Ethical H ackin g an d
Coun term easures
Coun term easures
Version 6
Mo d u le XXIV
Mo d u le XXIV
News
Scen ario
It was a job that Tim wan ted right from the start of his career. Bein g a Project Man ager at a well-kn own software firm was defin itely a sign of prestige. But n ow, his
credibility was at stake.
The last project that Tim han dled failed to deliver because the application crashed. The custom er of Tim 's com pan y suffered a huge fin an cial loss. g
At the back of his m in d, som ethin g was n aggin g Tim ...
H ad he asked his Test En gin eers to do a thorough testin g of
h d l d k h ld h h d
Module Objective
• Buffer Overflows
R f b ff fl tt k
This m odule will fam iliarize you with :
• Reason s for buffer overflow attacks • Un derstan din g Stacks an d H eaps • Types of buffer overflow
• Detectin g buffer overflows in a programg p g • Attackin g a real program
• Defen se Again st Buffer Overflows • Buffer overflow detection tools • Libsafe
• Libsafe
Module Flow
Buffer Overflows Attackin g a real program
Reason s for
Real World Scen ario
Why are Program s/ Application s
Vuln erable
Vuln erable
Boun dary checks are n ot don e fully or in m ost cases they are skipped en tirely Boun dary checks are n ot don e fully or, in m ost cases, they are skipped en tirely
Program m in g lan guages such as C have errors in it Program m in g lan guages, such as C, have errors in it
The strcat(), strcpy(), sprin tf(), vsprin tf(), bcopy(), gets(), an d scan f() calls in C lan guage can be exploited because these fun ction s do n ot check to see if the lan guage can be exploited because these fun ction s do n ot check to see if the buffer, allocated on the stack, is large en ough for the data copied in to the buffer
P / li ti t dh d t d i ti
Buffer Overflows
A gen eric buffer overflow occurs when a buffer that has been allocated a
ifi h d i d i h i h dl
specific storage space, has m ore data copied to it than it can handle
Con sider the followin g source code. Wh en the source is com piled an d turn ed in to a program an d the program is run it will assign a block of m em ory 32 in to a program an d the program is run , it will assign a block of m em ory 32 bytes lon g to hold the n am e strin g
#include<stdio.h>
int main ( int argc char **argv) int main ( int argc , char argv)
Reason s for Buffer Overflow
Attacks
Attacks
Buffer overflow attacks depen d on two thin gs:
• The lack of boun dary testin g
• A m achin e that can execute a code that resides in the data/ stack segm en t
The lack of boun dary is com m on an d, usually, the program en ds with the segm en tation fault or bus error
In order to exploit buffer overflow to gain access to or escalate privileges the In order to exploit buffer overflow to gain access to or escalate privileges, the offen der m ust create the data to be fed to the application
Kn owledge Required to Program
Buffer Overflow Exploits
Buffer Overflow Exploits
C f ti d th t k
C fun ction s and the stack
A littl k l d f bl / hi l
A little kn owledge of assem bly/ m achin e lan guage
H o s stem calls a e m ade (at the m achin e code le el) H ow system calls are m ade (at the m achin e code level)
e ec( ) s stem calls exec( ) system calls
Un derstan din g Stacks
The stack is a (LIFO) m echan ism that com puters use to pass
argum en ts to fun ction s as well as to
refer to the local variables SP
refer to the local variables
Un derstan din g H eaps
The heap is an area of m em ory utilized by an application an d is allocated dyn am ically at the run tim e
is allocated dyn am ically at the run tim e
Static variables are stored on the stack alon g with the data allocated usin g the m alloc in terface
the data allocated usin g the m alloc in terface
Types of Buffer Overflows:
Stack-Based Buffer Overflow
Based Buffer Overflow
A stack overflow occurs when a buffer has been overrun in the stack space
Malicious code can be pushed on the stack
The overflow can overwrite the return poin ter so that the flow of con trol switches to the m alicious code
C lan guage an d its derivatives offer m an y ways to put m ore data than an ticipated in to a buffer
Con sider an exam ple program given on the n ext slide for sim ple un con trolled overflow
• The program calls the bof() fun ctionp g
A Sim ple Un con trolled Overflow of
the Stack
the Stack
/* This is a program to show a simple uncontrolled overflow of the stack. It will overflow EIP with 0x41414141, which is AAAA in ASCII. */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int bof()
{
char buffer[8]; /* an 8 byte character buffer */
strcpy(buffer,"AAAAAAAAAAAAAAAAAAAA"); /*copy 20 bytes of A into the buffer*/
