team bam! scott amack, everett bloch, maxine major 1
TRANSCRIPT
FORMAT STRING ATTACKS
Team BAM!
Scott Amack, Everett Bloch, Maxine Major
Overview
What is a Format String Attack?
About Format Strings
Anatomy of an Attack
History
Current Events
Demo
Conclusions
What are Format String Attacks?
A class of software vulnerability discovered around 1999
Uses C format functions to crash programs or execute harmful code
Problem stems from unchecked user input in format functions
Format Strings
Used in format functions: printf(), sprintf(), fprintf(), etc.
Format functions take a variable number of arguments, one of which is called the format string
printf("<format string>", arg1, arg2, ..., argn);
Format Strings
% is an escape character: it pops the respective argument from the stack, evaluates its value based on the specifier that follows, and prints it
%s – pointer to an ASCIIZ (null-terminated) string
%d – integer value
%x – hexadecimal value, up to 8 digits
%p – hexadecimal value (pointer), more robust than %x
%n – write to memory the number of characters output so far
○ Memory location is referenced by the argument
○ Usage: printf("Hello%n", &i); // i = 5
%% – prints %, does not pop any values
Format Strings
Arguments are pushed onto the stack when printf is called
Arguments are popped off in order as they are referenced from the format string (using "%")
The first to be popped is the argument that comes after the format string
There is no limit to the number of pops; if printf pops beyond its bounds, the program crashes
Format Strings
printf("i = %d, a = %d, address of a = %x\n", i, a, &a);
The printf function parses the format string one character at a time, printing everything that is not "%" to stdout
Format Strings
An argument can be referenced directly using the $ symbol
Usage: %<number>$<specifier>
○ <number> – the argument's location in the stack; the first argument is 1
○ <specifier> – s, d, x, n, etc.
printf("%2$d\n", 6, 5); prints "5", because 5 is the second argument on the stack
Format Strings
Some specifiers can specify the minimum number of characters to output
Usage: printf("%25d", i);
○ prints at least 25 characters to stdout
○ result is padded with blank space
○ does not truncate
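The specifier behaviour described on the last few slides (%n, %<number>$, field width, %x and %%), exercised as an added example that is not part of the original deck; the function names are illustrative and every format string is a constant, so nothing here is user-controlled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides: each specifier the deck lists is
 * exercised with a constant format string and the result is returned so
 * it can be checked. snprintf is used so nothing depends on stdout. */

/* %n stores the number of characters emitted so far into the int that
 * the matching argument points to; "Hello" is 5 characters, so i == 5. */
int count_with_n(void) {
    char buf[32];
    int i = -1;
    snprintf(buf, sizeof buf, "Hello%n", &i);
    return i;
}

/* %<number>$<specifier> selects an argument by position: "%2$d" reads
 * the second argument (5) and skips the first (6). */
int positional_second(void) {
    char buf[32];
    snprintf(buf, sizeof buf, "%2$d", 6, 5);
    return atoi(buf);
}

/* A width is a minimum field size. "%*d" takes the width as an argument
 * (the slides' "%25d" is width 25): short values are padded with blanks
 * to that width, longer values are never truncated. */
size_t padded_length(int width, int value) {
    char buf[64];
    snprintf(buf, sizeof buf, "%*d", width, value);
    return strlen(buf);
}

/* %x prints an unsigned value in lowercase hex with no padding; returns
 * 1 when the rendering equals expected. */
int hex_matches(unsigned value, const char *expected) {
    char buf[32];
    snprintf(buf, sizeof buf, "%x", value);
    return strcmp(buf, expected) == 0;
}

/* %% emits one literal '%' and pops no argument: "100%%" renders as the
 * four characters "100%". Returns 1 when that holds. */
int literal_percent_ok(void) {
    char buf[8];
    int n = snprintf(buf, sizeof buf, "100%%");
    return n == 4 && strcmp(buf, "100%") == 0;
}
```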
Format String Attack
Becomes possible when user input is the format string
OK: printf("%s", user_input);
Exploitable: printf(user_input);
The user can input format specifiers that will be evaluated by printf
Format String Attack
Multiple instances of %x or %p print out a stack trace from the printf function
○ traversing the stack
○ used to locate the format string in the stack
%n can be used to overwrite memory based on the currently popped value
Multiple instances of %s, or an excessive stack traversal, can kill the process
Format String Attack Strategy
Format string:
<addr><NOP><shell-code><stack traversal + padding><%n>
ex) addr = 0x08a5ffbc
"\xbc\xa5\xff\xbc;;;;;;;;;;;;;;;;;;;;execl("/bin/bash", "bash", 0);%11$41002x%n"
addr – address of what we want to overwrite, normally the printf return address, in little-endian representation
NOP – a small NOP sled that leads to the shell-code (optional)
shell-code – the attack's payload, simple code that starts the actual exploit with printf's privileges (optional)
stack traversal – %x's or %<number>$x, which pop us to the format string's location
padding – use %<number>x so that the number of characters output equals the address we want to write with %n; <NOP> can act as padding also
%n – writes the current number of characters to the address specified by <addr>
<NOP> and <shell-code> are optional because sometimes the address to overwrite, <addr>, is something other than the printf return address.
Format String Attack Uses
Overwrite printf's return address to execute shell-code
Overwrite C library hooks such as __malloc_hook, __realloc_hook, and __free_hook to jump to your code whenever those functions are called
Overwrite the __atexit address to jump to your code whenever the exit() function is called
History
First format string bugs noted in 1990 at the University of Wisconsin while testing the C shell; the bugs were referred to as "interaction effects"
First identified as an attack vector in September 1999 in a security audit of the FTP daemon ProFTPd by Tymm Twillman
It wasn't until June of 2000 that the full dangers of format string vulnerabilities as exploits were made public
History
wu-ftpd 2.*
free FTP daemon
one of the first commercial programs exploited using format string attacks
discovered by security.is
had multiple format string vulnerabilities
○ vulnerabilities persisted for over 6 years
when attempting to log in, the username string was passed as a format string
exploit impact gave remote root to the attacker on the FTP server
vulnerabilities corrected by forcing user input to be an argument referenced by the format string
Format String Attacks
Information about vulnerabilities:
MITRE has a Common Vulnerabilities and Exposures (CVE) database that currently lists 588 vulnerabilities of this type in current software.
http://www.cve.mitre.org/
Recent Format String Attacks
January 2013
EMC AlphaStor 4.0 800
AlphaStor is software that provides media management and device sharing services for backup servers.
The rrobotd.exe file is vulnerable to format string input via a vsnprintf function.
This accepts incoming commands and therefore is vulnerable to a format string attack.
Recent Format String Attacks
September 2012
Mcrypt: a program used to encrypt files in UNIX
If you ran the program with the following command:
$ mcrypt --no-openpgp "%s.nc"
it could cause this type of attack because of how the input string was handled.
The key thing to note is the %s in the filename.
Recent Format String Attacks
August 2012
Microsoft Windows XP, Vista, 7, Server 2003, Server 2008
An attacker can send a crafted response to the print spooler and remotely execute code.
Denial of service is also possible, making printer services unavailable.
Recent Format String Attacks
June 2012
VMware Workstation 8.x and VMware Player 4.x
An OVF file, which helps automate distribution of virtual machines, could contain malicious information to exploit this format string vulnerability.
This exploit could allow malicious code to be executed.
Format String Attacks Demo
What we can do with format string attacks:
1. Crash the program (DoS)
2. View the stack
3. View memory at arbitrary locations
4. Overwrite memory at arbitrary locations
5. Code execution
Format String Attacks
DEMO
Conclusions
Format functions can be used as an attack vector for format string attacks
Format functions have no bounds checking; they may pop as many times as the system allows.
Be sure that the format string references the variable(s): printf("%s\n", variablename);
Format string attacks seem simple, but are still a very viable method of attack.
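The OK/Exploitable pair from the "Format String Attack" slide and the fix restated in these conclusions, side by side as an added example that is not the deck's own code; the function names, the login-line format and the probe check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: the deck's fix beside the shape it
 * replaces, plus an input check for spotting probes in logs. Function
 * names are illustrative. */

/* Exploitable shape (slide "Format String Attack"): the caller's string
 * IS the format string, so any '%' sequences in it are interpreted.
 * Kept here uncalled for contrast; gcc -Wformat -Wformat-security warns
 * on exactly this call because the format is not a string literal. */
void log_line_unsafe(const char *user_input) {
    printf(user_input);
}

/* Fixed shape (slide "Conclusions"): a constant format string, with the
 * user data as an argument referenced by %s. A '%' inside the data is
 * copied as text, never parsed. Renders into out, returns the length. */
int log_line_safe(char *out, size_t n, const char *user_input) {
    return snprintf(out, n, "[login] user=%s\n", user_input);
}

/* Convenience wrapper: 1 if log_line_safe renders input as expected. */
int safe_line_equals(const char *input, const char *expected) {
    char out[128];
    log_line_safe(out, sizeof out, input);
    return strcmp(out, expected) == 0;
}

/* Detection helper: 1 if s contains something printf would treat as a
 * conversion (a '%' followed by optional flags/width/precision/length
 * or a positional "$" and then a conversion letter). "%%" is ignored.
 * A username or filename that trips this is worth flagging in logs. */
int looks_like_format_probe(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.$hlLqjzt", *q)) q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) return 1;
    }
    return 0;
}
```

The probe check only supports logging and alerting; the fix is the constant format string in log_line_safe, which makes the content of user_input irrelevant to printf.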
Recap
What is a Format String Attack?
About Format Strings
Anatomy of an Attack
History
Current Events
Demo
Conclusions