Buffer Overflows with Content
Transcript of Buffer Overflows with Content
1
Buffer Overflows with Content
2
A Process Stack
3
Buffer Overflow
• Common Techniques employed in buffer overflow exploits to create backdoors– Execution of additional network services via the
INETD daemon– The addition of new users to a system– Establishing a “trust” relationship between the
victim machine and the attacker’s machine
4
Example - AMD Buffer Overflow
Port 2222 is a rootshell left by the AMD exploit
5
Detecting Buffer Overflows by Protocol Signatures
• Protocol Signature– Look for anomalous traffic, such as remote traffic
targeted at facilities that should not be accessible to a remote user.
• e.g. a remote user trying to connect to the Portmapperprocess
• Payload Signature– No-OP instructions to pad the exploit code– Script signatures– Abnormal user data and responses
6
IMAP Buffer Overflow
7
IMAP Buffer Overflow – Con’t
8
IMAP Buffer Overflow – Con’t
9
IMAP Buffer Overflow – Con’t
• ls –aecho “+ + ”> /.rhosts
10
NO-OP Hex Code Based on Processor Type
11
Script Signatures – NO-OP Overflow
12
Script Signatures – NO-OP Overflow Con’t
13
Script Signatures – NO-OP Overflow Con’t
• This frame shows a large number of hex 90s followed by some machine code, some ASCII strings, and a literal command /bin/sh -c
14
Abnormal ResponsesFTP Authentication Buffer Overflow – FTPD exploit
The password supplied in response to the FTPD prompt is suspiciously large
15
Defending Against Buffer Overflows
• strcpy and strncpy• Introduce bounds checking into C programs• Stack-based buffer overflow - CPU executes
code that is resident on the stack– Only code in the code space can be executed
16
Fragmentation
17
Fragmentation
• Attackers can use fragmentation to mask their probes and exploits
• Fragment offset is specified as a quantity of 8-byte chunk– The size of all legal nonterminal fragments must
be multiples of 8 bytes• Any fragmented packets with a byte size
divisible by 8, except for the last one
18
Boink Attack
•IP stack has no concept of negative math
•Availability DoS
19
Teardrop Attack
20
evilPing
….
21
evilPing
22
Modified Ping of Death
23
Modified Ping of Death
24
CGI Scan
•The attacker is running a script that attempts a number of Web server exploits, such as /cgi-bin/rwwwshell.pl
25
CGI Scan – Con’t
26
PHF Attack
CVE-1999-0067
27
Some Example CGI CVE Entries
• CVE-1999-0068– CGI PHP mylog script allows an attacker to read any file
on the target server. • CVE-1999-0467
– The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter
• CVE-1999-0509– Perl, sh, csh, or other shell interpreters are installed in the
cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.
28
SGI IRIX Object Server
• CVE-2000-0245• A vulnerability in an SGI IRIX object server
daemon– Allow remote attackers to create user accounts– Port 5135: the SGI object server
• Scan one to goodguy-a.com yields nothing
29
SGI Object Server – Con’t• The scan to goodguy-b.com is a bust
30
SGI Object Server – Con’t• The start of the bad guy
• The user zippy is added