return 1; /*return this will cause an access violation due to stack corruption */ return 1; /*return, this will cause an access violation due to stack corruption.*/
}
int main(int argc, char **argv)
{
bof(); /*call our function*/
/*print a short message, execution will never reach this point because of the overflow*/
printf(“Lets Go\n");
return 1; /*leaves the main function*/
Stack Based Buffer Overflows
n Bytes Overwritten Data
Types of Buffer Overflows: H
eap-Based Buffer Overflow
Based Buffer Overflow
Variables that are dyn am ically allocated with fun ction s such as Variables that are dyn am ically allocated with fun ction s, such as m alloc(), are created on the heap
In a heap-based buffer overflow attack, an attacker overflows a buffer that is placed on the lower part of heap, overwritin g other dyn am ic variables, which can have un expected an d un wan ted effects
If an application copies data without first checkin g whether it fits in to the target destin ation , the attacker could supply the application with a piece of data that is large, overwritin g heap m an agem en t in form ation
In m ost en viron m en ts, this m ay allow the attacker to con trol over the program ’s execution
H eap Mem ory Buffer Overflow Bug
/*heap1.c – the simplest of heap overflows*/ #include <stdio.h>
#i l d dlib h #include <stdlib.h>
int main(int argc, char *argv[]) {
{
char *input = malloc (20); char *output = malloc (20);
strcpy (output, "normal output"); strcpy (input, argv[1]);
printf ("input at %p: %s\n", input, input); printf ("output at %p: %s\n", output, output); printf("\n\n%s\n", output);
H eap-Based Buffer Overflow
in put=m alloc(20 ); output=m alloc(20 );
“n orm al output\ 0 ” XXXXXXXXXXXXXXXXXXXX
output m alloc(20 );
n orm al output\ 0 XXXXXXXXXXXXXXXXXXXX
H e a p : B e fo re Ove rflo w
in put=m alloc(20 ); output=m alloc(20 );
rdfn ordfn ord\ 0 fnordfnordfnordfnordfnord fn 0
Un derstan din g Assem bly Lan guage
The two m ost im portan t operation s in a stack:
The two m ost im portan t operation s in a stack:
• 1. Push – put on e item on the top of the stack
• 2. Pop – "rem ove" on e item from the top of the stack
T
i
ll
h
i
d
b
i
d
h
Shellcode
Shellcode is a m ethod to exploit stack-based overflows Shellcode is a m ethod to exploit stack based overflows
Shellcodes exploit com puter bugs in how the stack is han dledp p g
Buffers are soft targets for attackers as they overflow easily if the con dition s m atch
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" con dition s m atch
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
H ow to Detect Buffer Overflows
in a Program
in a Program
There are two ways to detect buffer overflows:
There are two ways to detect buffer overflows:
On e way is to look at the source code
• In this case, the hacker can look for strin gs declared as local variables in fun ction s or m ethods an d verify the presen ce of boun dary checks
• It is also n ecessary to check for im proper use of stan dard fun ction s, especially those related to strin gs an d in put/ output
Attackin g a Real Program
Assum in g that a strin g fun ction is bein g exploited, the attacker can g g g p , sen d a lon g strin g as the in put
This strin g overflows the buffer an d causes a segm en tation error This strin g overflows the buffer an d causes a segm en tation error
The return poin ter of the fun ction is overwritten, an d the attacker po o o o , d succeeds in alterin g the flow of execution
If th h t i t hi d i th i t h / h h t If the user has to in sert his code in the input, he/ she has to:
• Kn ow the exact address on the stack • Kn ow the size of the stack
NOPS
Most CPUs have a No Operation (NOP) in struction – it does n othin g but advan ce the in struction poin ter
in struction poin ter
Usually, you can put som e of these ahead of your program (in the strin g)
As lon g as the n ew return address poin ts to a NOP, it is OK
Attacker pads the begin n in g of the in ten ded buffer overflow with a lon g run of NOP in struction s (a NOP slide or sled) so the CPU will do n othin g un til it gets to the 'm ain even t' (which preceded the 'return poin ter')
Most in trusion detection system s (IDSs) look for sign atures of NOP sleds
H ow to Mutate a Buffer Overflow
Exploit
Exploit
For the NOP portion
• Ran dom ly replace the NOPs with fun ction ally equivalen t segm en ts of code (e.g.: x++; x-; ? NOP NOP)
For the NOP portion
A l XOR t bi d ith d k i t lli ibl t
For the "m ain even t"
• Apply XOR to com bin e code with a random key un intelligible to IDS. The CPU code m ust also decode the gibberish in tim e in order to run the decoder. By itself, the decoder is polym orphic an d,
therefore, hard to spot
R d l t k LSB f i t t l d i th NOP
For the "return poin ter"
On ce the Stack is Sm ashed...
