bff o lfbuffer overflow - androbenchcsl.skku.edu/uploads/sse2030f10/12-buffer.pdf ·...
TRANSCRIPT
B ff O flB ff O flBuffer OverflowBuffer Overflow
Jin-Soo Kim ([email protected])Jin Soo Kim ([email protected])Computer Systems Laboratory
Sungkyunkwan Universityhtt // l kk dhttp://csl.skku.edu
IA-32/Linux Memory LayoutIA-32/Linux Memory LayoutIA 32/Linux Memory LayoutIA 32/Linux Memory Layout Stack FF
• Runtime stack (8MB limit) Heap
• Dynamically allocated storage Upper
Kernel
C0Dynamically allocated storage• When call malloc(), calloc(), new()
DLLs (shared libraries)• Dynamically linked libraries
2 hex digits of address
BFC0
Stack
• Dynamically linked libraries• Library routines (e.g., printf, gets)• Linked into object code when first
executed7F80
Heapexecuted Data
• Statically allocated datad l d d
40 DLLsDLLs
Heap
• e.g., arrays & strings declared in code Text
• Executable machine instructions
3F40
T tDataData
Heap
2SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
• Read-only00
Text08
Text & Stack ExampleText & Stack ExampleText & Stack ExampleText & Stack ExampleInitially
BF StackBF Stack
(gdb) break main
7F80
(gdb) runBreakpoint 1, 0x804856f in main ()
(gdb) print $esp(g )$3 = (void *) 0xbffffc78
3F40
TextData
08
3SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
00Text08
Vulnerable Buffer CodeVulnerable Buffer CodeVulnerable Buffer CodeVulnerable Buffer Code
/* Echo Line */void echo(){
$ ./bufdemoType:123123{
// Way too small! char buf[4]; gets(buf);
123
$ ./bufdemoType: 12345gets(buf);
puts(buf);}
Type: 12345Segmentation Fault
$ ./bufdemoint main() {
printf(“Type: “);
$ ./bufdemoType: 12345678Segmentation Fault
echo();return 0;
}
4SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
String Library CodeString Library CodeString Library CodeString Library Code Implementation of Unix function gets()
• No way to specify limit on # of characters to read
/* Get string from stdin */char *gets(char *dest) {
int c = getc();char *p = dest;hil ( ! && ! '\ ') {while (c != EOF && c != '\n') {
*p++ = c;c = getc();
}}*p = '\0';return dest;
}
• Similar problems with other Unix functions– strcpy: copies string of arbitrary length
}
5SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
– strcpy: copies string of arbitrary length– scanf/fscanf/sscanf, given %s conversion specification
Buffer Overflow (1)Buffer Overflow (1)Buffer Overflow (1)Buffer Overflow (1)
/* Echo Line *// Echo Line /void echo(){
char buf[4]; /* Way too small! */
StackFrame
for mainchar buf[4]; / Way too small! /gets(buf);puts(buf);
}
Return AddressSaved %ebp
[3] [2] [1] [0] buf%ebp
echo:hl % b # S % b t k
}[3] [2] [1] [0] buf
pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $24,%esp # Allocate spaceleal 4(%ebp) %eax # compute buf as %ebp 4
%eax %espleal ‐4(%ebp),%eax # compute buf as %ebp‐4 movl %eax,(%esp) # save to the stackcall gets # Call gets
StackFrame
for gets
6SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
. . .
Buffer Overflow (2)Buffer Overflow (2)Buffer Overflow (2)Buffer Overflow (2)
unix> gdb bufdemo(gdb) break echo
StackFrame
for mainBreakpoint 1 at 0x8048583(gdb) runBreakpoint 1, 0x8048583 in echo ()(gdb) print /x *(unsigned *)$ebp %ebp=0xbffff8f8
Return AddressSaved %ebpbf ff f8 f8
08 04 86 4d return addr.
(gdb) print /x (unsigned )$ebp$1 = 0xbffff8f8(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x804864d
p[3][2][1][0] buf
StackFrame
xx xx xx xx
Framefor echo
8048648: call 804857c <echo>804864d: mov $0,%eax # Return Point
7SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
Buffer Overflow (3)Buffer Overflow (3)Buffer Overflow (3)Buffer Overflow (3)
Before Call to gets Input = “123”
StackStackFrame
for mainFramefor main
0xbffff8f8Return Address
Saved %ebp
[3][2][1][0] bufbf ff f8 f808 04 86 4d
00 33 32 31
Return AddressSaved %ebp
[3] [2] [1] [0] buf%ebp
StackFrame
for echo
StackFrame
for echo
No Problem
8SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
Buffer Overflow (4)Buffer Overflow (4)Buffer Overflow (4)Buffer Overflow (4)Input = “12345”StackStack
Return Address
Framefor main
08 04 86 4dReturn Address
Framefor main
0xbffff8d8Return Address
Saved %ebp
[3][2][1][0] bufbf ff 00 3508 04 86 4d
34 33 32 31
Return AddressSaved %ebp
[3] [2] [1] [0] buf
%ebp
Saved value of %ebp set to 0 bfff0035Stack
Framefor echo
StackFrame
for echo
0xbfff0035
Bad news when later attempt to restore %ebp
. . .8048600: call 80482c4 # gets
<echo code>
to restore %ebp
8048600: call 80482c4 # gets8048605: leal 0xfffffffc(%ebp),%eax8048608: movl %eax,(%esp)804860b: call 80482d4 # puts8048610 l # l % b % l % b
9SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
8048610: leave # movl %ebp, %esp; popl %ebp8048611: ret
Buffer Overflow (5)Buffer Overflow (5)Buffer Overflow (5)Buffer Overflow (5)Input = “12345678”Stack
FrameStackFrame
R t Add
Framefor main
R t Add
Framefor main
08 04 86 00Return AddressSaved %ebp
[3] [2] [1] [0] buf%ebp 0xbffff8d8
Return AddressSaved %ebp
[3][2][1][0] buf38 37 36 3508 04 86 00
34 33 32 31
StackFrame
for echo
StackFrame
for echo
%ebp and return address corruptedfor echo for echo
Invalid address
l i i
p
8048648: call 804857c <echo>
No longer pointing to desired return point
10SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
8048648: call 804857c <echo>804864d: mov $0,%eax # Return Point
Buffer Overflow Attack (1)Buffer Overflow Attack (1)Buffer Overflow Attack (1)Buffer Overflow Attack (1) Malicious use of buffer overflow
• Input string contains byte representation of executable code• Overwrite return address with address of buffer
Wh b () t t ill j t l it d• When bar() executes ret, will jump to exploit code.
void foo(){
B
foo stack frame
data
bar();...
}
returnaddress
A
padwritten
bygets()
void bar() {char buf[64];
Stack after
bar stack frame
B
exploitcode
g ()gets(buf); ...
}
11SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
Stac a tecall to gets()
Buffer Overflow Attack (2)Buffer Overflow Attack (2)Buffer Overflow Attack (2)Buffer Overflow Attack (2) Exploits based on buffer overflowsp
• Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines.
• Internet worm– Early versions of the finger server (fingerd) used gets() to
d th t t b th li tread the argument sent by the client:» finger [email protected]
– Worm attacked fingerd server by sending phony argument:o a ac ed g se e by se d g p o y a gu e» finger “exploit‐code padding new‐return‐address”» exploit code: executed a root shell on the victim machine with
a direct TCP connection to the attackera direct TCP connection to the attacker.
12SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
Code Red Worm (1)Code Red Worm (1)Code Red Worm (1)Code Red Worm (1) History
• June 18, 2001. Microsoft announces buffer overflow vulnerability in IIS Internet serverJ l 19 2001 O 250 000 hi i f t d b• July 19, 2001. Over 250,000 machines infected by new virus in 9 hours.
• White house must change its IP address Pentagon• White house must change its IP address. Pentagon shut down public WWW servers for day.
Received strings of form Received strings of formGET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN....NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN% 9090% 6858% bd3% 780NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1 0" 400 325 "‐" "‐"
13SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
HTTP/1.0 400 325 ‐ ‐
Code Red Worm (2)Code Red Worm (2)Code Red Worm (2)Code Red Worm (2) Code Red exploit codep
• Starts 100 threads running• Spread selfp
– Generate random IP addresses & send attack stringB t 1 t & 19th f th– Between 1st & 19th of month
• Denial of service attack to www whitehouse govwww.whitehouse.gov– Send 98,304 packets; sleep for
4-1/2 hours; repeat– Between 21st & 27th of month
• Deface server’s home page
14SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
– After waiting 2 hours
Code Red Worm (3)Code Red Worm (3)Code Red Worm (3)Code Red Worm (3) Code Red effects
• Later version even more malicious– Code Red II– As of April 2002, over 18,000 machines infected– Still spreading
P d f NIMDA• Paved way for NIMDA– Variety of propagation methods
One was to exploit vulnerabilities left behind by Code Red II– One was to exploit vulnerabilities left behind by Code Red II
15SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
Nimda WormNimda WormNimda WormNimda Worm Nimda (2001)( )
• Five different infection methods:– Via e-mail– Via open network shares – Via browsing of compromised web
sitessites– Exploitation of various Microsoft IIS
4.0/5.0 directory traversal vulnerabilities
– Via back doors left behind by the “Code Red II” and “Sadmind/IIS”Code Red II and Sadmind/IIS worms
• One of the most widespread
16SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
virus/worm
SQL Slammer WormSQL Slammer WormSQL Slammer Worm SQL Slammer Worm SQL slammer (2003)Q ( )
• Exploited two buffer overflow bugs in Microsoft’s SQL Server and Desktop Engine.
• Infected 75,000 victims within 10 minutes • Generate random IP addresses and send itself out to
those addresses, slowing down Internet traffic dramatically.
• 1/25 nationwide Internet shutdownin South Koreain South Korea
17SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
30 minutes after release
Avoiding Buffer OverflowAvoiding Buffer OverflowAvoiding Buffer OverflowAvoiding Buffer Overflow Use library routines that limit string lengthsy g g
• fgets() instead of gets()• strncpy() instead of strcpy()py() py()• Don’t use scanf() with %s conversion specification
– Use fgets() to read the string– Or use %ns where n is a suitable integer
/* Echo Line *// Echo Line /void echo(){
char buf[4]; /* Way too small! */char buf[4]; / Way too small! /fgets(buf, 4, stdin);puts(buf);
}
18SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
}
System-Level ProtectionsSystem-Level ProtectionsSystem Level ProtectionsSystem Level Protections Randomized stack offsets
• At start of program, allocate random amount of space on stack
• Makes it difficult for hacker to predict beginning of inserted code
Executable space protectionp p• Mark certain areas of memory as non-executable• Hardware assistance:
– Intel NX (No eXecute) bit– AMD XD (eXecute Disable) bit
19SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])
SummarySummarySummarySummary Memory layout
• OS/machine dependent (including kernel version)• Basic partitioning:
– stack, data, text, heap, DLL found in most machines
Avoiding buffer overflow vulnerabilityI lib i h li i i• Important to use library routines that limit string lengths
Working with strange code Working with strange code• Important to analyze nonstandard cases
– e g what happens when stack corrupted due to buffere.g., what happens when stack corrupted due to buffer overflow
• Helps to step through with GDB
20SSE2030: Introduction to Computer Systems | Fall 2010| Jin-Soo Kim ([email protected])