Ethical H ackin g an d

Coun term easures

Coun term easures

Version 6

Mo d u le XXIV

Mo d u le XXIV

News

Scen ario

It was a job that Tim wan ted right from the start of his career. Bein g a Project Man ager at a well-kn own software firm was defin itely a sign of prestige. But n ow, his

credibility was at stake.

The last project that Tim han dled failed to deliver because the application crashed. The custom er of Tim 's com pan y suffered a huge fin an cial loss. g

At the back of his m in d, som ethin g was n aggin g Tim ...

H ad he asked his Test En gin eers to do a thorough testin g of

h d l d k h ld h h d

Module Objective

• Buffer Overflows

R f b ff fl tt k

This m odule will fam iliarize you with :

• Reason s for buffer overflow attacks • Un derstan din g Stacks an d H eaps • Types of buffer overflow

• Detectin g buffer overflows in a programg p g • Attackin g a real program

• Defen se Again st Buffer Overflows • Buffer overflow detection tools • Libsafe

• Libsafe

Module Flow

Buffer Overflows Attackin g a real program

Reason s for

Real World Scen ario

Why are Program s/ Application s

Vuln erable

Vuln erable

Boun dary checks are n ot don e fully or in m ost cases they are skipped en tirely Boun dary checks are n ot don e fully or, in m ost cases, they are skipped en tirely

Program m in g lan guages such as C have errors in it Program m in g lan guages, such as C, have errors in it

The strcat(), strcpy(), sprin tf(), vsprin tf(), bcopy(), gets(), an d scan f() calls in C lan guage can be exploited because these fun ction s do n ot check to see if the lan guage can be exploited because these fun ction s do n ot check to see if the buffer, allocated on the stack, is large en ough for the data copied in to the buffer

P / li ti t dh d t d i ti

Buffer Overflows

A gen eric buffer overflow occurs when a buffer that has been allocated a

ifi h d i d i h i h dl

specific storage space, has m ore data copied to it than it can handle

Con sider the followin g source code. Wh en the source is com piled an d turn ed in to a program an d the program is run it will assign a block of m em ory 32 in to a program an d the program is run , it will assign a block of m em ory 32 bytes lon g to hold the n am e strin g

#include<stdio.h>

int main ( int argc char **argv) int main ( int argc , char argv)

Reason s for Buffer Overflow

Attacks

Attacks

Buffer overflow attacks depen d on two thin gs:

• The lack of boun dary testin g

• A m achin e that can execute a code that resides in the data/ stack segm en t

The lack of boun dary is com m on an d, usually, the program en ds with the segm en tation fault or bus error

In order to exploit buffer overflow to gain access to or escalate privileges the In order to exploit buffer overflow to gain access to or escalate privileges, the offen der m ust create the data to be fed to the application

Kn owledge Required to Program

Buffer Overflow Exploits

Buffer Overflow Exploits

C f ti d th t k

C fun ction s and the stack

A littl k l d f bl / hi l

A little kn owledge of assem bly/ m achin e lan guage

H o s stem calls a e m ade (at the m achin e code le el) H ow system calls are m ade (at the m achin e code level)

e ec( ) s stem calls exec( ) system calls

Un derstan din g Stacks

The stack is a (LIFO) m echan ism that com puters use to pass

argum en ts to fun ction s as well as to

refer to the local variables _SP

refer to the local variables

Un derstan din g H eaps

The heap is an area of m em ory utilized by an application an d is allocated dyn am ically at the run tim e

is allocated dyn am ically at the run tim e

Static variables are stored on the stack alon g with the data allocated usin g the m alloc in terface

the data allocated usin g the m alloc in terface

Types of Buffer Overflows:

Stack-Based Buffer Overflow

Based Buffer Overflow

A stack overflow occurs when a buffer has been overrun in the stack space

Malicious code can be pushed on the stack

The overflow can overwrite the return poin ter so that the flow of con trol switches to the m alicious code

C lan guage an d its derivatives offer m an y ways to put m ore data than an ticipated in to a buffer

Con sider an exam ple program given on the n ext slide for sim ple un con trolled overflow

• The program calls the bof() fun ctionp g

A Sim ple Un con trolled Overflow of

the Stack

the Stack

/* This is a program to show a simple uncontrolled overflow of the stack. It will overflow EIP with 0x41414141, which is AAAA in ASCII. */

