400 likes | 423 Views
C Secure Coding: Format String Vulnerability Igor Sobinov 2018. 2 8 .0 3 .2019. Agenda. Vulnerability definition Types of format vulnerability Vulnerability Examples Mitigations. Format String Vulnerability: Overview. Format string vulnerability class was discovered in 2001
E N D
C Secure Coding: Format String VulnerabilityIgor Sobinov 2018 28.03.2019
Agenda • Vulnerability definition • Typesof format vulnerability • Vulnerability Examples • Mitigations
Format String Vulnerability: Overview Format string vulnerability class was discovered in 2001 Format string vulnerabilities are a class of vulnerabilities that take advantage of an easily avoidable programmer error. If the programmer passes an attacker-controlled buffer as an argument to a printf* function, the attacker can perform read and writes access to arbitrary memory addresses.
Format String Vulnerability: Overview • Format string vulnerability denial of service attacks are characterized by utilizing multiple instances of the “%s” format specifier to read data off of the stack until the program attempts to read data from an illegal address, which will cause the program to crash. • Format string vulnerability reading attacks typically utilize the %x format specifier to print sections of memory or stack that we do not normally have access to. • Format string vulnerability writing attacks utilize the %d, %u or %x format specifiers to overwrite the Instruction Pointer and force execution of user-supplied shell code.
Format String Vulnerability: Definition A format string is a way of telling the C compiler how it should format numbers and other values when it prints them or store to the buffer. It is a ASCII string used to specify and control the representation of different variables. In the C programming language there are a number of functions which accept a format string as an argument: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf. OS specific: syslog, setproctitleetc.
Format String Vulnerability: Definition They called variadic functions: accept variable number of arguments. Arguments are expected to be placed on the stack. Function prototype: intprintf(const char *format, ...); printf (“The area code is: %d”, 505);
Format String Vulnerability: Format specifiers Format Conversion specifiers:
С++ Secure Coding: Program Stack • Format string vulnerability is very close to the buffer overflow vulnerability. • The stack itself can be viewed as a kind of buffer • The sizeof that bufferis determined by the number and size of the arguments passed to a function • Providing a incorrect format string thus induces the program to overflow that “buffer”
С++ Secure Coding: sprintf sprintf is particularly interesting from a security standpoint because it "prints" formatted data to a buffer. Aside from the possibility of a format-string vulnerability, using this particular function can lead to buffer overflow vulnerabilities and should usually be replaced with its length-checking cousin snprintf.
Format String Vulnerability: Examples • Format Conversion advantages: • printf(“%1000x”, l); //Space padding is 1000 symbols • 0 • printf(“%2$x”, 1, 2, 3); //Direct parameter access. Issues on gcc“invalid %N$ use detected” • 2 • printf(“%200$x”) • printf(“%n”, &some_variable); //Writes four bytes • printf(“%hn”, &some_variable); //Writes two bytes • printf(“%100x%2$hn”, 0, &some_variable); //Writes 100 to 2 bytes to “some_variable” • 0
Format String Vulnerability: Examples • printf(“%s”): prints bytes pointed to by that stack entry • :(�� • printf(“%d %d %d %d”): prints a series of stack entries as integers • -735270568 0 4195808 1871788256 • printf(“%08x %08x %08x %08x”): same but nicely formatted hex • 27e37e68 00000000 004005e0 dadd58e0 • printf(“100% dave”): prints stack entry 4 bytes above the saved %eip because format ignores spaces between “%d” and “d” • 100-1973053272ave • printf(“100% no way!”): writes the number 3 to address pointed to by stack entry. %n ignores all spaces between “%” and “n” • 100o way!
Format String Vulnerability: Attacks • Crashing the program: printf ("%s%s%s%s%s%s%s%s%s%s%s%s"); • Viewing the stack: printf ("%08x %08x %08x %08x %08x\n"); • Viewing memory at any location • Writing an integer to nearly any location in the process memory
Format String Vulnerability: Program Stack Types of programs memory: Text: This is where the code for the program is. Initialized data: This is where global variables that have been declared and given a value are stored. Uninitialized data/BSS: This is where global variables that have been declared but not given a value are stored. Stack: The stack keeps track of the program execution and stores local variables. We'll talk about the stack more soon. Heap: The heap is where dynamic memory allocation takes place. A programmer can utilize the heap to store variables which are only needed for a short period of time and so can be removed from memory later to optimize the program.
