Shellbased Wargaming

Abstract

Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject who are interested in learning about computer security. It is not intended to teach specific techniques, as that is the purpose of wargaming itself. This document does not cover the basics of Unix systems nor the basics of programming.

1 Introduction

Once in a while the media report about a security problem that allowed a virus to infect a system or a hacker to break in. Have you ever wondered what caused this? The problem is mostly an error made by the programmer, but what do those errors look like? Wouldn't it be better if programmers knew about those errors before they wrote the programs, so they could write stable and more secure programs from the beginning?

Wargames consist of levels with programming bugs in them. The goal of each level is to find the security bug and exploit it. The goal of the wargame is to educate about security and about how programs shouldn't be written. Skills needed to play (or needed to learn while playing) include common sense, patience, searching in manuals, details of Unix systems and commands, programming (mostly C), reverse engineering and thinking outside the box.

2 Concepts

Shellbased wargaming is mostly played on a dedicated Linux server via the remote login service ssh.

2.1 Unix permissions

Each file in a Unix system has permissions assigned to it.

    $ ls -l
    -r-sr-x---  1 levely levelx 6949 example
    -rw-r-----  1 levely levelx   69 example.c
    -rw-------  1 levely levely   20 password
    -rwxr-sr-x  1 root   game   7383 adventure
    -rw-rw-r--  1 root   game    234 highscore

This is a directory listing, showing the owners, groups and permissions of the files. example, example.c and password are owned by levely, but example and example.c are in the group levelx.

2.2 User ID

Each process on a Unix system has a user id and a group id, and also an effective user id and an effective group id. These are commonly abbreviated to UID, GID, EUID and EGID. Some processes need to run with higher privileges. In the listing above there is the game adventure and its highscore file. A user should not be able to edit the highscore file directly, only when running the game. adventure has an s instead of an x in the group execute position. This means that when adventure is run, the process will run with an effective group id of game, thus allowing it to edit the highscore file. We say that adventure runs setgid, or that it is a setgid binary.[1] Similarly, example is a setuid binary. It will run with an effective user id of levely.

[1] Binary is another word for executable, referring to the file itself.

2.3 Privilege escalation

Progress in a wargame is made by privilege escalation. A program is buggy if its behaviour is not well defined for all situations. A program is vulnerable if a user can control the flow of the program, making it do things it wasn't intended to do. If a user can control the flow of a program running with another effective user id, that user gets all the permissions of that user, which is a security breach.

A level in a shell-based wargame consists (most of the time) of a setuid binary with a security vulnerability. Exploiting it can be done by reading a file that contains the password for the next level or, most commonly, by tricking the program into spawning a shell with the privileges of the next level. Note that it is necessary to log in as the next level to get the group id set. The group id is necessary to play the next level.

3 Examining

To find a vulnerability, the inner workings of the program must be examined. Sometimes the source code is available; otherwise the binary must be examined to find out if and how it might be exploited. The process of determining the inner functions of a compiled program is called reverse engineering. When you have found out what the program does, try asking yourself: what was this program not designed to handle? What if it is fed a large string, a negative number or a string with strange characters in it? Does the program assume things that aren't always true?

3.1 Tools for examining binaries

    strings   Extracts text stored in a binary file
    ltrace    Traces library calls made by the program
    strace    Traces system calls made by the program
    gdb       The GNU debugger
    objdump   Extracts information from a binary

4 Exploiting

When a vulnerability is found, an exploit should be written. This includes some research about the vulnerability, finding offsets and so on.

5 Example

This example lacks details on the theory behind why the exploit works; the reader is encouraged to do independent research. The following program written in C demonstrates a buffer overflow.

    $ ls -l
    -r-sr-x---  1 levely levelx 6949 example
    -rw-r-----  1 levely levelx   69 example.c

This level consists of a small suid binary with source code.

    /* example.c */
    #include <stdio.h>

    int main()
    {
        char a[20];
        gets(a);
        return 0;
    }

From the gets() manual page:

    SECURITY CONSIDERATIONS
    The gets() function cannot be used securely. Because of its lack of
    bounds checking, and the inability for the calling program to reliably
    determine the length of the next incoming line, the use of this
    function enables malicious users to arbitrarily change a running
    program's functionality through a buffer overflow attack.

So what happens if this program is given a string longer than 20 characters?

    $ ./example
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault

The program crashed because important data was overwritten. By using a debugger, it is possible to find the cause of the crash.

    $ gdb -q ./example
    (gdb) r
    Starting program: ./example
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb)

The program is crashing because it tried to execute program code at memory address 0x41414141. Why? The hexadecimal representation of A is 0x41. Note that for the processor there is no difference between characters, integers or memory pointers; it is how the data is used that matters. In this case, the function return pointer was overwritten by a buffer overflow. It is now possible to control where in memory the program executes code. By choosing data that points to program code that, say, spawns a shell, the program will spawn a shell. For more theory behind how to exploit a buffer overflow, see "Smashing the Stack for Fun and Profit" by Aleph One.

First, which of all the A's overwrites the return pointer? And where is our string?

    (gdb) r
    Starting program: /tmp/example
    AAAAAAAAAAAAAAAAAAAABCDEFGHIJKLM

    Program received signal SIGSEGV, Segmentation fault.
    0x49484746 in ?? ()
    (gdb) x $esp
    0xbfffdd40:     0x4d4c4b4a
    (gdb)
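The step done by hand above, reading the faulting address back into the input bytes that produced it, is the core of triaging any crash as "control flow reached attacker-controlled data" rather than a plain memory error. Here it is as an added example (not code from the original document), using the strings and addresses from the gdb session. It assumes the 32-bit little-endian x86 machine that the $esp register and the 0xbfffdd40 address imply; the function names are this example's own.

```c
/* Added example (not from the original document): relate a faulting address
 * back to the input that produced it, as done by hand in section 5.  On a
 * little-endian x86 machine the four bytes of the word that reached EIP are
 * stored lowest first, so 0x49484746 is the byte sequence 'F','G','H','I'.
 * The inputs and addresses in main() are copied from the gdb session. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the four bytes of a 32-bit word in memory (little-endian) order. */
void word_to_bytes_le(uint32_t word, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((word >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Offset of a 4-byte sequence in the input: -1 if absent, -2 if it occurs
 * more than once.  The ambiguous case is why a run of identical 'A's tells
 * you that the return pointer was overwritten but not by which bytes, and
 * why the second run uses the distinct letters B..M. */
int locate_bytes(const char *input, const char bytes[4])
{
    size_t n = strlen(input);
    int found = -1;
    for (size_t i = 0; i + 4 <= n; i++) {
        if (memcmp(input + i, bytes, 4) == 0) {
            if (found != -1)
                return -2;
            found = (int)i;
        }
    }
    return found;
}

/* Offset into the input of the bytes that ended up in the faulting address. */
int fault_offset(const char *input, uint32_t fault_addr)
{
    char bytes[5];
    word_to_bytes_le(fault_addr, bytes);
    return locate_bytes(input, bytes);
}

int main(void)
{
    /* Inputs from the two gdb runs (20 'A's, then B..M in the second). */
    const char *run1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    const char *run2 = "AAAAAAAAAA" "AAAAAAAAAA" "BCDEFGHIJKLM";

    printf("0x41414141 -> offset %d (ambiguous: all bytes identical)\n",
           fault_offset(run1, 0x41414141u));
    printf("0x49484746 -> offset %d (bytes that reached the return pointer)\n",
           fault_offset(run2, 0x49484746u));
    printf("0x4d4c4b4a -> offset %d (word at $esp after the crash)\n",
           fault_offset(run2, 0x4d4c4b4au));
    return 0;
}
```

For the second run the crash address maps to input offset 24 and the word at $esp to offset 28: bytes 24 to 27 of the input overwrote the saved return pointer, and the bytes immediately following it are what the stack pointer points at once the faulty return has executed, which is exactly what the x $esp output shows.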

6 Tips and Tricks

6.1 Manual pages

As soon as there is a strange command or function that you are not sure about, strstr for example, just type man strstr in your terminal. This cannot be taken too lightly; there is even an acronym for it: RTFM, read the friendly manual.

6.2 Bash

Sometimes an exploit needs to be submitted to standard input. As a shell closes when it detects EOF,[2] the following trick might be used to continue to give input after the exploit has been fed to the program.

    (perl -e 'print "exploit"'; cat) | ./binary

6.3 Perl

Perl is a great scripting tool when wargaming. It is possible to run small scripts directly from the shell with the -e flag. Large strings are easily produced.

    ./binary $(perl -e 'print "A"x10000')

That is a lot more handy than writing

    ./binary AAAAAAAAAAAAAAAAAAAAAAA...10000times...AAA

6.4 gdb

In gdb, exploit code can be given as an argument

    (gdb) r $(perl -e 'exploitcode')

or to standard input

    (gdb) r < <(perl -e 'exploitcode')

There is a space between the less-than signs. This is because of process substitution. More about that can be found on the internet and in the bash manual page.

[2] End of file

7 List of wargame communities

http://www.smashthestack.org/
http://intruded.net/
http://overthewire.org/