Format String Attacks
Team BAM! Scott Amack, Everett Bloch, Maxine Major
Overview
• What is a Format String Attack?
• About Format Strings
• Anatomy of an Attack
• History
• Current Events
• Demo
• Conclusions
What are Format String Attacks?
• A class of software vulnerability discovered around 1999
• Uses C format functions to crash programs or execute harmful code
• The problem stems from unchecked user input reaching format functions
Format Strings
• Used in format functions: printf(), sprintf(), fprintf(), etc.
• Format functions take a variable number of arguments, one of which is called the format string:
printf("<format string>", arg1, arg2, ..., argn);
Format Strings
• % is an escape character: it pops the next argument from the stack, interprets its value according to the specifier that follows, and prints the result
• %s – pointer to an ASCIIZ (NUL-terminated) string
• %d – integer value
• %x – hexadecimal value, up to 8 digits
• %p – pointer value in hexadecimal; sized for a pointer, so more portable than %x
• %n – writes to memory the number of characters output so far
• The memory location is the int pointed to by the matching argument
• Usage: printf("Hello%n", &i); // i = 5
• %% – prints a literal %, does not pop any value
Format Strings
• Arguments are pushed onto the stack when printf is called
• Arguments are popped off in order as the format string references them (using "%")
• The first to be popped is the argument that comes after the format string
• There is no limit on the number of pops; if printf pops past its arguments it reads whatever else is on the stack, and the program may crash
Format Strings
• printf("i = %d, a = %d address of a = %x\n", i, a, &a);
• The printf function parses the format string one character at a time, printing everything that is not "%" to stdout
Format Strings
• An argument can be referenced directly using the $ symbol
• Usage: %<number>$<specifier>
• <number> – the argument's position in the stack; the first argument is 1
• <specifier> – s, d, x, n, etc.
• printf("%2$d\n", 6, 5); prints "5", because 5 is the second argument on the stack
Format Strings
• Some specifiers can specify the minimum number of characters to output
• Usage: printf("%25d", i);
• prints at least 25 characters to stdout
• the result is padded with blank space
• does not truncate
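The behaviours described on the last few slides (the %n write-back, positional %2$d selection, minimum field width and the literal %%), as an added example that is not part of the original deck. Each behaviour is wrapped in a function returning a checkable value, and snprintf is used in place of printf so nothing depends on stdout; the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the slides): the format-string behaviours the
 * slides describe, each returned from a function so they can be checked. */

/* %n: after "Hello" has been emitted, the count of characters written so
 * far (5) is stored through the int pointer passed as the matching argument. */
int chars_written_by_percent_n(void) {
    int count = -1;
    char buf[32];
    snprintf(buf, sizeof buf, "Hello%n", &count);
    return count;                        /* 5 */
}

/* %2$d: the positional form selects the second argument after the format,
 * so "%2$d %1$d" with (6, 5) produces "5 6"; the leading number is 5. */
int positional_argument_value(void) {
    char buf[32];
    snprintf(buf, sizeof buf, "%2$d %1$d", 6, 5);
    return atoi(buf);                    /* 5 */
}

/* %25d: a minimum field width pads with spaces on the left and never
 * truncates, so a single digit still yields 25 characters. */
size_t padded_width_length(void) {
    char buf[64];
    snprintf(buf, sizeof buf, "%25d", 7);
    return strlen(buf);                  /* 25 */
}

/* Ordinary characters are copied through unchanged, and %% emits one
 * literal percent sign without consuming any argument. */
int literal_percent_is_copied(void) {
    char buf[32];
    snprintf(buf, sizeof buf, "100%%");
    return strcmp(buf, "100%") == 0;     /* 1 */
}

int main(void) {
    printf("%%n count:        %d\n", chars_written_by_percent_n());
    printf("positional value: %d\n", positional_argument_value());
    printf("padded length:    %zu\n", padded_width_length());
    printf("literal %%:        %d\n", literal_percent_is_copied());
    return 0;
}
```

All four format strings here are literals, which is the safe case; the same specifiers become dangerous only when an attacker controls the format string itself, as the later slides show.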
Format String Attack
• Becomes possible when user input is the format string
• OK: printf("%s", user_input);
• Exploitable: printf(user_input);
• The user can input format specifiers that will be evaluated by printf
Format String Attack
• Repeated %x or %p specifiers print out a stack trace of the printf function
• this traverses the stack
• and is used to locate the format string on the stack
• %n can be used to overwrite memory at the address given by the currently popped value
• Repeated %s specifiers, or an excessive stack traversal, can kill the process
Format String Attack Strategy
Format string: <addr><NOP><shell-code><stack traversal + padding><%n>
ex) addr = 0x08a5ffbc
"\xbc\xa5\xff\xbc;;;;;;;;;;;;;;;;;;;;execl("/bin/bash", "bash", 0);%11$41002x%n"
• addr – address of what we want to overwrite, normally the printf return address, in little-endian representation
• NOP – a small NOP sled that leads to the shell-code (optional)
• shell-code – the attack's payload, simple code that starts the actual exploit with printf's privileges (optional)
• stack traversal – %x's or %<number>$x, which pop us to the format string's location
• padding – use %<number>x so that the number of characters output equals the value we want to write with %n; <NOP> can act as padding also
• %n writes the current number of characters output to the address specified by <addr>
<NOP> and <shell-code> are optional because sometimes the address to overwrite, <addr>, is something other than the printf return address.
Format String Attack Uses
• Overwrite the printf return address to execute shell-code
• Overwrite C library hooks such as __malloc_hook, __realloc_hook, and __free_hook, to jump to your code whenever those functions are called
• Overwrite the __atexit address to jump to your code whenever the exit() function is called
History
• First format string bugs were noted in 1990 at the University of Wisconsin while testing the C-shell; the bugs were referred to as "interaction effects"
• First identified as an attack vector in September 1999, in a security audit of the FTP daemon ProFTPd by Tymm Twillman
• It wasn't until June of 2000 that the full dangers of format string vulnerabilities as exploits were made public
History
• wu-ftpd 2.*
• free FTP daemon
• one of the first commercial programs exploited using format string attacks
• discovered by security.is
• had multiple format string vulnerabilities
• vulnerabilities persisted for over 6 years
• when attempting to log in, the username string was passed as a format string
• exploit impact gave the attacker remote root on the FTP server
• vulnerabilities were corrected by forcing user input to be an argument referenced by the format string
Format String Attacks
• Information about vulnerabilities: Mitre maintains the Common Vulnerabilities and Exposures (CVE) database, which currently lists 588 vulnerabilities of this type in current software. http://www.cve.mitre.org/
Recent Format String Attacks
• January 2013 – EMC AlphaStor 4.0 800
AlphaStor is software that provides media management and device sharing services for backup servers. The rrobotd.exe file is vulnerable to format string input via a vsnprintf call. It accepts incoming commands and is therefore vulnerable to a format string attack.
Recent Format String Attacks
• September 2012 – mcrypt: a program used to encrypt files on UNIX
• If you ran the program with the following command:
$ mcrypt --no-openpgp "%s.nc"
it could cause this type of attack because of how the input string was handled.
• The key thing to note is the %s in the filename.
Recent Format String Attacks
• August 2012 – Microsoft Windows XP, Vista, 7, Server 2003, Server 2008
• An attacker can send a crafted response to the print spooler and remotely execute code.
• Denial of service is also possible, making printer services unavailable.
Recent Format String Attacks
• June 2012 – VMware Workstation 8.x and VMware Player 4.x
• An OVF file, which helps automate distribution of virtual machines, could contain malicious content that exploits this format string vulnerability.
• This exploit could allow malicious code to be executed.
Format String Attacks Demo
What we can do with format string attacks:
1. Crash the program (DoS)
2. View the stack
3. View memory at arbitrary locations
4. Overwrite memory at arbitrary locations
5. Code execution
Conclusions
• Format functions can be used as an attack vector for format string attacks
• A format function has no bounds checking; it may pop as many times as the system allows.
• Be sure that the format string is a literal that references the variable(s): printf("%s\n", variablename);
• Format string attacks seem simple, but are still a very viable method of attack.
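The fix the conclusions recommend (and the OK-versus-exploitable contrast from the "Format String Attack" slide), as an added example that is not part of the original deck: a wrapper that keeps the format string a literal and passes untrusted text only as a %s argument, alongside a small scanner that flags strings containing conversion specifiers, useful as a pre-check or code-review aid wherever a string might be passed to a format function directly. The sample input below is constructed for the example, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): the safe pattern plus a detector for
 * untrusted strings that contain format conversions. */

/* Safe pattern: the format is a literal and the untrusted text is always an
 * argument, so "%x" or "%n" in the input is printed, never interpreted.
 * Returns the number of characters the formatted message would contain. */
int log_user_string(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, "user said: %s", untrusted);
}

/* Returns the number of conversion specifiers in s, i.e. every '%' that is
 * not part of a "%%" literal. A non-zero result for data that is about to
 * be used as a format string is a red flag. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Returns 1 when s contains a %n conversion, allowing flags, width,
 * precision, length modifiers and a positional "$" between the '%' and
 * the 'n'. %n is the specifier that turns a read into a memory write. */
int contains_percent_n(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("0123456789$-+ #.hlLqjzt", *q)) q++;
        if (*q == 'n') return 1;
    }
    return 0;
}

int main(void) {
    char buf[128];
    /* Constructed sample input mimicking the stack-traversal + %n pattern
     * from the attack-strategy slide. */
    const char *sample = "%x %x %11$41002x%n";

    log_user_string(buf, sizeof buf, sample);
    printf("%s\n", buf);                 /* the input appears verbatim */
    printf("conversions=%d contains_%%n=%d\n",
           count_conversions(sample), contains_percent_n(sample));
    return 0;
}
```

The scanner is deliberately conservative: any '%' that is not "%%" counts, so a benign "50% done" is reported too, which is the right bias for a check that gates what may reach printf-style functions. Compiler format warnings (-Wformat-security in GCC and Clang) catch the printf(user_input) form at build time and should be enabled alongside checks like this.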
Recap
• What is a Format String Attack?
• About Format Strings
• Anatomy of an Attack
• History
• Current Events
• Demo
• Conclusions
References
• Wikipedia. Format string attack. http://en.wikipedia.org/wiki/Format_string_attack
• Hanebutte, Oman. Software Vulnerability Mitigation: A Proper Subset of Software Maintenance. Journal of Software Maintenance and Evolution: Research and Practice, 2003.
• scut / team teso. Format String Vulnerabilities, 2001. http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf
• https://www.owasp.org/index.php/Format_string_attack
• http://en.wikipedia.org/wiki/Uncontrolled_format_string
• http://www.openwall.com/lists/oss-security/2012/09/06/8
• http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string
• http://archives.neohapsis.com/archives/bugtraq/2012-06/0192.html
• http://www.vmware.com/security/advisories/VMSA-2012-0015.html
• http://cxsecurity.com/issue/WLB-2013010167
• http://technet.microsoft.com/en-us/security/bulletin/ms12-054
• http://www.youtube.com/watch?v=E9gx0MflQm4
• http://www.youtube.com/watch?v=wLSYkYmfqJ8
• http://www.youtube.com/watch?v=GfEGzZoZY7g