Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Similar documents
Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Information Leaks. Kyriakos Kyriakou

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

20: Exploits and Containment

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

From Over ow to Shell

Biography. Background

Return-orientated Programming

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CS 161 Computer Security

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Lecture 10 Code Reuse

6.858 Lecture 3. char *p = malloc(256); char *q = p + 256; char ch = *q; //Does this raise an exception? //Hint: How big is the baggy bound for p?

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Lecture 08 Control-flow Hijacking Defenses

18-600: Recitation #4 Exploits

Università Ca Foscari Venezia

Outline. Format string attack layout. Null pointer dereference

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

CSE 509: Computer Security

String Oriented Programming Exploring Format String Attacks. Mathias Payer

18-600: Recitation #4 Exploits (Attack Lab)

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Outline. Heap meta-data. Non-control data overwrite

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

CSE 565 Computer Security Fall 2018

Software Security: Buffer Overflow Attacks (continued)

Exploit Mitigation - PIE

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Return Oriented Programming

Memory Safety (cont d) Software Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CMPSC 497 Buffer Overflow Vulnerabilities

Writing Exploits. Nethemba s.r.o.

Software Security: Buffer Overflow Defenses

Advanced Buffer Overflow

Program Security and Vulnerabilities Class 2

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

CMPSC 497: Midterm Review

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Software Security II: Memory Errors - Attacks & Defenses

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Software Security: Buffer Overflow Attacks

Buffer Overflow Attack (AskCypert CLaaS)

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Architecture-level Security Vulnerabilities

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Q: Exploit Hardening Made Easy

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Basic Buffer Overflows

Vulnerability Analysis I:

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Secure Systems Engineering

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 161 Computer Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Buffer Overflow

OS Security. Memory. Radboud University Nijmegen, The Netherlands. Winter 2014/2015

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Is stack overflow still a problem?

Abstraction Recovery for Scalable Static Binary Analysis

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CSE 127 Computer Security

Inject malicious code Call any library functions Modify the original code

Is Exploitation Over? Bypassing Memory Protections in Windows 7

ECS 153 Discussion Section. April 6, 2015

CSC 405 Computer Security Shellcode

ISA564 SECURITY LAB. Code Injection Attacks

Function Call Convention

Writing your first windows exploit in less than one hour

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

CSE 127 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Advanced Systems Security: Program Diversity

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Return oriented programming

Architecture-level Security Vulnerabilities. Julian Stecklina


Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Runtime Defenses against Memory Corruption

Bypassing Browser Memory Protections

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Lec06: DEP and ASLR. Taesoo Kim

Software Security: Buffer Overflow Defenses and Miscellaneous

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

The Geometry of Innocent Flesh on the Bone

Practical and Efficient Exploit Mitigation for Embedded Devices

Transcription:

Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University

Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh

Crash or no Crash? Enough to build exploit GET /blabla HTTP/1.0 HTTP/1.0 404 Not Found GET /AAAAAAAAAAAAAAAA connection closed

Don t even need to know what application is running! Exploit scenarios: 1. Open source 2. Open binary 3. Closed-binary (and source)????

Attack effectiveness Works on 64-bit Linux with ASLR, NX and canaries Server Requests Time (mins) nginx 2,401 1 MySQL 3,851 20 Toy proprietary service (unknown binary and source) 1,950 5

Attack requirements 1. Stack vulnerability, and knowledge of how to trigger it. 2. Server process that respawns after crash E.g., nginx, MySQL, Apache, OpenSSH, Samba.

