Advanced Format String AttacksPresented by Paul Haas

Contents

•Background

•Abstract

•Definition

•Context

•Technique

•How-to

•Tools

•Exploits

•Conclusion

•Q&A

Background

•LeadWebApplicationSecurityEngineeratRedspin,Incwithover4yearsexperienceinhundredsofaudits.

•Thistalkisnotassociatedwithmycompany

•Defcon13CTFwinner(Shellphish2005)

•AlumniofUCSB’sComputerSecurityGroup

•MarioKartDS:RobinTankonRainbowRoad

In

#include<stdio.h>

intmain(intargc,char**argv){

printf(argv[1]);

}

Out

Readingarbitrarylocations

Writingarbitrarylocations

Executingarbitrarycode

Getashell

Without

RTFMandWritingityourself!

Format String Attack

•SoftwarevulnerabilityincertainCfunctionsthatperformstringformattingleadingtothepotentialtowritearbitrarydatatoarbitrarylocations

•Despiteeasysolutions,vulnerabilitiesandignoranceofissuestillexist,hencethetalk

•Commoninhackademicexercises

•Talkassumesyouhaveabasicideaoftheattack(%x,%s,%n)

•Talkdetailstechniquebuttoolsdonotrequireit

Brief History

•1990:csh“InteractionEffect”crash:!o%8f

•1999-09-17:proftpd1.2.0pre6“Argumentattack/snprintfVulnerability”(BID650)

•2000-06-22:wu-ftpd2.6.0RemoteFormatStringStackOverwriteVulnerability(BID1387)

•2000-09-09:“FormatStringAttacks”whitepaperbyTimNewsham

•2010-06-30:KVIrcDCCDirectoryTraversalandMultipleFormatStringVulnerabilities(BID40746)

Old Technique

•Manualpoppingupofstackusingstringof‘%x’s

•Getoverwriteaddressusingothertechnique

•SearchforshellcodeincoreafterSEGFAULT

•Characterswrittenusinglongvaluein%xor%c

•Finalwritetoaddressusing%n

•FrequentRTFM

•Writeonce,useonce

Current Technique

•%pgivesdetailedinformationofstacklocation

•%sallowsustoviewknownstackaddressesasstrings

•%NNccontrolsnumberofbyteswritten

•%hhnallowssinglebytewrites

•Directparameteraccessshortensformatstring: %5$n=%p%p%p%p%p%n

New Technique

•FormatStringAttackallowsustodumpstack

•Stackcontainsinterestinginformation:

data,codepointers,stackaddresses

ourformatstring,formatstring’saddress

stackoffsetlocationofalloftheabove

•Knowledgeofthisgivesustheaddressofanyvalueonthestack

•Thesevaluesareenoughtowriteourexploit

Our Vulnerable Code

#include<stdio.h>

intmain(intargc,char**argv){ printf(argv[1]);}#Compileandsetupinsecureenvironment

gccprintf.c-w-O0-ggdb-std=c99-static-D_FORTIFY_SOURCE=0-fno-pie-Wno-format-Wno-format-security-fno-stack-protector-znorelro-zexecstack-oprintf

sudosysctl-wkernel.randomize_va_space=0

Exploit Steps

•Dumpstackvaluesuntilformatstringisfound

•Locatepointeraddressofformatstring

•Chooseouroverwriteaddressonthestack

•Pointformatstringatoverwriteaddressandwriteaddressofshellcodetoendofstring

•Adjustoffsetsfor‘chickenandegg’problem:

Addressofformatstringbasedonitslength

Formatstringneedsitsownaddresstoreference

Stack Dump

•Method1:Passalongstringof%p’s

./printf`perl-E‘say“%p”x200’`

•Method2:Executebinaryinloopwith%NNN$p

foriin{001..200};doecho-n“$i=“;./printf “%$i\$p”;echo;done

•Searchforhexrepresentationofstring

$=0x24,%=0x25,p=0x70

•Resultwillbestackoffsetofformatstring

Format String Address

•Executebinaryinloopwithsequential%NNN$s

WillcauseSEGFAULTS,maytripanyIDSsystems

foriin{001..100};doecho-n“$i=“;./printf “%$i\$p:%$i\$s”;echo;done|grep-v^$

•Createformatstringonlycomprisingofaddressesobtainedfromstackdump

Singleexecution/stringpreventsSEGFAULT

Muchmoreelegant,verifiesconstantstack

Offset + Address = WIN

Matchingupanoffsettoastackaddressallowsustolearntheaddressofanylocationonthestack

Example:

Offset100(0xBFFFF100):Ourformatstring

sizeof(pointer)=4bytes*100pointers=400

Offset1=0xBFFFF100+400=0xBFFFF290

Overwrite Location

•Commonexploitlocationsrequirebinaryexaminationtools:PLT,DTORS,LIBC

•Advanceformatstringattackcouldextractthesefromknownbinaryheaders(difficult)

•Returnaddressesarestoredonthestack

Weknowthestackaddressofeachvalue

•Overwritetheselocationstopointtoshellcode

Issues

•Differentformatstringslengthseffectstackaddresses,yetweassumestackisconstant

Keepallstringstosamemodulusofsizeof(pointer)

•Formatstringmaynotalignwithstackaddress

Keeppaddingrequirementwhenaddressingstring

•Evenwiththecorrectmodulusandpad,ourstringoffsetmaybeoff

Verifyourexploitbeforeweattemptitbyreading ratherthanwritingtoouroverwritelocation

Result

•Itispossibletocreateaformatstringexploitusingonly2executionsofthevulnerableprogramwithnoprogramexceptions

•Mathonly,nobruteforcingnecessary

•Incorporateshellcodeaspartofformatstring

•Smallerformatstringbuffersarealsopossible

8bytestoexamineastackaddress

Formatstringassmallas68bytes+shellcode

Format String Auto Exploitation

•ProofofconcepttoolinPython

•InstructionsforrunningonBacktrack4

•Multipleexploitandoverwriteoptions

•Missingsomeusefulfeatures:

Separateexecutionofindependentsteps

Architecturesindependent(x86&64)

Readarbitrarylocationsratherthanwrite

Finercontroloverexploit

Metasploit Integration

•Controleachstepoftheexploitindividuallyorautomateentireprocess

•Useaspayloadgenerator

•UsesMetasploitpayloadlibraryforshellcode

•Integratesintoothermodulesandinjectionfunctionality

•FunctionalitywillbedemonstratedduringDefcon

Demonstrations

•TestingCode

•OverTheWire

•Knownexploit

•0-Day?

Summary

•Theoutputfromformatstringattacksgivesyoueverythingyouneedtoknowtogofromdiscoverytocompromise

•Theexploitationprocesscanbeautomatedfromstarttofinish

•Formatstringattacksareeasytofix,andnowareeasytoexploitaswell

•Thereareplentyofvulnerableprogramsouttheretodiscoverandexploit

Questions?

Thanks

•Themostrecentversionofthispresentationandassociatedtoolscanbefoundonwww.redspin.comandwww.defcon.org

•LookfortheincorporationofthetoolsinthistalkinMetasploitinthenearfuture

•Anyfollow-upquestionscanbeaddressedtophaasATredspinDOTcom

•ShoutstotheShellphish,G.Vigna”zanardi”andtheGoatsatRedspin{ap3r,jhaddix,fulg0re,D3,OwNpile,Yimmy&b3tty}