Written by R a v e N for BSRF (http://blacksun.box.sk)
"Input Validation Attacks". Some of you may be startled by this term. But, to
tell you the truth, it's quite simple, and fun too. Here, let me explain.
What's an IVA?
IVA stands for an Input Validation Attack. I'll try to make this as simple as
possible, so even the ones of you who don't have any programming experience
would still understand.
Suppose you have a program that receives input. That could be practically
anything. In fact, almost every application that you know receives some sort
of input. When you tell your browser where to go, you're giving it input. When
you play a computer game and you tell your figure to move to the left, that's
input. When you type in your password, that's input too. So, what happens when
a program doesn't validate the input that you give it correctly?
Suppose, for example, that if you typed your input, and then a certain
character and afterwards a command and it will be executed? Or maybe, if you
type a password that's too long, the program will go amok and let you in
without the password. Or maybe it'll let you in if you won't type anything
The program didn't validate the input correctly - it didn't make sure that the
user is typing what he is supposed to type. So let's make a long story short -
there is a bug or a hole in the program or it's implementation that involves
certain input, and the program doesn't make sure that such input is not given,
thus allowing us to exploit the hole. Now for a few examples, to clear things
up and to show you how this can be done and exploited.
The best possible real example that I can think of is the PHF hole. Yes, PHF!
Some of you may already recognize this hole. Yeah, yeah, we know it's dated
back in 1996, but let's forget about it for a second and concentrate on how
Let's imagine we're back in 1996. PHF is a CGI script that comes standard with
the Apache Web Server - the world's most popular web server (and it still is
until this very day). Everything is doing just fine, until Jennifer Myers
found out that the PHF script will accept the newline character and issue
commands to the command line with the webserver's privileges. This means that
if httpd (the HTTP Daemon, i.e. the program that listens on port 80 (by
default) and waits for HTTP connections. The term daemon isn't limited to
Internet-related issues, and is better explained in other BSRF tutorials) is
running as root (which is a very stupid thing to do. Web servers should run
from a very restricted account), every command can be executed with root
Basically, to get the password file, all you had to do is to type this:
Then you will get the password file, as if you had console access to a root
terminal and typed in cat /etc/passwd (if the file is shadowed, you can also
get /etc/shadow. After all, you have root permissions). From this point, all
you have to do is to run a password cracker and wait.
Smarter crackers would issue different commands. For example, they could
create an .rhosts file on root's home directory and add their hostname and
username, and then use rlogin to remotely login to that system (if such a
service is running and is not firewalled. But then again, an admin that is
stupid enough to run httpd as root would probably also have it running
unrestrictedly as well). Refer to rlogin's manual page for further
Analyzing the attack
That's awfully long, isn't it? Let's take it piece by piece.
There's not much to explain here - this part tells your web browser who to
This part tells your browser to request for the file called phf, under the
cgi-bin directory, which is under the root directory (it's the main directory,
similar to c:\ in the DOS / Windows world).
Passes input to phf, the cgi script.
So far this is normal input, which the program (and the programmer) is
This is the fun part. &0a is the new line metacharacter. It tells PHF to
start a completely new command line.
The command to execute. Tells PHF to run the following command:
The cat program is a standard Unix program that dumps the contents of a file
to the "standard output" (stdout). This usually means your computer monitor,
unless the output is redirected (to the printer, to a file, or in this case,
through a TCP/IP socket and straight down to our browser).
&20 is another metacharacter, which stands for a blank space, which is also
called a "white space" (it is used instead of real spaces because httpd cannot
accept spaces in URL requests).
How to prevent such attacks
First of all, make sure that everything runs with privileges that are as
restricted as possible, and can only access files that it should and has to
have access to (and if so, minimize access. For example: a web server needs to
be able to read html, gif, jpg, cgi scripts or other files that belong to the
web site, but does not require writing access to them). That way you can
minimize or completely eliminate any possible damage.
Also, as a developer, you must take security into mind when you code your
programs, and also test them under unexpectable conditions. In other words,
when you test a car, you test it for all sorts of strange situations and wild
crashes, and drive it through different kinds of terrains. You can't just make
sure that it can drive and then send it out to the market, otherwise people
will realize that although the car works just fine in normal conditions, it
doesn't handle unexpected ones properly, and will eventually switch to another
Thank you for reading. You can catch up with other BSRF tutorials at
blacksun.box.sk - just find the tutorials page. And remember, if you have a
question, we have an excellent message board, and you can post your question