Code Injection Explained

Last updated Nov 3, 2006.

Code injection is a very popular technique, used by hackers and malware authors alike. To the average computer user, and even to an expert without much programming background, the technique can be confusing.

In this article we will explain what code injection is and what software is vulnerable. We will also give a simple example of a code injection technique and show you how dangerous this vulnerability can be.

What Exactly is Code Injection?

Code injection is a way to get attacker-supplied input treated as code or as part of a program's own data structures, by exploiting input that the program accepts without checking. When a program assumes that only a certain kind of input will arrive and does nothing to guard against anything else, it can be made to misbehave. Code injection gives an attacker a way to read data, modify data and alter program behaviour that they could not normally affect.

A Simple Example Found in List Site Pro

This simple example is a real-life exploit found in a topsites script that was very common a few years ago. The script is not widely used anymore, but the injection is simple enough to make a good example.

The example shows how to change the password of another user's account. A spammer could use this to take over a listing and redirect its traffic to their own website. Here is how it works.

A hacker visits a website running List Site Pro 2 and looks at the sites listed in the topsites. He then copies the link URL of the account he wants to take over into a text editor. The link URL looks something like this:

http://webserver/cgi-bin/lspro/lspro.cgi?hit_out=1036360992

The hacker takes careful note of the last part of the URL: this set of numbers is the account number he or she needs. The hacker then creates an account on the topsites by filling out the form as pictured below.

Figure 1: Abusing List Site Pro 2

The figure shows the hacker putting something unexpected into the banner URL field. Along with a banner URL, the field carries the target account number and a new password, followed by the two numbers the script expects for the banner's width and height. Because the script only checks that the submission contains the pieces it expects, the extra account number and password are accepted along with the rest.

Once the hacker hits the submit button, the password for account 1036360992 is changed to the word "password."

The script has been tricked into changing the password of account 1036360992. It assumed that only the URL of a banner image file would ever be placed in that field, and nothing checked that assumption. The attack succeeded because no protection had been put in place to stop content from that field being interpreted as other data.

Dangerous Assumptions Sometimes Made

As we have seen in the above example, when a software developer assumes certain things when programming code, things can go wrong fairly quickly.

Wikipedia has a great list of dangerous assumptions made by software developers. They are as follows:

  • assuming that the metacharacters of an API never occur in the input
  • assuming that punctuation such as quotation marks or semicolons will never appear
  • assuming that only numeric characters will be entered as input
  • assuming that the input will never exceed a certain size
  • assuming that numeric values are equal to or less than an upper bound
  • assuming that numeric values are equal to or greater than a lower bound
  • assuming that client-supplied values set by the server (such as hidden form fields or cookies) cannot be modified by the client. This assumption ignores known attacks such as cookie poisoning, in which values are set arbitrarily by malicious clients.
  • assuming that it is safe to take pointers or array indexes from input
  • assuming that an input will never provide false information about itself or related values, such as the size of a file

Software developers need to be very aware that not everyone will use their software as intended. They also need to be aware that code injection can happen by accident: a user who has quotation marks or other punctuation in their name could corrupt a whole database without realizing it. Software that falls over on accidental input like this should never be used, because it could never withstand a deliberate attack by a competent hacker.
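The following Python is an added example, not code from the article or from List Site Pro. It models the flaw behind the topsites example above (a field assumed to hold only a URL being written into a delimited record) and the checks that the list of dangerous assumptions calls for: rejecting the API's metacharacters, bounding the input size, and bounding numeric values. The '|' delimiter, the five-field layout, the flat data file and the "last record wins" lookup are assumptions chosen for illustration; the page does not show how lspro.cgi stores its data.

```python
import re

# Assumed record layout for the illustration: one '|'-delimited line per site.
DELIM = "|"
FIELDS = ("account", "password", "banner_url", "width", "height")

# Constructed sample data file: two existing listings, one record per line.
SAMPLE_DB = (
    "1036360992|s3cret|http://victim.example/banner.gif|468|60\n"
    "1036361000|hunter2|http://other.example/b.gif|468|60\n"
)

# A plain http(s) URL with a host and an optional simple path.  No '|',
# whitespace or control character can match this pattern.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~%/\-]*)?$")


def load_db(text):
    """Parse the flat file into {account: record}.

    Later lines silently overwrite earlier ones for the same account, and
    lines with the wrong field count are skipped.  Both are typical of quick
    flat-file CGI code, and both are what an injected line relies on.
    """
    db = {}
    for line in text.splitlines():
        parts = line.split(DELIM)
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        db[rec["account"]] = rec
    return db


def add_site_unchecked(text, account, password, banner_url, width, height):
    """Vulnerable version: appends the submitted fields verbatim.

    The script assumes banner_url holds nothing but a URL, so a '|' or a
    newline inside it is written straight into the record structure.
    """
    record = DELIM.join((account, password, banner_url, width, height))
    return text + record + "\n"


def validate_banner(banner_url, width, height):
    """Hardened check: no delimiter or control characters (the format's
    metacharacters), a bounded length, a URL of the expected shape, and
    numeric dimensions within a lower and an upper bound."""
    if DELIM in banner_url or any(ord(c) < 32 for c in banner_url):
        raise ValueError("banner URL contains a delimiter or control character")
    if len(banner_url) > 255 or not URL_RE.match(banner_url):
        raise ValueError("banner URL is not a plain http(s) URL")
    for name, value in (("width", width), ("height", height)):
        if not value.isdigit() or not 1 <= int(value) <= 1000:
            raise ValueError("%s must be an integer from 1 to 1000" % name)


def add_site_checked(text, account, password, banner_url, width, height):
    """Same append, but only after the fields pass validation."""
    validate_banner(banner_url, width, height)
    return add_site_unchecked(text, account, password, banner_url, width, height)


def demo():
    """Replay the attack against both versions.

    Returns (victim's password after the unchecked write,
             whether the checked write accepted the same input).
    """
    # Attacker-controlled "banner URL": a real-looking URL plus the two size
    # fields that complete the attacker's own record, then a newline and a
    # second record for the victim account with the password "password".
    evil_banner = ("http://attacker.example/b.gif|468|60\n"
                   "1036360992|password|http://attacker.example/b.gif")
    tampered = add_site_unchecked(SAMPLE_DB, "1036370000", "x",
                                  evil_banner, "468", "60")
    victim_pw = load_db(tampered)["1036360992"]["password"]
    try:
        add_site_checked(SAMPLE_DB, "1036370000", "x", evil_banner, "468", "60")
        accepted = True
    except ValueError:
        accepted = False
    return victim_pw, accepted


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `("password", False)`: the unchecked writer lets the injected line overwrite the victim's record, while the checked writer rejects the same input because the field contains the delimiter. Note that the hardened check validates the shape of each field on the way in rather than trying to strip bad characters out, and that the width and height checks enforce both a lower and an upper bound rather than merely requiring digits.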

Can Code Injection be Used for Good?

This section has mentioned hackers and hacking, but can code injection be used for good purposes? The answer to this question is maybe, but probably not.

Communities have sprung up around forum script modifications, with people competing to write better "hacks" than others. These hackers use a type of code injection that lets people modify their forum scripts without recoding the whole thing from scratch. In many cases this works well, but when amateurs write these forum hacks, or even just install them, many of the security features of the original software can be nullified.

Code injection is also sometimes used to deliver patches and updates for security holes in software; occasionally the very hole that allows the injection is patched through that injection point. Using such techniques to update software is never recommended. If the software has holes that allow this, think of the holes that may still be unknown.

Conclusion

Once you understand the basics of code injection and how it works, you are able to understand how to secure applications and scripts from these types of attacks. Code injection should never be used for fixing or modifying software; it is an unreliable technique and can lead to more problems later.
