Information disclosure is one of the most abundant threats to an application and often the most overlooked. In short, information disclosure bugs involve giving too much information to individuals who are not supposed to be able to obtain that information. Some bugs are as obvious as an attacker gaining access to user credentials stored in clear text where the attacker can read them. However, some bugs are not as obvious, such as when extra data can be read only by viewing the file in a binary editor.
Although threat models and data flow diagrams should reveal some information disclosure threats, most of these bugs occur as a result of small implementation details or as side effects of intended functionality. As such, you should not rely solely on analyzing threat models and data flow diagrams to identify all the places where your application might disclose data.
Information disclosure bugs often are disregarded because the developer or program designer do not understand how an attacker could use the information obtained to help break the application. Huge mistake! Even though not all information is considered equal, if attackers can obtain some data that they should not have access to, they will try to use it against your application or service to exploit other vulnerabilities. It is important to understand how disclosing certain data can be a security problem.
For example, if a feature of an application discloses a user name when a certain error occurs, the attacker has obtained half the credentials needed to gain access to the system. Attackers can use the user name to guess the user’s e-mail address, and then use social engineering or spoofing techniques to trick the user into taking action that gives the attacker an advantage. Because many users share similar—if not the same—passwords from one application to another, a weakness in one can cause a vulnerability for all the others.
Note
We once tested a logon system for a Web site that allowed users to reset their forgotten passwords only by providing their user name. Once the user name was entered, the system would automatically change the password, and then e-mail a confirmation of the new password to the user. Not only did this feature create a potential denial of service for the user, it revealed the user’s e-mail address in association with user name and changed password.
Information disclosures can also lead to embarrassments, such as when revisions in drafts of a document can be viewed, or when the history of Web sites visited, phone calls made, e-mails sent, and so forth are revealed. Many times a user wants to keep this type of information private.
Remember, attackers can and will use any information they gain to learn details about your application to use against you. They will disassemble your binaries, probe your Web applications, and pick apart your application’s data files to gain a better understanding of how they can break the application. This chapter discusses common areas prone to information disclosure bugs, methods for identifying interesting data, and testing tips to help you shore up these types of vulnerabilities.
By now, you should have a better understanding of what information disclosure is and the problems it can cause. The vast majority of information disclosure bugs can be found in the following areas:
Data in files
Data sent over a network
All applications and services use files. This section discusses several different types of files that applications use that can disclose information. These include an application’s binary files, data files, and source files. Although you must look for different bugs in each type of file, the steps used to find information disclosure bugs are the same as follows:
Find which files are being used.
Determine how the files are stored.
Inspect the contents of the files.
Chapter 3, discusses how to find entry points into an application and which tools you could use to determine which files the application uses. A couple of great tools can help you identify which files your application uses:
Process Explorer by Sysinternals shows the files in use by a particular application.
File Monitor by Sysinternals shows all files the system tries to access.
Using these tools in conjunction with the application identifies any files that are used. Let’s look at how you can use these tools to inspect which files are used.
Process Explorer by Sysinternals gives you a great deal of information about a process, such as which files, registry keys, threads, and so forth it is currently using. This tool is useful if you want to see the files in use when running the application. After starting Process Explorer, you will see all of the running processes on the system in the upper pane and the handles they use in the lower pane. Figure 7-1 shows the handles that are used by the process msmoney.exe, which are shown after you start Microsoft Money 2005 and log on to an account.
As the output indicates, Microsoft Money creates several file handles that need to be examined for information disclosure vulnerabilities. It turns out that Money uses the user’s profile directory to store data, including temporary files, which helps protect the data.(See Figure 7-3.) If you double-click a file handle, the Properties dialog box lists detailed information about the file, including the security permissions set on the file. If files are created using weak permissions, even if the files exist for a short amount of time, an attacker can take advantage of this vulnerability.
Important
If files are created using weak permissions, even if the files exist for a short amount of time, an attacker can take advantage of this vulnerability.
