hacking module 16

Upload: jitendra-kumar-dash

Post on 29-May-2018


  • 8/9/2019 hacking Module 16

    1/28

    NMCSP2008 Batch-I

    Module XVI

    Buffer Overflows


    Scenario

    It was a job that Tim wanted right from the start of his career. Being the Project Manager of a well-known software firm was definitely a sign of prestige. But now his credibility was at stake!!!

    The last project that Tim handled failed as the application failed to deliver what it was meant to. The customer of Tim's company suffered a huge financial loss.

    At the back of his mind something was nagging him.....

    Had he asked his Test Engineers to do a thorough testing of the delivered package this would not have happened....


    Scenario (contd.)

    Since the project was running behind schedule he hurried up the testing part.

    He went with his gut feeling. He had worked with the same team for the last few projects and no negative feedback was reported till now from any of the previous clients about their projects..nothing would possibly go wrong....

    But this time lady luck was not smiling at him. The web server of Tim's client had succumbed to a buffer overflow attack. This was due to a flaw in the coding part as bounds were not checked ...

    Is Tim's decision justified?

    What next?


    Module Objectives

    Why are programs/applications vulnerable?

    What is a Buffer Overflow?

    Reasons for Buffer Overflow attacks.

    Skills required

    Types of Buffer Overflow

    Understanding Stacks

    Shell Code

    How to detect Buffer Overflows in a program?

    Technical details

    Defense against Buffer Overflows


    Flow Diagram for the module

    (Figure: flow diagram whose boxes read: Reasons for failure of applications; Introduction to Buffer Overflows; Reasons for Buffer Overflow attacks; Skills Required; Types of Buffer Overflows; Understanding Stacks; Shellcode; Understanding Assembly code; NOPS; Attacking a real program; Detection of Buffer Overflow; Countermeasures; Tools to defend Buffer Overflows.)


    Why are Programs/Applications vulnerable?

    Since there is a lot of pressure on the deliverables, programmers are bound to make mistakes which are overlooked most of the time.

    Boundary checks are not done.

    Programming languages, such as C, which programmers still use to develop packages or applications, have errors.

    The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(), gets(), and scanf() calls in C can be exploited because these functions don't check to see if the buffer, allocated on the stack, is large enough for the data copied into the buffer.

    Good programming practices are not adhered to.


    Buffer Overflows

    A buffer overflow occurs when a program allocates a block of memory of a certain length and then tries to place more data into the memory space than allocated, with the extra data overflowing the space and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source code:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char target[5] = "TTTT";
        char attacker[11] = "AAAAAAAAAA";

        /* 14 characters plus the terminating NUL are copied into an 11-byte
           buffer; the excess spills past attacker[] into adjacent stack memory */
        strcpy(attacker, "DDDDDDDDDDDDDD");
        printf("%s\n", target);
        return 0;
    }

    When this source is compiled into a program, and the program is run, it will assign a block of memory 32 bytes long to hold the name string.

    This type of vulnerability is prevalent in UNIX and NT based systems.
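    A hardened counterpart to the strcpy() call above, added here as an example (it is not code from the module): the copy is refused when the source, terminating NUL included, does not fit, so the 14-byte input that overflowed attacker[] in the slide is rejected and both buffers stay intact. bounded_copy and demo are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of the strcpy() call in the module's example.
 * Copies src into dst only when it fits, terminating NUL included, and
 * returns 0; otherwise returns -1 and leaves dst untouched, so oversized
 * input is refused instead of spilling past the end of the buffer. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;      /* bytes including the NUL */
    if (dst_size == 0 || needed > dst_size)
        return -1;                        /* would overflow: refuse it */
    memcpy(dst, src, needed);
    return 0;
}

/* Same buffers and same 14-byte input as the slide. Returns 1 when the
 * copy was refused and both attacker[] and target[] are unchanged. */
int demo(void)
{
    char target[5] = "TTTT";
    char attacker[11] = "AAAAAAAAAA";
    int rc = bounded_copy(attacker, sizeof attacker, "DDDDDDDDDDDDDD");

    printf("copy %s: attacker=\"%s\" target=\"%s\"\n",
           rc == 0 ? "accepted" : "rejected", attacker, target);
    return rc == -1 && strcmp(attacker, "AAAAAAAAAA") == 0
                    && strcmp(target, "TTTT") == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```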


    Reasons for Buffer Overflow attacks

    Buffer overflow attacks depend on two things:

    the lack of boundary testing, and

    a machine that can execute code that resides in the data/stack segment.

    The lack of boundary testing is very common and the program usually ends with a segmentation fault or bus error. In order to exploit buffer overflows to gain access or escalate privileges, the offender must create the data to be fed to the application. Random data will generate a segmentation fault or bus error, never a remote shell or the execution of a command.


    Knowledge required to Program Buffer Overflow Exploits

    1. C functions and the stack.

    2. A little knowledge of assembly/machine language.

    3. How system calls are made (at the machine code level).

    4. exec() system calls.

    5. How to 'guess' some key parameters.


    Types of Buffer Overflows

    Stack-Based Buffer Overflow

    Heap/BSS based Buffer Overflow


    Stack based Buffer Overflow

    Buffer is expecting a maximum number of guests.

    Send the buffer more than x guests.

    If the system does not perform boundary checking, extra guests continue to be placed at positions beyond the legitimate locations within the buffer. (Java does not permit the code to run off the end of an array or string as C and C++ do).

    Malicious code can be pushed on the stack.

    The overflow can overwrite the return pointer so that the flow of control switches to the malicious code.


    Understanding Assembly Language

    Two most important operations in a stack:

    1. Push - put one item on the top of the stack

    2. Pop - remove one item from the top of the stack

    Typically returns the contents pointed to by a pointer and changes the pointer (not the memory contents)


    Understanding Stacks

    The stack is a (LIFO) mechanism that computers use to pass arguments to functions as well as to reference local variables.

    It acts like a buffer, holding all of the information that the function needs. The stack is created at the beginning of a function and released at the end of it.


    A Normal Stack


    Shellcode

    Shellcode is a method to exploit stack based overflows.

    Shellcodes exploit computer bugs with respect to how the stack is handled. Buffers are soft targets for attackers as they overflow very easily if the conditions match.


    Heap-based Buffer Overflow

    Variables which are dynamically allocated with functions such as malloc() are created on the heap.

    Heap is a memory space that is dynamically allocated. It is different from the memory which is allocated for stack and code.

    In a heap-based buffer overflow attack an attacker overflows a buffer which is placed on the lower part of the heap, overwriting other dynamic variables, which can have unexpected and unwanted effects.


    How to detect Buffer Overflows in a program

    There are two ways to detect buffer overflows.

    The first way is by looking at the source code. In this case, the hacker can look for strings declared as local variables in functions or methods and verify the presence of boundary checks. It is also necessary to check for improper use of standard functions, especially those related to strings and input/output.

    The second way is by feeding the application huge amounts of data and checking for abnormal behavior.
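    The source-review approach above, as an added example that is not part of the module: a small scanner that flags call sites of the unbounded C functions the module lists (strcat, strcpy, sprintf, vsprintf, bcopy, gets, scanf) while ignoring longer identifiers such as snprintf or strcpy_s, run over a constructed sample in the shape of the slide's program. has_call, audit_lines, RISKY and SAMPLE are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* The unbounded calls the module lists; each call site is flagged so a
 * reviewer can confirm that the destination size really is checked. */
static const char *const RISKY[] = {
    "strcat", "strcpy", "sprintf", "vsprintf", "bcopy", "gets", "scanf"
};

static int ident_char(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* Returns 1 if `name` occurs in `line` as a whole identifier followed
 * (after optional blanks) by '(' , i.e. as a call rather than as part of
 * a longer name such as snprintf, strcpy_s or getsockopt. */
int has_call(const char *line, const char *name)
{
    for (const char *p = strstr(line, name); p; p = strstr(p + 1, name)) {
        if (p > line && ident_char(p[-1])) continue;   /* ...strcpy */
        const char *q = p + strlen(name);
        if (ident_char(*q)) continue;                  /* strcpy_... */
        while (*q == ' ' || *q == '\t') q++;
        if (*q == '(') return 1;
    }
    return 0;
}

/* Checks each line against RISKY, prints the hits, returns the hit count. */
int audit_lines(const char *const lines[], int n)
{
    int flagged = 0;
    for (int i = 0; i < n; i++)
        for (size_t k = 0; k < sizeof RISKY / sizeof RISKY[0]; k++)
            if (has_call(lines[i], RISKY[k])) {
                printf("line %d: %s() -> %s\n", i + 1, RISKY[k], lines[i]);
                flagged++;
                break;                  /* one report per line */
            }
    return flagged;
}

/* Constructed sample in the shape of the module's program. */
static const char *const SAMPLE[] = {
    "char attacker[11] = \"AAAAAAAAAA\";",
    "strcpy(attacker, \"DDDDDDDDDDDDDD\");",  /* flagged */
    "snprintf(buf, sizeof buf, \"%s\", in);",  /* bounded: not flagged */
    "gets (buf);",                             /* flagged */
};
#define SAMPLE_LEN ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void) { return audit_lines(SAMPLE, SAMPLE_LEN) == 2 ? 0 : 1; }
```

    A hit is a review prompt, not a verdict: the reviewer still has to read the call and confirm whether the destination size is checked before the copy.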


    Attacking a Real Program

    Assuming that a string function is being exploited, the attacker can send a long string as the input. This string overflows the buffer and causes a segmentation error. The return pointer of the function is overwritten and the attacker succeeds in altering the flow of execution.

    If he wishes to insert his code in the input, he has to:

    Know the exact address on the stack

    Know the size of the stack

    Make the return pointer point to his code for execution


    How to mutate a Buffer Overflow Exploit

    For the NOP portion

    Randomly replace NOPs with functionally equivalent segments of code (e.g.: x++; x--; → NOP NOP).

    For the "main event"

    Apply XOR to combine code with a random key unintelligible to IDS. The CPU code must also decode the gibberish in time in order to run the decoder. By itself the decoder is polymorphic and therefore hard to spot.

    For the "return pointer"

    Randomly tweak LSB of pointer to land in the NOP-zone.


    Once the stack is smashed

    Once the vulnerable process is commandeered, the attacker has the same privileges as the process and can gain normal access. He can then exploit a local buffer overflow vulnerability to gain super-user access.

    Create a backdoor

    Using (UNIX-specific) inetd

    Using Trivial FTP (TFTP) included with Windows 2000 and some UNIX flavors

    Use Netcat to make raw, interactive connection

    Shoot back an Xterminal connection

    UNIX-specific GUI


    Defense against Buffer Overflows

    Manual auditing of code

    Disabling Stack Execution

    Safer C library support

    Compiler Techniques


    Tool to defend Buffer Overflow: Return Address Defender (RAD)

    RAD is a simple patch for the compiler that automatically creates a safe area to store a copy of return addresses. After that, RAD automatically adds protective code into applications that it compiles to defend programs against buffer overflow attacks.

    RAD does not change the stack layout.


    Tool to defend against Buffer Overflow: StackGuard

    StackGuard: Protects Systems From Stack Smashing Attacks.

    StackGuard is a compiler approach for defending programs and systems against "stack smashing" attacks. Programs that have been compiled with StackGuard are largely immune to stack smashing attacks.

    Protection requires no source code changes at all. When a vulnerability is exploited, StackGuard detects the attack in progress, raises an intrusion alert, and halts the victim program.

    http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
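    A small model of the canary check StackGuard describes, added here as an example rather than StackGuard's own code: a guard word sits between the local buffer and the saved return address, so an overflow that reaches the return address corrupts the guard first and the epilogue check catches it. The struct layout, the fixed canary value and the placeholder return address are constructed for illustration; real guards use a random per-process value.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Model of a StackGuard-style frame: the canary sits between the local
 * buffer and the saved return address, so a linear overflow that reaches
 * the return address has to run through, and corrupt, the canary first. */
struct frame {
    char     buf[8];
    uint32_t canary;
    uint32_t saved_ret;          /* stands in for the saved return address */
};

#define CANARY_VALUE 0xDEADC0DEu /* constructed; real guards pick it at random */
void frame_init(struct frame *f, uint32_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = ret;
}

/* Simulates an unchecked copy of `len` bytes into buf. The write is clamped
 * to the frame so the simulation stays inside the object; anything beyond
 * buf[] lands on the canary first and only then on saved_ret. */
void unchecked_write(struct frame *f, const char *data, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, data, len);
}

/* The check StackGuard inserts in the function epilogue: returns 1 when the
 * frame is intact and 0 when the canary was clobbered (attack detected). */
int frame_check(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

int main(void)
{
    struct frame f;
    frame_init(&f, 0x08048400u);                 /* constructed placeholder */
    unchecked_write(&f, "AAAAAAA", 7);           /* fits in buf[]: intact */
    int ok_short = frame_check(&f);
    unchecked_write(&f, "BBBBBBBBBBBBBBBB", 16); /* 8 bytes past buf[] */
    int ok_long = frame_check(&f);
    printf("short input intact=%d, long input intact=%d\n", ok_short, ok_long);
    return (ok_short && !ok_long) ? 0 : 1;
}
```

    GCC and Clang implement the same idea with the -fstack-protector family of options.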


    Tool to defend Buffer Overflow: Immunix System

    Immunix System 7 is an Immunix-enabled RedHat Linux 7.0 distribution and suite of application-level security tools.

    Immunix secures a Linux OS and applications.

    Immunix works by hardening existing software components and platforms so that attempts to exploit security vulnerabilities will fail safe, i.e. the compromised process halts instead of giving control to the attacker, and then is restarted.

    http://immunix.org


    Vulnerability Search - ICAT


    Summary

    A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

    Buffer overflow attacks depend on two things: the lack of boundary testing and a machine that can execute code that resides in the data/stack segment.

    Buffer overflow vulnerabilities can be detected by skilled auditing of the code as well as through boundary testing.

    Once the stack is smashed, the attacker can deploy his payload and take control of the attacked system.

    Countermeasures include: checking the code, disabling stack execution, safer C library support, using safer compiler techniques.

    Tools like StackGuard, Immunix and vulnerability scanners help secure systems.