when good code goes bad
DESCRIPTION
Presentation by Haroon Meer and Charl van der Walt at ISSA in 2006. The presentation begins with an explanation of a stack overflow attack and format string vulnerability, both with example code. Dangerous integers are also explained. The presentation ends with a discussion on ActiveX control.TRANSCRIPT
WHEN GOOD CODE GOES WHEN GOOD CODE GOES BAD!BAD!
A SHOWCASE OF MODERN PROGRAMMING MISHAPS
(SensePost 2006)
Introduction
• Who we are.. (SensePost)• Who we are.. (charl && haroon)• What this talk is about..
– Answer some of those questions you never ask..
– Some real world examples (of shocking code)– Some real world repercussions– Mind the Gap
• Constraints…
Agenda
• What is this stack overflow stuff?
• Then what’s a format string vulnerability?
• Hmmm.. What’s all this about dangerous Integers?
• What happens if we fix all the code?
• Questions..
What’s this Stack Overflow stuff?
• This is really old news.. (Morris Worm 1988)
• Is it even still a problem?
• Super simple explanation:• The Stack..• Dangerous functions
Super Simple Explanation..
1
2
Saved Return Address
Base Pointer
void foo(int a, int b)
{
char buf1[8];
char buf2[8];
gets(buf2);
}
int main(void)
{
foo(1,2);
printf(“All done!”)
}
Buf1
Buf2
SAVED RETURN ADDRESS
Buf1
Typical Attack..
1
2
Saved Return Address
Base Pointer
void foo(int a, int b)
{
char buf1[8];
char buf2[8];
gets(buf2);
}
int main(void)
{
foo(1,2);
printf(“All done!”)
}
SAVED RETURN ADDRESS
FAKE NEW ADDRESS
What’s this Stack Overflow stuff?
• This is really old news.. (Morris Worm 1988)
• Is it even still a problem?• Super simple explanation:
• The Stack..• Dangerous functions
• Who would make such a silly mistake?• Everyone…
• How easy is this to take advantage of?• Today? Point & Click ownage!
Then what’s a format string bug?
• Spot the bug ?
• “Safe Version”• See it yet?
void syslog(char *buff)
{
printf(buff)
}
void syslog(char *buff)
{
printf(“%s”, buff)
}
Then what’s a format string bug?
printf(“%s”, buff); printf(buff);
Then what’s a format string bug?
printf(“%s”, buff);buff = “%s”;
printf(buff);
C:\> issa_format.exe
What’s a dangerous Integer?
What’s a dangerous Integer?
• Same size as a pointer
• Fixed size (32 bits for our purposes)
• MAXINT + 1 == ?
• ISO C99 “Causes Undefined Behavior”
• 0xffffffff + 0x1 == 0 {Integer Wrap Around}
• Why is this dangerous ?
Ugly Pseudo-Code
1.) get data from user (buffer)2.) add trailing \0 character3.) add 1 to length of buffer (for our \0)4.) If(length > 80)5.) { 6.) printf(“Sorry your buffer is too
long!”; 7.) exit -18.) }9.) else0.) { copy(other_buffer, buffer); }
What happens if we fix all the code?
• The proliferation of “Managed Code”
• Better and better static code analysis..
• Is the end in sight for bug hunters?– RealVNC Authentication Bypass– ActiveX Control
RealVNC Authentication Bypass
• Discovered by Steve Wiseman of intelliadmin.com (by mistake)
RealVNC Authentication Bypass
“show us”
What does this mean?
1. Vendors:• There are lots of defects that tools can not easily
detect..• (There are lots of defects they can!)• No vendor is safe just because they have deeper
pockets (or “more eyeballs”)
2. ISO’s:• Defense in Depth..• End-point-security..• Patch Management ?• If it can happen to Microsoft …
Questions ?Questions [email protected]