The list of processes shown in Figure 7-1 is not complete enough to determine all of the files used by Microsoft Money. What about files that are accessed only when the application performs certain functions? Also, Process Explorer shows only the current files in use, so some files that are opened and closed quickly are listed only intermittently. For instance, sometimes developers write data to a temporary file, and then rename the file to the destination file. They assume this practice is safe because the window of opportunity might be small for an attacker to take advantage of the temporary file—but exploiting a temporary file whose existence is brief isn’t impossible, it’s actually pretty easy. This type of race condition attack, as it is called, is discussed in more detail in Chapter 13. To help catch these issues, you can use File Monitor.
File Monitor (Filemon) is another great tool by Sysinternals that supplies the details about all the file accesses that occur on the system. Because a lot of file accesses constantly take place on a system, it is useful to apply a filter for just the application you are testing. Upon starting Filemon, the dialog box shown in Figure 7-2 will appear to enable you to configure filtering.
Figure 7-2. Filemon Filter dialog box, which can be used to reduce the amount of information that is monitored
For example, you can set Filemon to capture only the file access for the application by entering a value in the Include text box. Also, you can configure Filemon to log only certain types of file operations, and you can use the Highlight feature to indicate file operations that contain certain values such as temp, log, backup, or windows so that you might easily spot potential problems. Figure 7-3 shows the files that Money accessed when starting the application, logging in, closing the application, and having the application automatically back up the data.
As mentioned, an application might use several files while running, especially for features that cache or auto-save data. If these files contain useful information, an attacker might be able to take advantage of them. To help mitigate information disclosures in such files, check the following:
Temporary files are written to a “safe” location.
The permissions on the files are not weak.
Filenames or paths are not easily predictable.
In addition to these checks, you might have to take extra measures to ensure the file does not disclose any information. For example, even if a file is deleted or a disk is formatted, an attacker with access to the disk might be able to recover deleted data. Also, if an attacker has access to pagefile.sys and hiberfil.sys, information stored in memory that is not deleted and written over might not be safe if it was paged to disk or the system was put in hibernation.
Making sure the data is written to a safe location is the true defense against information disclosure bugs in a file. When the file has proper access controls, it makes it difficult for the attacker to obtain the data. In general, on computers that run the Microsoft Windows operating system, files that are user-specific should be written to the user’s personal profile directory. That way, the operating system sets the proper permissions on the file.
Note
Different operating systems might store a user’s personal data in a specific directory and handle permissions differently from the Windows operating system.
A logical place for developers to store temporary files is in the temporary folder. But which temporary folder? There is more than one: the user-specific temporary folder and the system temporary folders. The user-specific temporary folder generally is %USERPROFILE%Local SettingsTemp (for instance, this expands to “C:Documents and SettingsusernameLocal SettingsTemp”). The %TEMP% or %TMP% environment variables generally expand to this folder location, too. In addition, there is the system temp folder at %WINDIR%Temp and potentially others such as c: emp and c: mp. These, too, can be considered temporary folders, but they might not be safe, depending on what permissions are set on them and what the data is; they might not be safe for sensitive user data.
Insecure temporary folders can lead to several types of attacks. For example, if an application extracts a CAB file to a temporary location that has weak permissions, attackers have a window of opportunity to replace the data extracted to that location with their own data. If an administrator is using the application, the attacker might be able to exploit this bug to gain elevated privileges and then trick the administrator into running the attacker’s code.
The main point is that many times applications are designed to write data to a specific location without considering who else might have access to that location. As such, an attacker thinking maliciously might be able to take advantage of such weak access controls.
Even if files are written to a folder on which strict permissions are set, the application can change the permissions of the files at run time. Chapter 13 delves into more detail about permissions, but essentially you need to make sure the files location’s permissions are not weak.
Important
You should make sure that the file does not allow access to users who should not be able to access it. Chapter 13 discusses the principle of least privilege to help you determine who needs access.
On November 6, 2005, Thomas Wolff discovered a vulnerability in fetchmail, a Linux utility used to retrieve and forward e-mail on remote systems. In this information disclosure bug, the fetchmail program would write user names and passwords to its configuration file before closing it and properly setting permissions for the owner on that file. This race condition allowed an attacker to view its contents before the proper permissions were set.