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

int bof()

{

char buffer[8]; /* an 8 byte character buffer */

strcpy(buffer,"AAAAAAAAAAAAAAAAAAAA"); /*copy 20 bytes of A into the buffer*/

return 1; /*return this will cause an access violation due to stack corruption */ return 1; /*return, this will cause an access violation due to stack corruption.*/

}

int main(int argc, char **argv)

{

bof(); /*call our function*/

/*print a short message, execution will never reach this point because of the overflow*/

printf(“Lets Go\n");

return 1; /*leaves the main function*/

Stack Based Buffer Overflows

n Bytes Overwritten Data

Types of Buffer Overflows: H

eap-Based Buffer Overflow

Based Buffer Overflow

Variables that are dyn am ically allocated with fun ction s such as Variables that are dyn am ically allocated with fun ction s, such as m alloc(), are created on the heap

In a heap-based buffer overflow attack, an attacker overflows a buffer that is placed on the lower part of heap, overwritin g other dyn am ic variables, which can have un expected an d un wan ted effects

If an application copies data without first checkin g whether it fits in to the target destin ation , the attacker could supply the application with a piece of data that is large, overwritin g heap m an agem en t in form ation

In m ost en viron m en ts, this m ay allow the attacker to con trol over the program ’s execution

H eap Mem ory Buffer Overflow Bug

/*heap1.c – the simplest of heap overflows*/ #include <stdio.h>

#i l d dlib h #include <stdlib.h>

int main(int argc, char *argv[]) {

{

char *input = malloc (20); char *output = malloc (20);

strcpy (output, "normal output"); strcpy (input, argv[1]);

printf ("input at %p: %s\n", input, input); printf ("output at %p: %s\n", output, output); printf("\n\n%s\n", output);

H eap-Based Buffer Overflow

in put=m alloc(20 ); _{output=m alloc(20 );}

“n orm al output\ 0 ” XXXXXXXXXXXXXXXXXXXX

output m alloc(20 );

n orm al output\ 0 XXXXXXXXXXXXXXXXXXXX

H e a p : B e fo re Ove rflo w

in put=m alloc(20 ); _{output=m alloc(20 );}

rdfn ordfn ord\ 0 fnordfnordfnordfnordfnord fn 0

Un derstan din g Assem bly Lan guage

The two m ost im portan t operation s in a stack:

The two m ost im portan t operation s in a stack:

• 1. Push – put on e item on the top of the stack

• 2. Pop – "rem ove" on e item from the top of the stack

T

i

ll

h

i

d

b

i

d

h

Shellcode

Shellcode is a m ethod to exploit stack-based overflows Shellcode is a m ethod to exploit stack based overflows

Shellcodes exploit com puter bugs in how the stack is han dledp p g

Buffers are soft targets for attackers as they overflow easily if the con dition s m atch

"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" con dition s m atch

"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"

"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"

H ow to Detect Buffer Overflows

in a Program

in a Program

There are two ways to detect buffer overflows:

There are two ways to detect buffer overflows:

On e way is to look at the source code

• In this case, the hacker can look for strin gs declared as local variables in fun ction s or m ethods an d verify the presen ce of boun dary checks

• It is also n ecessary to check for im proper use of stan dard fun ction s, especially those related to strin gs an d in put/ output

Attackin g a Real Program

Assum in g that a strin g fun ction is bein g exploited, the attacker can g g g p , sen d a lon g strin g as the in put

This strin g overflows the buffer an d causes a segm en tation error This strin g overflows the buffer an d causes a segm en tation error

The return poin ter of the fun ction is overwritten, an d the attacker po o o o , d succeeds in alterin g the flow of execution

If th h t i t hi d i th i t h / h h t If the user has to in sert his code in the input, he/ she has to:

• Kn ow the exact address on the stack • Kn ow the size of the stack

NOPS

Most CPUs have a No Operation (NOP) in struction – it does n othin g but advan ce the in struction poin ter

in struction poin ter

Usually, you can put som e of these ahead of your program (in the strin g)

As lon g as the n ew return address poin ts to a NOP, it is OK

Attacker pads the begin n in g of the in ten ded buffer overflow with a lon g run of NOP in struction s (a NOP slide or sled) so the CPU will do n othin g un til it gets to the 'm ain even t' (which preceded the 'return poin ter')

