Buffer Overflow & Format Strings

Similar documents
Buffer Overflow Vulnerability

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

1 Recommended Readings

Buffer Overflow Vulnerability Lab

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

ISA564 SECURITY LAB. Shellcode. George Mason University

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Buffer Overflow Vulnerability Lab

Buffer Overflow Attack

Advanced Computer Networks Smashing the Stack for Fun and Profit

CSE 127 Computer Security

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Is stack overflow still a problem?

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Biography. Background

Buffer Overflow Attacks

From Over ow to Shell

CSE 127 Computer Security

CSE 127 Computer Security

Software Security II: Memory Errors - Attacks & Defenses

CSE 565 Computer Security Fall 2018

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Project #1: Buffer Overflows

Buffer Overflows Defending against arbitrary code insertion and execution

buffer overflow exploitation

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lab 2: Buffer Overflows

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Secure Programming I. Steven M. Bellovin September 28,

Control Hijacking Attacks

Architecture-level Security Vulnerabilities

Lecture 4 September Required reading materials for this class

Topics. What is a Buffer Overflow? Buffer Overflows

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Università Ca Foscari Venezia

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

COMP 3704 Computer Security

Advanced Buffer Overflow

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Buffer Overflow and Format String Overflow Vulnerabilities

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CMPSC 497 Buffer Overflow Vulnerabilities

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

COMP 2355 Introduction to Systems Programming

Program Security and Vulnerabilities Class 2

Foundations of Network and Computer Security

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Practical Malware Analysis

Sungkyunkwan University

Architecture-level Security Vulnerabilities. Julian Stecklina

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Writing Exploits. Nethemba s.r.o.

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

logistics LEX assignment out exam in on week come with questions on Monday (review)

CSC 438 Systems and Software Security, Spring 2014 Instructor: Dr. Natarajan Meghanathan Question Bank for Module 6: Software Security Attacks

One-Slide Summary. Lecture Outline. Language Security

Fundamentals of Computer Security

Smashing the Buffer. Miroslav Štampar

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

Basic Buffer Overflows

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

20: Exploits and Containment

System Security Class Notes 09/23/2013

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Exploits and gdb. Tutorial 5

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer Overflow Vulnerabilities

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Advanced Buffer Overflow

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Buffer overflows & friends CS642: Computer Security

Return-orientated Programming

Lecture 08 Control-flow Hijacking Defenses

Sandwiches for everyone

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Exercise 6: Buffer Overflow and return-into-libc Attacks

Foundations of Network and Computer Security

Language Security. Lecture 40

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CSE 565 Computer Security Fall 2018

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

CS 241 Honors Security

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

CMSC 414 Computer and Network Security

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

(Early) Memory Corruption Attacks

Transcription:

& Seminar on Computer Security Threats and Counter Measures Dominik Zindel 19.01.2007

Content 1 Technical Basics 2 3 4 Discussion References

Goals Technical Basics Common goal of attacks using a buffer overflow or a format string attack: Access hidden data. Change program flow to execute own program. Get more rights than supposed to.

SUID Technical Basics Unix-flag: -rwsr-sr-x. Execute file with owners (e.g. root) right. Program is executed in the context of the owner, not the current user. Useful for tools requiring root-rights, without giving user root-rights.

Memory Technical Basics Program counter: Register indicating address of next instruction. Frame pointer: Pointer to current stack frame. FP used by functions to locate the return address. FP pushed into stack at the beginning of a function. Figure: Memory, Stack

Shellcode Technical Basics Array of character-coded assembly instructions. Performs execve( /bin/sh ). Opens a shell. char sc[]= "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50 \x53\x89\xe1\x99\xb0\x0b\xcd\x80";

Technical Basics Shellcode: Character-coded and Assembler "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */

Content 1 Technical Basics 2 3 4 Discussion References

Programming error. Memory access exception program termination. Store data beyond the boundaries of a fixed length buffer. Overwrite other data.

of s 1988: First exploitation, Unix service fingerd. 1995: Rediscovered by Thomas Lopatic. 1996: Step-by-step introduction by Aleph One (Elias Levy). 2001: Code Red Worm (MS IIS). 2003: SQLSlammer worm (MS SQL Server 2000).

Premises Programming error. Array in C: not first-class object but represented as pointer difficult verification. High level of control in C.

: example void function(char *str) { char buffer[16]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = A ; function(large_string); }

Stack smashing Most popular technique. By Aleph One. Impossible to write to program counter. Overwrite the return address, let it point to the shellcode. Address of buffer unknown, but guessable (debugger). Detailed information about target-program & run-time behaviour required.