Background Outline Stack Vulnerabilities No-eXecute memory (NX) Return-Oriented Programming (ROP) Address Space Layout Randomization (ASLR)

Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address 0x400000 urn; } handle_client() buf[1024]

Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x400000 AAAAAAAAA AAAAAAAAA handle_client() AAAAAAAAA AAAAAAAAA

Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x41414141 AAAAAAAAA AAAAAAAAA?? AAAAAAAAA AAAAAAAAA

Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x500000 AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA

Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x600000 0x1029827189 123781923719 823719287319 879181823828

Exploit protections void process_packet(int s) { char buf[1024]; 1. Make stack non-executable int len; (NX) read(s, &len, sizeof(len)); read(s, 2. buf, Randomize len); memory addresses (ASLR) Stack: urn address 0x600000 } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x1029827189 123781923719 823719287319 879181823828

Non-eXecutable (NX) memory stack Read stack Write Read heap Execute heap Write.text Read.text Read (code) Execute (code) Execute

Non-eXecutable (NX) memory stack Read stack Write Read heap Execute heap Write.text Read.text Read (code) Execute (code) Execute

Return-Oriented Programming (ROP).text: Stack: code fragment 0x800000... dup2(sock, 0);...... dup2(sock, 1); execve( /bin/sh, 0, 0);...

Return-Oriented Programming (ROP).text: Stack: code dup2(sock, 0); 0x800000 fragment urn; 0x700000... dup2(sock, 1); 0x600000 0x600000... urn;...... execve( /bin/sh, 0, 0); urn; 0x700000 0x800000 ROP gadget

Address Space Layout Randomization (ASLR).text: 0x400000 code fragment............ dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x700000 0x600000 0x800000

Address Space Layout Randomization (ASLR).text: 0x400000 +?? code fragment............ dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x700000 +?? 0x600000 +?? 0x800000 +??

Exploit requirements today 1. Break ASLR. 2. Copy of binary (find ROP gadgets / break NX). Is it even possible to hack unknown applications?

Blind Return-Oriented Programming (BROP) 1. Break ASLR. 2. Leak binary: Remotely find enough gadgets to call write(). write() binary from memory to network to disassemble and find more gadgets to finish off exploit.

Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address buf[1024] 0x401183

Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address 0000000000000000000000000 0x401183

Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address 0000000000000000000000000 0x001183 (Was: 0x401183)

Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address 0000000000000000000000000 0x011183 (Was: 0x401183)

Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address 0000000000000000000000000 0x401183 (Was: 0x401183)

How to find gadgets?.text: 0x401183 code fragment 0x401170 0x401160 0x401150 0x401140 0x401130?????????? Stack: urn address 0x401183 buf[1024]

How to find gadgets?.text: 0x401183 code 0x401170 0x401160 0x401150 0x401140 0x401130 fragment crash???????? Connection closes Stack: urn address 0x401170 AAAAAAAAA AAAAAAAAA

How to find gadgets?.text: 0x401183 code 0x401170 0x401160 0x401150 0x401140 0x401130 fragment crash crash?????? Connection closes Stack: urn address 0x401160 AAAAAAAAA AAAAAAAAA

How to find gadgets?.text: 0x401183 code 0x401170 0x401160 0x401150 0x401140 0x401130 fragment crash crash no crash???? Connection hangs Stack: urn address 0x401150 AAAAAAAAA AAAAAAAAA

How to find gadgets?.text: 0x401183 code 0x401170 0x401160 0x401150 0x401140 0x401130 fragment crash crash no crash crash crash Connection closes Stack: urn address 0x401130 AAAAAAAAA AAAAAAAAA

Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn

Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn

Finding useful gadgets 0x401170 Stack: Crash!! dup2(sock, 0); urn; other urn address 0x401170 0x401150 buf[1024] sleep(10); urn;

Finding useful gadgets 0x401170 Stack: dup2(sock, 0); urn; 0x401150 0x401150 sleep(10); urn; No crash urn address 0x401170 buf[1024]

How to find gadgets?.text: 0x401183 code fragment 0x401170 0x401160 0x401150 0x401140 0x401130 crash crash stop gadget crash crash Stack: other urn address 0x401183 buf[1024]

How to find gadgets?.text: 0x401183 code fragment Connection hangs 0x401170 0x401160 0x401150 0x401140 0x401130 gadget! crash stop gadget crash crash Stack: 0x401150 urn address 0x401170 AAAAAAAAA AAAAAAAAA