Most in trusion detection system s (IDSs) look for sign atures of NOP sleds

H ow to Mutate a Buffer Overflow

Exploit

Exploit

For the NOP portion

• Ran dom ly replace the NOPs with fun ction ally equivalen t segm en ts of code (e.g.: x++; x-; ? NOP NOP)

For the NOP portion

A l XOR t bi d ith d k i t lli ibl t

For the "m ain even t"

• Apply XOR to com bin e code with a random key un intelligible to IDS. The CPU code m ust also decode the gibberish in tim e in order to run the decoder. By itself, the decoder is polym orphic an d,

therefore, hard to spot

R d l t k LSB f i t t l d i th NOP

For the "return poin ter"

On ce the Stack is Sm ashed...

On ce the vuln erable process is com m an deered, the attacker has

p

,

the sam e privileges as the process an d can gain n orm al access.

H e/ she can then exploit a local buffer overflow vuln erability to

gain super-user access

Create a backdoor

• Usin g (UNIX-specific) in etd

• Usin g Trivial FTP (TFTP) in cluded with Win dows 20 0 0 an d som e UNIX flavors

• Shoot back an Xterm in al con n ection

Use Netcat to m ake raw an d in teractive con n ection s

Defen se Again st Buffer

Overflows

Overflows

M

l

Di

bli

S f C

Man ual

auditin g of

code

Disablin g

stack

execution

Safer C

library

support

Tool to Defen d Buffer Overflow:

Return Address Defen der (RAD)

Return Address Defen der (RAD)

RAD i i l t h f th il th t t ti ll t f

RAD is a sim ple patch for the com piler that autom atically creates a safe area to store a copy of return addresses

After that, RAD autom atically adds protection code in to application s an d com piles them to defen d program s again st buffer overflow attacks

Tool to Defen d Buffer Overflow:

StackGuard

StackGuard

StackGuard: Protects system s from stack sm ashin g attacks

StackGuard is a com piler approach for defen din g program s an d system s again st "stack sm ashin g" attacks

Program s that have been com piled with StackGuard are largely im m un e to stack sm ashin g attacks

Protection requires n o source code chan ges at all. When a vuln erability is exploited, StackGuard detects the attack in

Tool to Defen d Buffer Overflow:

Im m un ix System

Im m un ix System

Im m un ix System is an Im m un ix-en abled RedH at Lin ux distribution an d suite of

th li ti l l it t l

the application -level security tools

Im m un ix secures a Lin ux OS an d application s

Im m un ix works by harden in g the existin g software com pon en ts an d platform s so that attem pts to exploit security vuln erabilities will fail safe

Valgrin d

Valgrin d is a suite of sim ulation -based debugging and profiling tools for g gg g p g program s run n in g on Lin ux

The system con sists of a core which pr ovides a syn thetic CPU in software an d a The system con sists of a core, which provides a syn thetic CPU in software, and a series of tools, each of which perform s som e kin d of debuggin g, profilin g, or sim ilar task

• Mem check detects m em ory-m an agem en t problem s in program s • Cachegrin d is a cache profiler

Various tools presen t in Valgrin d are:

• Cachegrin d is a cache profiler

• H elgrin d fin ds data races in m ultithreaded program s • Callgrin d is a program profiler

• Massif is a heap profiler

L k i i l fil d t

In sure++

In sure++ is a run tim e m em ory an alysis an d error detection tool for C

an d C++ that autom atically iden tifies a variety of difficult to track

an d C++ that autom atically iden tifies a variety of difficult-to-track

program m in g an d m em ory-access errors, alon g with poten tial defects

an d in efficien cies in m em ory usage

• Corrupted heap an d stack m em ory

Errors that In sure++ detects in clude:

• Use of un in itialized variables an d objects

In sure++: Features

Detection of m em ory corruption on heap an d stack

Detection of un in itialized variables, poin ters, an d objects

Detection of m em ory leaks an d other m em ory allocation / free errors y y /

STL checkin g** for proper usage of STL con tain ers, an d related m em ory errors

Com pile tim e checks for type an d size related errors Com pile-tim e checks for type- an d size-related errors