If, for instance, an application has an auto-save feature that writes temporary data to the hard drive without the user’s knowledge, the file might be compromised if an attacker is able to determine its existence and access it. You must ensure filenames and paths are not predictable to prevent this sort of information disclosure bug.
Predictable names essentially are ones that can easily be guessed, such as for files created sequentially (file01.txt, file02.txt, etc.) or that use a simple naming scheme like username_date.txt (for example, bryan_20050101.txt).
Although there are application programming interfaces (APIs) that can be used to create random filenames, such as CreateTempFile, sometimes developers do not use them. And although a filename might look random, it might be predictable. For instance, an application might create a temporary file using the tick value of the system. If so, an attacker could exploit this vulnerability by guessing the tick count of the system. Also, if the attacker has permissions to list the folder contents, using random filenames would not improve security because the attacker could repeatedly enumerate the directory to obtain the random filenames. If an attacker does not have the ability to enumerate a folder, be sure not to use a predictable folder name.
When a file is created, it might contain data the user might not have expected to be included. You should inspect the contents of files that your application produces and also the application’s program files. If the application is writing data to an unsafe location that uses weak permissions, that is a security bug, even if the practice doesn’t seem to disclose information directly. Here are some examples of the kinds of data a file might disclose, depending on the file type:
Application binary files
Internal machine names
Internal Web sites
“Secrets” used in encryption algorithms
Hard-coded user names and/or passwords
User’s personal information
Application version
Deleted data
Machine name
Application source files
Author information
Bug IDs
E-mail addresses
Internal machine names
Comments that indicate bugs (“// HACK”, “// TODO”, “// BUG”, etc.)
When a file is created, sometimes metadata is saved along with it. For instance, most digital cameras store extra data from the camera in the picture itself. You can sometimes see this data by opening the picture file’s Properties dialog box and viewing the Advanced Summary. Figure 7-4 shows an example of metadata stored in a JPEG taken with a digital camera. You might not think this is a big deal, but metadata could contain more sensitive data in different types of files.
A Microsoft Office Word document could also contain metadata that discloses such information as the author name, e-mail addresses, machine name used to create the file, and phone numbers. Many times the application injects this information automatically for the user without the user’s knowledge. Imagine if you created such a Word document for your application to describe the End User License Agreement and shipped it with your product. Your private information as the author would be disclosed unintentionally.
You can view a file’s properties in Windows Explorer, although this might not display all of the metadata that the file contains. Even worse, if you have used the Track Changes feature in Word, even data that is deleted from the document is still embedded in the file and can be viewed. To prevent this sort of unintentional information disclosure, you must check the file’s binary data itself to be sure it does not contain metadata.
Several tools are available to enable you to examine the contents of a file:
Strings by Sysinternals is used to view the strings in a file.
A hex editor, such as WinHex, enables you to view the binary contents of a file.
eDoc by eTree is an editor you can use to view or edit document files, such as Word documents.
Even a simple Word document that contains only the word world as its contents contains a lot of information. Figure 7-5 shows the output of running Strings on such a file.
Figure 7-6 illustrates the object linking and embedding (OLE) structure of a Word file with an embedded text file using eDoc. As you can see, not only can you see the contents of the file, but also the path information about the file that was embedded. You can also reveal this information using Strings or by viewing the data in a hex editor.
Instead of a Word document, what happens if you use another type of container, such as a ZIP file? Figure 7-7 shows the file opened in the hex editor WinHex. Notice that you can see the contents of the text file, too.
Even though your application might use different structures to store data, once the format is understood, an attacker might be able to extract the information. Encryption could be used to help protect the file, but weak encryption or obfuscation attempts are guaranteed to be broken eventually by an attacker.
When testing network applications for information disclosures, you should ask a few questions about your application:
Are any requests and responses unexpected?
Is more information sent than necessary?
Are the error messages too revealing?
Is sensitive data protected?
Sometimes an attacker can alter the request and get the application to return additional data that it shouldn’t. Refer to Chapter 4, to understand how to bypass client-side validation, which might help pass values that would normally be blocked. Although some of the data might be visible to the user, sometimes extra data is returned that is not displayed, so you need to use tools to examine it.
