Exploitation possibilities of memory related vulnerabilities
László ERDŐDI, PhD, CEH, SSCP
Óbuda University, John von Neumann Faculty of Informatics, Department of Software
Technology
Memory corruption vulnerabilities since 2002
2002 2005 2008 2011
100
200
300
400
CVE 2013-4974CVE 2013-4206CVE 2013-3348
Virtual address spaceLocal variables, method parameters, exception handling data,return adresses
Dynamically linked shared libraries (libc)
Dynamic variables
Global variables
Compiled code
Physical memory
Virtual memory
Main causes and exploitation methods
• Lack of input validation within methods (strcpy, gets, etc): stack based overflow (placing harmful code to the stack, ROP, JOP)
• Dynamic memory allocation problems (use after free, double free vulnerabilities) heap overflow (function pointer overwrite + heap spray)
• Exception handling errors (SEH overwrite)
• Others
Classic example of buffer overflow
Code segment
Stack
a
d
…Method1(a){
d : fixed size arraycopy a to d
}
Method2(){
Method1(a);}…
Avoiding memory execution protection (return to libc)
Avoiding DEP: Return oriented programming (ROP) Shacham, 2007
Executable code will not be placed on the stack only series of memory addresses and parameters
Memory addr 1Memory addr 2Parameter 1Parameter 2Memory addr 3Parameter 4Instruction 1
ret
Instruction 2ret
Instruction 3ret
Jump oriented programming (JOP)Bletsch, Jiang, Freeh 2011
• Attack execution without using stack (not sensible for stack cookie and returnless kernel, it can be used in the case of register machines)
Instruction 1jmp
Instruction 2jmp
Instruction 3jmp
Dispatcher gadgetIncreasing the index pointerJumping to current address
Dispatcher table:Memory addr1Memory addr2Parameter 1Parameter 2Memory addr3Parameter4
Protection against memory corruption
Stack overflow
Heap overflow (double free, use after free)
SEH chain rewrite
Unhandled exceptions
Return to libc
ROPJOP
?
+ Return address checking?
+control flow integrity?
Jump Oriented Programming – dispatcher gadgets in shared libraries (Erdődi, 2013)
Jump Oriented Programming – WinExec example for Win32 X86
Return and Jump Oriented Programing requirements of Turing-completeness Kornau: ARM 2009, Buchanen, Roemer: RISC 2008
– Arbitrary code execution
– Loading variables from memory
– Writing variables to memory
– Branches
– Cycles
– Method calls
Example: How to carry out conditional statements with return-oriented programming?
Method 1: Writing the addresses of the false branch andtrue branch into the writeable memory, setting of the espaccording to indirect addressing. 31 gadgets
Method 2: Loading the distance between the address ofthe false branch and true branch in the memory into aregister, adding to esp that value if the condition is true17 gadgets
Method 3: Applying gadget which carries out thecondition evaluation and jumps at the same time5 gadgets
Instruction 1ret
Instruction 2ret
Instruction 3ret
Description language for return- and jump- oriented programming
write: e.g placing „net user add user passw” to the data segment
gadget1: pop reg1 gadget1: pop reg1 write4:address:valuegadget2: pop reg2 gadget2: pop reg2gadget3: mov [reg1], reg2 gadget3: add reg1, reg2
gadget4: pop reg3gadget5: pop reg4gadget6: add reg3, reg4gadget7: mov [reg1], reg3
write4:00400000:netwrite4:00400004:userwrite4:00400008: add write:00400000:net user add user passwdwrite4:0040000c: usewrite4:00400010:r pawrite3:00400014:ssw
Description language for return- and jump- oriented programming
write:address:value
call:address:param1:param2: … paramne.g call:fopen address:filenamestring:filemod
if:condition:address_true:address_false
Description language for return- and jump- oriented programming
sample program:
1: write:dataseg_addr1:filename_string write:00400000:try.txt 2: call:fopen_address:dataseg_addr1:filemod call:7c560122:00400000:03: if:address_of_gadget_cmp eax,0:6:4 if:77c7d230:6:44: write:dataseg_addr2:name of executable write:00400010:cmd.exe5:call:winexec_addr:dataseg_addr2 call:7d77501c:04000106:call:exitprocess_addr call:7c210254
Summary
• Memory related vulnerabilities are extremly dangerous and developing quickly
• The tendency is the legitimate code-reuse for attacking (ROP, JOP)
• Several open questions still to solve