Buffer Overflow Attacks Adrian Norris
Overview • Buffer Overflow Attacks explained • What are they? • How are they accomplished? • Simple Example • Buffer Overflow Mitigations • Explanation • Pros and cons • Buffer Overflow Alternatives • History
What are BOF attacks? • A Buffer Overflow, or BOF, attack corrupts data values in memory adjacent to a buffer by writing outside its bounds • Commonly occurs when copying character strings from buffer to buffer • Previously the dominant hacking technique • Requires a higher level of intimacy with memory layout than most attacks
Makeup of a BOF attack • Roughly put: • Discover vulnerable code • Overwrite the return address • New return address points to alternate code • Varies based on architecture, OS, and memory region
Stack Based Exploitation • Done in one of several ways: • Overwrite a local variable near the buffer • Overwrite the return address • Overwrite a function pointer or exception handler • Inject shellcode into the stack • The technique chosen must suit the platform
Heap Based Exploitation • Conceptually the same as stack based • Details differ: • Occurs in the heap • Generally much harder • Insert instructions into the heap and trick the program into executing them • Most mitigations focus on the stack rather than the heap
Simple BOF Example • Taken from the Open Web Application Security Project (OWASP) wiki
- Code (the unbounded gets() call into an 8-byte buffer is the deliberate bug):
    #include <stdio.h>
    #include <string.h>

    void doit(void)
    {
        char buf[8];
        gets(buf);              /* no length limit: input longer than 7 characters overflows buf */
        printf("%s\n", buf);
    }

    int main(void)
    {
        printf("So... The End...\n");
        doit();
        printf("or... maybe not?\n");
        return 0;
    }
- Compilation:
    rezos@dojo-labs ~/owasp/buffer_overflow $ gcc example02.c -o example02 -ggdb
    /tmp/cccbMjcN.o: In function `doit':
    /home/rezos/owasp/buffer_overflow/example02.c:8: warning: the `gets' function is dangerous and should not be used.
Simple BOF Example
- Output 1:
    rezos@dojo-labs ~/owasp/buffer_overflow $ ./example02
    So... The End...
    TEST                // user data on input
    TEST                // print out stored user data
    or... maybe not?
- Output 2:
    rezos@dojo-labs ~/owasp/buffer_overflow $ ./example02
    So... The End...
    TEST123456789
    TEST123456789
    Segmentation fault
Simple BOF Example • Obtaining an objdump allows for the analysis of necessary information for further exploitation
- objdump:
    080483be <main>:
    …
    80483cf: c7 04 24 bc 84 04 08    movl   $0x80484bc,(%esp)
    80483d6: e8 f5 fe ff ff          call   80482d0 <puts@plt>
    80483db: e8 c0 ff ff ff          call   80483a0 <doit>
    80483e0: c7 04 24 cd 84 04 08    movl   $0x80484cd,(%esp)
    80483e7: e8 e4 fe ff ff          call   80482d0 <puts@plt>
    80483ec: b8 00 00 00 00          mov    $0x0,%eax
    80483f1: 83 c4 04                add    $0x4,%esp
    …
Simple BOF Example • As an arbitrary demonstration, skip the second printf() call by overwriting the saved return address
- Output 3:
    rezos@dojo-labs ~/owasp/buffer_overflow $ perl -e 'print "A"x12 ."\xf9\x83\x04\x08"' | ./example02
    So... The End...
    AAAAAAAAAAAAu*.
    Segmentation fault
BOF Mitigations • Proper programming language application • Safe library usage • Executable Space Protection • Address Space Layout Randomization (ASLR) • Deep Packet Inspection (DPI) • Pointer Protection
Programming Languages • Be careful when settling on a programming language. • C/C++ have weak bounds checking when it comes to buffers • Other languages may raise a warning or exception: • E.g. Ada, Lisp, or D • Safety versus performance tradeoffs
Safe Library • C/C++ issue: • Low level buffer details exposed • Lack of buffer management • String and array data types • Avoid standard library functions which are not bounds checked: • E.g. gets(), scanf(), and strcpy() • Safe library alternatives: “The Better String Library” and Vstr • Provides a moderate amount of coverage
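An added example, not from the slides or the OWASP wiki, that serves the Simple BOF Example and this Safe Library slide together: the OWASP doit() rewritten with a bounded read, plus a checked copy helper that can stand in for strcpy(). The names read_line_bounded(), copy_checked() and doit_safe() are assumptions of this example, not library functions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same buffer size as the OWASP example */

/* Bounded replacement for gets(): fgets() stops after size-1 bytes, so an
 * input such as "TEST123456789" can never run past buf onto the saved
 * return address.  The trailing newline is stripped so the caller sees
 * only the data.  Returns the number of characters kept. */
size_t read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return 0;
    }
    buf[strcspn(buf, "\n")] = '\0';
    return strlen(buf);
}

/* Checked replacement for strcpy().  strncpy() is the usual substitute, but
 * it leaves dst unterminated when src fills it completely; this helper
 * always terminates and returns -1 when the source did not fit, so the
 * caller can reject oversized input instead of silently truncating. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;                      /* truncated: treat as an error */
    }
    memcpy(dst, src, n + 1);            /* fits, including the NUL */
    return 0;
}

/* Hardened doit(): behaves like the OWASP version for short input, but
 * long input is cut at BUF_SIZE-1 characters instead of smashing the stack. */
void doit_safe(void)
{
    char buf[BUF_SIZE];
    read_line_bounded(stdin, buf, sizeof buf);
    printf("%s\n", buf);
}

int main(void)
{
    printf("So... The End...\n");
    doit_safe();
    printf("or... maybe not?\n");       /* now always reached */
    return 0;
}
```

Piping the slides' long input into this build prints "TEST123" instead of crashing; the cost is that the program must decide what to do with truncated input, which is exactly the buffer-management work the slide says C leaves to the programmer.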
Executable Space Protection • Detects common BOF • On function return: was the stack altered? • Segmentation fault if yes • Example Systems • Libsafe • StackGuard and ProPolice gcc patches • Data Execution Prevention • SEH pointer explicitly protected • Stack splitting • One stack for data and one for function returns • Increases protection • Found in the Forth programming language
Executable Space Protection • Not a complete solution • Return-to-libc • Other attacks not reliant on executing the attacker’s code • Generally makes it more difficult
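An added example, not from the slides, of the "was the stack altered?" check that StackGuard and ProPolice compile into a function epilogue. The frame is modelled as an ordinary struct so the overflow stays inside defined behaviour: a guard word sits between the local buffer and a stand-in for the saved return address, and any copy that runs off the end of the buffer must pass through the guard. The struct name, the CANARY value and the SAVED_RET_MODEL placeholder are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY          0xDEADBEEFu   /* real StackGuard: random per run */
#define SAVED_RET_MODEL 0x080483E0u   /* constructed placeholder, not a real address */

/* Layout mirrors doit() from the OWASP example: buffer, then guard, then
 * the word that would hold the saved return address. */
struct frame_model {
    char     buf[8];      /* the vulnerable local buffer            */
    uint32_t canary;      /* guard written at function entry        */
    uint32_t saved_ret;   /* stands in for the saved return address */
};

/* Model an unbounded copy of `len` bytes into buf.  The copy is clamped to
 * the struct so the demonstration never touches memory outside the model. */
static void run_model(struct frame_model *f, const unsigned char *src, size_t len)
{
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->saved_ret = SAVED_RET_MODEL;
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);   /* overruns buf into the guard */
}

/* 1 if the guard survived (the epilogue may return), 0 if it was
 * overwritten (StackGuard aborts the process here instead of returning). */
int canary_intact(const unsigned char *src, size_t len)
{
    struct frame_model f;
    run_model(&f, src, len);
    return f.canary == CANARY;
}

/* 1 if the modelled return address is still untouched. */
int return_address_intact(const unsigned char *src, size_t len)
{
    struct frame_model f;
    run_model(&f, src, len);
    return f.saved_ret == SAVED_RET_MODEL;
}

int main(void)
{
    /* Constructed inputs mirroring the slides' two runs.  gets() also stores
     * the terminating NUL, so the copied length is strlen() + 1. */
    const char *inputs[] = { "TEST", "TEST1234", "TEST123456789" };
    for (size_t i = 0; i < 3; i++) {
        const unsigned char *p = (const unsigned char *)inputs[i];
        size_t n = strlen(inputs[i]) + 1;
        printf("%-14s canary %-9s return address %s\n", inputs[i],
               canary_intact(p, n) ? "intact," : "CLOBBERED,",
               return_address_intact(p, n) ? "intact" : "CLOBBERED");
    }
    return 0;
}
```

The middle input shows the point of the guard's placement: "TEST1234" fits the eight bytes but its NUL lands on the canary, so the overflow is reported one byte before anything reaches the return address.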
Address Space Layout Randomization (ASLR) • Arranges process data areas randomly • E.g. the base of the executable • Library, heap, and stack positions • Makes BOF more difficult • Forced to tailor attacks
Deep Packet Inspection (DPI) • Detects remote BOF exploits • Network perimeter • Uses attack signatures and heuristics • Blocks packets with known attack signatures or a detected NOP-sled • Not effective due to limitations • Known signatures only • Different ways to encode a NOP-sled • Alphanumeric, metamorphic, and self-modifying shellcode evade detection
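An added example, not from the slides, of the NOP-sled heuristic a DPI engine or IPS applies to a payload, and of the limitation the slide describes. The signature-style check flags a long run of 0x90 (x86 NOP) bytes; a sled built from any other byte value passes it, and the broader "any repeated byte" check that would catch it also fires on ordinary zero padding. The SLED_THRESHOLD value, the build_payload() helper and the "DATA" tail are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLED_THRESHOLD 16      /* constructed tuning value for the demo */

/* Length of the longest contiguous run of the byte `needle` in `p`. */
size_t longest_run_of(const unsigned char *p, size_t len, unsigned char needle)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (p[i] == needle) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Length of the longest run of any single repeated byte value. */
size_t longest_repeat(const unsigned char *p, size_t len)
{
    size_t best = len ? 1 : 0, cur = 1;
    for (size_t i = 1; i < len; i++) {
        cur = (p[i] == p[i - 1]) ? cur + 1 : 1;
        if (cur > best) best = cur;
    }
    return best;
}

/* Signature-style check: 1 = drop (classic 0x90 sled), 0 = pass. */
int classic_sled_detected(const unsigned char *p, size_t len)
{
    return longest_run_of(p, len, 0x90) >= SLED_THRESHOLD;
}

/* Heuristic check: 1 = drop (some byte repeated SLED_THRESHOLD+ times). */
int repeated_byte_detected(const unsigned char *p, size_t len)
{
    return longest_repeat(p, len) >= SLED_THRESHOLD;
}

/* Build a constructed payload: `run` copies of `filler` followed by a short
 * fixed tail standing in for the rest of the packet.  Returns the length. */
size_t build_payload(unsigned char *out, size_t cap, unsigned char filler, size_t run)
{
    static const unsigned char tail[] = "DATA";    /* constructed marker */
    size_t tail_len = sizeof tail - 1;
    if (run + tail_len > cap)
        run = cap - tail_len;
    memset(out, filler, run);
    memcpy(out + run, tail, tail_len);
    return run + tail_len;
}

int main(void)
{
    unsigned char pkt[64];
    size_t n;

    n = build_payload(pkt, sizeof pkt, 0x90, 32);   /* classic sled */
    printf("0x90 x32: classic=%d repeated=%d\n",
           classic_sled_detected(pkt, n), repeated_byte_detected(pkt, n));

    n = build_payload(pkt, sizeof pkt, 'A', 32);    /* alphanumeric-style filler */
    printf("'A'  x32: classic=%d repeated=%d\n",
           classic_sled_detected(pkt, n), repeated_byte_detected(pkt, n));

    n = build_payload(pkt, sizeof pkt, 0x00, 32);   /* benign zero padding */
    printf("0x00 x32: classic=%d repeated=%d  (false positive)\n",
           classic_sled_detected(pkt, n), repeated_byte_detected(pkt, n));
    return 0;
}
```

The three runs give the tradeoff in one screen: the signature check has no false positives but sees only the one encoding it knows, and the heuristic that widens coverage starts dropping legitimate traffic, which is why the slide counts DPI as a limited mitigation rather than a complete one.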
Pointer Protection • PointGuard: Compiler adds code to XOR-encode pointers • Encoded when stored, decoded before use • Attacker doesn’t know what a pointer points to after overwriting it • PointGuard never released • Microsoft’s Alternative • Similar approach to PointGuard • Windows XP SP2, Windows Server 2003 SP1 • API routine called by the programmer • Better performance, but requires additional programmer knowledge.
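An added example, not from the slides, of a PointGuard-style pointer encoding done by hand: a function pointer is stored XOR-ed with a per-process secret and decoded only at the call site, the same shape as the Windows EncodePointer/DecodePointer routines the slide alludes to. If an overflow overwrites the stored value with a raw address, the call site XORs that value with a key the attacker never saw, so control goes somewhere unpredictable rather than to the chosen address. The pointguard_init() hook, the fixed demo key and the callback_slot struct are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

typedef void (*handler_fn)(void);

static uintptr_t g_key;   /* PointGuard keeps this per process; never exported */

/* Assumed startup hook.  A fixed key is passed in the demo only so that the
 * run is deterministic; a real implementation draws it from the OS RNG. */
void pointguard_init(uintptr_t key) { g_key = key; }

uintptr_t  encode_ptr(handler_fn fn)    { return (uintptr_t)fn ^ g_key; }
handler_fn decode_ptr(uintptr_t stored) { return (handler_fn)(stored ^ g_key); }

static int handler_calls = 0;
void legit_handler(void) { handler_calls++; }

/* A stored callback as it would sit in a heap object or a stack frame. */
struct callback_slot { uintptr_t stored; };

/* Legitimate path: the slot holds the encoded value, decoding happens at
 * the call site.  Returns 1 if the handler was reached. */
int call_through_slot(struct callback_slot *s)
{
    handler_fn fn = decode_ptr(s->stored);
    if (fn != legit_handler)     /* demo-only guard so a bad decode is
                                    reported instead of executed */
        return 0;
    fn();
    return 1;
}

/* Model the overwrite: the slot receives a raw address `target` without
 * going through encode_ptr().  Returns 1 only if decoding still yields
 * `target`, i.e. only if the key is known to the writer (or is zero). */
int raw_overwrite_hits_target(uintptr_t target)
{
    struct callback_slot s = { target };
    return (uintptr_t)decode_ptr(s.stored) == target;
}

int main(void)
{
    pointguard_init(0x5A5A5A5Au);            /* constructed demo key */
    struct callback_slot s = { encode_ptr(legit_handler) };
    printf("legitimate call reached handler: %d\n", call_through_slot(&s));
    printf("raw overwrite lands on chosen address: %d\n",
           raw_overwrite_hits_target(0x41414141u));
    return 0;
}
```

The scheme protects only pointers that were stored through encode_ptr(); a programmer who forgets one site, or a process whose key is zero or guessable, gets no benefit, which is the "requires additional programmer knowledge" cost the slide notes for the Microsoft variant.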
Altered BOF attacks • NOP Sled • Register Usage • Alphanumeric Code • Metamorphic Code • Self-Modifying Code • Return-to-libc
NOP Sled • Oldest and most widely known • Solves the problem of finding the exact address of the buffer • Attacker guesses where the NOP sled is located • At the end is a jmp instruction to the shellcode • Need not contain traditional no-op instructions • Not without problems • Relies on luck • Requires that the buffer and stack not be small • Intrusion prevention systems look for it
Using Registers • Allows for exploitation without a NOP sled • No guessing stack offsets • Most common method for internet worms • Strategy: • Overwrite return address • Jump to a known pointer within a register • Points to shellcode
Example • i386 jmp esp opcode = FF E4 • Found inside DbgPrint • A two-byte sequence at a one-byte offset into a longer instruction • Attack • Overwrite the return address with 0x7C941EED • The return lands there and the bytes are interpreted as the opcode FF E4 • Jump to shellcode
Alphanumeric Code • Machine code written to resemble ASCII or Unicode • Uses 0-9, A-Z, and a-z characters • Working machine code appears to be text • Requires a strong understanding of an architecture’s instruction set • Possible to write code to execute on more than one machine • Similar to Printable Code which uses all printable characters
Metamorphic Code • Code that outputs its own code under a new interpretation • Translates binary code into a new representation, then into machine code • No part stays the same • Mutation performed in one of several ways • Mutated code accomplishes the same thing • May give the capability to infect different OSes or architectures • Differs from Polymorphic Code • Provides no protection against heuristic analysis
Self-Modifying Code • Code that alters its own instructions while executing. • Usually used to improve performance • Can be applied to make a BOF attack harder to detect
Return-to-libc • Usually starts with a BOF • Calls a preexisting function instead of injected code • Replaces the return address on the call stack • Overwrites the adjacent stack portion with the function’s parameters • No need to inject malicious code • libc is the most likely target • Could return anywhere • libc is usually linked • Provides many useful functions
Return-to-libc Mitigations • The attack is resistant to non-executable stacks • ASLR • Extremely unlikely to succeed on 64-bit machines • Little benefit on 32-bit machines
History behind BOF • Immense • Started in 1972: Computer Security Technology Planning Study • 1988: Morris Worm • 1996: Elias Levy (aka Aleph One) • Phrack Magazine – “Smashing the Stack for Fun and Profit” • 2000: Alexander Peslyak (aka Solar Designer) • Return-to-libc attack • 2001: Code Red Worm • 2003: SQL Slammer Worm • 2003+: Xbox Modchips, PS2 Independence Exploit, Wii Twilight Hack
Recap • Buffer Overflow Attacks explained • What are they? • How are they accomplished? • Simple Example • Buffer Overflow Mitigations • Explanation • Pros and cons • Buffer Overflow Alternatives • History
Bibliography
• "Buffer Overflow." Wikipedia. Wikipedia, 25 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Buffer_overflow>.
• "Buffer Overflow Attack." OWASP. OWASP, 7 2009. Web. 3 Dec 2012. <https://www.owasp.org/index.php/Buffer_overflow_attack>.
• Ogorkiewicz, Maciej, and Piotr Frej. "Analysis Of Buffer Overflow Attacks." Window Security. Window Security, 8 2008. Web. 5 Dec 2012. <http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html>.
Bibliography cont.
• "Past, Present, and Future of Windows Exploitation." Abyssec Security Research. Abyssec Security Research. Web. 3 Dec 2012. <http://www.abysssec.com/blog/tag/buffer-overflow/>.
• "Alphanumeric Code." Wikipedia. Wikipedia, 25 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Alphanumeric_code>.
• "Metamorphic Code." Wikipedia. Wikipedia, 8 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Metamorphic_code>.
Bibliography cont.
• "Self-Modifying Code." Wikipedia. Wikipedia, 19 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Self-modifying_code>.
• "Return-to-libc Attack." Wikipedia. Wikipedia, 12 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Return-to-libc_attack>.