On ce the vuln erable process is com m an deered, the attacker has
p
,
the sam e privileges as the process an d can gain n orm al access.
H e/ she can then exploit a local buffer overflow vuln erability to
gain super-user access
Create a backdoor
• Usin g (UNIX-specific) in etd
• Usin g Trivial FTP (TFTP) in cluded with Win dows 20 0 0 an d som e UNIX flavors
• Shoot back an Xterm in al con n ection
Use Netcat to m ake raw an d in teractive con n ection s
Defen se Again st Buffer
Overflows
Overflows
M
l
Di
bli
S f C
Man ual
auditin g of
code
Disablin g
stack
execution
Safer C
library
support
Tool to Defen d Buffer Overflow:
Return Address Defen der (RAD)
Return Address Defen der (RAD)
RAD i i l t h f th il th t t ti ll t f
RAD is a sim ple patch for the com piler that autom atically creates a safe area to store a copy of return addresses
After that, RAD autom atically adds protection code in to application s an d com piles them to defen d program s again st buffer overflow attacks
Tool to Defen d Buffer Overflow:
StackGuard
StackGuard
StackGuard: Protects system s from stack sm ashin g attacks
StackGuard is a com piler approach for defen din g program s an d system s again st "stack sm ashin g" attacks
Program s that have been com piled with StackGuard are largely im m un e to stack sm ashin g attacks
Protection requires n o source code chan ges at all. When a vuln erability is exploited, StackGuard detects the attack in
Tool to Defen d Buffer Overflow:
Im m un ix System
Im m un ix System
Im m un ix System is an Im m un ix-en abled RedH at Lin ux distribution an d suite of
th li ti l l it t l
the application -level security tools
Im m un ix secures a Lin ux OS an d application s
Im m un ix works by harden in g the existin g software com pon en ts an d platform s so that attem pts to exploit security vuln erabilities will fail safe
Valgrin d
Valgrin d is a suite of sim ulation -based debugging and profiling tools for g gg g p g program s run n in g on Lin ux
The system con sists of a core which pr ovides a syn thetic CPU in software an d a The system con sists of a core, which provides a syn thetic CPU in software, and a series of tools, each of which perform s som e kin d of debuggin g, profilin g, or sim ilar task
• Mem check detects m em ory-m an agem en t problem s in program s • Cachegrin d is a cache profiler
Various tools presen t in Valgrin d are:
• Cachegrin d is a cache profiler
• H elgrin d fin ds data races in m ultithreaded program s • Callgrin d is a program profiler
• Massif is a heap profiler
L k i i l fil d t
In sure++
In sure++ is a run tim e m em ory an alysis an d error detection tool for C
an d C++ that autom atically iden tifies a variety of difficult to track
an d C++ that autom atically iden tifies a variety of difficult-to-track
program m in g an d m em ory-access errors, alon g with poten tial defects
an d in efficien cies in m em ory usage
• Corrupted heap an d stack m em ory
Errors that In sure++ detects in clude:
• Use of un in itialized variables an d objects
In sure++: Features
Detection of m em ory corruption on heap an d stack
Detection of un in itialized variables, poin ters, an d objects
Detection of m em ory leaks an d other m em ory allocation / free errors y y /
STL checkin g** for proper usage of STL con tain ers, an d related m em ory errors
Com pile tim e checks for type an d size related errors Com pile-tim e checks for type- an d size-related errors
Run tim e tracin g of fun ction calls
GUI an d com m an d lin e in terface
Mem ory error checkin g in 3rd party static an d dyn am ic libraries
Buffer Overflow Protection
Solution : Libsafe
Solution : Libsafe
Libsafe is a library which re-writes som e sen sitive libc fun ction s (strcpy strcat sprin tf vsprin tf getwd gets