Chapter 3 discusses tools that could be used to determine which ports an application opens on a machine and how to monitor data going over the network. Several tools can be used to help monitor this data, such as Ethereal and Web Proxy Editor. You should also be aware that sensitive data could be sent in the padding of an IP packet. Some tools that operate at the TCP level ignore the padding, and the information goes undetected.
Important
The quality of the tools you use to gather information can make a difference between finding or missing the bugs. You should also understand the functions and limitations of the tools.
A tool called Scapy, which runs on Linux, allows packet manipulation, including data contained in the padding. Refer to http://www.secdev.org/projects/scapy for more information.
Now that you know what data is being sent across the network, you can determine whether too much information is being revealed, especially to unprivileged users. If your application has features that attempt to protect a user’s anonymity, you should think of other ways that a malicious user might be able to defeat those features. Following are two examples:
HTTP Referer
Web beacons
As mentioned in Chapter 4, the HTTP Referer header is automatically sent from a Web browser when it fetches a resource from the Internet. The Referer indicates the URL of the Web page from where the request was made. For example, if a visitor to the Web page http://www.alpineskihouse.com/page.html clicks a link to http://www.contoso.com, the Referer would be http://www.alpineskihouse.com/page.html.
Developers of Web applications should be aware that sensitive information can be part of the URL. For instance, imagine a Web-based e-mail client. If the client displays HTML e-mails, it might be possible for attackers to display an image from their server in a message. What if the URL looks like https://mail.contoso.com/inbox/bryan? When fetching the image, the attacker’s server could log the request, including the Referer. Then, not only does the attacker know that the e-mail message was read, the attacker gains the link of the Web-based e-mail server, including the recipient’s user name.
Web beacons, or “web bugs,” are a way for an application to “call home” without the user’s knowledge. Web beacons are usually transparent image files with a dimension of 1 by 1 pixels that can be embedded into a Web page, document, or other file; when the page or file is accessed, the application automatically links to the Web to download the image. For example, most e-mail clients have a read receipt feature that enables the recipient of an e-mail message to notify the sender when the message is received. Most mail clients give the message recipient options on how to handle the read receipt, such as to send the receipt or not.
However, there are other ways without the client’s permission that a malicious user can obtain information on whether the recipient received or viewed the message. For example, in the Web-based e-mail client example, suppose the client automatically displays images in e-mail messages. A malicious user could insert a link to an invisible image located on the attacker’s server in the e-mail message. When the unsuspecting user views the message, the Web-based e-mail client fetches the image from the malicious user’s server. The attacker can then check the server logs to know whether the recipient has read the message yet, bypassing the read receipt feature. If you run a network monitor such as Ethereal or Web Proxy Editor, you can detect whether an application calls home using a Web beacon.
The preceding sidebar covers how applications sometimes reveal too much information that can assist a malicious user. Similarly, you might not think twice about error messages that an application displays. For instance, how many times have you browsed to a Web site, and then received an error as shown in Figure 7-8?
As a user, you might be frustrated because the site does not appear to be working properly; however, to a malicious user, this error message discloses a lot of interesting information:
Uses Open Database Connectivity (ODBC) Access driver
Runs the Apache Web service
Runs PHP
Shows the location (path disclosure) of the script on the server’s file system
Indicates a SQL SELECT statement is being constructed
Server is not using an English language setting because the word “program” in Program Files is spelled as “programme,” as used in European languages
Obviously, the server is not handling error messages properly, which indicates there might be a weakness in the script—which makes this a great target for an attacker.
Sometimes testers focus on only the valid input to make sure an application functions properly. But it is vital to force applications into error cases to see what happens and to view the error messages that are displayed and the information they can reveal. You will often find that the errors are not handled properly and are simply returned to the user.
Whereas the error message displayed in Figure 7-8 was caused by the application not handling an error from the system, applications can also return error messages that disclose too much information. For example, the following graphic shows an example of a real Web site and the information disclosed in its error messages. The figure shows a Web site’s login form.
If the user types in an invalid user name, the following error message is displayed.
