23
8/10/2019 Buffer Overflows Etc http://slidepdf.com/reader/full/buffer-overflows-etc 1/23 Control hijacking attacks  Attacker’s goal :  – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control flow  This lecture: three examples.  – Buffer overflow attacks  – Integer overflow attacks  – Format string vulnerabilities

Buffer Overflows Etc

Embed Size (px)

Citation preview

Page 1: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 1/23

Control hijacking attacks

•  Attacker’s goal:

 – Take over target machine (e.g. web server)

• Execute arbitrary code on target by

hijacking application control flow

•  This lecture: three examples.

 – Buffer overflow attacks

 – Integer overflow attacks

 – Format string vulnerabilities

Page 2: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 2/23

1. Buffer overflows

• Extremely common bug. – First major exploit: 1988 Internet Worm. fingerd.

• Developing buffer overflow attacks: – Locate buffer overflow within an application. – Design an exploit.

0

100

200

300

400

500

600

1995 1997 1999 2001 2003 2005

Source: NVD/CVE

20% of all vuln.

2005-2007:  10%

Page 3: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 3/23

What is needed

• Understanding C functions and the stack• Some familiarity with machine code

• Know how systems calls are made

• The exec() system call

• Attacker needs to know which CPU and OS are running on the

target machine:

 – Our examples are for x86 running Linux

 – Details vary slightly between CPUs and OSs:

• Little endian vs. big endian (x86 vs. Motorola)

• Stack Frame structure (Unix vs. Windows)

• Stack growth direction

Page 4: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 4/23

Linux process memory layout

unused

0x08048000

run time heap

shared libraries

user stack

0x40000000

0xC0000000

%esp

brk

Loaded

from exec

0

Page 5: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 5/23

Stack Frame

Parameters

Return address

Stack Frame Pointer

Local variables

SP

StackGrowth

Page 6: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 6/23

What are buffer overflows?

• Suppose a web server contains a function:void func(char *str) {

char buf[128];

strcpy(buf, str);

do-something(buf);}

• When the function is invoked the stack looks like:

• What if *str  is 136 bytes long? After strcpy:

str ret-addr sfp buf

topof

stack

str topof

stack*str ret

Page 7: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 7/23

Basic stack exploit

• Problem: no range checking in strcpy().

• Suppose *str  is such that after strcpy  stack looks like:

• When func()  exits, the user will be given a shell !• Note: attack code runs in stack .

• To determine ret guess position of stack when func() is called

top

ofstack

*str ret Code for P

Program P: exec( “/bin/sh” ) 

(exact shell code by Aleph One)

Page 8: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 8/23

Many unsafe C lib functions

strcpy (char *dest, const char *src)

strcat (char *dest, const char *src)

gets (char *s)

scanf  ( const char *format, … ) 

• “Safe” versions strncpy(), strncat()  are misleading

 – strncpy() may leave buffer unterminated.

 – strncpy(), strncat() encourage off by 1 bugs.

Page 9: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 9/23

Page 10: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 10/23

Control hijacking opportunities

• Stack smashing attack:

 – Override return address in stack activation record byoverflowing a local buffer variable.

• Function pointers: (e.g. PHP 4.0.2, MS MediaPlayer Bitmaps)

 – Overflowing buf will override function pointer.

• Longjmp buffers: longjmp(pos) (e.g. Perl 5.003)

 – Overflowing buf next to pos overrides value of pos.

Heapor

stackbuf[128] FuncPtr

Page 11: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 11/23

Heap-based control hijacking

• Compiler generated function pointers (e.g. C++ code)

• Suppose vtable is on the heap next to a string object:

ptr

data

Object T

FP1

FP2

FP3

vtable

method #1

method #2

method #3

   p   t   r

buf [256]    d   a   t   a

object T

vtable

Page 12: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 12/23

Heap-based control hijacking

• Compiler generated function pointers (e.g. C++ code)

• After overflow of buf  we have:

ptr

data

Object T

FP1

FP2

FP3

vtable

method #1

method #2

method #3

   p   t   r

buf [256]    d   a   t   a

object T

vtable

shell

code

Page 13: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 13/23

Other types of overflow attacks

• Integer overflows: (e.g. MS DirectX MIDI Lib) Phrack60

void func(int a, char v) {

char buf[128];

init(buf);

 buf[a] = v;}

 – Problem: a can point to `ret-addr’ on stack. 

Page 14: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 14/23

Integer overflow : Example

int main(int argc, char **argv)

{

char buf[80];

unsigned short s; int i;i = atoi(argv[1]);

s = i;

if(s >= 80) { error_msg(); return -1; }

memcpy(buf, argv[2], i);

What happens if called with argv[1] = 65536?

Page 15: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 15/23

Double Free

• Double free: double free space on heap.

 – Can cause mem mgr to write data to specificlocation

 – Examples: CVS server

Page 16: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 16/23

0

20

40

60

80

100

120

140

1996 1998 2000 2002 2004 2006

Source: NVD/CVE

Integer overflow stats

Page 17: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 17/23

Finding buffer overflows

• To find overflow:

 –Run web server on local machine

 – Issue requests with long tags

All long tags end with “$$$$$”  – If web server crashes,

search core dump for “$$$$$” to findoverflow location

• Many automated tools exist (called fuzzers – next lecture)

• Then use disassemblers and debuggers (e.g. IDA-Pro) toconstruct exploit

Page 18: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 18/23

Format string bugs

Page 19: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 19/23

Format string problem

int func(char *user) {fprintf( stdout, user);}

Problem: what if user = “%s%s%s%s%s%s%s”  ??

 –Most likely program will crash: DoS.

 – If not, program will print memory contents.Privacy?

 – Full exploit using user = “%n” 

Correct form:

int func(char *user) {fprintf( stdout, “%s”, user); 

}

Page 20: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 20/23

History

•   First exploit discovered in June 2000.•   Examples:

 – wu-ftpd 2.* : remote root

 – Linux rpc.statd: remote root

 – IRIX telnetd: remote root

 – BSD chpass: local root

Page 21: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 21/23

Vulnerable functions

Any function using a format string.

Printing:

printf, fprintf, sprintf, … 

vprintf, vfprintf, vsprintf, … 

Logging:

syslog, err, warn

Page 22: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 22/23

Exploit

• Dumping arbitrary memory:

 – Walk up stack until desired pointer is found.

 –printf( “%08x.%08x.%08x.%08x|%s|”) 

• Writing to arbitrary memory:

 – printf( “hello %n”, &temp) -- writes ‘6’ into temp. 

 – printf( “%08x.%08x.%08x.%08x.%n”) 

Page 23: Buffer Overflows Etc

8/10/2019 Buffer Overflows Etc

http://slidepdf.com/reader/full/buffer-overflows-etc 23/23

Overflow using format string

char errmsg[512], outbuf[512];

sprintf (errmsg, “Illegal command: %400s”, user); 

sprintf( outbuf, errmsg );

•   What if user = “%500d <nops> <shellcode>” 

 – Bypass “%400s” limitation. 

 – Will overflow outbuf.