fun ction s (strcpy, strcat, sprin tf, vsprin tf, getwd, gets, realpath, fscan f, scan f, sscan f) to preven t an y overflow caused by a m isuse of an y on e of them
It laun ches alerts when an overflow attem pt is detected
Libsafe in tercepts the calls to the un safe fun ction s an d uses its own im plem en tation of the fun ction in stead
While keepin g the sam e sem an tic, it adds detection of the boun d violation s
Com parin g Fun ction s of libc an d
libsafe
libsafe
Som e fun ction s of libc are un safe because
they do n ot check the boun ds of a buffer Im plem en tation of strcpy by libsafe: they do n ot check the boun ds of a buffer
Im plem en tation of strcpyby libc:
p e e a o o s cpy by bsa e
char *strcpy(char *dest, const
h * )
char *src) {
...
if ((len = strnlen(src, max size)) == max size)
real_memcpy(dest, src, len + 1); return dest;
The size of the dest buffer is n ot a factor for Fun ction libsafe_ die stops the process if
return dest; decidin g whether to copy m ore characters or n ot
Sim ple Buffer Overflow in C
name = (char *) malloc(10);dangerous_system_command = (char *) malloc(128); printf("Address of name is %d\n" name);
printf("Address of name is %d\n", name);
printf("Address of command is %d\n", dangerous_system_command); sprintf(dangerous_system_command, "echo %s", "Hello world!");
Code An alysis
The first thin g the program does is declare two strin g variables an d assign m em ory to h
them
The "n a m e" variable is given 10 bytes of m em ory (which will allow it to hold a 10 -character strin g)
character strin g)
The "d a n ge ro u s _ s ys te m _ co m m a n d" variable is given 128 bytes
Code An alysis (con t’d)
~
To com pile the overrun .c program
R
thi
d i Li
~
Run this com m an d in Lin ux:
gcc overrun.c –o overrun
[XX]$ ./overrun
Address of name is 134518696
Address of command is 134518712
What's your name?xmen
Hello world!
[XX]$
~
The address given to the
"dangerous_system_command"
variable is 16 bytes from the start of the "n am e" variable
Code An alysis (con t’d)
The "
ge ts
", which reads a strin g from the stan dard in put to the
specified m em ory location , does n ot have a "len gth" specification
This m ean s it will read as m an y characters as it takes to get to the en d
of the lin e, even if it overrun s the en d of the m em ory allocated
Code An alysis (con t’d)
[XX]$ ./overrun
Address of name is 134518696 Address of command is 134518712
What's your name?0123456789123456cat /etc/passwd
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/syncy y y
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt
What H appen ed Next
Sin ce the project was run n in g behin d schedule, he had to hurry through testin g.
hurry through testin g.
Tim had worked with the sam e team for his previous projects, an d all of the other projects had successful projects, an d all of the other projects had successful con clusion s. Therefore, he thought that n othin g would possibly go wron g with this on e. This n otion m ade him overcon fiden t about the testin g of this project.
But this tim e, he was n ot lucky. The web server of the
clien t com pan y had succum bed to a buffer overflow attack. This was due to a flaw in codin g because boun ds were n ot checked.
checked.
Sum m ary
A buffer overflow occurs when a program or process tries to store m ore data in a buffer
d h d d h ld
(tem porary data storage area) than it was in ten ded to hold
Buffer overflow attacks depen d on : the lack of boun dary testin g, an d a m achin e that can t d th t id i th d t / t k t
execute a code that resides in the data/ stack segm en t
Buffer overflow vuln erability can be detected by skilled auditin g of the code as well as boun dary testin g
boun dary testin g
Coun term easures in clude checkin g the code, disablin g stack execution , safer C library support an d usin g safer com piler techn iques
support, an d usin g safer com piler techn iques