Format String Vulnerability: Program Stack • Stack keeps track of what function is being executed and the local variables that are defined within that function. • When a function is called, a data structure called a stack frame is created. • Each function has its own stack frame which contains • local variables for that function, • parameters passed to the function when it was called, • return address which specifies what instruction the program should execute next once the function is done. • The ESP register stores current stack pointer
Format String Vulnerability: Program Stack (x86) Stack Grows Memory Addresses
Format String Vulnerability: Program Stack Layout Stack Grows
Format String Vulnerability: Program Stack Layout Stack Grows
С++ Secure Coding: Program Stack void test (void* addr, char* fmt) { intlocal_var = 0; printf(fmt); } fmt addr return address saved ebp local_var fmt_string return address
С++ Secure Coding: The exploit addr = 0x41414141; fmt = “%p %p %p %p %p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } arg6 arg5 arg4 arg3 arg2 fmt_string return address
С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%p %p %p %p %p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “0x0, 0xfffca010 0x8040a10 0x41414141 0xfffeafa0” fmt addr return address saved ebp local fmt_string return address
С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%4$p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “0x41414141” fmt addr return address saved ebp local fmt_string return address
С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%0100x%4$p” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “<…100 0..>0x41414141” fmt addr return address saved ebp local fmt_string return address
С++ Secure Coding: Program Stack addr = 0x41414141; fmt = “%0100x%4$n” void test (void* addr, char* fmt) { int local = 0; printf(fmt); } “<…100 0..> write 100 to addr” written 100 to 0x41414141 fmt addr return address saved ebp local fmt_string return address
Format String Vulnerability: Sudo format string vunerability Feb 2012: “sudo format string vulnerability” CVE-2012-0809 allows to get root shell for any logged in user. Most of Linux distributives were affected: Fedora, Ubuntu, Debian, etc. It looks like sudo creators didn’t use or ignore GCC format-related compilation flags or warnings. Top level projects that were affected to format string vulnerability: Axiom mail server, Pigeon instant messenger, CUPS (Common Unix Printing System)
Format String Vulnerability: sudoformat string vulnerability void sudo_debug(int level, const char *fmt, ...) { va_listap; char *fmt2; if (level > debug_level) return; /* Backetfmt with program name and a newline to make it a single write */ easprintf(&fmt2, "%s: %s\n", getprogname(), fmt); va_start(ap, fmt); vfprintf(stderr, fmt2, ap); va_end(ap); efree(fmt2); } Here getprogname() is argv[0] and by this user controlled. So argv[0] goes to fmt2 which then gets vfprintf()-edto stderr. The result is a Format String vulnerability. Exploit.
Format String Vulnerability: Demo “Dead beef” #include <stdio.h> int num1 = 0xdead; int main(intargc, char **argv){ int num2 = 0xbeef; int *ptr = &num1; printf(argv[1]); if (0xabc == num1){ printf(“Global done"); } if(0xdef == num2) printf(“Local done"); printf("\n num1: 0x%x [%p] num2: 0x%x [%p]\n", num1, &num1, num2, &num2); return 0; }
Format String Vulnerability: Mitigations • The good thing about format-string vulnerabilities is that they are relatively easy to find in a source-code audit. • Always specify a format string as part of program, not as an input. Most format string vulnerabilities are solved by specifying “%s” as format string and not using the data string as format string. • Number of arguments should be the same as number of format specifiers. • -fstack-protector (alloca and buffers > 8 bytes) • -fstack-protector-all • FormatGuard: Automatic Protection From printf Format String Vulnerabilities
Format String Vulnerability: Mitigations Address randomization: just like the countermeasures used to protect against buffer-overflow attacks, address randomization makes it difficult for the attackers to find out what address they want to read/write. # cat /proc/sys/kernel/randomize_va_space 2 # sysctl -a --pattern randomize kernel.randomize_va_space = 2 0 = Disabled 1 = Conservative Randomization 2 = Full Randomization To support ASLR an application should be build against “Position Independent Executable” (PIE) support. GCC “-fPIE” option is used for it
Format String Vulnerability: _FORTIFY_SOURCE • _FORTIFY_SOURCE is a kind of GCC feature test macro (man 7 feature_test_macros) • gcc-D_FORTIFY_SOURCE=1 adds checks at compile-time only (some headers are necessary as #include <string.h>) • gcc-D_FORTIFY_SOURCE=2 also adds additional checks at run-time (detected buffer overflow terminates the program)
Format String Vulnerability: _FORTIFY_SOURCE *** %n in writable segment detected *** Aborted On x86, use of "%n" in a format string is limited to read-only memory (not stack or heap allocated strings). *** invalid %N$ use detected *** Aborted (core dumped) Format string positional values are being skipped, which means their type (and size on the stack) cannot be checked. This could cause unexpected results including stack content leaks, especially when using %n. This is invalid, for example: printf("%2$s\n", 0, "Test"); because position 1 is skipped.
Format String Vulnerability: Mitigations • VC: Possible to use VC SAL annotation “_Printf_format_string_” tell compiler to validate the format string: • #define FORMAT_STRING(p) _Printf_format_string_ p • extern void log_error(FORMAT_STRING(const char* format), ...); • GCC: __attribute__(__format__) • format (archetype, string-index, first-to-check) • extern int • my_printf (void *my_object, const char *my_format, ...) • __attribute__ ((format (printf, 2, 3)));
Format String Vulnerability: Format security -Wformat: Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense. -Wformat-security: If -Wformat is specified warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf (foo) -Wformat-nonliteral:If -Wformat is specified, also warn if the format string is not a string literal and so cannot be checked
Format String Vulnerability: Format security Enables compile-time warnings about misuse of format strings, some of which can have security implications. Failure examples: warning: format ‘%s’ expects type ‘char *’, but argument 3 has type ‘int’ For packages that aren't already building with -Wall, format character to argument types will be checked. Verify the correct variables for a given format string.
Format String Vulnerability: Format security warning: format not a string literal and no format arguments This is caused by code that forgot to use "%s" for a *printf function. For example: fprintf(stderr,buf); should be: fprintf(stderr,"%s",buf); Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.
Format String Vulnerability: Automation code scan • RATS, the Rough Auditing Tool for Security is a free source-code scanner • Flawfinder: Open source scanner that examines C/C++ source code and reports possible security weaknesses • Veracode: commercial code scanner
Security Design Principles Appendix
References Hacking: The Art of Exploitation