prin'() tricks DC4420 slides, Feb 2012

Similar documents
Intermediate Programming, Spring 2017*

Memory Corruption 101 From Primitives to Exploit

System Security Class Notes 09/23/2013

Heap Arrays and Linked Lists. Steven R. Bagley

Heap Arrays. Steven R. Bagley

Lecture 4 September Required reading materials for this class

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

A heap, a stack, a bottle and a rack. Johan Montelius HT2017

CS 161 Computer Security

Foundations of Network and Computer Security

Important From Last Time

CSC C69: OPERATING SYSTEMS

CS61C Machine Structures. Lecture 5 C Structs & Memory Mangement. 1/27/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Intro to x86 Binaries. From ASM to exploit

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Important From Last Time

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Recitation: Cache Lab & C

CS61C Machine Structures. Lecture 4 C Structs & Memory Management. 9/5/2007 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Biography. Background

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Intro to Cracking and Unpacking. Nathan Rittenhouse

Computer Science 50: Introduction to Computer Science I Harvard College Fall Quiz 0 Solutions. Answers other than the below may be possible.

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Infecting the Embedded Supply Chain

CS61C : Machine Structures

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

CS 33. Architecture and the OS. CS33 Intro to Computer Systems XIX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Runtime Defenses against Memory Corruption

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CS 241 Honors Memory

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

Review: C Strings. A string in C is just an array of characters. Lecture #4 C Strings, Arrays, & Malloc

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

CS354 gdb Tutorial Written by Chris Feilbach

CS 33. Architecture and the OS. CS33 Intro to Computer Systems XIX 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

CS 241 Data Organization Binary Trees

Dnmaloc: a more secure memory allocator

Understanding Pointers

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

MPATE-GE 2618: C Programming for Music Technology. Unit 4.1

Dynamic Memory Allocation and Command-line Arguments

CSE 374 Programming Concepts & Tools

CS 222: Pointers and Manual Memory Management

From Over ow to Shell

CSE 565 Computer Security Fall 2018

When you add a number to a pointer, that number is added, but first it is multiplied by the sizeof the type the pointer points to.

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Memory and Addresses. Pointers in C. Memory is just a sequence of byte-sized storage devices.

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Lab 3. Pointers Programming Lab (Using C) XU Silei

CS 220: Introduction to Parallel Computing. Arrays. Lecture 4

CS 61c: Great Ideas in Computer Architecture

Pointer Basics. Lecture 13 COP 3014 Spring March 28, 2018

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

CS107, Lecture 9 C Generics Function Pointers

CSE 509: Computer Security

ECS 153 Discussion Section. April 6, 2015

GDB Tutorial. A Walkthrough with Examples. CMSC Spring Last modified March 22, GDB Tutorial

Is stack overflow still a problem?

Tutorial 1 C Tutorial: Pointers, Strings, Exec

CMSC 341 Lecture 2 Dynamic Memory and Pointers

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

TI2725-C, C programming lab, course

CS113: Lecture 7. Topics: The C Preprocessor. I/O, Streams, Files

CSE 303: Concepts and Tools for Software Development

Programming Studio #9 ECE 190

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Part V. Memory and pointers. Philip Blakely (LSC) C++ Introduction 145 / 370

Number Review. Lecture #3 More C intro, C Strings, Arrays, & Malloc Variables. Clarification about counting down

Lecture 08 Control-flow Hijacking Defenses

CSE 127 Computer Security

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CS61C : Machine Structures

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

Offensive Security My First Buffer Overflow: Tutorial

Subprograms: Arguments

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

CS 61C: Great Ideas in Computer Architecture. C Arrays, Strings, More Pointers

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Data Structures and Algorithms for Engineers

3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually

CSCI-1200 Data Structures Spring 2016 Lecture 6 Pointers & Dynamic Memory

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Malloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016

CS61C : Machine Structures

WINDOWS 10 RS2/RS3 GDI DATA-ONLY EXPLOITATION TALES

Dynamic Data Structures. CSCI 112: Programming in C

Lecture 9 Assertions and Error Handling CS240

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Transcription:

prin'() tricks DC4420 slides, Feb 2012 1

Who am I? Shaun Colley Senior Security Consultant at IOAcFve Exploit development, reverse engineering, development, pen- tesfng 2

Prin'() tricks - Agenda ShiMing the stack pointer & arbitrary mem writes in order to exploit format string bugs without %n When is a NULL pointer not just a NULL pointer? don t expect prin'() & family to crash on NULL pointers These are just a few things I played with a while back

There was a good article in Phrack #67 called A Eulogy for format strings (phrack.org/issues.html? issue=67&id=9) by Captain Planet Main point of the article was disabling the antiformat string bug exploitation measures implemented by the FORTIFY_SOURCE patch (gcc prog.c o prog -D_FORTIFY_SOURCE=2) The patch s anti-exploit measures are: Detect holes in direct parameter access, i.e. %16$x and not %16$x %15$x %14$x %1$x Detect %n in format strings that are in writable segments (stack, heap, BSS, ) 4 Both of these result in an abort()