Run tim e tracin g of fun ction calls

GUI an d com m an d lin e in terface

Mem ory error checkin g in 3rd party static an d dyn am ic libraries

Buffer Overflow Protection

Solution : Libsafe

Solution : Libsafe

Libsafe is a library which re-writes som e sen sitive libc fun ction s (strcpy strcat sprin tf vsprin tf getwd gets

fun ction s (strcpy, strcat, sprin tf, vsprin tf, getwd, gets, realpath, fscan f, scan f, sscan f) to preven t an y overflow caused by a m isuse of an y on e of them

It laun ches alerts when an overflow attem pt is detected

Libsafe in tercepts the calls to the un safe fun ction s an d uses its own im plem en tation of the fun ction in stead

While keepin g the sam e sem an tic, it adds detection of the boun d violation s

Com parin g Fun ction s of libc an d

libsafe

libsafe

Som e fun ction s of libc are un safe because

they do n ot check the boun ds of a buffer Im plem en tation of strcpy by libsafe: they do n ot check the boun ds of a buffer

Im plem en tation of strcpyby libc:

p e e a o o s cpy by bsa e

char *strcpy(char *dest, const

h * )

char *src) {

...

if ((len = strnlen(src, max size)) == max size)

real_memcpy(dest, src, len + 1); return dest;

The size of the dest buffer is n ot a factor for Fun ction libsafe_ die stops the process if

return dest; decidin g whether to copy m ore characters or n ot

Sim ple Buffer Overflow in C

name = (char *) malloc(10);

dangerous_system_command = (char *) malloc(128); printf("Address of name is %d\n" name);

printf("Address of name is %d\n", name);

printf("Address of command is %d\n", dangerous_system_command); sprintf(dangerous_system_command, "echo %s", "Hello world!");

Code An alysis

The first thin g the program does is declare two strin g variables an d assign m em ory to h

them

The "n a m e" variable is given 10 bytes of m em ory (which will allow it to hold a 10 -character strin g)

character strin g)

The "d a n ge ro u s _ s ys te m _ co m m a n d" variable is given 128 bytes

Code An alysis (con t’d)

~

To com pile the overrun .c program

R

thi

d i Li

~

Run this com m an d in Lin ux:

gcc overrun.c –o overrun

[XX]$ ./overrun

Address of name is 134518696

Address of command is 134518712

What's your name?xmen

Hello world!

[XX]$

~

The address given to the

"dangerous_system_command"

variable is 16 bytes from the start of the "n am e" variable

Code An alysis (con t’d)

The "

ge ts

", which reads a strin g from the stan dard in put to the

specified m em ory location , does n ot have a "len gth" specification

This m ean s it will read as m an y characters as it takes to get to the en d

of the lin e, even if it overrun s the en d of the m em ory allocated

Code An alysis (con t’d)

[XX]$ ./overrun

Address of name is 134518696 Address of command is 134518712

What's your name?0123456789123456cat /etc/passwd

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:

daemon:x:2:2:daemon:/sbin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm:

lp:x:4:7:lp:/var/spool/lpd:

sync:x:5:0:sync:/sbin:/bin/syncy y y

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt

What H appen ed Next

Sin ce the project was run n in g behin d schedule, he had to hurry through testin g.

hurry through testin g.

Tim had worked with the sam e team for his previous projects, an d all of the other projects had successful projects, an d all of the other projects had successful con clusion s. Therefore, he thought that n othin g would possibly go wron g with this on e. This n otion m ade him overcon fiden t about the testin g of this project.

But this tim e, he was n ot lucky. The web server of the

clien t com pan y had succum bed to a buffer overflow attack. This was due to a flaw in codin g because boun ds were n ot checked.

checked.

Sum m ary

A buffer overflow occurs when a program or process tries to store m ore data in a buffer

d h d d h ld

(tem porary data storage area) than it was in ten ded to hold

Buffer overflow attacks depen d on : the lack of boun dary testin g, an d a m achin e that can t d th t id i th d t / t k t

execute a code that resides in the data/ stack segm en t

Buffer overflow vuln erability can be detected by skilled auditin g of the code as well as boun dary testin g

boun dary testin g

Coun term easures in clude checkin g the code, disablin g stack execution , safer C library support an d usin g safer com piler techn iques

support, an d usin g safer com piler techn iques