20: Exploits and Containment

Transcription

1 20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability to escalate the attacker s privileges Skip the authentication in a program. Trick the passwd program to change someone else s password Trick a web-server to execute arbitrary code. Script-kiddie definition: $./a.out # 1

2 Sample vulnerability $ echo bla"./vuln $ Sample vulnerability $ echo "abc123"./vuln w00t 2

3 Sample vulnerability $ perl -e 'print "A" x 1100'./vuln Segmentation fault (core dumped) Sample vulnerability $ perl -e 'print pack("l",0x080485d5) x 260'./vuln w00t 3

4 Outline Stack Exploits Hijacking program flow Shellcode Prevention Stackguard Non-executable memory Address space layout randomization Exploit overview An exploit typically forces a process to execute the attacker s code: 1. Inject attacker s code into process memory space. 2. Overwrite memory to change execution flow. 3. Cause process to jump to and execute attacker s code. 4

5 Are crashes exploitable? $ perl -e 'print "A" x 1100'./vuln Segmentation fault (core dumped) $ gdb vuln ore. #0 0x in?? () (gdb) print /x $eip $1 = 0x We wrote 1100 A s into a 1024 byte buffer. ASCII A is 0x41 We ended up with 0x in the program counter (EIP) Virtual address 0x was not mapped, hence crash. Could write legal address into EIP and place our exploit code there. The stack The stack is an area of process memory: Top of stack is located at stack pointer () Can add and remove objects from stack. Grows downwards; adding causes to decrement. Used for local variables and saving function return address a() s vars a() s vars a() s vars b() s vars a() calls b() b() returns 5

6 Stack overflows 0x080485cc: call 0x804855c <check_auth> 0x080485d1: test %eax,%eax Stack overflows 0x080485d1 0x080485cc: call 0x804855c <check_auth> 0x080485d1: test %eax,%eax 6

7 Stack overflows 0x080485d1 %ebp pass 0x c: push %ebp 0x d: mov %esp,%ebp 0x f: sub $0x418,%esp 0x : sub $0xc,%esp Stack overflows AAAAAAA AAAAAAA AAAAAAA 0x c: push %ebp 0x d: mov %esp,%ebp 0x f: sub $0x418,%esp 0x : sub $0xc,%esp 7

8 Hijacking execution flow 0x080485d8 0x080485d8 0x080485d8 0x080485d8 We can make check_auth return anywhere. Make it skip the if statement: $ perl -e 'print pack("l",0x080485d5) x 260'./vuln w00t 0x080485cc: call 0x804855c <check_auth> 0x080485d1: test %eax,%eax 0x080485d3: je 0x80485e7 <main+55> 0x080485d5: sub $0xc,%esp 0x080485d8: push $0x804867e 0x080485dd: call 0x80483d0 <_init+36> Executing arbitrary code Inject code in process and cause check_auth to return to it. Can store our code inside the pass buffer on the stack. Need memory address of pass so we know where to return to. $ gdb vuln (gdb) br check_auth Breakpoint 1 at 0x : file, line 6. (gdb) run Breakpoint 1, check_auth () at :6 6 (gdb) print &pass $1 = (char (*)[1024]) 0xbfbfe5d0 8

9 Morris Worm (1988) First exploit was by Robert Morris in the Internet Worm. Exploited finger daemon (remote root) int main(argc, argv) char *argv[]; { register char *sp; char line[512]; gets(line); return(0); Summary of Exploits Vulnerable programs can be tricked into executing arbitrary code. Skip authentication in ssh Make web server execute a shell Make su execute a root shell Exploits typically do this by: 1. Injecting malicious code into memory. 2. Overflow a buffer to overwrite control information such as saved return address. 3. Overwritten control information causes program to jump to malicious code. 9

10 Non-executable stack (1997) Exploit code is usually placed on the stack. Make the stack executable and exploit code cannot run. Modern CPUs (64-bit x86) have NX (non-executable) bit in page tables. Make memory non-executable at a page granularity. 32-bit x86 CPUs don t have this. Can play games with segment registers so that data segment is non-executable. Cost is 50% virtual memory overhead: can only use 1.5GB. OpenBSD W X What if attacker puts exploit code on the heap? Mark memory either Writable or executable, but not both. If attacker can write code to memory, cannot execute it. Problem: return-to-libc exploit. Instead of injecting code, cause a return to code already present in the process. eg. libc s system() function. Can pass (on stack) /bin/sh as argument to system() W X only solves exploits which cannot control the stack. Eg. OpenSSH challenge-response bug. 10

11 Randomized Memory Attacker needs address of code to jump to it. Randomize the process s address space at runtime. Suppose some part of the address space is not random. Can put code on stack; will point to it. Can find jmp %esp (0xffe4) in that memory and jump there. To be effective, all memory must be randomized. Linux s PaX randomizes the whole address space. random stack, heap, bss, and data base. random mmap, libraries at random locations..text is position independent code (relocatable code) PaX effectiveness Memory overhead: internal fragmentation random gaps between objects Does not solve: Exploits that do not require addresses (OpenSSH challenge-response bug) Bugs that can leak information (Bind TSIG bug) Format strings can leak memory (WU-ftpd site exec bug) Processes where you can systematically brute-force (eg fork() on each session). Apache chunked encoding bug. 11

12 Conclusion Exploits: Exploit software bugs for privilege escalation Exist in practice, even today, and are a big problem. Solutions: Need several solutions to be effective - no magic bullet. Even when using all solutions, problems may still remain. What about all those web server PHP bugs? Do they care about NX or random memory? 12