Im reading in an address from user-space and using RtlCopyMemory() to copy data over to my output buffer and although I have it working, it lacks any safe guarding against invalid addresses being read which will throw a bug check in my face.
I know that I need to use SEH to do this but I am not sure what exceptions I need to be handling or if RtlCopyMemory even throws any exceptions. If not, how can I check that the address is valid before I pass it into RtlCopyMemory()?
Read about ProbeForRead and ProbeForWrite, additionally I suggest you the following reading:
http://download.microsoft.com/download/d/1/d/d1dd7745-426b-4cc3-a269-abbbe427c0ef/sys-t774_ddc08.pptx
and
http://www.codeproject.com/Articles/9575/Driver-Development-Part-Introduction-to-Implemen
Related
(Sorry, if this is a dumb question....)
Veracode reports my website has a security issue which relates to use connection string from web.config.
Here is my code.
Public Function ExecuteScalar(ByVal sql As String) As Object
Dim obj As Object = Nothing
Try
Dim connStr as String = ConfigurationManager.ConnectionStrings("mydatabase").ConnectionString
Using conn As New SqlConnection(connStr) '''Veracode reports the issue come from this line
conn.Open()
If conn IsNot Nothing Then
'''execute my sql
End If
End Using
Catch ex As Exception
Throw ex
End Try
Return obj
End Function
Veracode said:
This call to
system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1()
allows external control of system settings. The argument to the
function is constructed using user-supplied input, which can disrupt
service or cause an application to behave in unexpected ways. The
first argument to !newinit_0_1() contains tainted data from the
variable connStr. The tainted data originated from earlier calls to
system_web_dll.system.web.httprequest.get_item,
system_data_dll.system.data.common.dbdataadapter.fill,
system_data_dll.system.data.sqlclient.sqlcommand.executescalar, and
fmmobile8_dll.virtualcontroller.vc_wcfentry.
Remediation:
Never allow user-supplied or otherwise untrusted data to control
system-level settings. Always validate user-supplied input to ensure
that it conforms to the expected format, using centralized data
validation routines when possible.
The same isuse was reported by CWE: http://cwe.mitre.org/data/definitions/15.html
OK, the suggestion from Veracode said that I should check the format of connection string before using it to create SqlConnection object.
I also asked Google professor about how to check format of connection string. But the returned results said that we should create SqlConnection object, then open it.
If the response is OK, the connection string also means a valid format. Otherwise, the connection string is invalid.
Unfortunately, Veracode does not accept this answer.
So, my question is that:
Should we check the format of connection string before creating SqlConnection object (as Veracode said)? If yes, how?
The problem is not the format of the connection string, it's that it may be controlled by somebody not intended. For instance an attacker may be able to change your web.config and have your application connect to a fake database to serve fake data. Note that such an attacker might be internal to your organization (a disgruntled IT ops employee), or an external attacker that already gained some level of access.
So the question is whether you trust your web.config file according to your threat model. Probably you do for several reasons (you have good processes to mitigate risks), in which case this would be "mitigated by design" in Veracode terms.
Basically it's just a warning to raise attention that web.config is in a sense external to your application and can be changed by more people than you would initially think of, and changing it by unintended people may lead to unwanted results.
I've had a similar issue with Veracode and they told me to make sure the Web.config file was encrypted.
You can do this via some command line prompt actions on the server where the application is deployed.
aspnet_regiis -pe "connectionStrings" -app "/" -site 1
or if you wanted to expand your security to the appSettings section
aspnet_regiis -pe "appSettings" -app "/" -site 1
You get the site number by opening IIS and going to the Advanced Settings for the site. It is the field labeled "ID"
Here is a MSDN article explaining in more detail:
https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
I have a function that can take any io_data and nothing else, because it's going to send it over a http connection. At the moment I have an is_binary guard clause but this is too restrictive.
So is there a guard clause that checks if something is io_data or not?
e.g.
def do_the_stuff(content) when is_iodata(content) do
# e.g.
IO.puts(content)
end
There's no specific guard for that. Usually libraries use
when is_binary(iodata) or is_list(iodata)
There is no way to catch invalid iodata terms in a guard. is_binary(content) or is_list(content) is as close as you get.
If you want to check that the term is valid iodata before sending it, you can call IO.iodata_length, and check that it doesn't raise an error. This is cheaper than converting the iodata to a binary, but does impose a cost that wasn't there before. It might not be worth it, considering that the underlying library should raise an error if the data is invalid.
i'm deserializing some XML Data i get from a WebService using the XmlSerialzier. This worked quite good until now, but since some days i get an FormatException while the Serializer parses the XML.
Is there any Chance to get the Value/Element/Tagname the Serialzer tried to parse when the Exeption was thrown? I haven't found anything in the Exception Details.
Thanks and Greetings
Kornelis
If the format exception doesn't give you enough information to solve the problem, you can go one step further and debug the specific code that produces the problem. The XmlSerializer works by generating a assembly at runtime which is responsible for serializing/deserializing the type you want. This generated code can be debugged in the following way (check link).
I got an exception in a web app I'm developing recently from a url something like:
http://domain.com/script.js?bcsi-ac-16E7C1CCF9EF6357=1C76413C00000002kmNHGZK2deV0Qz25TXynq3fMaPTrBAAAAgAAAD5tGgCEAwAACAAAAPUiAgA=
First of all - what in the world is that? From searching it sounds like maybe it's a cookie / session variable of some kind...
Second of all, the exception was about dynamic assignment of a constant. I tried a simpler url:
http://domain.com/script.js?bcsi-ac
And that gave an exception about the variable or method 'bcsi' not being defined, as if it were trying to evaluate it... WHAT!? I sure as hell hope people can't cause my Rails app to evaluate random code just by passing it to the querystring...
To provide more detail: I'm not doing anything unusual with the querystring data in the route or the controller. I just take the params and pass them into a partial as locals (admittedly not the cleanest way to do it, but simple - and that certainly shouldn't cause it to evaluate a parameter name as code?)
OKAY! Answering my own question again. It turns out passing params in as locals to a partial DOES cause it to evaluate the parameter name as code - obviously it can't use the variable name "bcsi-ac" so it tries to evaluate it.
But the question as to whether that poses a security risk still remains... I don't seem to be able to call methods on things, or actually assign things... but maybe I just haven't tried hard enough. It would seem to me that rails should just throw an exception when passing in a locals hash that includes an invalid variable name.
as a general rule of thumb, any time you allow strings from your url to be evaluated as code you are setting up a huge security risk in your application. you might not be able to call methods on locals as your methods exist server side and the code you are evaluating is client side, but this certainly opens your site up to XSS vulnerabilities among others...
I trying to capture pageLoad event in progressListener, in onLocationChange i check URI of fresh page, and in case URI = about:blank i got
Error: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.host]
As i understand this URI don't have host at all.
How can i check that host is available without raw parsing and exception catching? Is there any conventional way to check that atribute is present?
Your best bet is to filter certain protocols (filter on scheme). It's best to use a whitelist in this case of the protocols you care about.
In general there's no way to know for sure without doing a try/catch, but currently an nsIStandardURL is the only sort of URI that will have a host.
When I faced this problem my solution was:
To indicate an observer flag aWebProgress.NOTIFY_LOCATION
aWebProgress.addProgressListener(this.listener, aWebProgress.NOTIFY_LOCATION);
Before I had aWebProgress.NOTIFY_LOCATION and there was an exception you desc