Can you see an information disclosure problem in the error message? It might not be very obvious at first, but the error indicates that specifically the “user name” is invalid. When the user types in or guesses the valid user name, the error message changes as indicated in the next graphic:
Now that the user name is known, half of the puzzle is solved. If the first error message displayed in the beginning simply indicated that the login information was invalid, it would be harder for a malicious user to narrow down whether the user name or password was the problem.
Sometimes data might not appear to be of any interest to malicious users because the values are not readable or understandable. However, upon further investigation, you might discover the developer used a weak attempt, as discussed later, to protect the data. Also, items you might not traditionally think of as data can disclose sensitive information. For instance, monitor burn-in can reveal data if the data was displayed on the screen for a long period of time, CPU usage reports can indicate the hours when a user works, screen captures published in documentation can show sensitive information, and attackers can also use a technique called “van Eck phreaking” or “tempest” (http://en.wikipedia.org/wiki/Van_Eck_Phreaking) to eavesdrop on the contents of the monitor using its electronic emissions. It’s up to you to identify the data and interpret how it can be useful to attackers.
Data might be obfuscated, and so the information disclosure bug might not be easily detected. Obfuscation refers to the process of modifying data so it isn’t easy to understand or read but can still be interpreted—if you know how. For example, data can be encoded to prevent it from appearing in clear text. However, using data obfuscation schemes does not protect the data; it just makes it harder for the tester to find the bugs, but easy for the attacker to break once the attacker figures out the encoding.
For instance, data sent across the network might look like “%50%41%53%53word= %66%6f %6f.” Not too readable, right? However, the data was encoded in hexadecimal format. If you know that and then decode the data, it would reveal “password=foo.” Other types of encoding schemes might not be as simple; however, once the attacker figures out what the encoding scheme is, the game is over.
Here are some common schemes developers might use to protect sensitive data—but make no mistake, they are not protecting anything:
Hexadecimal
Base64
Rot-13/Rot-n
XOR
Mime
Chapter 12, goes into greater depths about these types of encoding, but data obfuscation is worth introducing here because you need to understand that the data might be encoded. The data might also be compressed using something like the ZLIB or GZIP algorithms, which make the data harder to recognize but which can easily be uncompressed. Developers might also use their own custom schemes to try to protect the data. The point is that you should know what the data is and how it is being used. If you find data that can easily fall into the hands of an attacker and it is protected only by obfuscation techniques like the examples mentioned, log a bug and get it fixed.
Implied disclosures are when an attacker makes logical guesses to gain access to a resource. Suppose you just bought two phone cards and scratched off the gray area to reveal their activation numbers. If those numbers are sequential, you can probably guess the activation number of the next phone card in the store display. However easy and far-fetched that might seem, it happens. For instance, if you have a Web application that sets the session ID as a client cookie, it might be possible to hijack someone else’s session by guessing that user’s ID.
Note
One weekend, I (Bryan Jeffries) was writing an application that interacted with a Web site to programmatically send requests to a form. To prevent people from doing this, the site used a technique called completely automated public Turing test to tell computers and humans apart (CAPTCHA). The goal of CAPTCHA is to make sure the user is a human, not a computer. For example, CAPTCHA could be used on a site that provides free e-mail accounts to prevent an automated script from creating several accounts—useful for spammers. In my situation, the Web site showed an image containing six random numbers that the human user had to enter for the operation to succeed. When I right-clicked the image, I noticed the filename was also a six-digit number, but not the same value as the one shown on-screen. After refreshing the screen a few times and making note of the number displayed and the image’s filename, I then realized that the difference between the two numbers remained constant. Thus, I could easily predict the “random” CAPTCHA number shown on-screen by looking at the image filename and adding to it the constant difference I had determined previously between the two numbers.
Following are more examples of implied disclosures:
“Hidden” Web pages that are not linked to
Common account or user names and passwords
Default user names and passwords that are never changed
If username_read exists, perhaps so does username_write
Backup copies of files (file.bak, file.old, taxes05.tax.bak, etc.)
Using Bitwise XOR to protect secrets
Using cookies or HTTP headers to send secrets
All applications use information in some form, and it can be difficult to determine whether that information can be useful to an attacker. There are many different types of information disclosure. Do not overlook these issues. If your application discloses information, an attacker has an advantage to use against the application, another program, or even the system.