chapter 6 weaknesses exploited
DESCRIPTION
Chapter 6 Weaknesses Exploited. Weaknesses. Bad software is everywhere, and… …flaws can cause security problems In this chapter Various overflow conditions Format string vulnerabilities How weaknesses are found Defenses Human factors. Technical Weaknesses. Buffer overflow - PowerPoint PPT PresentationTRANSCRIPT
Chapter 6
Weaknesses Exploited
Weaknesses Bad software is everywhere, and… …flaws can cause security
problems In this chapter
o Various overflow conditionso Format string vulnerabilitieso How weaknesses are foundo Defenseso Human factors
Technical Weaknesses Buffer overflow Process address space: 4 sections1. Fixed-sized code block (code/text)2. Static data (data)3. Dynamic data (heap)4. “Scratch paper” (stack)
Technical Weaknesses C program example
Stack Frame Stack frame allocated for functions Stack holds…
o Local variableso Book keeping info, such as
Input arguments Return address Saved frame pointer, etc.
Stack Frame Stack frame
in action
Memory Organization Text == code Data == static
variables Heap == dynamic
data Stack == “scratch
paper” o Dynamic local variableso Parameters to functionso Return address
stack
heap
data
text
¬ high address
¬ low address
¬ SP
Simplified Stack Example
high
void func(int a, int b){char buffer[10];
}void main(){
func(1, 2);}
::
bufferretab
¬ return address
low
¬ SP¬ SP¬ SP
¬ SP
Smashing the Stack
high
What happens if buffer overflows?
::
buffer
ab
¬ ret…
low
¬ SP¬ SP¬ SP
¬ SP
retoverflow
Program “returns” to wrong location
NOT!
???
A crash is likelyoverflow
Smashing the Stack
high
Trudy has a better idea… ::
evil code
ab
low
¬ SP¬ SP¬ SP
¬ SP
retret
Code injection Trudy can run
code of her choosing…o On your
machine!
Smashing the Stack Trudy may not
know…1) Address of evil code2) Location of ret on
stack Solutions
1) Precede evil code with NOP “landing pad”
2) Insert ret many times
evil code
::
::
ret
ret:
NOP
NOP:
ret¬ ret
Stack Smashing Note that injected code is usually
known as “shellcode” Other overflow attacks are possible
o Some inject code, some don’to We discuss a few more examples later
Stack Smashing Summary A buffer overflow must exist in the code Not all buffer overflows are exploitable
o Things must align just right If exploitable, attacker can inject code Trial and error is likely required
o Fear not, lots of help available onlineo Smashing the Stack for Fun and Profit, Aleph
One Stack smashing is “attack of the decade”
o Regardless of the decade… Also heap overflow, integer overflow, etc.
Stack Smashing Example Program asks for a serial number that
the attacker does not know Attacker does not have source code Attacker does have the executable (exe)
Program quits on incorrect serial number
Example By trial and error, attacker discovers
apparent buffer overflow
Note that 0x41 is “A” Looks like ret overwritten by 2 bytes!
Example Next, disassemble bo.exe to find
The goal is to exploit buffer overflow to jump to address 0x401034
Example Find that, in ASCII, 0x401034 is “@^P4”
Byte order is reversed? Why? X86 processors are “little-endian”
Example Reverse the byte order to “4^P@”
and…
Success! We’ve bypassed serial number check by exploiting a buffer overflow
What just happened?o We overwrote the return address on the
stack
Example Note that in this example… We overwrote return address and
jumped to somewhere interesting We did not inject any code Other interesting places to jump
to?o Without injecting code, that is?o Often called “return to libc” attacks
Example Attacker did not require access to
the source code Only tool used was a disassembler to
determine address to jump to Possible to find desired address by
trial and error?o Necessary if attacker does not have exeo For example, a remote attack
Example Source code of the buffer overflow Flaw easily
found by attacker
Without the source code!
Stack Smashing Prevention
1st choice: employ non-executable stacko “No execute” NX bit (if available) o Seems like the logical thing to do, but some
real code executes on the stack (Java, for example)
2nd choice: use safe languages (Java, C#)
3rd choice: use safer C functionso For unsafe functions, there are safer
versionso For example, strncpy instead of strcpy
Stack Smashing Prevention
Canaryo Run-time stack checko Push canary onto
stacko Canary value:
Constant 0x000aff0d Or may depends on ret
¬
high
::
buffer
ab
low
overflowretcanaryoverflow
Microsoft’s Canary Microsoft added buffer security check
feature to C++ with /GS compiler flag Based on canary (or “security cookie”)Q: What to do when canary dies?A: Check for user-supplied “handler” Handler shown to be subject to attack
o Claims that attacker can specify handler code
o If so, formerly “safe” buffer overflows become exploitable when /GS is used!
ASLR Address Space Layout Randomization
o Randomize place where code loaded in memory
Makes most buffer overflow attacks probabilistic
Vista uses 256 random layoutso So about 1/256 chance buffer overflow
works? Similar thing in Mac and other OSs Attacks against Microsoft’s ASLR do
existo Possible to “de-randomize”
Buffer Overflow A major threat yesterday, today, and
tomorrow Can greatly reduced overflow attacks
o Use safe languages/safer functionso Educate developers, use tools, etc.
Buffer overflows will exist for a long timeo Legacy codeo Bad software development practices
Race Condition Security processes should be atomic
o Occur “all at once” Race conditions can arise when security-
critical process occurs in stages Attacker makes change between stages
o Often, between stage that gives authorization, but before stage that transfers ownership
Example: prepaid debit card
Race Condition Adding cash to card
1. User inserts card into card reader machine
2. Machine reads value of card: x3. User insert cash into machine: y4. User presses “enter” key5. Machine writes x+y to card6. Machine ejects card
Race condition?
