Chapter 6 Weaknesses Exploited


Transcript of Chapter 6 Weaknesses Exploited

Page 1: Chapter 6 Weaknesses Exploited

Chapter 6

Weaknesses Exploited

Page 2: Chapter 6 Weaknesses Exploited

Weaknesses
Bad software is everywhere, and… …flaws can cause security problems
In this chapter
o Various overflow conditions
o Format string vulnerabilities
o How weaknesses are found
o Defenses
o Human factors

Page 3: Chapter 6 Weaknesses Exploited

Technical Weaknesses
Buffer overflow
Process address space: 4 sections
1. Fixed-sized code block (code/text)
2. Static data (data)
3. Dynamic data (heap)
4. “Scratch paper” (stack)

Page 4: Chapter 6 Weaknesses Exploited

Technical Weaknesses
C program example

Page 5: Chapter 6 Weaknesses Exploited

Stack Frame
Stack frame allocated for functions
Stack holds…
o Local variables
o Bookkeeping info, such as
  Input arguments
  Return address
  Saved frame pointer, etc.

Page 6: Chapter 6 Weaknesses Exploited

Stack Frame
Stack frame in action

Page 7: Chapter 6 Weaknesses Exploited

Memory Organization
Text == code
Data == static variables
Heap == dynamic data
Stack == “scratch paper”
o Dynamic local variables
o Parameters to functions
o Return address
[Figure: address space from high address to low address: stack (¬ SP), heap, data, text]

Page 8: Chapter 6 Weaknesses Exploited

Simplified Stack Example

    void func(int a, int b) {
        char buffer[10];
    }

    int main(void) {
        func(1, 2);
        return 0;
    }

[Figure: stack after the call, from high address to low address: b, a, return address (¬ return address), buffer; SP is shown moving down as each item is pushed]

Page 9: Chapter 6 Weaknesses Exploited

Smashing the Stack
What happens if buffer overflows?
[Figure: overflow of buffer runs upward over ret; ret is replaced by “???”]
Program “returns” to wrong location
NOT!
A crash is likely

Page 10: Chapter 6 Weaknesses Exploited

Smashing the Stack
Trudy has a better idea…
[Figure: buffer filled with evil code; ret overwritten to point back at the evil code]
Code injection
Trudy can run code of her choosing…
o On your machine!

Page 11: Chapter 6 Weaknesses Exploited

Smashing the Stack
Trudy may not know…
1) Address of evil code
2) Location of ret on stack
Solutions
1) Precede evil code with NOP “landing pad”
2) Insert ret many times
[Figure: evil code preceded by a run of NOP, with ret repeated many times above it]

Page 12: Chapter 6 Weaknesses Exploited

Stack Smashing
Note that injected code is usually known as “shellcode”
Other overflow attacks are possible
o Some inject code, some don’t
o We discuss a few more examples later

Page 13: Chapter 6 Weaknesses Exploited

Stack Smashing Summary
A buffer overflow must exist in the code
Not all buffer overflows are exploitable
o Things must align just right
If exploitable, attacker can inject code
Trial and error is likely required
o Fear not, lots of help available online
o Smashing the Stack for Fun and Profit, Aleph One
Stack smashing is “attack of the decade”
o Regardless of the decade…
Also heap overflow, integer overflow, etc.

Page 14: Chapter 6 Weaknesses Exploited

Stack Smashing Example
Program asks for a serial number that the attacker does not know
Attacker does not have source code
Attacker does have the executable (exe)
Program quits on incorrect serial number

Page 15: Chapter 6 Weaknesses Exploited

Example
By trial and error, attacker discovers apparent buffer overflow
Note that 0x41 is “A”
Looks like ret overwritten by 2 bytes!

Page 16: Chapter 6 Weaknesses Exploited

Example
Next, disassemble bo.exe to find
The goal is to exploit buffer overflow to jump to address 0x401034

Page 17: Chapter 6 Weaknesses Exploited

Example
Find that, in ASCII, 0x401034 is “@^P4”
Byte order is reversed? Why?
X86 processors are “little-endian”
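The byte-order point on this slide, as an added example that is not part of the original slides: a 32-bit value such as 0x401034 is stored least-significant byte first on x86, which is why a hex dump or an ASCII view shows it as 0x34 (“4”), 0x10 (^P), 0x40 (“@”), 0x00. The code below serialises and parses little-endian values and probes the byte order of the machine it runs on; the function names are my own.

```c
/* Added example (not from the slides): little-endian serialisation of a
 * 32-bit value and a runtime check of the host byte order. */
#include <stdint.h>
#include <string.h>

/* Write `value` into out[0..3] least-significant byte first, as x86 stores it. */
void to_little_endian(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) {
        out[i] = (unsigned char)(value >> (8 * i));
    }
}

/* Inverse: rebuild the 32-bit value from a little-endian byte sequence. */
uint32_t from_little_endian(const unsigned char in[4]) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        v |= (uint32_t)in[i] << (8 * i);
    }
    return v;
}

/* Returns 1 if this host keeps the least-significant byte at the lowest
 * address (little-endian, e.g. x86), 0 otherwise (big-endian). */
int host_is_little_endian(void) {
    uint32_t probe = 0x01020304u;
    unsigned char first;
    memcpy(&first, &probe, 1);   /* read the byte at the lowest address */
    return first == 0x04;
}
```

For the slide’s address, to_little_endian(0x401034u, …) yields the bytes 0x34 0x10 0x40 0x00, i.e. the string “4^P@” followed by a NUL, which is exactly the reversal the next slide performs by hand.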

Page 18: Chapter 6 Weaknesses Exploited

Example
Reverse the byte order to “4^P@” and…
Success! We’ve bypassed serial number check by exploiting a buffer overflow
What just happened?
o We overwrote the return address on the stack

Page 19: Chapter 6 Weaknesses Exploited

Example
Note that in this example…
We overwrote return address and jumped to somewhere interesting
We did not inject any code
Other interesting places to jump to?
o Without injecting code, that is?
o Often called “return to libc” attacks

Page 20: Chapter 6 Weaknesses Exploited

Example
Attacker did not require access to the source code
Only tool used was a disassembler to determine address to jump to
Possible to find desired address by trial and error?
o Necessary if attacker does not have exe
o For example, a remote attack

Page 21: Chapter 6 Weaknesses Exploited

Example
Source code of the buffer overflow
Flaw easily found by attacker
Without the source code!

Page 22: Chapter 6 Weaknesses Exploited

Stack Smashing Prevention

1st choice: employ non-executable stack
o “No execute” NX bit (if available)
o Seems like the logical thing to do, but some real code executes on the stack (Java, for example)
2nd choice: use safe languages (Java, C#)
3rd choice: use safer C functions
o For unsafe functions, there are safer versions
o For example, strncpy instead of strcpy

Page 23: Chapter 6 Weaknesses Exploited

Stack Smashing Prevention

Canary
o Run-time stack check
o Push canary onto stack
o Canary value:
  Constant 0x000aff0d
  Or may depend on ret
[Figure: stack from low address to high address: buffer, canary, ret, a, b; an overflow out of buffer must cross the canary before it reaches ret]
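The canary check described on this slide, as an added example that is not part of the original slides: the frame is modelled as an ordinary struct with the canary sitting between the local buffer and the saved return address, an over-long copy is performed into it (bounded to the struct so the program stays well defined), and the epilogue check that a stack protector emits is run afterwards. The constant 0x000aff0d is the slide’s value; the struct layout, function names and the placeholder return address are my own assumptions, and a real compiler (gcc -fstack-protector, MSVC /GS) lays the frame out on the stack and emits the check itself.

```c
/* Added example (not from the slides): simulated stack frame with a canary
 * between the buffer and the saved return address, plus the epilogue check. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant canary from the slide; real protectors use a per-process random value. */
#define CANARY_VALUE 0x000aff0du

struct frame {
    char     buffer[10];   /* local variable the overflow starts in */
    uint32_t canary;       /* guard value pushed after the buffer */
    uint32_t saved_ret;    /* what the overflow is really after */
};

enum { FRAME_OK = 0, FRAME_CANARY_SMASHED = 1, FRAME_INPUT_TOO_LONG = 2 };

/* Copy `len` bytes into the frame starting at buffer, as an unbounded strcpy
 * would, then perform the canary check a stack protector does before `ret`.
 * `len` is refused above the frame size only so that this simulation never
 * writes outside the struct.  *ret_seen receives the (possibly overwritten)
 * saved return address so the caller can see what the check prevented. */
int simulate_copy_and_check(const unsigned char *input, size_t len, uint32_t *ret_seen) {
    struct frame f;
    f.canary = CANARY_VALUE;
    f.saved_ret = 0x00401000u;   /* constructed placeholder return address */
    memset(f.buffer, 0, sizeof f.buffer);

    if (len > sizeof f) {
        return FRAME_INPUT_TOO_LONG;
    }
    /* Byte-wise write through the object's representation, starting at buffer. */
    memcpy((unsigned char *)&f + offsetof(struct frame, buffer), input, len);

    if (ret_seen) {
        *ret_seen = f.saved_ret;
    }
    /* Epilogue check: any write that reached saved_ret must have crossed the canary. */
    return f.canary == CANARY_VALUE ? FRAME_OK : FRAME_CANARY_SMASHED;
}
```

With an input that fits, the canary is intact and the saved return address is untouched; with an input long enough to reach saved_ret, the return address is indeed overwritten, but the check fails first and the function reports the corruption instead of returning through it. A fixed canary such as 0x000aff0d is weaker than a randomised one, which is why the slide mentions values that depend on ret and why modern protectors randomise the value per process.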

Page 24: Chapter 6 Weaknesses Exploited

Microsoft’s Canary
Microsoft added buffer security check feature to C++ with /GS compiler flag
Based on canary (or “security cookie”)
Q: What to do when canary dies?
A: Check for user-supplied “handler”
Handler shown to be subject to attack
o Claims that attacker can specify handler code
o If so, formerly “safe” buffer overflows become exploitable when /GS is used!

Page 25: Chapter 6 Weaknesses Exploited

ASLR
Address Space Layout Randomization
o Randomize place where code loaded in memory
Makes most buffer overflow attacks probabilistic
Vista uses 256 random layouts
o So about 1/256 chance buffer overflow works?
Similar thing in Mac and other OSs
Attacks against Microsoft’s ASLR do exist
o Possible to “de-randomize”

Page 26: Chapter 6 Weaknesses Exploited

Buffer Overflow
A major threat yesterday, today, and tomorrow
Can greatly reduce overflow attacks
o Use safe languages/safer functions
o Educate developers, use tools, etc.
Buffer overflows will exist for a long time
o Legacy code
o Bad software development practices

Page 27: Chapter 6 Weaknesses Exploited

Race Condition
Security processes should be atomic
o Occur “all at once”
Race conditions can arise when security-critical process occurs in stages
Attacker makes change between stages
o Often, between stage that gives authorization, but before stage that transfers ownership
Example: prepaid debit card

Page 28: Chapter 6 Weaknesses Exploited

Race Condition
Adding cash to card
1. User inserts card into card reader machine
2. Machine reads value of card: x
3. User inserts cash into machine: y
4. User presses “enter” key
5. Machine writes x+y to card
6. Machine ejects card

Race condition?

Page 29: Chapter 6 Weaknesses Exploited

Race Condition
Attacks on cash card protocol?
Insert 2 cards, sandwiched together
Card that is read has $100 value, unread card has $1 value
o Step 2: Machine reads x = 100
Insert $2, so y = 2
Pull out read card, leaving unread one
Press “enter”…

Page 30: Chapter 6 Weaknesses Exploited

Race Conditions
Race conditions appear to be common in software
o May be more common than buffer overflows
But race conditions harder to exploit
o Buffer overflow is “low hanging fruit” today
To prevent race conditions…
o Make security-critical processes atomic
o Occur all at once, not in stages
Not so easy to accomplish in practice
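The cash card protocol from the preceding slides, as an added example that is not part of the original slides: the protocol is split into its read stage (step 2) and its write stage (step 5) so that the card swap can happen between them. stage_write_unchecked() is the protocol as written on the slide; stage_write_checked() re-reads the card immediately before writing and refuses unless the slot still holds the card, with the balance, that was read in step 2. Cards, the reader slot, the serial numbers and the balances are all constructed for this example, and the function and type names are my own.

```c
/* Added example (not from the slides): staged cash card top-up with and
 * without a re-check of the card before the write. */
#include <stdint.h>

struct card {
    uint32_t serial;   /* constructed card identity */
    int32_t  value;    /* balance in dollars */
};

struct reader {
    struct card *present;   /* whichever card is physically in the slot */
};

struct session {
    uint32_t serial_read;   /* identity of the card read in step 2 */
    int32_t  x;             /* its balance at that moment */
};

/* Step 2: machine reads the card. */
void stage_read(const struct reader *r, struct session *s) {
    s->serial_read = r->present->serial;
    s->x = r->present->value;
}

/* Step 5 as on the slide: write x + y to whatever card is in the slot now. */
int stage_write_unchecked(struct reader *r, const struct session *s, int32_t y) {
    r->present->value = s->x + y;
    return 0;
}

/* Step 5 hardened: the write is conditional on the slot still holding the
 * same card with the same balance; otherwise refuse and leave the card alone. */
int stage_write_checked(struct reader *r, const struct session *s, int32_t y) {
    if (r->present->serial != s->serial_read || r->present->value != s->x) {
        return -1;
    }
    r->present->value = s->x + y;
    return 0;
}

/* The sequence from the "Attacks on cash card protocol?" slide.  Returns the
 * balance left on the unread card and reports through *accepted whether the
 * machine performed the write. */
int32_t run_swap_scenario(int use_check, int *accepted) {
    struct card read_card   = { 0x1001u, 100 };   /* constructed: card the machine reads */
    struct card unread_card = { 0x1002u,   1 };   /* constructed: card left behind */
    struct reader r = { &read_card };
    struct session s;
    int rc;

    stage_read(&r, &s);            /* step 2: x = 100 */
    r.present = &unread_card;      /* read card pulled out between stages; y = 2 inserted */
    rc = use_check ? stage_write_checked(&r, &s, 2)
                   : stage_write_unchecked(&r, &s, 2);
    *accepted = (rc == 0);
    return unread_card.value;
}

/* Honest use with the checked write: one card throughout. */
int32_t run_honest_scenario(int *accepted) {
    struct card only = { 0x1003u, 100 };   /* constructed */
    struct reader r = { &only };
    struct session s;
    stage_read(&r, &s);
    *accepted = (stage_write_checked(&r, &s, 2) == 0);
    return only.value;
}
```

Without the check the $1 card ends up holding $102; with it the machine refuses the write and the $1 card is unchanged, while an honest top-up on a single card still yields $102. The re-check shrinks the window between authorization and transfer but does not close it, since the swap could still happen between the re-read and the write; removing it entirely means the card itself performing the update as one indivisible operation, which is what the slide means by “not so easy to accomplish in practice”.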

Page 31: Chapter 6 Weaknesses Exploited

Heap Overflow
Heap used for dynamic variables
o For example, malloc in C
Can overflow one array into another
Makes it possible to change data
o Like example on next slide

Page 32: Chapter 6 Weaknesses Exploited

Simple Buffer Overflow
Consider boolean flag for authentication
Buffer overflow could overwrite flag allowing anyone to authenticate!
[Figure: buffer holding “F O U R S C …” with the boolean flag stored immediately after it; the flag reads F before the overflow and T after it]
In some cases, Trudy can be more systematic
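The buffer-next-to-a-flag layout from this slide, together with the “strncpy instead of strcpy” advice from the Stack Smashing Prevention slide, as an added example that is not part of the original slides: a record holds a small buffer followed by an authentication flag, and it is filled three ways. The unchecked copy writes past the buffer and sets the flag; strncpy keeps the flag intact but leaves the buffer without a terminator when the input fills it, which is the caveat that comes with that function; the length-checked copy rejects over-long input outright and always terminates. The record is a struct so every write stays inside one object and the program is well defined; the struct, function names and sample input are my own.

```c
/* Added example (not from the slides): three ways of filling a buffer that
 * sits directly in front of an authentication flag. */
#include <stddef.h>
#include <string.h>

struct login_state {
    char buffer[8];       /* deliberately small */
    int  authenticated;   /* the flag: 0 = F, nonzero = T */
};

/* Unchecked copy: writes strlen(input)+1 bytes starting at buffer, just as
 * strcpy would.  It is clamped to the struct only so that this simulation
 * cannot run off the object. */
void fill_unchecked(struct login_state *st, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *st) {
        n = sizeof *st;
    }
    memcpy((unsigned char *)st + offsetof(struct login_state, buffer), input, n);
}

/* strncpy: never writes past buffer, but an input of 8 or more bytes leaves
 * no terminating NUL, so a later strlen/printf on buffer reads past it. */
void fill_strncpy(struct login_state *st, const char *input) {
    strncpy(st->buffer, input, sizeof st->buffer);
}

/* Length-checked copy: reject rather than truncate, and always terminate.
 * Returns 0 on success, -1 if the input does not fit. */
int fill_checked(struct login_state *st, const char *input) {
    size_t len = strlen(input);
    if (len >= sizeof st->buffer) {
        return -1;
    }
    memcpy(st->buffer, input, len + 1);
    return 0;
}

/* 1 if buffer contains a NUL somewhere, i.e. holds a proper C string. */
int buffer_is_terminated(const struct login_state *st) {
    return memchr(st->buffer, '\0', sizeof st->buffer) != NULL;
}
```

With the constructed input “FOURSCORE AND SEVEN”, fill_unchecked() leaves authenticated nonzero (the bytes “E AN” land in the flag), fill_strncpy() keeps the flag at 0 but leaves the buffer unterminated, and fill_checked() returns -1 and changes nothing. Rejecting input that does not fit, rather than silently truncating it, is the behaviour a reviewer should look for; strncpy alone only moves the problem from the flag to the missing terminator.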

Page 33: Chapter 6 Weaknesses Exploited

Heap Overflow Example
BEFORE:
o buf2 = 22222222
AFTER:
o buf2 = 11122222

Page 34: Chapter 6 Weaknesses Exploited

Heap Overflow
Bookkeeping info stored on heap
Can attacker exploit this?

Page 35: Chapter 6 Weaknesses Exploited

Heap Overflow
Data structure to keep track of free memory
o Assume it is a doubly-linked list
Heap overflow attacks?

Page 36: Chapter 6 Weaknesses Exploited

Heap Overflow
Here we free block B
“Unlink” B from heap
If overflow in A, can overwrite B’s pointers…

Page 37: Chapter 6 Weaknesses Exploited

Heap Overflow
Overwrite B’s pointers
Then free B
Now if we ever get to B, will go to shellcode
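The unlink step from the last three slides, as an added example that is not part of the original slides: a toy doubly-linked free list in ordinary memory, the two pointer writes that unlinking performs, and the consistency check that hardened allocators run before trusting a chunk’s pointers (glibc reports a failure of this check as “corrupted double-linked list”). The scenario functions show that, once B’s forward pointer has been overwritten as an overflow out of A would do, the unchecked unlink writes into whatever B now points at while the checked unlink refuses and leaves the list untouched. The chunk layout, names and ids are my own.

```c
/* Added example (not from the slides): doubly-linked free list with an
 * unchecked unlink and a checked unlink that validates both neighbours. */
#include <stddef.h>

struct chunk {
    struct chunk *fd;   /* forward pointer */
    struct chunk *bk;   /* backward pointer */
    int id;             /* constructed label */
};

/* Unlink exactly as in the textbook diagram: two writes driven entirely by
 * the chunk's own fd/bk fields. */
void unlink_unchecked(struct chunk *p) {
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
}

/* Checked unlink: both neighbours must still point back at p.  Returns 0 if
 * unlinked, -1 if the list is inconsistent, in which case nothing is written. */
int unlink_checked(struct chunk *p) {
    if (p->fd == NULL || p->bk == NULL) {
        return -1;
    }
    if (p->fd->bk != p || p->bk->fd != p) {
        return -1;   /* "corrupted double-linked list" */
    }
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 0;
}

/* Build the circular list head <-> a <-> b <-> c <-> head. */
void build_list(struct chunk *head, struct chunk *a, struct chunk *b, struct chunk *c) {
    head->id = 0; a->id = 1; b->id = 2; c->id = 3;
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = c;    c->bk = b;
    c->fd = head; head->bk = c;
}

/* Number of nodes reached by following fd from head until it comes back,
 * capped at `max` so a broken list cannot loop forever. */
int list_length(const struct chunk *head, int max) {
    int n = 1;
    for (const struct chunk *p = head->fd; p != head && n < max; p = p->fd) {
        n++;
    }
    return n;
}

/* Intact list: freeing B leaves head, a, c.  Returns the remaining length (3). */
int scenario_intact(void) {
    struct chunk head, a, b, c;
    build_list(&head, &a, &b, &c);
    if (unlink_checked(&b) != 0) {
        return -1;
    }
    return list_length(&head, 16);
}

/* B's fd overwritten to point at a chunk that is not B's neighbour.
 * Returns 1 if the checked unlink refused and A and C were left untouched. */
int scenario_corrupted_checked(void) {
    struct chunk head, a, b, c, stray;
    build_list(&head, &a, &b, &c);
    stray.fd = &stray; stray.bk = &stray; stray.id = 99;   /* does not point at b */
    b.fd = &stray;   /* what an overflow out of A into B's header could leave behind */
    int refused = (unlink_checked(&b) == -1);
    return refused && a.fd == &b && c.bk == &b;
}

/* Same corruption, unchecked unlink: returns 1 if the write p->fd->bk = p->bk
 * landed in the stray chunk, i.e. the overwritten pointer chose the target. */
int scenario_corrupted_unchecked(void) {
    struct chunk head, a, b, c, stray;
    build_list(&head, &a, &b, &c);
    stray.fd = &stray; stray.bk = &stray; stray.id = 99;
    b.fd = &stray;
    unlink_unchecked(&b);
    return stray.bk == &a && a.fd == &stray;
}
```

The check costs two comparisons per unlink and turns a silent write through attacker-chosen pointers into a detectable abort, which is why production allocators adopted it; it does not make the overflow in A go away, so the bounds problem still has to be fixed in the code that writes A.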

Page 38: Chapter 6 Weaknesses Exploited

Integer Overflow
Many “integer” problems
This example…
o What if len is negative?
o Note that memcpy thinks len is unsigned
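The signed-length problem on this slide, as an added example that is not part of the original slides: a naive size check compares a signed len against the buffer size, so a negative len passes and would reach memcpy as a huge size_t; the checked version rejects negative and over-long values before any copy. naive_length_check() only reports the size memcpy would have been handed, it never copies, so the program stays well defined. The buffer size, names and status codes are my own.

```c
/* Added example (not from the slides): signed length check versus a check
 * that accounts for memcpy taking an unsigned size_t. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 64

enum { COPY_OK = 0, COPY_REJECTED = -1 };

/* Naive check as the slide's example implies: `len > BUF_SIZE` is a signed
 * comparison, so -1 is "not too large" and passes.  Returns the size_t that
 * memcpy would then receive, or 0 if the check rejected the length. */
size_t naive_length_check(int len) {
    if (len > BUF_SIZE) {
        return 0;              /* only large positive values are caught */
    }
    return (size_t)len;        /* -1 becomes SIZE_MAX here */
}

/* Hardened copy: reject negative lengths explicitly, then compare in the
 * unsigned domain against the real buffer size.  Copies only when safe. */
int copy_checked(unsigned char *dst, const unsigned char *src, int len) {
    if (len < 0 || (size_t)len > BUF_SIZE) {
        return COPY_REJECTED;
    }
    memcpy(dst, src, (size_t)len);
    return COPY_OK;
}
```

naive_length_check(-1) returns SIZE_MAX, which is the value memcpy would have been given; copy_checked() refuses -1 and BUF_SIZE + 1 and copies 10 bytes as expected. A length that arrives from the network or a file is best kept in an unsigned type (size_t or uint32_t) from the point it is parsed, so that the negative case cannot exist at all.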

Page 39: Chapter 6 Weaknesses Exploited

Format String Vulnerabilities

Format string example
    printf("The magic number is %d\n", 42);

Format strings:
Parameter   Meaning                  Passed by…
%d          int                      value
%u          unsigned int             value
%x          hex                      value
%s          string                   reference
%n          bytes written so far     reference

Page 40: Chapter 6 Weaknesses Exploited

Format Strings and the Stack

Formatting functions retrieve parameters from the stack
o Assuming that’s where they’re stored…
Consider
    printf("a has value %d at address %d\n", a, &a);
What if there are too few arguments? For example
    printf("a has value %d at address %d\n");

Page 41: Chapter 6 Weaknesses Exploited

Format Strings and the Stack

Consider again
    printf("a has value %d at address %d\n", a, &a);
Here, x1 and x2 are other things on the stack
[Figure: stack from high address to low address: a, address of a, x1, x2; the format string “a has … \n” shown at the bottom]

Page 42: Chapter 6 Weaknesses Exploited

Format Strings and the Stack

What if there are too few arguments?
For example
    printf("a has value %d at address %d\n");
What happens?
[Figure: stack from high address to low address: x1, x2, x3, x4; the format string “a has … \n” shown at the bottom]
Print stuff on stack
Is this useful?

Page 43: Chapter 6 Weaknesses Exploited

Format String Issue 1
We can “walk” the stack
That is, print out items on the stack
For example
    printf("%08x %08x %08x %08x %08x\n");
As a bonus, it’s nicely formatted…

Page 44: Chapter 6 Weaknesses Exploited

Format String Issue 2
What would this do?
    printf("%s%s%s%s%s%s%s%s%s%s%s");
For each %s function printf will…
o Fetch a number from the stack
o Treat the number as an address
o Print out whatever is at that address, until NULL character
Such an “address” might not exist!

Page 45: Chapter 6 Weaknesses Exploited

Format String Example
What about something like this…

    void print_error(char *s) {
        char buffer[100];
        snprintf(buffer, sizeof(buffer), "Error: %s", s);
        printf(buffer);
    }

Suppose Trudy has control over what goes into the string s
Then some interesting possibilities…

Page 46: Chapter 6 Weaknesses Exploited

Format String Issue 3

Suppose Trudy sets string s to
    \x78\x56\x34\x12 %d%d%d%s
Note \x78…\x12 is little endian for 1234567
What does code on previous slide do?
[Figure: stack during the printf call, high to low: the 1st %d and 2nd %d arguments, the buffer holding 1234567 and “Error: %s…”, the return address, and the %s conversion]

Page 47: Chapter 6 Weaknesses Exploited

Format String Issue 4
The %n format is used to record the number of characters written so far
Q: What does this do?
    int i;
    printf("abcde%n", &i);
A: Writes 5 to variable i
Can Trudy take advantage of this?

Page 48: Chapter 6 Weaknesses Exploited

Format String Issue 4
Similar attack as “issue 3”…
…except use %n in place of %s
Then a value written to address 1234567
o What value?
Some claim that this allows writing of arbitrary value
o Is this really true?

Page 49: Chapter 6 Weaknesses Exploited

Format String Defenses
Source code auditing
o Relatively few format strings
Remove support for %n format
o Would this create any problems?
Keep track of number of arguments
General buffer overflow prevention
o For example, ASLR (next slide…)
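The print_error() function from the Format String Example slide, the %n question from Format String Issue 4, and the source-code-auditing defense on this slide, as one added example that is not part of the original slides. print_error_fixed() is the corrected routine: the attacker-controlled string is only ever an argument, never the format. count_written_with_n() reproduces the slide’s Q/A with a trusted literal format, and count_conversions() is a small audit helper that counts conversion specifiers in data about to reach a formatting function and flags %n in particular. Output goes to a caller-supplied buffer rather than stdout so it can be checked; the function names are my own.

```c
/* Added example (not from the slides): hardened print_error, the %n count
 * with a trusted format, and an audit helper for untrusted format data. */
#include <stdio.h>
#include <string.h>

/* Corrected print_error: s is passed as an argument to a literal "%s" format.
 * Writes into out (capacity n) and returns the length snprintf reports. */
int print_error_fixed(char *out, size_t n, const char *s) {
    char buffer[100];
    snprintf(buffer, sizeof buffer, "Error: %s", s);
    return snprintf(out, n, "%s", buffer);   /* never printf(buffer) */
}

/* The slide's Q/A: "abcde%n" stores 5 in i.  The format is a literal, so the
 * %n here is the programmer's, not the user's. */
int count_written_with_n(void) {
    char sink[16];
    int i = -1;
    snprintf(sink, sizeof sink, "abcde%n", &i);
    return i;   /* 5 */
}

/* Audit helper: number of '%' conversions in s ("%%" is a literal percent and
 * not counted).  *has_n is set to 1 if any conversion is %n.  Untrusted data
 * that is about to be used as a format string should have zero conversions. */
int count_conversions(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') {
            continue;
        }
        if (p[1] == '%') {   /* escaped percent */
            p++;
            continue;
        }
        count++;
        /* skip flags, width, precision and length modifiers to reach the conversion character */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) {
            q++;
        }
        if (*q == 'n') {
            *has_n = 1;
        }
    }
    return count;
}
```

With the slide’s input “\x78\x56\x34\x12 %d%d%d%n”, count_conversions() reports four conversions and has_n set, while “100%% done” reports none; print_error_fixed() reproduces such input verbatim inside “Error: …” instead of interpreting it. For the auditing step, gcc and clang emit a warning for printf(buffer) when compiled with -Wformat -Wformat-security, which finds the pattern on this page without reading every format string by hand.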

Page 50: Chapter 6 Weaknesses Exploited

More Defenses
Mentioned by author
o NX approach
o Canary
o ASLR
o Safe/safer languages

Page 51: Chapter 6 Weaknesses Exploited

Finding Weaknesses
How do attackers find weaknesses?
Technical analysis
o Study source code (if available)
o Disassemble executables (SRE)
o Decompile (good luck with that!)
o Black box analysis
o Study vendor patches
o Full disclosure websites
Zero day exploit?

Page 52: Chapter 6 Weaknesses Exploited

Finding Weaknesses
Social engineering
o Nuclear power plant company example
Impersonation
Dumpster diving
Shoulder surfing
Fake email
o For example, ask for passwords
Phishing

Page 53: Chapter 6 Weaknesses Exploited

Virus Hoaxes Example: jdbgmgr.exe

I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple: …

Known as the teddy bear virus because this is the icon:

Page 54: Chapter 6 Weaknesses Exploited

Exploitation Engines
Developing a buffer overflow attack
o Tedious, lots of trial and error
o Until Metasploit was invented…
Metasploit
o Knows about lots of attacks
o Has lots of payloads
o Doesn’t require much thought/effort

Page 55: Chapter 6 Weaknesses Exploited

Metasploit
Payloads include
o Bind shell to current port
o Bind shell to arbitrary port
o Reverse shell
o Windows VNC Server DLL inject
o Reverse VNC DLL inject
o Inject DLL into running application
o Create local admin user
o The Meterpreter (run command of attacker’s choosing)

Page 56: Chapter 6 Weaknesses Exploited

Metasploit Web Interface

Page 57: Chapter 6 Weaknesses Exploited

Metasploit
Advantages for attackers?
o Reduces “development cycle”
o Resulting attacks much more reliable
Advantages for good guys?
o Helps identify false positives
o Helps improve IDS
o Improved penetration testing
o Improved management awareness