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:ax_Parameter_security PCPC:1176 Statement:19 Called from:WEBLIB_ XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:Iscript_Load XXXXXXXX Portal Statement:28

Okay, it’s not the entire program stack, but it shows that input is not fully sanitized, and it gives an attacker the hint that the site is possibly vulnerable to SQL injection attacks.

Unchecked error conditions are listed as CWE-391 in the Common Weakness Enumeration. Programmers can easily solve this problem by adding an extra catch-all (“when others”) exception handler to the code.

The best error message is one that reveals information neither about the application system nor about the internal structure of the application:

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please excuse the inconvenience caused.

Period. For a good overview of error handling problems and mitigations, see the SANS Securing Web Application Technologies (SWAT) checklist.
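The catch-all handler and the generic message described above, sketched in Python as an added example (not code from the original post or from the application shown). The names `parse_site_id`, `load_site` and `handle_request` and the sample site table are hypothetical; the point is that the boundary check and every other failure end in the same uninformative response, while the detail goes to the server log only.

```python
import logging

log = logging.getLogger("app.errors")

# The generic message quoted in the post: the only text a client ever sees on failure.
GENERIC_MESSAGE = ("The resource you are looking for might have been removed, "
                   "had its name changed, or is temporarily unavailable. "
                   "Please excuse the inconvenience caused.")


def parse_site_id(raw):
    """Boundary check: SiteId must be a plain unsigned integer (hypothetical helper)."""
    if raw is None or not raw.isascii() or not raw.isdigit():
        raise ValueError("SiteId is not an unsigned integer")
    value = int(raw)
    if value > 2**31 - 1:
        raise ValueError("SiteId out of range")
    return value


def load_site(site_id):
    """Stand-in for the business logic; raises KeyError for unknown ids."""
    sites = {11: "Careers site 11"}  # constructed sample data
    return sites[site_id]


def handle_request(params):
    """Return (status, body). Internal detail is logged, never sent to the client."""
    try:
        site_id = parse_site_id(params.get("SiteId"))
        return 200, load_site(site_id)
    except Exception:  # catch-all, the equivalent of a "when others" branch
        # Full traceback and the offending parameters stay on the server side;
        # %r escapes control characters so the input cannot forge log lines.
        log.exception("request failed params=%r", params)
        return 404, GENERIC_MESSAGE


if __name__ == "__main__":
    for query in ({"SiteId": "11"}, {"SiteId": "-1"}, {"SiteId": "12"}, {}):
        print(query, "->", handle_request(query))
```

Invalid input, an unknown id and a missing parameter all produce the identical response, so the reply no longer tells a caller which check failed or how the backend is structured.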

Have a good weekend, and fun with boundary value tests.