Buffer Overflows with Content

Upload: vanquynh

Post on 14-Feb-2017


Page 1: Buffer Overflows with Content

Page 2: A Process Stack

Page 3: Buffer Overflow

• Common techniques employed in buffer overflow exploits to create backdoors:

– Execution of additional network services via the INETD daemon

– The addition of new users to a system

– Establishing a “trust” relationship between the victim machine and the attacker’s machine

Page 4: Example – AMD Buffer Overflow

Port 2222 is a rootshell left by the AMD exploit

Page 5: Detecting Buffer Overflows by Protocol Signatures

• Protocol signature

– Look for anomalous traffic, such as remote traffic targeted at facilities that should not be accessible to a remote user, e.g. a remote user trying to connect to the Portmapper process

• Payload signature

– No-op instructions used to pad the exploit code

– Script signatures

– Abnormal user data and responses

Page 6: IMAP Buffer Overflow

Page 7: IMAP Buffer Overflow – Con’t

Page 8: IMAP Buffer Overflow – Con’t

Page 9: IMAP Buffer Overflow – Con’t

• ls –a

• echo “+ + ” > /.rhosts

Page 10: NO-OP Hex Code Based on Processor Type

Page 11: Script Signatures – NO-OP Overflow

Page 12: Script Signatures – NO-OP Overflow Con’t

Page 13: Script Signatures – NO-OP Overflow Con’t

• This frame shows a large number of hex 90s followed by some machine code, some ASCII strings, and a literal command /bin/sh -c

Page 14: Abnormal Responses – FTP Authentication Buffer Overflow (FTPD exploit)

The password supplied in response to the FTPD prompt is suspiciously large
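The payload signatures the deck lists (Page 5), the NOP-padded frame of Page 13 and the oversized FTP password above all reduce to simple checks over the bytes of a captured payload. The following C program is an added example written for this transcript; it is not code from the slides or from any IDS product. It scans a payload for a run of the x86 no-op opcode 0x90, for the literal string /bin/sh, and for an FTP PASS argument longer than a threshold. The thresholds, the function names and the three sample payloads are constructed for the example.

```c
/* Added example, not from the slides: a minimal payload-signature scanner
 * of the kind an IDS applies to a captured packet payload. It looks for
 * three of the indicators the slides list: a NOP sled (a long run of the
 * processor's no-op opcode, 0x90 on x86), a literal shell command string,
 * and an oversized argument to an FTP PASS command. Thresholds, function
 * names and the sample payloads are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define NOP_SLED_MIN 32    /* constructed threshold: flag runs this long or longer */
#define FTP_ARG_MAX  128   /* constructed threshold: longest plausible PASS argument */

/* Longest run of the x86 no-op opcode (0x90) anywhere in the payload. */
size_t longest_nop_run(const unsigned char *p, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (p[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* 1 if the literal string "/bin/sh" occurs anywhere in the payload. A byte-wise
 * search is used rather than strstr() so embedded NUL bytes do not end the scan. */
int has_shell_string(const unsigned char *p, size_t n)
{
    static const char needle[] = "/bin/sh";
    const size_t m = sizeof needle - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, needle, m) == 0) return 1;
    return 0;
}

/* Length of the argument to an FTP "PASS " command that starts the payload
 * (measured up to CRLF or end of data); 0 if the payload is not a PASS command. */
size_t ftp_pass_arg_len(const unsigned char *p, size_t n)
{
    static const char prefix[] = "PASS ";
    const size_t m = sizeof prefix - 1;
    size_t len = 0;
    if (n < m || memcmp(p, prefix, m) != 0) return 0;
    for (size_t i = m; i < n && p[i] != '\r' && p[i] != '\n'; i++) len++;
    return len;
}

/* Bitmask of matched signatures: 1 = NOP sled, 2 = shell string, 4 = oversized PASS. */
int scan_payload(const unsigned char *p, size_t n)
{
    int hits = 0;
    if (longest_nop_run(p, n) >= NOP_SLED_MIN) hits |= 1;
    if (has_shell_string(p, n))                hits |= 2;
    if (ftp_pass_arg_len(p, n) > FTP_ARG_MAX)  hits |= 4;
    return hits;
}

/* Constructed sample: 64 bytes of 0x90 followed by the string "/bin/sh",
 * the shape the Page 13 slide describes. Expected result: 3 (sled + shell string). */
int scan_sample_sled(void)
{
    unsigned char buf[64 + 7];
    memset(buf, 0x90, 64);
    memcpy(buf + 64, "/bin/sh", 7);
    return scan_payload(buf, sizeof buf);
}

/* Constructed sample: "PASS " followed by 300 'A' bytes and CRLF, the
 * suspiciously large password of the FTPD slide. Expected result: 4. */
int scan_sample_ftp(void)
{
    unsigned char buf[5 + 300 + 2];
    memcpy(buf, "PASS ", 5);
    memset(buf + 5, 'A', 300);
    memcpy(buf + 305, "\r\n", 2);
    return scan_payload(buf, sizeof buf);
}

/* Constructed sample: an ordinary login line, which should produce no hits. */
int scan_sample_benign(void)
{
    static const char line[] = "PASS hunter2\r\n";
    return scan_payload((const unsigned char *)line, sizeof line - 1);
}

int main(void)
{
    printf("sled sample   -> hits 0x%x\n", scan_sample_sled());
    printf("ftp sample    -> hits 0x%x\n", scan_sample_ftp());
    printf("benign sample -> hits 0x%x\n", scan_sample_benign());
    return 0;
}
```

The NOP threshold is the part a practitioner tunes: legitimate binary transfers can contain short runs of 0x90, so a signature fires on run length, not on the presence of the byte, and the deck's Page 10 point applies here too: the opcode to look for depends on the target processor, so a real sensor keeps one pattern per architecture.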

Page 15: Defending Against Buffer Overflows

• strcpy and strncpy

• Introduce bounds checking into C programs

• Stack-based buffer overflow – the CPU executes code that is resident on the stack

– Only code in the code space should be executable
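As an added illustration of the first two points above (not code from the slides), the following C program places the unbounded strcpy() pattern beside a length-checked copy and beside the strncpy() idiom with the termination step that strncpy() itself omits. The buffer size, the function names and the sample names are chosen for this example.

```c
/* Added example, not from the slides: the unsafe copy the slide points at,
 * beside two bounded versions. strcpy() copies until it finds a NUL, so a
 * caller-supplied string longer than the local buffer writes past it into
 * whatever sits above on the stack (saved frame pointer, return address),
 * which is what a stack-based overflow exploits. The checked version refuses
 * input that does not fit instead of truncating it; the strncpy() version
 * shows the termination step that strncpy() itself does not perform. Buffer
 * size and function names are chosen for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed: room for 15 characters plus the NUL */

/* Unsafe: no bounds check at all. Kept only to show the shape of the defect;
 * it is never called with untrusted input in this example. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);              /* overflows buf once strlen(name) >= NAME_MAX */
    printf("hello %s\n", buf);
}

/* Checked copy: returns 0 on success, -1 if src (plus its NUL) does not fit.
 * Rejecting is preferable to silent truncation, which can turn a file name
 * or command into a different, still valid one. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size) return -1;   /* would overflow: refuse */
    memcpy(dst, src, n + 1);        /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* The strncpy() idiom done carefully: strncpy() does not NUL-terminate when
 * src is at least dst_size long, so terminate explicitly, and report whether
 * truncation happened (1) so the caller can treat it as an error. */
int copy_name_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) < dst_size ? 0 : 1;
}

/* Hardened counterpart of greet_unsafe(): returns 0, or -1 for oversized input. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX];
    if (copy_name_checked(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "rejected name of %zu bytes (max %d)\n", strlen(name), NAME_MAX - 1);
        return -1;
    }
    printf("hello %s\n", buf);
    return 0;
}

/* Small helpers so the two copy routines can be exercised without a caller buffer. */
int try_checked(const char *src)
{
    char buf[NAME_MAX];
    return copy_name_checked(buf, sizeof buf, src);
}

int stored_len_strncpy(const char *src)
{
    char buf[NAME_MAX];
    copy_name_strncpy(buf, sizeof buf, src);
    return (int)strlen(buf);        /* never more than NAME_MAX - 1 */
}

int main(void)
{
    greet_safe("alice");                                     /* fits */
    greet_safe("this-name-is-far-too-long-for-the-buffer");  /* rejected */
    printf("strncpy stored %d bytes of a 19-byte name\n",
           stored_len_strncpy("0123456789abcdefXYZ"));
    return 0;
}
```

The slide's third point, that only code in the code space should execute, is an operating-system and toolchain control (a non-executable stack) rather than something this source shows; it limits what a successful overflow can do but does not remove the overflow itself, which is why the length check stays necessary.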

Page 16: Fragmentation

Page 17: Fragmentation

• Attackers can use fragmentation to mask their probes and exploits

• The fragment offset is specified as a quantity of 8-byte chunks

– The size of all legal non-terminal fragments must be a multiple of 8 bytes

• Every fragment of a fragmented packet carries a byte size divisible by 8, except for the last one

Page 18: Boink Attack

• IP stack has no concept of negative math

• Availability DoS
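The fragmentation rules of Page 17, the "no concept of negative math" point above, and the Teardrop and Ping of Death slides that follow can all be checked with a few lines of arithmetic over a fragment list. The C program below is an added example written for this transcript, not code from the slides or from any IP stack: it sorts the fragments by offset, enforces the 8-byte alignment rule for non-terminal fragments, rejects any fragment that would push the reassembled datagram past the 65535-byte limit of the 16-bit IP total-length field, and refuses a fragment that ends inside data already held, which is the case where a naive reassembler's trimmed length goes negative. The structure and verdict names and the sample fragment lists are constructed.

```c
/* Added example, not from the slides: a fragment-list checker that applies
 * the rules the slides state for IP fragmentation and flags the shapes behind
 * the Teardrop/Boink and Ping-of-Death style attacks. The fragment offset is
 * carried in 8-byte units; every fragment except the last (MF flag set) must
 * carry a payload that is a multiple of 8 bytes; and the reassembled datagram
 * can never exceed 65535 bytes, the limit of the 16-bit IP total-length field.
 * Structure names, verdict names and the sample fragment lists are constructed. */
#include <stdio.h>
#include <stdlib.h>

#define IP_MAX_DATAGRAM 65535UL

struct frag {
    unsigned offset_units;  /* 13-bit fragment offset, in 8-byte units */
    int      more;          /* MF flag: 1 on every fragment except the last */
    unsigned len;           /* payload bytes carried by this fragment */
};

enum frag_verdict {
    FRAG_OK = 0,
    FRAG_BAD_ALIGNMENT,     /* non-last fragment whose length is not a multiple of 8 */
    FRAG_OVERSIZE,          /* offset + length exceeds 65535 (Ping of Death shape) */
    FRAG_NEGATIVE_OVERLAP   /* fragment ends inside the previous one (Teardrop/Boink shape) */
};

static int by_offset(const void *a, const void *b)
{
    const struct frag *x = a, *y = b;
    return (x->offset_units > y->offset_units) - (x->offset_units < y->offset_units);
}

/* Sorts the fragments by offset (in place) and returns the first problem found.
 * The overlap test mirrors the arithmetic a naive reassembler performs when it
 * trims a fragment that starts inside data it already holds: the remaining
 * length is end - prev_end, and a stack with "no concept of negative math"
 * treats a negative result as a huge unsigned length. We compute it signed
 * and refuse anything that is not strictly positive. A partial overlap whose
 * end still lies beyond prev_end is tolerated, as ordinary trimming handles it. */
enum frag_verdict check_fragments(struct frag *f, size_t n)
{
    long prev_end = 0;      /* byte offset just past the highest fragment accepted so far */
    qsort(f, n, sizeof *f, by_offset);
    for (size_t i = 0; i < n; i++) {
        unsigned long start = (unsigned long)f[i].offset_units * 8;
        unsigned long end   = start + f[i].len;
        if (f[i].more && f[i].len % 8 != 0)        return FRAG_BAD_ALIGNMENT;
        if (end > IP_MAX_DATAGRAM)                 return FRAG_OVERSIZE;
        if (i > 0 && (long)end - prev_end <= 0)    return FRAG_NEGATIVE_OVERLAP;
        prev_end = (long)end;
    }
    return FRAG_OK;
}

const char *verdict_name(enum frag_verdict v)
{
    static const char *names[] = { "ok", "bad alignment", "oversize", "negative overlap" };
    return names[v];
}

/* Constructed sample: three well-formed fragments, delivered out of order. */
enum frag_verdict sample_normal(void)
{
    struct frag f[] = { {185, 1, 1480}, {0, 1, 1480}, {370, 0, 100} };
    return check_fragments(f, 3);
}

/* Constructed sample: a 36-byte non-terminal fragment breaks the 8-byte rule. */
enum frag_verdict sample_misaligned(void)
{
    struct frag f[] = { {0, 1, 36}, {5, 0, 8} };
    return check_fragments(f, 2);
}

/* Constructed sample: the second fragment lies entirely inside the first
 * (bytes 24..27 of a fragment covering 0..31), so end - prev_end is -4. */
enum frag_verdict sample_teardrop(void)
{
    struct frag f[] = { {0, 1, 32}, {3, 0, 4} };
    return check_fragments(f, 2);
}

/* Constructed sample: the last fragment starts at byte 65512 and carries
 * 100 bytes, so the reassembled datagram would exceed 65535 bytes. */
enum frag_verdict sample_ping_of_death(void)
{
    struct frag f[] = { {0, 1, 1480}, {8189, 0, 100} };
    return check_fragments(f, 2);
}

int main(void)
{
    printf("normal        : %s\n", verdict_name(sample_normal()));
    printf("misaligned    : %s\n", verdict_name(sample_misaligned()));
    printf("teardrop      : %s\n", verdict_name(sample_teardrop()));
    printf("ping of death : %s\n", verdict_name(sample_ping_of_death()));
    return 0;
}
```

Sorting first matters: fragments legitimately arrive out of order, and a checker that compared each fragment only with the one received before it would flag ordinary traffic. The alignment test and the size test need no reassembly state at all, which is why they are cheap to apply on a sensor that sees each fragment only once.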

Page 19: Teardrop Attack

Page 20: evilPing

Page 21: evilPing

Page 22: Modified Ping of Death

Page 23: Modified Ping of Death

Page 24: CGI Scan

• The attacker is running a script that attempts a number of Web server exploits, such as /cgi-bin/rwwwshell.pl

Page 25: CGI Scan – Con’t

Page 26: PHF Attack

CVE-1999-0067

Page 27: Some Example CGI CVE Entries

• CVE-1999-0068 – CGI PHP mylog script allows an attacker to read any file on the target server.

• CVE-1999-0467 – The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

• CVE-1999-0509 – Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.
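What distinguishes the CGI scan of Page 24 from a single stray request for phf (Page 26) is the number of different known programs one client asks for. The C program below is an added example written for this transcript, not code from the slides or from any product: it matches request paths against the CGI program names that appear on these slides (phf, rwwwshell.pl, wguest.exe, rguest.exe), keeps a per-client bitmask of which probes were seen, and reports clients that reach a threshold of distinct probes. The log records, the client addresses (documentation range 192.0.2.0/24) and the threshold are constructed.

```c
/* Added example, not from the slides: a small request-log matcher of the kind
 * an IDS or log monitor uses to tell a CGI scan from a stray request. Each
 * request path is checked against CGI program names that appear on the slides
 * (phf, rwwwshell.pl, wguest.exe, rguest.exe), and the number of distinct
 * probes per client is counted; a client that reaches the threshold is reported
 * as a scanner. The log records, client addresses (documentation range
 * 192.0.2.0/24) and the threshold are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define SCAN_THRESHOLD 3   /* constructed: distinct known probes before a client counts as scanning */
#define MAX_CLIENTS    32  /* constructed: size of the per-client table */

static const char *known_cgi_probes[] = {
    "/cgi-bin/phf", "/cgi-bin/rwwwshell.pl", "wguest.exe", "rguest.exe"
};
#define N_PROBES (sizeof known_cgi_probes / sizeof known_cgi_probes[0])

struct request { const char *ip; const char *path; };   /* one log record */

struct client_stats {
    char     ip[16];
    unsigned seen;        /* bit i set once probe i has been requested */
};

/* Index of the first known probe name found in the path, or -1 for none. */
int match_probe(const char *path)
{
    for (size_t i = 0; i < N_PROBES; i++)
        if (strstr(path, known_cgi_probes[i]) != NULL) return (int)i;
    return -1;
}

static int bits_set(unsigned v)
{
    int c = 0;
    for (; v; v &= v - 1) c++;
    return c;
}

/* Number of clients whose count of distinct known probes reaches SCAN_THRESHOLD. */
int count_scanners(const struct request *log, size_t n)
{
    struct client_stats clients[MAX_CLIENTS];
    size_t nclients = 0;

    for (size_t i = 0; i < n; i++) {
        int p = match_probe(log[i].path);
        if (p < 0) continue;                      /* ordinary request: ignore */
        size_t c;
        for (c = 0; c < nclients; c++)
            if (strcmp(clients[c].ip, log[i].ip) == 0) break;
        if (c == nclients) {                      /* first probe from this client */
            if (nclients == MAX_CLIENTS) continue; /* table full: skipped in this example */
            strncpy(clients[c].ip, log[i].ip, sizeof clients[c].ip - 1);
            clients[c].ip[sizeof clients[c].ip - 1] = '\0';
            clients[c].seen = 0;
            nclients++;
        }
        clients[c].seen |= 1u << p;
    }

    int scanners = 0;
    for (size_t c = 0; c < nclients; c++)
        if (bits_set(clients[c].seen) >= SCAN_THRESHOLD) {
            printf("scanner: %s (%d distinct CGI probes)\n", clients[c].ip, bits_set(clients[c].seen));
            scanners++;
        }
    return scanners;
}

/* Constructed log: one client walks three different CGI probes, another
 * makes a single request for phf. Expected result: 1 scanner. */
int sample_scanners(void)
{
    static const struct request log[] = {
        { "192.0.2.10", "/index.html" },
        { "192.0.2.55", "/cgi-bin/phf" },
        { "192.0.2.55", "/cgi-bin/rwwwshell.pl" },
        { "192.0.2.55", "/cgi-bin/wguest.exe" },
        { "192.0.2.10", "/cgi-bin/phf" },          /* one stray probe: below threshold */
        { "192.0.2.55", "/cgi-bin/phf" },          /* repeat: not a new distinct probe */
    };
    return count_scanners(log, sizeof log / sizeof log[0]);
}

int main(void)
{
    printf("scanners found: %d\n", sample_scanners());
    return 0;
}
```

Counting distinct probes rather than raw hits is what keeps the repeat request for phf from inflating the score; a real monitor would also window the count in time and pair it with the server's response codes, since a scan of programs that are not installed shows up as a burst of 404s from one address.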

Page 28: SGI IRIX Object Server

• CVE-2000-0245

• A vulnerability in an SGI IRIX object server daemon

– Allows remote attackers to create user accounts

– Port 5135: the SGI object server

• Scan one to goodguy-a.com yields nothing

Page 29: SGI Object Server – Con’t

• The scan to goodguy-b.com is a bust

Page 30: SGI Object Server – Con’t

• The start of the bad guy

• The user zippy is added