Format String Vulnerabilities
Paper by: Scut/team teso, September 1, 2001

Overview
Exploit of the ANSI C format functions. Occurs when an attacker can provide the format string, in part or as a whole.
Proper use (the untrusted string is passed as data to a fixed format):
    void print_msg( char *msg ) { printf( "%s\n", msg ); }
Vulnerable use (the untrusted string is itself the format):
    void print_msg( char *msg ) { printf( msg ); }
Attacks
Crash the program. View stack contents. View any memory location in the process. Change any memory location in the process. Take control of the process. Execute system commands.

Why cover it?
No longer common: compilers will flag vulnerable use (a non-literal format string with no arguments).
An ideal teaching vehicle: exploitation requires an understanding of the stack, function calls, pointers, decimal/hexadecimal, assembly code, binary analysis, and the PLT/GOT.
Serves as an example of how arbitrary memory corruption can lead to code execution by an adversary.

Format Functions
Many format functions: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf.
Others that take format strings: setproctitle, syslog, err*, verr*, warn*, vwarn*.

Variable Arguments
In C, a variable number of arguments can be passed to functions. The called function must determine the number and type of arguments itself. For the format functions, the format string tells the function what arguments to expect; nothing checks that the caller actually supplied them.
Stack
In the printf() call below there is a single argument and no variable arguments, so printf() should never access anything in the print_msg() frame.
    void print_msg( char *msg ) {
        char buffer[512];
        strncpy( buffer, msg, 511 );
        buffer[511] = '\0';
        printf( buffer );
    }
[Figure: stack layout with the print_msg() frame above the printf() frame, the VARARG ptr pointing at printf()'s argument area, and an arrow marking the direction of stack growth]

But...
What if the buffer contains a string like: "%s %s %s %s %s"
Each %s advances the VARARG ptr one word further into the print_msg() frame and causes that stack value to be interpreted as a pointer to a string (most likely crashing the program)!
[Figure: same stack layout as above, with the VARARG ptr walking up into the print_msg() frame; print_msg() code is the same as on the previous slide]

Reading Stack Memory
An attacker can read stack memory with a string like this: "%08x %08x %08x %08x %08x"
Each stack word above the printf() stack frame will be printed in hexadecimal. Given a large enough buffer, potentially all of stack memory can be retrieved.
[Figure: same stack layout, each %08x consuming one word above the printf() frame; print_msg() code is the same as on the Stack slide]
Reading Arbitrary Memory
Notice that in this case the buffer itself is on the stack. If the buffer contains something like: "AAAA_%08x_%08x…|%s"
then the %08x specifiers move the VARARG ptr until it points at the word holding "AAAA" (which is 0x41414141), and the %s then displays the memory at that address.
[Figure: VARARG ptr positioned on the "AAAA" word inside the buffer]

Writing Arbitrary Memory
Using a similar approach we can modify memory with the %n specifier. If the buffer contains something like: "AAAA_%08x_%08x…%n"
then the %08x specifiers move the VARARG ptr until it points at the word holding "AAAA" (which is 0x41414141), and the %n then writes the current count of bytes output so far to that address.
[Figure: VARARG ptr positioned on the "AAAA" word inside the buffer]

Writing Arbitrary Memory
The count can be incremented with format specifiers like %<num>u, where <num> is an integer field width.
Types of exploits:
Update the return pointer on the stack to point at code stored in the buffer.
Update a GOT (Global Offset Table) pointer to point at code stored in the buffer, or to redirect calls to powerful functions such as system().
Write code on the heap and use the above methods to run it.
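Added example (not part of the original slides): the vulnerable print_msg() from the slides beside its fixed form, plus a small scanner that counts conversion directives in an untrusted string and flags the %n directive the slides describe as the write primitive. A non-zero directive count in data that is about to be used as a format string is the red flag a code review or input check should catch. The helper names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form from the slides: the untrusted string IS the format.
   Modern compilers warn about this (e.g. gcc -Wformat-security). */
void print_msg_vulnerable(const char *msg) {
    char buffer[512];
    strncpy(buffer, msg, 511);
    buffer[511] = '\0';
    printf(buffer);
}

/* Hardened form: the untrusted string is an argument to a fixed format,
   so any '%' it contains is printed literally and never interpreted. */
void print_msg_safe(const char *msg) {
    printf("%s\n", msg);
}

/* Scans s for conversion directives. "%%" is a literal percent, not a
   directive. Returns the directive count and sets *has_n if a %n is seen. */
static int scan_format(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
        /* skip flags, width, precision, positional '$' and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q)) q++;
        if (*q == 'n') *has_n = 1;
        if (*q == '\0') break;
        p = q;
    }
    return count;
}

int count_directives(const char *s)    { int n; return scan_format(s, &n); }
int contains_n_directive(const char *s) { int n; scan_format(s, &n); return n; }

int main(void) {
    const char *input = "%08x %08x %08x %08x %08x";   /* constructed sample */
    printf("directives: %d, has %%n: %d\n",
           count_directives(input), contains_n_directive(input));
    print_msg_safe(input);   /* prints the text literally; no stack words leak */
    return 0;
}
```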
Homework Scaffolded levels for leveraging format string vulnerabilities