Route Sixty-Sink: Connecting Application Inputs to Sinks Using Static Analysis
Abstract
Route Sixty-Sink is an open source static analysis tool that traces the flow of user input through any .NET binary and determines whether it is passed as an argument to a dangerous function call (a “sink”). Route Sixty-Sink does this using two main modules:
- RouteFinder, which enumerates API routes in MVC-based web applications and in classic ASP.NET page-based (ASPX, ASMX, ASCX) applications.
- SinkFinder, which takes an entry point and creates a call graph of all classes and method calls reachable from it. It then queries strings, method calls, and class names for “sinks”.
By tying these two pieces of functionality together, Route Sixty-Sink is able to quickly identify high-fidelity vulnerabilities that would be difficult to discover using black-box testing or manual static analysis.
We have used Route Sixty-Sink to reveal and successfully exploit vulnerabilities including unsafe object deserialization, SQL injection, command injection, arbitrary file uploads and access, authorization bypasses, and more in both open-source and proprietary .NET applications.
Presentation Outline
- Presenter Introductions and Background
- Source to Sink Analysis
  - We will discuss our work as appsec-focused consultants and the approach we use, known as “source-to-sink” analysis, to identify vulnerabilities in source code: tracing attacker-controlled input (sources) to the dangerous calls it reaches (sinks)
  - Inspiration
    - The team will discuss the pain points that occur during code reviews and gray-box assessments and how they led to the idea for Route Sixty-Sink
  - Introduction to .NET
    - We will provide a brief overview of the .NET platform and the Common Intermediate Language (“CIL”) that C# and other .NET languages compile to, which is what Route Sixty-Sink analyzes
- Identifying Sinks (SinkFinder module)
  - SinkFinder Functionality
    - We will explain how SinkFinder recursively follows method calls from an entry point to find “sinks”
  - SinkFinder Implementation
    - Creating a function call graph
      - We will discuss how SinkFinder builds a function call graph of the application so that every sink reachable from the entry point is considered, not only those called directly
    - Identifying sinks
      - We will discuss the heuristics used to build the list of sinks (method calls, class names, and string literals) that SinkFinder searches for
      - We will show how to define custom sinks to query an application for
    - Assumptions
      - We will explain the assumptions made in our implementation of the SinkFinder module and how they affect its results
  - Case Study: Using Standalone SinkFinder to Query a Binary
    - As an example, we will show how we used SinkFinder to identify a local privilege escalation vulnerability in a console application
- Identifying Routes (RouteFinder module)
  - Model View Controller (“MVC”) Routing
    - We will explain how API routing occurs in modern .NET applications, which includes:
      - Conventional Routing: routes are defined centrally at startup as URI templates with placeholders, such as {controller}/{action}/{id}, that map a request path to a controller and action
      - Attribute Routing: routes are declared with C# attributes such as [Route] and [HttpGet] placed on controllers and their action methods
  - Classic ASP Routing
    - The presenters will discuss how RouteFinder also handles classic ASP.NET pages (ASPX web forms, ASMX web services, and ASCX user controls), where each page is itself an endpoint, to determine application inputs
  - Case Study: Using RouteFinder to Enumerate API Routes
    - The team will show a large web application without API documentation and how RouteFinder identifies all of its API routes in seconds
- Route Sixty-Sink: Tying RouteFinder and SinkFinder Together
  - Case Study: Identifying and Exploiting a Vulnerability in an MVC Application
  - Case Study: Identifying and Exploiting a Vulnerability in a Classic ASP.NET Pages Application
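As an added illustration of the two stages the outline describes (route enumeration in RouteFinder, call-graph sink search in SinkFinder) and of how the final section ties them together, the following Python script models both over a hand-built description of a small application. It is not Route Sixty-Sink's own code: the real tool reads method bodies from a .NET binary's CIL, whereas here the "binary" is a constructed dictionary of methods with their callees, string literals and routing attributes. The class and method names, the sink patterns and the sample application are all invented for this example.

```python
import re
from dataclasses import dataclass, field

# ---- A constructed "binary": what a disassembler would give us per method ----
# (hypothetical application; class and method names are invented for this example)

@dataclass
class Method:
    owner: str                                   # declaring class
    name: str
    attrs: dict = field(default_factory=dict)    # routing attributes: {"HttpGet": "template"}
    calls: list = field(default_factory=list)    # fully qualified callees, in call order
    strings: list = field(default_factory=list)  # string literals found in the method body

BINARY = {
    "ReportController.Download": Method("ReportController", "Download",
        attrs={"HttpGet": "download/{name}"}, calls=["FileHelper.Read"]),
    "ReportController.Ping": Method("ReportController", "Ping",
        attrs={"HttpGet": "ping"}, calls=["System.Console.WriteLine"]),
    "LegacyController.Run": Method("LegacyController", "Run",
        calls=["System.Diagnostics.Process.Start"], strings=["cmd.exe"]),
    "LegacyController.Import": Method("LegacyController", "Import",
        attrs={"HttpPost": "import"},
        calls=["System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize"]),
    "FileHelper.Read": Method("FileHelper", "Read",
        calls=["System.IO.Path.Combine", "System.IO.File.ReadAllText"],
        strings=["C:\\reports\\"]),
}
# Class-level [Route("...")] prefixes; controllers without one fall back to conventional routing.
CONTROLLER_PREFIXES = {"ReportController": "api/[controller]"}
CONVENTIONAL_TEMPLATE = "{controller}/{action}/{id?}"   # the usual MapRoute default
HTTP_VERB_ATTRS = ("HttpGet", "HttpPost", "HttpPut", "HttpDelete")

# ---- RouteFinder stage: every action method becomes (verb, URL template, entry point) ----
def enumerate_routes(binary, controller_prefixes):
    routes = []
    for full_name, m in binary.items():
        if not m.owner.endswith("Controller"):
            continue
        ctrl = m.owner[: -len("Controller")]        # ReportController -> Report
        verb = next((v for v in HTTP_VERB_ATTRS if v in m.attrs), None)
        if verb:
            # Attribute routing: controller prefix + action template, [controller] token expanded.
            prefix = controller_prefixes.get(m.owner, "").replace("[controller]", ctrl)
            template = "/".join(p for p in (prefix, m.attrs[verb]) if p)
            routes.append((verb[4:].upper(), "/" + template, full_name))
        else:
            # Conventional routing: fill the central template with class and method names.
            template = CONVENTIONAL_TEMPLATE.replace("{controller}", ctrl).replace("{action}", m.name)
            routes.append(("ANY", "/" + template, full_name))
    return routes

# ---- SinkFinder stage: sink heuristics over method names and string literals ----
SINK_METHODS = {
    r"^System\.IO\.File\.(ReadAllText|WriteAllText|Open)$": "file access",
    r"^System\.Diagnostics\.Process\.Start$": "command execution",
    r"^System\.Data\.SqlClient\.SqlCommand\.": "SQL",
    r"BinaryFormatter\.Deserialize$": "deserialization",
}
SINK_STRINGS = {r"(?i)cmd\.exe|/bin/sh": "shell reference"}

def find_sinks(binary, entry, max_depth=20):
    """Depth-first walk of the call graph from `entry`; returns (sink, category, call path).
    Assumptions (the kind the outline's "Assumptions" item covers): callees absent from the
    binary (framework code) are leaves, and each method is visited once, so cycles terminate
    and a sink reachable by two paths is reported with the first path only."""
    hits, seen = [], set()

    def walk(method, path):
        if method in seen or len(path) > max_depth:
            return
        seen.add(method)
        m = binary.get(method)
        if m is None:
            return
        for callee in m.calls:
            for pattern, category in SINK_METHODS.items():
                if re.search(pattern, callee):
                    hits.append((callee, category, path + [callee]))
            walk(callee, path + [callee])
        for literal in m.strings:
            for pattern, category in SINK_STRINGS.items():
                if re.search(pattern, literal):
                    hits.append((literal, category, path))

    walk(entry, [entry])
    return hits

# ---- Route Sixty-Sink: each route's action method is the entry point for SinkFinder ----
def route_to_sink(binary, controller_prefixes):
    report = []
    for verb, url, action in enumerate_routes(binary, controller_prefixes):
        for sink, category, path in find_sinks(binary, action):
            report.append((verb, url, category, sink, " -> ".join(path)))
    return report

if __name__ == "__main__":
    for verb, url, category, sink, path in route_to_sink(BINARY, CONTROLLER_PREFIXES):
        print(f"{verb:4} {url:32} {category:18} {path}")
```

Two details are worth noticing when reading the output. `LegacyController.Import` carries an `[HttpPost("import")]` attribute but its controller has no `[Route]` prefix, so it is reachable at `/import` and is excluded from conventional routing, while its sibling `Run` is only reachable through the `{controller}/{action}` template; a route enumerator that only looks at one mechanism misses one of them. And the call-graph walk is a deliberate over-approximation: it reports `File.ReadAllText` under `GET /api/Report/download/{name}` without proving that `name` flows into the path, which is exactly the kind of high-signal lead the analyst then confirms by hand or by exploitation.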
- Next Steps for Route Sixty-Sink
  - We will discuss planned work for Route Sixty-Sink, which includes:
    - Community-sourced sinks
    - New, higher-fidelity sink finding
    - The Route Sixty-Sink Burp extension