Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Transcription

1 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

2 Part 1 2

3 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused) EBP Saved EBP Return Address Parameters

4 4 An Old, yet Still Valid Vulnerability Where on the stack is a char[4] allocated? char [4] var ESP EBP Unknown Data (unused) Unknown Data (unused) Unknown Data (unused) Saved EBP Return Address Parameters Stack Frame

5 5 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow char [4] var ESP EBP Unknown Data (unused) a b c \0 Saved EBP Return Address Parameters Local variable Stack Frame

6 6 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow char [4] var ESP EBP Unknown Data (unused) a b c \0 Saved EBP Return Address Parameters Local variable Stack Frame What if more than 4 bytes stored?

7 7 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow Lower memory ESP EBP Unknown Data (unused) a b c \0 Saved EBP Return Address Parameters char [4] var Local variable Stack Frame What if more than 4 bytes stored? Higher memory

8 8 Buffer Overflow Earliest buffer overflow exploit documented in , Phrack Magazine NIST Stats:

9 9 Buffer Overflow Earliest buffer overflow exploit documented in 1988 Exploited Finger Program Started at MIT and was used to determine the size of the Internet Infected 6000 Unix machines 1996, Phrack Magazine Provides a step by step guide NIST Stats: 1996: 8 vulnerabilities 2008: 339 vulnerabilities 2012: 418 vulnerabilities 2015: 344 vulnerabilities

10 Buffer Overflow ExerciseCode.c 10

11 11 Buffer Overflow ExerciseCode.c Reads string from stdin

12 12 Buffer Overflow ExerciseCode.c Copies string to another buffer Reads string from stdin

13 C Program 13

14 14 C Program Allocates 16 bytes of memory on the stack

15 15 C Program Allocates 16 bytes of memory on the stack Heap calls the allocator explicitly (new, malloc, calloc.)

16 C Program 16

17 17 C Program Print data to screen Using an external library ( we did not implement printf ) External library function destination Maximum size of input (anymore will be ignored) Source (terminal input)

18 C Program 18

19 19 C Program Call the user function Print to screen w/ external library

20 C Program 20

21 21 C Program Input parameter Pointer to character address of location where this array starts //allocate 0x c Mem???? Push 0x c

22 C Program 22

23 23 C Program Copy all characters from name[ ] to copy[ ] Then add null terminator

24 Is there a problem? 24

25 Is there a problem? 25

26 Compilation 26

27 27 Compilation Source code A windows c compiler Output file (Results are the same w/ cygwin s gcc)

28 Execution 28

29 Execution 29

30 Execution 30

31 31 Execution Let us debug Typed in 7 A s Why? Isn t our buffer of size 8 at least?

32 IDA Pro Debug 32

33 33 IDA Pro Debug Could follow and conduct a thorough manhunt or Now where?

34 IDA Pro Debug 34

35 35 IDA Pro Debug Or look for text that appears on the screen Search for obvious external libraries function calls

36 docopy - IDA Pro Debug 36

37 37 docopy - IDA Pro Debug arg_0.text How do we know this is 4 bytes? Stack

38 38 docopy - IDA Pro Debug arg_0.text 4 bytes why? Stack 8 bytes docopy Stack frame 4 bytes

39 IDA Pro Debug 39

40 40 IDA Pro Debug Setup stack and i=0 for ( i=0; name[i]!= /0 ; i++) i = 0 {.} name[i] == /0 copy[i] = /0 loop

41 docopy - IDA Pro Debug 41

42 42 docopy - IDA Pro Debug After 1 iteration A Input is copied here 1 at a time

43 43 docopy - IDA Pro Debug After 7 iterations A

44 44 docopy - IDA Pro Debug What is this doing here?

45 45 docopy - IDA Pro Debug Ah We pressed enter

46 46 docopy - IDA Pro Debug 4 bytes of what was allocated?

47 47 docopy - IDA Pro Debug Before After

48 48 EBP Corrupted!

49 49 EBP Corrupted! This particular program will still execute But eventually we get an illegal instruction

50 Exercise 50

51 Part 2 51

52 Overwriting the Return Address 52

53 53 Overwriting the Return Address 13 values

54 Overwriting the Return Address 54

55 55 Overwriting the Return Address ; D 13 th iteration

56 56 Malicious Opportunities Execution Flow

57 Malicious Opportunities 57

58 58 Malicious Opportunities malicious code (shell code) Make the return address here

59 Some Defenses 59

60 60 Some Defenses Data Execution Prevention

61 61 Some Defenses Data Execution Prevention, but The program can be made to jump to library code (libc contains useful functions) instructions sequence A Buffer Overflow overwritten ra address of instruction seq. A

62 62 Some Defenses Data Execution Prevention, but The program can be made to jump to library code (libc contains useful functions) instructions sequence B instructions sequence A Buffer Overflow instructions sequence C overwritten ra <controllable>

63 63 Some Defenses Data Execution Prevention, but The program can be made to jump to library code (libc contains useful functions) 2 instructions sequence B gadgets 1 instructions sequence A in the correct sequence, these accomplish some desired task 3 Buffer Overflow instructions sequence C overwritten ra Return Oriented Programming (ROP) (mona.py plugin finds instruction so interest) Addr to 1 Addr to 2 Addr to 3

64 Some Defenses Address Space Layout Randomization 64

65 Some Defenses Address Space Layout Randomization 65 The stack may exist at a different location after a reboot after system reboot 0x40 f000 0x

66 66 Some Defenses Address Space Layout Randomization but,

67 67 Some Defenses Address Space Layout Randomization but, Legacy (old, but still in use) libraries may not support ASLR

68 68

69 69 High privilege account

70 70 More Defenses Type and Memory Safe Languages Check memory access at runtime

71 71 More Defenses Type and Memory Safe Languages Check memory access at runtime However, performance Coding Standards, walkthroughs, boundary/fuzz testing

72 72 More Defenses Type and Memory Safe Languages Check memory access at runtime However, performance Coding Standards, walkthroughs, boundary/fuzz testing However Time, cost, laziness humans

73 73 More Defenses Canary ESP 0xFEFF0102 0x ESP 0xFEFF0102 0x xFEFF0101 0x Saved EBP Saved EBP EBP Return Address EBP Return Address Parameters Parameters

74 74 More Defenses Canary At return time ESP 0xFEFF0102 0x ESP 0xFEFF0102 0x xFEFF0101 0x Saved EBP Saved EBP EBP Canary value Return Address EBP Changed? Return Address Parameters Parameters

75 75 More Defenses Canary but, Performance costs (especially in embedded code) Some legacy code does not support it Many times would no be enabled by default Can use other methods to bypass. (heap, ebp, )

76 Exercise 76