Stack smashing: nop-sled Make guessing easier: nop-sled. Not necessary to know exact return address. Large array of nop instructions placed before shellcode. EIP returns to return address (overwritten with nop) slide down. Figure: nop sled.

Frame Pointer Overwrite Sufficient to overflow buffer by one byte. Impossible to directly change frame pointer (register) alter last byte of saved FP in the stack. Overflowed function returns to calling function. Calling function has wrong FP pops chosen word into program counter on return. Chosen word: e.g. address of shellcode. Exact address of the buffer has to be known.

Indirect Alteration via Pointer Indirectly overwrite code pointers. Alter return address indirectly. Hard to discover. Hard to find. void f (char **argv){ char *p; char buffer[32];... strcpy(buffer, argv[1]); strcpy(p, argv[2]);} Figure: Indirectly overwrite return address

Content 1 Technical Basics 2 3 4 Discussion References

C functions that perform formatting, eg. printf(). printf("dear %s. I love you!",name) Software vulnerability. Crash programs. Execute harmful code.

Basic principle # of directives < # of parameters underflow. # of directives > # of parameters overflow. Wrong directive misinterpreted parameter. Control of format string exploit behaviour.

Example Vulnerable & Safe Code Vulnerable code: void vulnfnc (char *user){... printf(user); } Safe code: void vulnfnc (char *user){... printf("%s",user); }

of Bug first noted in 1990: interaction effect. Attacks discovered around 1999/2000. About 380 vulnerable programs (MITRE s CVE). ftpd, klogd, AOL IM 4.1.2010. MySQL Server 4.1 before 4.1.21 and 5.0 before 1 April 2006.

Premises Software vulnerability. Previously thought harmless. Unfiltered user input. # of arguments unknown at compile time rely on format string.

View Memory printf("%08x %08x %08x %08x %08x"); Prints the values of 5 consecutive words on the stack. 8-digit padded hexadecimal number. View content of the stack.

Overwriting a Word %n directive: # of characters written by the format function so far. Number is written to location pointed by parameter. printf("\x10\x01\x48\x08%08x%08x%08x%08x%08x%n"); Write small int at 0x08480110. 44: 4 (\x10\x01\x48\x08) + 8 characters per %08x. Control number of characters written = value written at 0x08480110

Minimum Field Width Specifier Overflow a buffer & overwrite the return address with address of a code pointer. Similar to stack-smashing attack. Overflow buffer using minimum field width specifier of a format directive.

Example void func(char *user){ char safebuf[512]; char vulnbuf[512]; snprintf(safebuf,512,"%s",user); sprintf(vulnbuf,safebuf);}

Example continued safebuf: cannot be overflowed (snprintf) stack-smashing attack useless. safebuf = format string of sprintf interpreted before copied to vulnbuf. If safebuf contains "%513d" 513 characters written to vulnbuf overflow overwrite return address to address of shellcode.

Content Discussion References 1 Technical Basics 2 3 4 Discussion References

Discussion References Different but still similar attacks. Main point: overwrite return address. Knowledge about systems required. Big effects on system.

Questions, Remarks Discussion References

References I Discussion References Kyung-Suk Lhee, Steve J. Chapin: and Format String Overflow Vulnerabilities. 2002. http://citeseer.ist.psu.edu/lhee02buffer.html murat@enderunix.org: Buffer overflows demystified. http://www.enderunix.org/documents/eng/bof-eng.txt Lefty: Buffer Overruns, whats the real story?. http://doc.bughunter.net/buffer-overflow/buffer-overrun.html SecuriTeam: Writing Exploits - a Tutorial for Beginners. 2002. http://www.securiteam.com/securityreviews/5op0b006uq.html

References II Discussion References Wikipedia:. http://en.wikipedia.org/wiki/buffer_overflow Wikipedia: Format string attack. http://en.wikipedia.org/wiki/format_string_attacks scut/team teso: Exploiting Format String Vulnerabilities v1.1. 2001. http://julianor.tripod.com/teso-fs1-1.pdf SANS institute: Inside the Attack:Mechanism, Method, & Prevention. 2002. http://www.sans.org/reading_room/whitepapers/securecode/386.php

References III Discussion References Przemyslaw Frasunek: WUFTPD 2.6.0 remote root exploit. 2000. http://marc.theaimsgroup.com/?l=bugtraq&m=96179429114160&w=2 Aleph One: Smashing The Stack For Fun And Profit. http://doc.bughunter.net/buffer-overflow/smash-stack.html CVE: Common Vulnerabilities and Exposures. http://cve.mitre.org/ Klog: The Frame Pointer Overwrite. http://doc.bughunter.net/buffer-overflow/frame-pointer.html David Litchfield: Windows 2000 Format String Vulnerabilities. http://www.nextgenss.com/papers/win32format.doc

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback