Format string vulnerabilities

Size: px

Start display at page:

Download "Format string vulnerabilities"

Toby Casey
6 years ago
Views:

1 Format string vulnerabilities

2 Goal Take control of the program (as usual) How? Write4 (write 4 bytes to an arbitrary location) Inject shellcode (or other exploits) into the process

3 What should we overwrite? Saved instruction pointer () Other pointers to code (we ll come back to this)

4 printf family printf fprintf sprintf snprintf asprintf dprintf vprintf vfprintf vsprintf vsnprintf vasprintf vdprintf

5 Conversion specifiers %c Character %s String %d, %i Integer %p Pointer %u Unsigned integer %% Literal % %x, %X Hex %n Stores number of characters written %e, %f, %g Double

6 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 ending 5 s

7 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 H ending 5 s

8 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 He ending 5 s

9 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 Hel_ ending 5 s

10 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 Hell ending 5 s

11 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o Hell ending 5 s

12 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o Hell ending 5 s

13 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o 5_ Hell ending 5 s

14 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 o 5 Hell ending 5 s

15 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 w o 5 Hell ending 5 s

16 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 wo o 5 Hell ending 5 s

17 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 wor_ o 5 Hell ending 5 s

18 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 worl o 5 Hell ending 5 s

19 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 d worl o 5 Hell ending 5 s

20 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 ds worl o 5 Hell ending 5 s

21 The way snprintf() normally works void foo(int w) { char []; const char *ending = w==1? : s ; snprintf(,, Hello %d world%s, w, ending); foo(5); w: 5 ds _ worl o 5 Hell ending 5 s

22 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 x: _ 5

23 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 o Hell x: _ 5

24 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 o 5_ Hell x: _ 5

25 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 d worl o 5 Hell x: _ 5

26 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 d worl o 5 Hell x: 13 5

27 Now with %n void foo(int w) { char []; int x; snprintf(,, Hello %d world%n, w, &x); foo(5); w: 5 d worl o 5 Hell x: 13 5

28 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

29 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

30 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); 2b ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

31 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); f 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

32 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); fa 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

33 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

34 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); 5a5a 5a5a fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

35 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); Z = 0x5a 5a5a 5a5a fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

36 Attacker controlled void foo(const char *) { char []; snprintf(,, ); foo( ZZZZ%x%x%x%x%x ); 5a5a 5a5a fa75 2b72 ZZZZ garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

37 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

38 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

39 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 fa75 2b72 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

40 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 12 fa75 2b72 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

41 Overwriting void foo(const char *) { char []; snprintf(,, ); foo( \xe6\xff\xff\xbf%x%x%x%x%n ); 0xbfffffe6 12 fa75 2b72 garbage: 117 garbage: 10 garbage: 1839 garbage: 43 format string

42 Picking the bytes to write Use % len x to control the length of the output Use %hhn to write just the least-significant byte of the length

43 Almost putting it all together = address ZZZZ address+1 ZZZZ address+2 ZZZZ address+3 %8x%8x%8x % len x%hhn % len x%hhn % len x%hhn % len x%hhn ;

44 Misaligned If is not 4-byte aligned, prepend 1, 2, or 3 characters to

45 Advantages of format string exploits No need to smash the stack (targeted write) Avoids defenses such as stack canaries! Stack canary is a random word pushed onto the stack that is checked before the function returns

46 Stack Canaries int bar(char *); char foo(void) { char [100]; bar(); return [0]; foo: push {r4, lr sub sp, sp, #104 movw r4, #:lower16: stack_chk_guard movt r4, #:upper16: stack_chk_guard ldr r3, [r4] str r3, [sp, #100] mov r0, sp bl bar ldrb r0, zero_extendqisi2 ldr r2, [sp, #100] ldr r3, [r4] cmp r2, r3 beq.l2 bl stack_chk_fail.l2: add sp, sp, #104 pop {r4, pc saved lr saved r4 canary

47 Disadvantages of exploits Easy to catch so rarer: $ gcc -Wformat=2 f.c f.c: In function main : f.c:5: warning: format not a string literal and no format arguments Tricky to exploit compared to fer overflows

48 What else can we overwrite? Function pointers C++ vtables Global offset table (GOT)

49 Function pointers #include <stdlib.h> #include <stdio.h> int compare(const void *a, const void *b) { const int *x = a; const int *y = b; return *x - *y; int main() { int i; int arr[6] = {2, 1, 5, 13, 8, 4; qsort(arr, 6, 4, compare); for (i = 0; i < 6; ++i) printf("%d ", arr[i]); putchar('\n'); return 0; main: pushl movl leal movl movl movl movl call %ebp %esp, %ebp qsort: call *0x14(%ebp) 24(%esp), %esi // arr $compare, 12(%esp) $4, 8(%esp) $6, 4(%esp) %esi, (%esp) qsort

50 C++ Virtual function tables (vtable) struct Foo { Foo() { virtual ~Foo() { virtual void fun1() { virtual void fun2() { ; void bar(foo &f) { f.fun1(); f.fun2(); int main() { Foo f; foo(f); _Z3barR3Foo: // bar(foo&) pushl %ebp movl %esp, %ebp pushl %ebx subl $20, %esp movl 8(%ebp), %ebx // ebx <- f movl (%ebx), %eax // eax <- vtable movl %ebx, (%esp) // (esp) <- this call *8(%eax) // call virtual function movl (%ebx), %eax // eax <- vtable movl %ebx, (%esp) // (esp) <- this call *12(%eax) // call virtual function addl $20, %esp popl %ebx popl %ebp ret

vtable for Foo // Real code _ZN3FooC1Ev: pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax movl $_ZTV3Foo+8, (%eax) popl %ebp ret _ZTV3Foo:.long 0.long _ZTI3Foo.long _ZN3FooD1Ev.long _ZN3FooD0Ev.

51 vtable for Foo // Real code _ZN3FooC1Ev: pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax movl $_ZTV3Foo+8, (%eax) popl %ebp ret _ZTV3Foo:.long 0.long _ZTI3Foo.long _ZN3FooD1Ev.long _ZN3FooD0Ev.long _ZN3Foo4fun1Ev.long _ZN3Foo4fun2Ev address of vtable+8 stored in first word of object // Demangled Foo::Foo(): pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax movl vtable for Foo+8, (%eax) popl %ebp ret vtable for Foo:.long 0.long typeinfo for Foo.long Foo::~Foo().long Foo::~Foo().long Foo::fun1().long Foo::fun2()

52 Global Offset Table (GOT) Contains pointers to code and data in shared libraries Library functions aren t called directly; stub in the Procedure Linkage Table (PLT) called E.g., call exit -> call exit@plt exit@plt looks up the address of exit in the GOT and jumps to it (not the whole story) Overwrite function pointer in GOT

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Software Vulnerabilities. Jeff Foster University of Maryland, College Park Software Vulnerabilities Jeff Foster University of Maryland, College Park When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?)