Race Condition Attacks on cash card protocol? Insert 2 cards, sandwiched
together Card that is read has $100 value,
unread card has $1 valueo Step 2: Machine reads x = 100
Insert $2, so y = 2 Pull out read card, leaving unread
one Press “enter”…
Race Conditions Race conditions appear to be common
in softwareo May be more common than buffer overflows
But race conditions harder to exploito Buffer overflow is “low hanging fruit” today
To prevent race conditions…o Make security-critical processes atomico Occur all at once, not in stages
Not so easy to accomplish in practice
Heap Overflow Heap used for dynamic variables
o For example, malloc in C Can overflow one array into
another Makes it possible to change data
o Like example on next slide
Simple Buffer Overflow Consider boolean flag for authentication Buffer overflow could overwrite flag
allowing anyone to authenticate!
bufferFTF O U R S C …
Boolean flag
In some cases, Trudy can be more systematic
Heap Overflow Example BEFORE:
o buf2 = 22222222 AFTER:
o buf2 = 11122222
Heap Overflow Bookkeeping info stored on heap Can attacker exploit this?
Heap Overflow Data structure to keep track of free
memoryo Assume it is a doubly-linked list
Heap overflow attacks?
Heap Overflow Here we
free block B “Unlink” B
from heap If overflow
in A, can overwrite B’s pointers…
Heap Overflow Overwrite B’s
pointers Then free B Now if we ever get
to B, will go to shellcode
Integer Overflow Many “integer”
problems This example…
o What if len is negative?
o Note that memcpy thinks len is unsigned
Format String Vulnerabilities
Format string exampleprintf(“The magic number is %d\n”, 42);
Format strings:Parameter Meaning Passed
by…%d int value%u unsigned int value%x hex value%s string reference%n bytes written so
farreference
Format Strings and the Stack
Formatting functions retrieve parameters from the stacko Assuming that’s where they’re
stored… Consider
printf(“a has value %d at address %d\n”, a, &a); What if there are too few
arguments? For example
printf(“a has value %d at address %d\n”);
Format Strings and the Stack
Consider againprintf(“a has value %d at address %d\n”, a, &a);
Here, x1 and x2 are other things on the stack
high
::
aaddress of a
x1
x2
low
“a has … \n”
Format Strings and the Stack
What if there are too few arguments?
For exampleprintf(“a has value %d at address %d\n”);
What happens?high
::
x1
x2
x3
x4
low
“a has … \n”
Print stuff on stack Is this useful?
Format String Issue 1 We can “walk” the stack That is, print out items on the
stack For exampleprintf(“%08x %08x %08x %08x %08x\n”); As a bonus, it’s nicely formatted…
Format String Issue 2 What would this do?printf(“%s%s%s%s%s%s%s%s%s%s%s”); For each %s function printf will…
o Fetch a number from the stacko Treat the number as an addresso Print out whatever is at that address,
until NULL character Such an “address” might not exist!
Format String Example What about something like this…
void print_error(char *s){char buffer[100];snprintf(buffer, sizeof(buffer), “Error: %s”, s);printf(buffer);}
Suppose Trudy has control over what goes into the string s
Then some interesting possibilities…
Format String Issue 3
Suppose Trudy sets string s to
\x78\x56\x34\x12 %d%d%d%s Note \x78…\x12 is little
endian for 1234567 What does code on
previous slide do?
1st %d 2nd %d
high ::
%d%d
low
1234567
buffe
r
::
“Error: %s…”return
::
::%s
prin
tf
Format String Issue 4 The %n format is used to print the
number of characters written so far
Q: What does this do?int i;printf(“abcde%n, &i);
A: Writes 5 to variable i Can Trudy take advantage of this?
Format String Issue 4 Similar attack as “issue 3”… …except use %n in place of %s Then a value written to address
1234567o What value?
Some claim that this allows writing of arbitrary valueo Is this really true?
Format String Defenses Source code auditing
o Relatively few format strings Remove support for %n format
o Would this create any problems? Keep track of number of
arguments General buffer overflow prevention
o For example, ASLR (next slide…)
More DefensesMentioned by author
oNX approachoCanaryoASLRoSafe/safer languages
Finding Weaknesses How do attackers find
weaknesses? Technical analysis
o Study source code (if available)o Disassemble executables (SRE)o Decompile (good luck with that!)o Black box analysiso Study vendor patcheso Full disclosure websites
Zero day exploit?
Finding Weaknesses Social engineering
o Nuclear power plant company example
Impersonation Dumpster diving Shoulder surfing Fake email
o For example, ask for passwords Phishing
Virus Hoaxes Example: jdbgmgr.exe
I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple: …
Known as the teddy bear virus because this is the icon:
Exploitation Engines Developing a buffer overflow
attacko Tedious, lots of trial and erroro Until Metasploit was invented…
Metasploito Knows about lots of attackso Has lots of payloadso Doesn’t require much thought/effort
Metasploit Payloads include
o Bind shell to current porto Bind shell to arbitrary porto Reverse shello Windows VNC Server DLL injecto Reverse VNC DLL injecto Inject DLL into running applicationo Create local admin usero The Meterpreter (run command of
attacker’s choosing)
Metasploit Web Interface
Metasploit Advantages for attackers?
o Reduces “development cycle”o Resulting attacks much more reliable
Advantages for good guys?o Helps identify false positiveso Help improve IDSo Improved penetration testingo Improved management awareness