Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Transcription:

Security Lab, Episode 6: Format String Vulnerabilities
Jan Nordholz, Matthias Petschick, Julian Vetter
Prof. Jean-Pierre Seifert, Security in Telecommunications, TU Berlin, SoSe 2015
jan, matthias, julian (sect) Security Lab SoSe 2015 1 / 13

Glue Slide

Recalling: buffer overflows often allow redirecting the flow of execution and jumping to custom shellcode. So far we discussed how to write machine code and execute it as part of a BOF exploit.

This week: a look at another bug class, namely format string vulnerabilities.

What is a format string?

Used to convert datatypes to a string representation (a very primitive pretty printer).

Example: the printf prototype

    int printf(const char *restrict format, ...);

e.g.

    printf("Your %dst name is %s", 1, "Foobar");    /* prints: Your 1st name is Foobar */

- format points to a supplied format string (a "pretty print recipe")
- ... indicates a variable number of arguments (variadic function, see man 3 va_arg)
- Prominent functions that accept format strings: {s,sn,vs,vsn,f,}printf; {f,s,}scanf; syslog ...

What are common format conversion specifiers?

There is a large set of conversion specifiers (see man 3 printf)! A few examples:

    specifier   conversion output         passed as
    %c          single character          value
    %s          null-terminated string    pointer
    %d          signed integer            value
    %u          unsigned integer          value
    %p          pointer value             value
    %x          hexadecimal               value

Processing of format strings: the big picture

[Figure: how printf walks the format string and the argument area, shown once for a call with own arguments and once for a call without own arguments.]

Processing of format strings (3): the close-up

Remember the calling convention! x86 expects arguments on the stack; ARM uses registers (at least for the first ones) and the stack.

So for each argument specified by the format string, libc accesses the next appropriately-sized chunk of memory (or register data) provided by the calling function ... no matter whether it has actually filled that space with arguments or not!

So what is a Format String Vulnerability?

Fairly new bug class, initially explored in 1999/2000. Let's start with a simple example:

    void swallow_egg(char *ptr) {
        char buf[32];
        strncpy(buf, ptr, sizeof(buf));
        buf[sizeof(buf) - 1] = 0;
        printf(buf);
    }

Let's assume ptr references an attacker-controlled string! Then the format string is attacker-controlled as well!
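The routine above beside its hardened form, as an added example (only the swallow_egg body is the slide's own code; the rest is written here). The fix is to make the format string a constant so that untrusted bytes can only ever travel as a %s argument; with that, "%x%n" in the input is printed as six literal characters. The names swallow_egg_fixed, render_untrusted and contains_conversion are chosen here; contains_conversion is a secondary, detection-side check for inputs that are later handed to a logging API whose format argument you do not control.

```c
#include <stdio.h>
#include <string.h>

/* The slide's routine: the untrusted buffer becomes the format string (vulnerable). */
void swallow_egg(char *ptr) {
    char buf[32];
    strncpy(buf, ptr, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;
    printf(buf);                 /* the input decides which conversions run here */
}

/* Hardened form: the format string is a literal and buf is only ever a %s argument. */
void swallow_egg_fixed(char *ptr) {
    char buf[32];
    strncpy(buf, ptr, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;
    printf("%s\n", buf);
}

/* The same fix in a testable shape: render untrusted text through a constant format
   into out. Returns the length snprintf reports, so the caller can detect truncation. */
int render_untrusted(char *out, size_t outsz, const char *untrusted) {
    return snprintf(out, outsz, "%s", untrusted);
}

/* Secondary check: does s contain a conversion specifier at all?
   "%%" is a literal percent sign and does not count. A lone '%' at the end of the
   string is a truncated specifier and is reported as one. Returns 1 if present. */
int contains_conversion(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(int argc, char **argv) {
    /* constructed sample input; any argv[1] overrides it */
    const char *input = argc > 1 ? argv[1] : "%x%x%x%n";
    if (contains_conversion(input))
        printf("input contains a conversion specifier; it must never become a format string\n");
    swallow_egg_fixed((char *)input);       /* prints the input verbatim */
    return 0;
}
```

Compilers flag the vulnerable call when asked (gcc and clang: -Wformat -Wformat-security, or -Werror=format-security to make it fatal); the hardened variants compile silently because their format argument is a literal.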

Format String Vulnerability Implications (1)

- Possibility to read values from the top of the stack: printf("%x%x%x%x"); prints the last 4 words on the stack in hexadecimal
- Can be used to leak secret data (%s, %x, ...), pointers etc.
- Perform DoS attacks: e.g. %s%s%s%s%s may dereference an invalid pointer -> crash

Example:

    int main(int ac, char **av) { printf(av[1]); }

    $ ./a.out "%p.%p.%p.%p.%p"
    0xbfb95650.0xbfb956a8.0xb75dc455.0x80483f0.0x80482f0

Format String Vulnerability Implications (2)

Reading memory is nice, but what about writing? Enter the one conversion specifier that writes to memory: %n!

- %n stores the number of bytes written so far into the supplied pointer argument.
- There are almost no sensible applications for this beast, so MS apparently disabled it in the mid-2000s (one good decision). Anyway, it's still around on Unix!
- Idea: discover useful pointer values (%x) and abuse them (%n)!

Abusing Format Strings (1)

Once more the simple swallow_egg() example:

    void swallow_egg(char *ptr) {
        char buf[32];
        strncpy(buf, ptr, sizeof(buf));
        printf(buf);
    }

Abusing Format Strings (2)

Unix printf() has yet more features (some of them GNU extensions)!

- Direct argument access: %j$x applies the %x conversion to the j-th argument. Not available in uclibc (used on the pandaboard).
- Integer width modifiers allow reading/writing 1, 2, 4 or 8 byte values (%hhi, %hi, %li, %lli). Note: this works even with %n!
- Length and precision attributes (%.8f, %32s): helpful in tuning the current number of written characters to a desired value.

So in order to write an arbitrary 4 byte value, write it incrementally (4x1 byte using %hhn, or 4x4 bytes partially overlapping each other).
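An added example (not from the slides) covering the processing model of slide 6, the %n semantics of slide 9 and the specifier extensions listed above. audit_format walks a format string the way libc does: every conversion, and every '*' width or precision, consumes the next argument slot whether or not the caller supplied one; it honours the j$ direct-access form and the hh/h/l/ll length modifiers and reports how many argument slots the string would reach for, how many %n-family writes it contains, and whether positional access is used, which is the check to run on any format that is not a compile-time literal. chars_before_n and chars_before_hhn show, with a legitimate local variable as the pointer argument, what %n actually stores, how a width attribute tunes that count, and that %hhn keeps only the low byte. All struct and function names are chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of walking a format string the way printf walks it at run time. */
struct fmt_audit {
    int max_arg;     /* highest argument slot the string would consume (1-based, 0 = none) */
    int writes;      /* number of %n / %hhn / %hn / %ln conversions (writes through a pointer) */
    int positional;  /* 1 if any conversion uses the j$ direct-argument form */
};

/* Grammar followed here: %[j$][flags][width][.precision][length]conversion. */
struct fmt_audit audit_format(const char *fmt) {
    struct fmt_audit a = {0, 0, 0};
    int next = 0;                             /* next sequential slot, 0-based */
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;              /* "%%": literal percent, consumes nothing */
        if (!*p) break;                       /* lone '%' at end of string */
        const char *q = p;
        int slot = -1;
        if (isdigit((unsigned char)*q)) {     /* direct access: digits followed by '$' */
            char *end;
            long v = strtol(q, &end, 10);
            if (*end == '$' && v > 0) { slot = (int)v - 1; q = end + 1; a.positional = 1; }
        }
        while (*q && strchr("-+ #0", *q)) q++;            /* flags */
        if (*q == '*') { next++; q++; }                    /* width taken from an argument */
        else while (isdigit((unsigned char)*q)) q++;       /* literal width, e.g. %32s */
        if (*q == '.') {                                   /* precision, e.g. %.8f */
            q++;
            if (*q == '*') { next++; q++; }
            else while (isdigit((unsigned char)*q)) q++;
        }
        while (*q && strchr("hlqjztL", *q)) q++;           /* length: hh h l ll q j z t L */
        if (!*q) break;                                    /* truncated conversion */
        int used = (slot >= 0) ? slot : next++;
        if (used + 1 > a.max_arg) a.max_arg = used + 1;
        if (*q == 'n') a.writes++;
        p = q;
    }
    if (next > a.max_arg) a.max_arg = next;
    return a;
}

/* What %n stores: the number of characters produced so far. Rendering one character
   with a field width of `width` makes that count equal to width. */
int chars_before_n(int width) {
    char buf[512];
    int count = -1;
    if (width < 1 || width > 500) return -1;          /* keep the output inside buf */
    snprintf(buf, sizeof buf, "%*c%n", width, 'A', &count);
    return count;
}

/* Same with the hh length modifier: %hhn stores through a 1-byte pointer, so only
   the low byte of the count survives (a count of 300 is stored as 44). */
int chars_before_hhn(int width) {
    char buf[512];
    signed char count = 0;
    if (width < 1 || width > 500) return -1;
    snprintf(buf, sizeof buf, "%*c%hhn", width, 'A', &count);
    return (unsigned char)count;
}

int main(void) {
    struct fmt_audit a = audit_format("%2$x %hhn");   /* constructed sample format */
    printf("slots=%d writes=%d positional=%d\n", a.max_arg, a.writes, a.positional);
    printf("%%n after width 8: %d; %%hhn after width 300: %d\n",
           chars_before_n(8), chars_before_hhn(300));
    return 0;
}
```

A dynamic format whose audit reports more slots than the caller passes, or any write at all, is exactly the mismatch slide 6 describes: libc will read (or write through) whatever sits in the unfilled argument space.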

Abusing Format Strings (3)

In order to use %n effectively, you need useful pointer values you can feed to it.

- Often, the printf() buffer itself is on the stack and thus available as argument space to format conversions: include necessary pointers in your attack input, then use %n on them.
- Last resort: place your pointer values into the environment! The environment is always on the stack, and its distance to the top of the stack is usually constant for a single bug.

Student Assignment

- Install the new SD card images (yes, yet again) ...
- Give the mediacenter service a close look. Maybe connect a storage device? (Note you can reuse the SD card for this; the system resides completely in RAM.)
- Note: It's probably easiest to do this challenge completely on the board. The mediacenter service has inotify support and the SD card is mounted r/w for anyone.
- One last hint: It may not be necessary to hijack control flow. Look at the functionality provided by mediacenter. There is an easier way to get a shell!