How to find gadgets?.text: 0x401183 code fragment Connection closes 0x401170 0x401160 0x401150 0x401140 0x401130 gadget! crash stop gadget crash crash Stack: 0x401150 urn address 0x401160 AAAAAAAAA AAAAAAAAA

What are we looking for? write(int sock, void *buf, int len)

What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write

What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write AAAAA buf[1024] 0x400000 addr sock rdi 0x500000 buf rsi 0x600000 len rdx 0x700000

Pieces of the puzzle stop gadget [call sleep] pop rsi pop rdi pop rdx call write

Pieces of the puzzle stop gadget [call sleep] pop rsi pop rdi call strcmp call write

Pieces of the puzzle stop gadget pop rsi [call sleep] call strcmp pop rdi call write

Pieces of the puzzle The BROP gadget pop rbx pop rbp pop rsi pop r15 pop rdi pop r12 pop r13 pop r14 pop r15 stop gadget [call sleep] call strcmp call write

Pieces of the puzzle The BROP gadget pop rbx pop rsi pop r15 pop rdi pop rbp pop r12 pop r13 pop r14 pop r15 PLT stop gadget [call sleep] call strcmp call write

Finding the BROP gadget Stack: Connection hangs stop gadget urn address 0x401183 buf[1024]

Finding the BROP gadget Stack: stop gadget crash gadget Connection closes urn address 0x401183 buf[1024]

Finding the BROP gadget Stack: stop gadget crash gadget pop rbx Connection hangs urn address 0x401183 buf[1024]

Stack: Finding the BROP gadget stop gadget crash gadget crash gadget pop rbx pop rbp Connection hangs urn address 0x401183 buf[1024]

Stack: Finding the BROP gadget stop gadget crash gadget crash gadget crash gadget crash gadget crash gadget crash gadget urn address 0x401183 pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 BROP gadget Connection hangs buf[1024]

Attack so far Can control first two arguments to calls (using BROP gadget). Need to control third argument (using call strcmp). Need to find call write Procedure Linking Table (PLT)

Procedure Linking Table (PLT) Origin: 0x400000 PLT.text

Procedure Linking Table (PLT) Origin: 0x400000 [GOT dereference].text call write.text... call write... call strcmp PLT PLT jmp [sleep] push 0 jmp dlresolve jmp [write] push 1 jmp dlresolve jmp [strcmp] push 2 jmp dlresolve libc sleep() {... } write() {... } strcmp() {... }

Finding the PLT Toward beginning of.text Each entry is 0x10 bytes apart, 0x10 aligned Most don t crash: syscalls - urn EFAULT on bad args. Can check if entry + 6 succeeds too (dlresolve slow path)

Fingerprinting strcmp arg1 arg2 result readable 0x0 crash 0x0 readable crash readable readable nocrash Use urn address (.text) as readable Can now control three arguments: strcmp sets RDX to length of string

Finding write strcmp(origin, origin) // sets RDX / write length to 7 - ELF header. set rdi to socket number, rsi to origin/addr try calling candidate PLT function. check if data received on socket. chain writes with different FD numbers to find socket. Use multiple connections.

Launching a shell 1. dump binary to network - not blind anymore! 2. dump symbol table to find PLT calls. 3. redirect stdin/out to socket: dup2(fd, 0); close(0); fcntl(sock, F_DUPFD, 0); 4. read() /bin/sh from socket to writable writable can be environ (from symbol table) 5. execve( /bin/sh, 0, 0)

Braille Fully automated: from crash to shell. 2,000 lines of Ruby. Needs function that will trigger overflow: nginx: 68 lines. mysql: 121 lines. proprietary service: 35 lines. try_exp(data) true crash false no crash

Attack complexity dump bin 222 find write 101 find strcmp 61 stack reading 846 find BROP gadget 469 find PLT 702 # of requests for nginx

BROP conclusions It s scary what a motivated attacker can do: e.g., hack unknown binaries. Hackers can get past point solutions - need principled solutions: OS: rerandomize ASLR & canaries per-fork Compiler: Encrypt or MAC pointers? Application: Dune (privilege separation)?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback