chapter 10 hacking code last modified 4-24-09. common exploit techniques buffer overflows and design...
TRANSCRIPT
Chapter 10Chapter 10
Hacking Code Hacking Code
Last modified 4-24-09
Common Exploit TechniquesCommon Exploit Techniques
Buffer Overflows and Design Flaws Buffer Overflows and Design Flaws – HistoryHistory
Buffer over-runs in the mid-1990sBuffer over-runs in the mid-1990s
Then C library vulnerabilitiesThen C library vulnerabilities
Then string vulnerabilities, off-by one buffer Then string vulnerabilities, off-by one buffer overruns, and database vulnerabilitiesoverruns, and database vulnerabilities
Then web-based attacksThen web-based attacks
Then integer overflow vulnerabilities Then integer overflow vulnerabilities
MudgeMudge
Peiter C. ZatkoPeiter C. Zatko (better (better known as known as MudgeMudge) )
Did early research on Did early research on Buffer OverflowsBuffer Overflows
Member of L0pht and Member of L0pht and CULT OF THE DEAD CULT OF THE DEAD COWCOW
Testified before a Senate Testified before a Senate committee in 1998committee in 1998– Links Ch 11a, 11b, 11cLinks Ch 11a, 11b, 11c
Mudge (right) with Grandmaster Ratte' at DEFCON 14, August 2006
Stack Buffer Overflows Stack Buffer Overflows
Easiest and most devastating buffer Easiest and most devastating buffer overrun overrun
The The stackstack is simply computer memory is simply computer memory used when functions call other functionsused when functions call other functions
Example Example
When the strcpy When the strcpy function is function is called, the called, the segments are segments are as shownas shown
strcpy
PrintOut
main
Extended Instruction PointerExtended Instruction Pointer
The Extended Instruction Pointer (EIP) is The Extended Instruction Pointer (EIP) is the register used by the processor to the register used by the processor to indicate which command is being indicate which command is being executedexecutedThe values marked "Return Link" in yellow The values marked "Return Link" in yellow on the figure are loaded into the EIP when on the figure are loaded into the EIP when a function returnsa function returns– So if a hacker can control the EIP, they can So if a hacker can control the EIP, they can
execute arbitrary code (own the box)execute arbitrary code (own the box)
Famous Buffer OverflowsFamous Buffer Overflows
Since 1995 there have been over a Since 1995 there have been over a thousand buffer overflow vulnerabilities thousand buffer overflow vulnerabilities exposed to the publicexposed to the public– Nimda (Windows)Nimda (Windows)– Slammer (SQL Server)Slammer (SQL Server)– Scalper (FreeBSD)Scalper (FreeBSD)– Slapper (Apache and OpenSSL)Slapper (Apache and OpenSSL)– Witty (ISS RealSecure), Witty (ISS RealSecure),
Stack Buffer Overflow Stack Buffer Overflow Countermeasures Countermeasures
Practice safe and secure coding standards Practice safe and secure coding standards – Validate dataValidate data– Call functions properlyCall functions properly
Check your codeCheck your code– Regular code auditsRegular code audits– Especially for sprintf(), vsprintf(), strcat(), Especially for sprintf(), vsprintf(), strcat(),
strcpy(), gets(), scanf(), etc.strcpy(), gets(), scanf(), etc.
Prohibit use of old, dangerous C functions Prohibit use of old, dangerous C functions like strcpylike strcpy
Stack Buffer Overflow Stack Buffer Overflow Countermeasures Countermeasures
Employ stack execution protectionEmploy stack execution protection– Windows has had Data Execution Prevention Windows has had Data Execution Prevention
since Win XP SP2since Win XP SP2– Available for other operating systems tooAvailable for other operating systems too
Use compiler tools to detect stack Use compiler tools to detect stack overrunsoverruns– In Microsoft Visual C++, use the /GS optionIn Microsoft Visual C++, use the /GS option– For gcc, use StackShield or StackGuard or For gcc, use StackShield or StackGuard or
LibsafeLibsafe
DemonstrationDemonstration
Damn Vulnerable Linux 1.0Damn Vulnerable Linux 1.0– Right-click, DVL, Xshells, for Light BlindedRight-click, DVL, Xshells, for Light Blinded
Right-click, DSL, Desktop, Styles, MinimalRight-click, DSL, Desktop, Styles, Minimal
01_exploitme01 application01_exploitme01 application
Source codeSource code
Uses strcpyUses strcpy
No validationNo validation
Segmentation FaultsSegmentation Faults
The 01_exploitme01 application crashes The 01_exploitme01 application crashes with no input, or with input too largewith no input, or with input too large
Gnu DebuggerGnu Debugger
Program has a segmentation fault in Program has a segmentation fault in strcpystrcpy
Gnu DebuggerGnu Debugger
Debugger OutputDebugger Output
Registers: eax, ebx, … ebp, eipRegisters: eax, ebx, … ebp, eip– Temporary storage of dataTemporary storage of data– Most important for us is the eipMost important for us is the eip
Extended Instruction PointerExtended Instruction Pointer– Address of the next instruction to be executedAddress of the next instruction to be executed– If we can control this pointer, we can execute If we can control this pointer, we can execute
arbitrary codearbitrary code– We 0wn the boxWe 0wn the box
Injecting a Long StringInjecting a Long String
Fill stack with AsFill stack with As
eip is 41414141 – four bytes of A in ASCIIeip is 41414141 – four bytes of A in ASCII
Controlling the EIPControlling the EIP
This injection precisely targets the EIP This injection precisely targets the EIP with "CCCC" or 43434343with "CCCC" or 43434343
Finding the ESPFinding the ESP
The Extended Stack Pointer is also The Extended Stack Pointer is also needed for the exploit, so we can find the needed for the exploit, so we can find the code we injectedcode we injected
This program finds the ESPThis program finds the ESP
ESP on DVL 1.0ESP on DVL 1.0
The ESP is always the same on a The ESP is always the same on a vulnerable operating system like Damn vulnerable operating system like Damn Vulnerable Linux 1.0 or 1.1Vulnerable Linux 1.0 or 1.1
If you run the program several times, you If you run the program several times, you get the same answerget the same answer
ESP on DVL 1.4ESP on DVL 1.4
The ESP is different each timeThe ESP is different each time
Buffer overflows will be much more diffcult Buffer overflows will be much more diffcult to exploitto exploit
ESP on UbuntuESP on Ubuntu
A different ESP A different ESP each timeeach timeWindows also has Windows also has this "Address this "Address Space Layout Space Layout Randomization" Randomization" protection feature protection feature in Vista and Server in Vista and Server 20082008
Buffer Overflow TutorialBuffer Overflow Tutorial
http://mag.damnvulnerablelinux.org/2008/05/buffer-http://mag.damnvulnerablelinux.org/2008/05/buffer-overflow-tutorial-by-preddy-rootshell-security-group/overflow-tutorial-by-preddy-rootshell-security-group/
Heap/BSS/Data Overflows Heap/BSS/Data Overflows
More difficult to write than stack overflows, More difficult to write than stack overflows, but still dangerousbut still dangerousThe The heap heap is used by programs to allocate is used by programs to allocate dynamic memory at runtimedynamic memory at runtimeThere are no return function addresses to There are no return function addresses to overwrite on the heapoverwrite on the heapThese attacks depend on overwriting These attacks depend on overwriting important variables or sensitive heap block important variables or sensitive heap block structures that contain addresses structures that contain addresses
Example of Heap OverflowsExample of Heap Overflows
Titan FTP Server for WindowsTitan FTP Server for Windows– Bugtraq released August 30, 2004Bugtraq released August 30, 2004
Attacker passes a directory name longer Attacker passes a directory name longer than 20,480 bytes long to the CWD than 20,480 bytes long to the CWD (change working directory) command (change working directory) command
Attacker can execute arbitrary codeAttacker can execute arbitrary code– Exploit code at link Ch 11jExploit code at link Ch 11j– Heap overflow article at link Ch 11kHeap overflow article at link Ch 11k
Heap/BSS/Data Overflow Heap/BSS/Data Overflow Countermeasures Countermeasures
Practice safe and secure coding standards Practice safe and secure coding standards – Validate dataValidate data– Call functions properlyCall functions properly
Check your codeCheck your code– Regular code auditsRegular code audits
Some operating systems also add Some operating systems also add countermeasures to the heap countermeasures to the heap – Windows Server 2003 and Windows XP SP2 check Windows Server 2003 and Windows XP SP2 check
whether sensitive data in the heap blocks is correctly whether sensitive data in the heap blocks is correctly formed formed
Format String Attacks Format String Attacks
The correct way to use the printf function is this:The correct way to use the printf function is this:
printf("Hello world. My name printf("Hello world. My name is: %s\n", my_name); is: %s\n", my_name);
The %s is a The %s is a format stringformat string, telling C to print the , telling C to print the my_name variable as a stringmy_name variable as a string
Hello world. My name is: Stuart Hello world. My name is: Stuart McClureMcClure
Missing Format StringMissing Format String
A sloppy programmer can do this:A sloppy programmer can do this:
printf(my_name);printf(my_name);
So an attacker can add format strings like So an attacker can add format strings like %s, %d, %u in the my_name variable, and %s, %d, %u in the my_name variable, and read the contents of memory, or even read the contents of memory, or even write to memorywrite to memory– Link Ch 11lLink Ch 11l
Format String CountermeasuresFormat String Countermeasures
Validate input before using itValidate input before using it
Always include the format specifier Always include the format specifier explicitly in functions, like thisexplicitly in functions, like this
printf("Hello world. My printf("Hello world. My name is: %s\n", my_name); name is: %s\n", my_name);
Off-by-One Errors Off-by-One Errors
Here's an OpenSSH vulnerability discovered in Here's an OpenSSH vulnerability discovered in 20022002– The programmer wroteThe programmer wrote
if (id < 0 || id > channels_alloc) if (id < 0 || id > channels_alloc)
– The only allowed values are from 0 to channels_alloc-1.The only allowed values are from 0 to channels_alloc-1.– The case id=channels_alloc was incorrectly handled, The case id=channels_alloc was incorrectly handled,
allowing privilege escalationallowing privilege escalation
Off-by-One CountermeasuresOff-by-One Countermeasures
Audit code! The correct line was this:Audit code! The correct line was this:
if (id < 0 || id >= channels_alloc)if (id < 0 || id >= channels_alloc)
Input Validation AttacksInput Validation Attacks
Ways to sneak malicious input past input Ways to sneak malicious input past input validationvalidation
Canonicalization Attacks Canonicalization Attacks
CanonicalizationCanonicalization is converting input into is converting input into its standard form, or its standard form, or canonical formcanonical form
Example: the backslash character \Example: the backslash character \\\ in ASCIIin ASCII
%2f%2f in hexadecimalin hexadecimal
%2f%2f or or %c0%af%c0%af in Unicodein Unicode
URL Directory TraversalURL Directory Traversal
This URL would be blocked by a Web This URL would be blocked by a Web server because it has server because it has ../ ../ characters characters – http://10.1.1.3/scripts/../../../../winnt/http://10.1.1.3/scripts/../../../../winnt/
system32/cmd.exe?/c+dir system32/cmd.exe?/c+dir
This one might be allowed This one might be allowed – http://10.1.1.3/scripts/..%c0%af..%c0%af..http://10.1.1.3/scripts/..%c0%af..%c0%af..
%c0%af../winnt/system32/cmd.exe?/c+dir %c0%af../winnt/system32/cmd.exe?/c+dir
Other Canonical-Form ExploitsOther Canonical-Form Exploits
There are many others, here are some There are many others, here are some examplesexamples
Normalize Before Validation Normalize Before Validation
Canonicalization attacks work because Canonicalization attacks work because code is scanned for illegal characters code is scanned for illegal characters before it is converted to canonical formbefore it is converted to canonical form
Convert it first, and check for illegal Convert it first, and check for illegal characters afterwardscharacters afterwards
Canonicalization Countermeasures Canonicalization Countermeasures
This script will prevent some This script will prevent some canonicalization attacks against ASP.NET canonicalization attacks against ASP.NET applicationsapplications
URLScanURLScan
Prevents malicious URLs from reaching an Prevents malicious URLs from reaching an IIS Web serverIIS Web server
Built into IIS 6 and later versionsBuilt into IIS 6 and later versions
Web Application and Database Web Application and Database Attacks Attacks
SQL Injection and many moreSQL Injection and many more
Coming up in the next chapterComing up in the next chapter
Countermeasure: sanitize input before Countermeasure: sanitize input before using itusing it
Common Countermeasures Common Countermeasures
People: Changing the Culture People: Changing the Culture
Process: Security in the Development Process: Security in the Development Lifecycle (SDL) Lifecycle (SDL) – Threat ModelingThreat Modeling– Code Audits, both manual and automatedCode Audits, both manual and automated
ToolsTools
Security Testing Security Testing
FuzzingFuzzing– Generating random and crafted input to test Generating random and crafted input to test
softwaresoftware– This is how David Maynor 0wned the Mac via This is how David Maynor 0wned the Mac via
Wi-Fi (link Ch 11m)Wi-Fi (link Ch 11m)
Pen TestingPen Testing– Experienced attackers testing applicationExperienced attackers testing application
Audits & MaintenanceAudits & Maintenance
Audit or Final Security Review Audit or Final Security Review – Check products before shippingCheck products before shipping
MaintenanceMaintenance– Reports of vulnerabilitiesReports of vulnerabilities– Patches and hotfixesPatches and hotfixes