How did the author, Captain Planet disable FORTIFY_SOURCE? Need to look into the GLIBC vfprin'.c source code... Warning it s not preby. In fact understanding the code is more of a reverse engineering job than just reading C code J See code on next slide 5

args_type = alloca (nargs * sizeof (int)); //!!! UNBOUNDED ALLOCA = STACK SHIFTING!!! memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY? '\xff' : '\0', nargs * sizeof (int)); args_value = alloca (nargs * sizeof (union printf_arg)); //!! UNBOUNDED STACK SHIFTING!!! /* XXX Could do sanity check here: If any element in ARGS_TYPE is still zero after this loop, format is invalid. For now we simply use 0 as the value. */ /* Fill in the types of all the arguments. */ for (cnt = 0; cnt < nspecs; ++cnt) { /* If the width is determined by an argument this is an int. */ if (specs[cnt].width_arg!= -1) args_type[specs[cnt].width_arg] = PA_INT; // UNBOUNDED NULL DWORD WRITE 6

Nargs = maximum possible number of format args, i.e. %10$x %12345$x would give nargs = 12345 And specs[cnt].width_arg = width of currently parsing format specifier So args_type[specs[cnt].width_arg] = PA_INT; can ultimately lead to an (almost-)arbitrary addr NULL DWORD write 7

This allowed the author to toggle off the _IO_FLAGS2_FORTIFY flag in the file stream being used. Very important point to note is that nargs was set to something that would wrap to 0 in the memset, i.e. %1073741824$ And then another format specifier was used to exploit args_type[specs[cnt].width_arg] = PA_INT If width_arg is chosen very carefully the FORTIFY_SOURCE flag in the file stream is NULLed. At this point you can use direct parameter access + %n s to carry out a fairly standard format string aback 8

Cool, patch bypassed But are there any other ways to exploit this arbitrary stack pointer shim and/or arbitrary NULL dword write? For example, without later having to use %n like in normal format string exploits? Yes, but they re fairly applicafon- specific. Let s consider each of the aback vectors - 1) stack shiming and 2) arbitrary address write (not arbitrary value) 9

Stack pointer shiming with alloca() Few different possibilifes. Firstly you could use a large DPA to shim the stack pointer into the heap: args_type = alloca (nargs * sizeof (int)); //!!! UNBOUNDED ALLOCA = STACK SHIFTING!!! memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY? '\xff' : '\0', nargs * sizeof (int)); However you ll generally get a SIGSEGV because of the memset() 10

SomeFmes this doesn t maber The memset has sfll corrupted memory up to the point a guard page is hit We just need some of this memory to be used in a SEGV signal handler i.e. SEGV signal handler tries to drop privileges to do something priv- sensifve but the saved UID has been overwriben with 0 s Could be preby bad news. Demo (on a VM!!) 11

What if there is no signal handler and a seg fault in memset() will just crash the app? SomeFmes we may be able to work it so that nargs * sizeof(int) at [1] is small enough that no page fault happens at memset() args_type = alloca (nargs * sizeof (int)); //!!! [1] UNBOUNDED ALLOCA = STACK SHIFTING!!! memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY? '\xff' : '\0,nargs * sizeof (int)); args_value = alloca (nargs * sizeof (union printf_arg)); // [2] Yet at the same Fme we make nargs * sizeof(union prin'_arg) is large enough to shim the stack pointer past the guard page and into the heap 12

So we use a %<number>$x with number small enough that <number> * sizeof(int) still leaves ESP in the stack therefore the memset() doesn t page fault.. Then the next alloca() with no annoying memset() shifts the stack pointer past the guard page and into an area of memory we (in/)directly control i.e. heap Any further function calls after this point will push stack frames into this memory area What if another (p)thread then clobbers this area with data we control? You ve potentially got an exploitable vector and you didn t even use a %n specifier You just need to find somewhere you can shift to that you have some control over 13

Can be a little messy Often need to play around with rlimits and get a lot of heap malloc() ed Demo 14

What about using the arbitrary NULL overwrite for something? Again, application-specific just like the first demo Could be used to zero out some context-specific int like Captain Planet used to zero out the FORTIFY_SOURCE flag There are these assignment ops as well: 15 If case 1: /* One argument; we already have the type. */ args_type[specs[cnt].data_arg] = specs[cnt].data_arg_type; break; default: /* We have more than one argument for this format spec. We must call the arginfo function again to determine all the types. */ (void) (* printf_arginfo_table[specs[cnt].info.spec]) (&specs[cnt].info, specs[cnt].ndata_args, &args_type[specs[cnt].data_arg]);

Be imaginative and do some digging there may be something you can overwrite that will be enough to affect execution flow in your favour Application-specific privilege flags Loop counters i.e. overwrite a decrementing loop counter with zero, then counter--; à 0xffffffff Could lead to memory corruption 16

Lastly, be aware that printf( abcd %s\n, NULL) does not necessarily crash at a NULL pointer dereference According to C99, the behavior is actually undefined But glibc s *printf() and other implementations will replace such an occurance with (null) (not always, sometimes it will seg fault it depends what else is in the format string) i.e. root@bt:~#./null abcd (null) 17

Potential to be abused? Again, application-specific but could lead to an overflow in sprintf() if ptr was supposed to point to a string shorter than strlen( (null) ) = 6 bytes. i.e. char *ptr = NULL; switch(user_controlled_int) { case 0 : ptr = AB1 ; break; 18 } case 1 : ptr = AB2 ; break; case 2 : ptr = AB3 ; break; sprintf(buf, abcd %s, ptr); // could be an overflow

Just some *printf() internals/tricks I thought might be interesting. Thanks for listening. Questions? IOAcFve, Ltd www.ioacfve.co.uk scolley@ioacfve.co.uk 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback