This talk surveys memory corruption vulnerabilities reported since 2002 and their exploitation methods (stack-based overflow, heap overflow, exception-handling errors, and more), the protection measures against them, and the emerging threat of return-oriented and jump-oriented programming.
Exploitation possibilities of memory related vulnerabilities
László ERDŐDI, PhD, CEH, SSCP
Óbuda University, John von Neumann Faculty of Informatics, Department of Software Technology
Memory corruption vulnerabilities since 2002
[Chart: memory corruption vulnerabilities per year, x-axis 2002 to 2011, y-axis 100 to 400; examples called out: CVE-2013-4974, CVE-2013-4206, CVE-2013-3348]
Virtual address space (diagram: virtual memory mapped onto physical memory, with the following regions)
• Stack: local variables, method parameters, exception handling data, return addresses
• Dynamically linked shared libraries (libc)
• Heap: dynamic variables
• Data segment: global variables
• Code segment: compiled code
Main causes and exploitation methods
• Lack of input validation within methods (strcpy, gets, etc.): stack-based overflow (placing harmful code on the stack, ROP, JOP)
• Dynamic memory allocation problems (use after free, double free vulnerabilities) and heap overflow (function pointer overwrite + heap spray)
• Exception handling errors (SEH overwrite)
• Others
Classic example of buffer overflow (stack diagram: Method1's fixed-size array d sits in its frame below the saved return address; the argument a is copied into d without a length check, so an a longer than d overwrites what lies above it, and the code segment is reached through the corrupted return address)

    Method1(a) {
        d : fixed size array
        copy a to d
    }
    Method2() {
        Method1(a);
    }
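The frame corruption sketched above, as an added example that is not part of the slides: a byte array stands in for Method1's stack frame, with d at the bottom and four bytes at a fixed offset playing the saved return address. The frame layout, the constant LEGIT_RET and the attack string are constructed for the demonstration; the unchecked strcpy is the slides' "copy a to d", and the bounded variant beside it is the fix.

```c
/* Added example, not from the slides: the slides' Method1 modelled with a
 * byte array standing in for the stack frame. d occupies the bottom D_SIZE
 * bytes; the 4 bytes at RET_OFFSET stand in for the saved return address.
 * Frame size, offsets, LEGIT_RET and the inputs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define D_SIZE      8            /* size of the fixed array d */
#define FRAME_SIZE  16           /* d, padding, then the saved return address */
#define RET_OFFSET  12
#define LEGIT_RET   0x08048400u  /* stand-in for the caller's address */

static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Unchecked copy, as in the slides' Method1. Returns the value found in the
 * return-address slot afterwards; anything other than LEGIT_RET means the
 * copy ran past d. Returns 0 if a would not fit the modelled frame at all,
 * purely so the model itself stays well defined (the real bug has no guard). */
uint32_t method1_vulnerable(const char *a) {
    unsigned char frame[FRAME_SIZE];
    if (strlen(a) + 1 > FRAME_SIZE) return 0;
    memset(frame, 0, sizeof frame);
    store_le32(frame + RET_OFFSET, LEGIT_RET);
    strcpy((char *)frame, a);   /* no bound on a: strlen(a)+1 bytes land in d */
    return load_le32(frame + RET_OFFSET);
}

/* Bounded copy: at most D_SIZE-1 bytes plus the terminator land in d, so
 * the return-address slot is never touched whatever the length of a. */
uint32_t method1_fixed(const char *a) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    store_le32(frame + RET_OFFSET, LEGIT_RET);
    size_t n = strlen(a);
    if (n > D_SIZE - 1) n = D_SIZE - 1;   /* truncate instead of overflowing */
    memcpy(frame, a, n);
    frame[n] = '\0';
    return load_le32(frame + RET_OFFSET);
}

int main(void) {
    /* Constructed input: 12 filler bytes reach RET_OFFSET, the next bytes
     * ("BCD" plus the terminator) become the new return address. */
    const char *attack = "AAAAAAAAAAAABCD";
    printf("vulnerable: 0x%08x\n", method1_vulnerable(attack));
    printf("fixed:      0x%08x\n", method1_fixed(attack));
    return 0;
}
```

On a real x86 stack the same 12-byte distance between d and the saved return address would be decided by the compiler's frame layout and any padding, which is why exploits first measure that offset; the model fixes it at RET_OFFSET so the effect is deterministic.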
Avoiding DEP: return-oriented programming (ROP), Shacham, 2007
• No executable code is placed on the stack; the stack holds only a series of memory addresses (of gadgets: short instruction sequences that end in ret) and their parameters
[Diagram: stack layout "memory addr 1, memory addr 2, parameter 1, parameter 2, memory addr 3, parameter 4"; gadgets "instruction 1; ret", "instruction 2; ret", "instruction 3; ret"]
Jump-oriented programming (JOP), Bletsch, Jiang, Freeh, 2011
• Attack execution without using the stack for control flow (not affected by stack cookies or a return-less kernel; usable on register machines)
• A dispatcher gadget increments the index pointer into a dispatcher table and jumps to the address it currently points at; each functional gadget ends in a jmp back to the dispatcher
[Diagram: dispatcher table "memory addr 1, memory addr 2, parameter 1, parameter 2, memory addr 3, parameter 4"; gadgets "instruction 1; jmp", "instruction 2; jmp", "instruction 3; jmp"]
Protection against memory corruption (attack vs. defence matrix from the slide)
Attacks: stack overflow, return to libc, unhandled exceptions, heap overflow (double free, use after free), ROP, JOP
Defences, with the slide's question marks kept: SEH chain rewrite, return address checking?, control flow integrity?; heap overflow: ?
Jump Oriented Programming – dispatcher gadgets in shared libraries (Erdődi, 2013)
Return- and jump-oriented programming: requirements for Turing-completeness (Kornau: ARM, 2009; Buchanan, Roemer: RISC, 2008)
• Arbitrary code execution
• Loading variables from memory
• Writing variables to memory
• Branches
• Loops
• Method calls
Example: how to carry out conditional statements with return-oriented programming?
• Method 1: write the addresses of the false branch and the true branch into writable memory, then set esp through indirect addressing (31 gadgets).
• Method 2: load the distance between the false-branch and true-branch addresses into a register and add it to esp if the condition is true (17 gadgets).
• Method 3: use a gadget that evaluates the condition and jumps at the same time (5 gadgets).
[Diagram: gadgets "instruction 1; ret", "instruction 2; ret", "instruction 3; ret"]
Description language for return- and jump-oriented programming
write: e.g. placing "net user add user passw" in the data segment
  write:00400000:net user add user passw expands into
    write4:00400000:"net "
    write4:00400004:"user"
    write4:00400008:" add"
    write4:0040000c:" use"
    write4:00400010:"r pa"
    write3:00400014:"ssw"
write4:address:value is implemented by the gadget sequence
    gadget1: pop reg1
    gadget2: pop reg2
    gadget3: mov [reg1], reg2
Alternative sequence (address and value each assembled from two popped halves)
    gadget1: pop reg1
    gadget2: pop reg2
    gadget3: add reg1, reg2
    gadget4: pop reg3
    gadget5: pop reg4
    gadget6: add reg3, reg4
    gadget7: mov [reg1], reg3
Description language for return- and jump-oriented programming
    write:address:value
    call:address:param1:param2:…:paramn
      e.g. call:fopen_address:filename_string:filemod
    if:condition:address_true:address_false
Description language for return- and jump-oriented programming: sample program (left: symbolic form, right: concrete form)
    1: write:dataseg_addr1:filename_string        write:00400000:try.txt
    2: call:fopen_address:dataseg_addr1:filemod   call:7c560122:00400000:0
    3: if:address_of_gadget_cmp eax,0:6:4         if:77c7d230:6:4
    4: write:dataseg_addr2:name_of_executable     write:00400010:cmd.exe
    5: call:winexec_addr:dataseg_addr2            call:7d77501c:00400010
    6: call:exitprocess_addr                      call:7c210254
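The write primitive and the Method 2 conditional described above (the write4 gadget sequence on the description-language slide and the "add the branch distance to esp" technique on the conditional-statements slide), as an added example that is not part of the slides: a toy return-oriented machine in which gadget "addresses" are indices into a gadget table, the chain is an array of words laid out as "memory addr / parameter" like the ROP stack on the slides, and every gadget ends in a simulated ret that fetches the next address from the chain. The gadget set, the 32-byte data segment and the chains are constructed for the demonstration.

```c
/* Added example, not from the slides: a toy return-oriented machine.
 * Gadget "addresses" are indices into a gadget table; the chain is an
 * array of words holding gadget addresses and their parameters. Every
 * gadget ends in a simulated ret that pops the next address. The gadget
 * set, the data segment and the chains below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t word;

enum gadget {
    G_POP_R1 = 1,        /* pop reg1 ; ret */
    G_POP_R2,            /* pop reg2 ; ret */
    G_STORE_R2_AT_R1,    /* mov [reg1], reg2 ; ret   (the write4 primitive) */
    G_CMP_R2_ZERO,       /* cmp reg2, 0 ; ret        (sets zf) */
    G_ADD_ESP_R1_IF_ZF,  /* if zf: add esp, reg1 ; ret  (Method 2 branch) */
    G_HALT               /* end of chain */
};

typedef struct {
    word reg1, reg2;
    int zf;
    size_t sp;                 /* index of the next chain word ("esp") */
    unsigned char data[32];    /* writable data segment */
} rop_machine;

/* Execute the chain. Returns the number of gadgets run, or -1 on a bad
 * gadget address, a pop past the end of the chain or an out-of-range store. */
int rop_run(rop_machine *m, const word *chain, size_t len) {
    int steps = 0;
    m->sp = 0;
    while (m->sp < len) {
        word gadget = chain[m->sp++];      /* the ret that enters this gadget */
        steps++;
        switch (gadget) {
        case G_POP_R1: if (m->sp >= len) return -1; m->reg1 = chain[m->sp++]; break;
        case G_POP_R2: if (m->sp >= len) return -1; m->reg2 = chain[m->sp++]; break;
        case G_STORE_R2_AT_R1:
            if (m->reg1 > sizeof m->data - 4) return -1;
            for (int i = 0; i < 4; i++)    /* little-endian 4-byte store */
                m->data[m->reg1 + i] = (unsigned char)(m->reg2 >> (8 * i));
            break;
        case G_CMP_R2_ZERO: m->zf = (m->reg2 == 0); break;
        case G_ADD_ESP_R1_IF_ZF: if (m->zf) m->sp += m->reg1; break;
        case G_HALT: return steps;
        default: return -1;
        }
    }
    return steps;
}

/* Expand write:addr:string into the write4 sequence from the slides
 * (pop reg1 ; pop reg2 ; mov [reg1], reg2) per 4-byte chunk, then halt.
 * Returns the chain length in words, or 0 if cap is too small. */
size_t rop_emit_write(word *chain, size_t cap, word addr, const char *s) {
    size_t n = 0, len = strlen(s) + 1;       /* include the terminator */
    for (size_t off = 0; off < len; off += 4) {
        word v = 0;
        for (size_t i = 0; i < 4 && off + i < len; i++)
            v |= (word)(unsigned char)s[off + i] << (8 * i);
        if (n + 5 > cap) return 0;
        chain[n++] = G_POP_R1; chain[n++] = addr + (word)off;
        chain[n++] = G_POP_R2; chain[n++] = v;
        chain[n++] = G_STORE_R2_AT_R1;
    }
    if (n + 1 > cap) return 0;
    chain[n++] = G_HALT;
    return n;
}

/* Place the slides' "net user add user passw" at data offset 0, run the
 * chain and copy the data segment to out. Returns gadgets executed or -1. */
int rop_write_demo(char *out, size_t outcap) {
    rop_machine m = {0};
    word chain[64];
    size_t n = rop_emit_write(chain, 64, 0, "net user add user passw");
    if (n == 0) return -1;
    int steps = rop_run(&m, chain, n);
    if (steps > 0) snprintf(out, outcap, "%s", (const char *)m.data);
    return steps;
}

/* Method 2 from the slides: the distance to the true branch is popped into
 * reg1 and added to esp only when the compare set zf. Returns the byte
 * written by whichever branch ran ('T' or 'F'), '?' on error. */
char rop_branch(word value) {
    rop_machine m = {0};
    const word chain[] = {
        G_POP_R2, value,
        G_CMP_R2_ZERO,
        G_POP_R1, 6,                /* 6 words = length of the false branch below */
        G_ADD_ESP_R1_IF_ZF,
        /* false branch (value != 0): write 'F' to data[0] */
        G_POP_R1, 0, G_POP_R2, 'F', G_STORE_R2_AT_R1, G_HALT,
        /* true branch (value == 0): write 'T' to data[0] */
        G_POP_R1, 0, G_POP_R2, 'T', G_STORE_R2_AT_R1, G_HALT,
    };
    if (rop_run(&m, chain, sizeof chain / sizeof chain[0]) < 0) return '?';
    return (char)m.data[0];
}

int main(void) {
    char buf[32];
    printf("%d gadgets -> \"%s\"\n", rop_write_demo(buf, sizeof buf), buf);
    printf("if 0 -> %c, if 7 -> %c\n", rop_branch(0), rop_branch(7));
    return 0;
}
```

The branch distance (6 words here) is the same quantity the slides' Method 2 loads into a register: it is the size in stack words of the false branch that esp has to skip, so it must be recomputed whenever the false branch changes length, which a compiler for the description language would do for every if.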
Summary
• Memory related vulnerabilities are extremely dangerous and evolving quickly
• The trend is towards reusing legitimate code for attacks (ROP, JOP)
• Several open questions remain to be solved