Stack Vulnerabilities
CS4379/5375 System Security Assurance
Dr. Jaime C. Acosta

Part 1
An Old, yet Still Valid Vulnerability: Buffer/Stack Overflow
  [Diagram: a stack frame, lower addresses at the top and higher addresses at the bottom. ESP points at the top of the frame; between ESP and EBP lie unused slots ("Unknown Data"); EBP points at the saved EBP, followed by the return address and then the parameters.]
  - Where on the stack is a char[4] allocated? As a local variable inside the stack frame, between ESP and the saved EBP.
  - Storing "abc" with its terminator fills the four bytes: a b c \0
  - What if more than 4 bytes are stored? The extra bytes continue into higher memory, i.e. over the saved EBP, the return address and the parameters.
Buffer Overflow
  - Earliest buffer overflow exploit documented in 1988
    - Exploited the finger program
    - Started at MIT and was used to determine the size of the Internet
    - Infected 6000 Unix machines
  - 1996, Phrack Magazine: provides a step-by-step guide
  - NIST stats:
    - 1996: 8 vulnerabilities
    - 2008: 339 vulnerabilities
    - 2012: 418 vulnerabilities
    - 2015: 344 vulnerabilities
Buffer Overflow: ExerciseCode.c
  [Source listing shown on the slide, annotated:]
  - Reads a string from stdin
  - Copies the string to another buffer
C Program
  - Allocates 16 bytes of memory on the stack
  - (Heap allocations, by contrast, call the allocator explicitly: new, malloc, calloc.)
C Program
  - Prints data to the screen using an external library (we did not implement printf)
  - The input call, annotated: external library function; destination buffer; maximum size of input (anything more is ignored); source (terminal input)
C Program
  - Calls the user function
  - Prints to the screen with an external library
C Program
  - Input parameter: a pointer to character, i.e. the address of the location where the array starts
  - In the disassembly the address of that array (0x800000c on the slide) is pushed as the argument
C Program
  - Copies all characters from name[] to copy[], then adds the null terminator
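The slides show ExerciseCode.c only as a screenshot, so the program below is an added reconstruction of the shape they describe (fgets into a 16-byte name[], a docopy that copies name[] into an 8-byte copy[] and then writes the terminator), beside a bounded version and a pre-copy length check. It is not the course's own file; the buffer sizes, function names and the main() wrapper are assumptions taken from the slide annotations.

```c
/* Added example, not the slides' ExerciseCode.c: the described copy loop
 * ("before"), a bounded copy ("after") and a check that tells a caller
 * whether the unbounded loop would have overflowed. */
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 16   /* main()'s input buffer ("allocates 16 bytes")      */
#define COPY_SIZE 8    /* docopy()'s local buffer (the 8-byte frame slot)   */

/* The loop as described on the slides: copy every character of name[] into
 * copy[] and append a terminator.  Nothing compares i against the size of
 * copy[], so COPY_SIZE or more characters write past the buffer into the
 * saved EBP and, further on, the return address.  Kept only as the "before". */
size_t docopy_unbounded(const char *name, char *copy)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        copy[i] = name[i];
    copy[i] = '\0';
    return i;
}

/* Hardened form: the loop stops at cap - 1 so the terminator always lands
 * inside copy[].  Returns the number of characters copied, so the caller can
 * notice truncation instead of silently losing data. */
size_t docopy_bounded(const char *name, char *copy, size_t cap)
{
    size_t i;
    if (cap == 0)
        return 0;
    for (i = 0; i + 1 < cap && name[i] != '\0'; i++)
        copy[i] = name[i];
    copy[i] = '\0';
    return i;
}

/* Does name[] plus its terminator fit in cap bytes?  Returns 1 when an
 * unbounded copy would overflow. */
int would_overflow(const char *name, size_t cap)
{
    return strlen(name) + 1 > cap;
}

/* Remove the newline fgets keeps: the byte the slides point at ("Ah, we
 * pressed enter").  Returns 1 if a newline was removed. */
int strip_newline(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n') {
        s[n - 1] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    char name[NAME_SIZE];
    char copy[COPY_SIZE];
    size_t copied;

    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    if (would_overflow(name, sizeof copy))
        printf("input needs %zu bytes but copy[] holds %d: "
               "an unbounded copy would overflow\n",
               strlen(name) + 1, COPY_SIZE);
    copied = docopy_bounded(name, copy, sizeof copy);
    printf("copied %zu byte(s): \"%s\"\n", copied, copy);
    return 0;
}
```

Typing seven A's and Enter gives fgets the 8 characters "AAAAAAA\n"; with the terminator that is 9 bytes, one more than copy[] holds, which is exactly the off-by-one the debugging slides trace into the saved EBP. The bounded version copies 7 bytes and reports it, so the caller can tell that the input was cut.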
Is there a problem?
Compilation
  - Source code compiled with a Windows C compiler; the output file is shown (results are the same with Cygwin's gcc)
Execution
  [Screenshots of the program running]
  - Let us debug. Typed in 7 A's. Why? Isn't our buffer of size 8 at least?
IDA Pro Debug
  - Could follow the code and conduct a thorough manhunt, or... now where?
  - Or look for text that appears on the screen; search for obvious external library function calls
docopy - IDA Pro Debug
  - arg_0: how do we know this is 4 bytes? Why 4 bytes?
  - docopy stack frame on the stack: 8 bytes for the local buffer, 4 bytes for the argument
IDA Pro Debug
  - Set up the stack and i = 0
  - Disassembly of: for (i = 0; name[i] != '\0'; i++) { ... } followed by copy[i] = '\0'
  - Blocks: i = 0; loop body; the test name[i] == '\0' leaves the loop; copy[i] = '\0'
docopy - IDA Pro Debug
  - After 1 iteration: one 'A' is in the buffer; input is copied here one byte at a time
  - After 7 iterations: seven 'A's
  - What is this doing here? Ah, we pressed enter (the newline is copied as the 8th byte)
  - 4 bytes of what was allocated?
  - Before / After comparison of the frame
EBP Corrupted!
  - This particular program will still execute, but eventually we get an illegal instruction
Exercise

Part 2
Overwriting the Return Address
  - 13 values
  - 13th iteration
Malicious Opportunities
  - Execution flow
  - Malicious code (shellcode) in the buffer; make the return address point here
Some Defenses: Data Execution Prevention
  - Data Execution Prevention, but...
  - The program can be made to jump to library code (libc contains useful functions)
  - Buffer overflow: the overwritten return address (ra) = address of instruction sequence A
  - With several instruction sequences A, B, C (gadgets), the overwritten return address is <controllable>: the stack holds Addr to 1, Addr to 2, Addr to 3
  - In the correct sequence, these accomplish some desired task: Return Oriented Programming (ROP)
  - (the mona.py plugin finds instructions of interest)
Some Defenses: Address Space Layout Randomization
  - The stack may exist at a different location after a system reboot (e.g. 0x40f000 vs 0x404000 on the slide)
  - but, legacy (old, but still in use) libraries may not support ASLR
High privilege account
More Defenses
  - Type and memory safe languages: check memory access at runtime. However: performance.
  - Coding standards, walkthroughs, boundary/fuzz testing. However: time, cost, laziness... humans.
More Defenses: Canary
  [Diagram: two frames side by side. Locals 0xFEFF0102 and 0x20330002, then the canary slot, then the saved EBP (where EBP points), the return address and the parameters. Before the overflow the canary reads 0xFEFF0101; after it reads 0x31323334.]
  - At return time: has the canary value changed?
  - but, performance costs (especially in embedded code); some legacy code does not support it; many times it would not be enabled by default; can use other methods to bypass (heap, EBP, ...)
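To make the "changed?" check on the canary slides concrete, here is an added byte-level model of that frame (8 bytes of locals, a 4-byte canary, the saved EBP, the return address), with the exercise's unbounded copy loop writing into it and the return-time comparison a compiler would insert. It is not compiler-generated code and not from the slides; the layout and the canary value 0xFEFF0101 follow the diagram, while the saved-EBP and return-address values are constructed markers.

```c
/* Added example, not from the slides: a model of the canary frame, showing
 * that the same 7-A's-plus-Enter input that silently corrupted EBP in the
 * exercise is caught at return time once a canary sits above the buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   8                 /* copy[] from the exercise            */
#define OFF_CANARY BUF_SIZE          /* canary slot right above the locals  */
#define OFF_EBP    (OFF_CANARY + 4)  /* then the saved EBP                  */
#define OFF_RET    (OFF_EBP + 4)     /* then the return address             */
#define FRAME_SIZE (OFF_RET + 4)

static const uint32_t CANARY = 0xFEFF0101u;  /* value drawn on the slide   */

/* Build a fresh frame: zeroed locals, the canary, then constructed saved EBP
 * and return address values that are easy to spot in a dump. */
void frame_init(uint8_t *frame)
{
    uint32_t saved_ebp = 0xBBBBBBBBu;   /* constructed marker */
    uint32_t ret_addr  = 0x08041234u;   /* constructed marker */
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + OFF_CANARY, &CANARY, 4);
    memcpy(frame + OFF_EBP, &saved_ebp, 4);
    memcpy(frame + OFF_RET, &ret_addr, 4);
}

/* The exercise's copy loop aimed at the model frame: strlen(src) + 1 bytes
 * starting at offset 0, so anything beyond BUF_SIZE - 1 characters spills over
 * the canary and onward.  Writes are clipped at FRAME_SIZE only so the model
 * itself stays inside its own array.  Returns the number of bytes copied. */
size_t frame_copy_unbounded(uint8_t *frame, const char *src)
{
    size_t i;
    for (i = 0; i < FRAME_SIZE && src[i] != '\0'; i++)
        frame[i] = (uint8_t)src[i];
    if (i < FRAME_SIZE)
        frame[i] = 0;               /* the terminator that follows the copy */
    return i;
}

/* What the compiler-inserted epilogue does: compare the slot with the
 * expected value before the saved EBP and return address are used. */
int canary_intact(const uint8_t *frame)
{
    uint32_t slot;
    memcpy(&slot, frame + OFF_CANARY, 4);
    return slot == CANARY;
}

uint32_t frame_ret(const uint8_t *frame)
{
    uint32_t ret_addr;
    memcpy(&ret_addr, frame + OFF_RET, 4);
    return ret_addr;
}

/* Simulated return: 0 = would return normally, 1 = stack smashing detected.
 * A real runtime aborts in the second case instead of jumping through the
 * possibly corrupted return address. */
int simulated_return(const uint8_t *frame)
{
    return canary_intact(frame) ? 0 : 1;
}

int main(void)
{
    /* Constructed inputs: fits exactly; one byte over (the newline); past ret */
    const char *inputs[] = { "AAAAAAA", "AAAAAAA\n", "AAAAA" "AAAAA" "AAAAA" "AAAAA" };
    const char *labels[] = { "7 A's", "7 A's + Enter", "20 A's" };
    uint8_t frame[FRAME_SIZE];
    size_t k;

    for (k = 0; k < 3; k++) {
        frame_init(frame);
        frame_copy_unbounded(frame, inputs[k]);
        printf("%-14s canary %s, ret=0x%08x -> %s\n", labels[k],
               canary_intact(frame) ? "intact" : "changed",
               (unsigned)frame_ret(frame),
               simulated_return(frame) ? "abort (stack smashing detected)"
                                       : "return normally");
    }
    return 0;
}
```

With "AAAAAAA" the terminator is the 8th byte and the canary is untouched. With "AAAAAAA\n" the terminator lands on the canary's first byte, so the value no longer matches and the simulated epilogue reports the corruption, whereas the original exercise only noticed when the corrupted EBP eventually produced an illegal instruction. Twenty A's overwrite the canary, the saved EBP and the return address together, which is why the check has to run before the return address is used rather than after.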
Exercise