Attackers can provide input to programs using subtle channels. Examples include:
-
Environment variables.
-
Windows registry values; way too many programs change things in the registry that they should never change.
-
Configuration files, including dotfiles and files in /etc on Unix/Linux/BSD, files in the application’s directory on Mac OS and Windows systems, etc.
-
Network configuration management, including Microsoft domain controllers, Mac OSX NetInfo.
-
DNS lookups.
-
Data from a database lookup.
-
HTTP and other protocol request headers, in other words, not just content, but EVERYTHING arriving from the remote system (also known as the attacker’s system).
All of these and all of the ones not listed require input validation. In other words, ALL data that originates outside of your program must be validated. Many of these things should almost never change or are not hostile in normal usage. However, attackers will not let “normal” be normal.
Examples
At least two bugs in Windows allow an attacker to perform a privilege escalation or denial of service attack via crafted registry values: CVE-2010-3961 and CVE-2010-0238.
An Apple bug allowed attackers to use a crafted DNS PTR record to blacklist arbitrary clients. This is CVE-2010-0500.
A buffer overflow in the DNS resolver library allowed an attacker to run arbitrary code on victim machines. This is CVE-2005-0033
To summarize the take-away from these examples: Anything you did not code is attacker-supplied data.
