8/9/2019 hacking Module 16
1/28
NMCSP2008 Batch-I
Module XVI
Buffer Overflows
Scenario
It was a job that Tim wanted right from the start of his career. Being the Project Manager of a well-known software firm was definitely a sign of prestige. But now his credibility was at stake!!!
The last project that Tim handled failed as the application failed to deliver what it was meant to. The customer of Tim's company suffered a huge financial loss.
At the back of his mind something was nagging him...
Had he asked his Test Engineers to do a thorough testing of the delivered package, this would not have happened...
Scenario (contd.)
Since the project was running behind schedule, he hurried up the testing part.
He went with his gut feeling. He had worked with the same team for the last few projects and no negative feedback had been reported till now from any of the previous clients about their projects... nothing would possibly go wrong...
But this time lady luck was not smiling at him. The web server of Tim's client had succumbed to a buffer overflow attack. This was due to a flaw in the coding part, as bounds were not checked...
Is Tim's decision justified?
What next?
Module Objectives
Why are programs/applications vulnerable?
What is a Buffer Overflow?
Reasons for Buffer Overflow attacks
Skills required
Types of Buffer Overflow
Understanding Stacks
Shell Code
How to detect Buffer Overflows in a program?
Technical details
Defense against Buffer Overflows
Flow Diagram for the module
(Diagram not reproduced; node labels in reading order:)
Reasons for failure of applications
Introduction to Buffer Overflows
Reasons for Buffer Overflow attacks
Skills Required
Types of Buffer Overflows
Understanding Stacks
Shellcode
Understanding Assembly code
NOPS
Attacking a real program
Detection of Buffer Overflow
Countermeasures
Tools to defend Buffer Overflows
Why are Programs/Applications vulnerable?
Since there is a lot of pressure on the deliverables, programmers are bound to make mistakes, which are overlooked most of the time.
Boundary checks are not done.
Programming languages such as C, which programmers still use to develop packages or applications, do nothing to prevent these errors.
The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(), gets(), and scanf() calls in C can be exploited because these functions don't check whether the buffer, allocated on the stack, is large enough for the data copied into it.
Good programming practices are not adhered to.
Buffer Overflows
A buffer overflow occurs when a program allocates a block of memory of a certain length and then tries to place more data into the memory space than allocated, with the extra data overflowing the space and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source code:
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
    char target[5] = "TTTT";          /* 4 chars + NUL: exactly fills the buffer */
    char attacker[11] = "AAAAAAAAAA"; /* 10 chars + NUL: exactly fills the buffer */
    /* strcpy() performs no bounds check: 14 D's plus the NUL (15 bytes) are
     * written into an 11-byte buffer and spill into adjacent stack memory. */
    strcpy(attacker, "DDDDDDDDDDDDDD");
    printf("%s\n", target);
    return 0;
}
When this source is compiled into a program and the program is run, it will assign a block of memory 32 bytes long to hold the name string.
This type of vulnerability is prevalent in UNIX- and NT-based systems.
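As an added example (not part of the module), the same copy done with an explicit bound, so that the oversized input on the slide is rejected instead of overwriting neighbouring memory. copy_bounded() and overflow_by() are names chosen here; the buffer sizes and strings are the slide's own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the slide's strcpy(): copies src into dst only if
 * it fits, including the terminating NUL. Returns 0 on success, -1 when the
 * copy would overflow; on -1 dst is left untouched. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t need = strlen(src) + 1;       /* bytes required, NUL included */
    if (dstsz == 0 || need > dstsz)
        return -1;                        /* would overflow: refuse */
    memcpy(dst, src, need);
    return 0;
}

/* Audit helper: how many bytes a copy of src would spill past a dst of
 * dstsz bytes (0 means it fits). Useful when reviewing a suspicious call. */
size_t overflow_by(size_t dstsz, const char *src)
{
    size_t need = strlen(src) + 1;
    return need > dstsz ? need - dstsz : 0;
}

/* Re-run the slide's scenario with the bounded copy. Returns 1 when the
 * 14-byte string is rejected and both buffers keep their original contents. */
int demo(void)
{
    char target[5] = "TTTT";
    char attacker[11] = "AAAAAAAAAA";

    /* The slide's strcpy(attacker, "DDDDDDDDDDDDDD") writes 15 bytes into 11. */
    int rc = copy_bounded(attacker, sizeof attacker, "DDDDDDDDDDDDDD");
    printf("rc=%d attacker=%s target=%s\n", rc, attacker, target);
    return rc == -1 && strcmp(attacker, "AAAAAAAAAA") == 0
                    && strcmp(target, "TTTT") == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```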
Reasons for Buffer Overflow attacks
Buffer overflow attacks depend on two things:
the lack of boundary testing, and
a machine that can execute code that resides in the data/stack segment.
The lack of boundary testing is very common, and the program usually ends with a segmentation fault or bus error. In order to exploit buffer overflows to gain access or escalate privileges, the offender must create the data to be fed to the application. Random data will generate a segmentation fault or bus error, never a remote shell or the execution of a command.
Knowledge required to Program Buffer Overflow Exploits
1. C functions and the stack.
2. A little knowledge of assembly/machine language.
3. How system calls are made (at the machine code level).
4. exec() system calls.
5. How to 'guess' some key parameters.
Types of Buffer Overflows
Stack-Based Buffer Overflow
Heap/BSS based Buffer Overflow
Stack based Buffer Overflow
The buffer expects a maximum number (x) of guests.
Send the buffer more than x guests.
If the system does not perform boundary checking, the extra guests continue to be placed at positions beyond the legitimate locations within the buffer. (Java does not permit the code to run off the end of an array or string, as C and C++ do.)
Malicious code can be pushed on the stack.
The overflow can overwrite the return pointer so that the flow of control switches to the malicious code.
Understanding Assembly Language
The two most important operations on a stack:
1. Push - put one item on the top of the stack.
2. Pop - remove one item from the top of the stack. Typically returns the contents pointed to by a pointer and changes the pointer (not the memory contents).
Understanding Stacks
The stack is a LIFO (last in, first out) mechanism that computers use to pass arguments to functions as well as to reference local variables.
It acts like a buffer, holding all of the information that the function needs. The stack frame is created at the beginning of a function and released at the end of it.
A Normal Stack
Shellcode
Shellcode is a method to exploit stack-based overflows.
Shellcodes exploit computer bugs with respect to how the stack is handled. Buffers are soft targets for attackers as they overflow very easily if the conditions match.
Heap-based Buffer Overflow
Variables which are dynamically allocated with functions such as malloc() are created on the heap.
The heap is a memory space that is dynamically allocated. It is different from the memory which is allocated for the stack and the code.
In a heap-based buffer overflow attack, an attacker overflows a buffer which is placed on the lower part of the heap, overwriting other dynamic variables, which can have unexpected and unwanted effects.
How to detect Buffer Overflows in a program
There are two ways to detect buffer overflows.
The first way is by looking at the source code. In this case, the auditor can look for strings declared as local variables in functions or methods and verify the presence of boundary checks. It is also necessary to check for improper use of standard functions, especially those related to strings and input/output.
The second way is by feeding the application huge amounts of data and checking for abnormal behavior.
Attacking a Real Program
Assuming that a string function is being exploited, the attacker can send a long string as the input.
This string overflows the buffer and causes a segmentation error.
The return pointer of the function is overwritten and the attacker succeeds in altering the flow of execution.
If he wishes to insert his code in the input, he has to:
Know the exact address on the stack
Know the size of the stack
Make the return pointer point to his code for execution
How to mutate a Buffer Overflow Exploit
For the NOP portion
Randomly replace NOPs with functionally equivalent segments of code (e.g. x++; x--; in place of NOP NOP).
For the "main event"
Apply XOR to combine the code with a random key, making it unintelligible to an IDS. The code must then be decoded at run time by a decoder before it can execute. By itself the decoder is polymorphic and therefore hard to spot.
For the "return pointer"
Randomly tweak the LSB of the pointer to land in the NOP zone.
Once the stack is smashed
Once the vulnerable process is commandeered, the attacker has the same privileges as the process and can gain normal access. He can then exploit a local buffer overflow vulnerability to gain super-user access.
Create a backdoor:
Using (UNIX-specific) inetd
Using Trivial FTP (TFTP), included with Windows 2000 and some UNIX flavors
Use Netcat to make a raw, interactive connection
Shoot back an X terminal connection (UNIX-specific GUI)
Defense against Buffer Overflows
Manual auditing of code
Disabling stack execution
Safer C library support
Compiler techniques
Tool to defend Buffer Overflow: Return Address Defender (RAD)
RAD is a simple patch for the compiler that automatically creates a safe area to store a copy of return addresses.
After that, RAD automatically adds protective code into applications that it compiles to defend programs against buffer overflow attacks.
RAD does not change the stack layout.
Tool to defend against Buffer Overflow: StackGuard
StackGuard: Protects Systems From Stack Smashing Attacks.
StackGuard is a compiler approach for defending programs and systems against "stack smashing" attacks. Programs that have been compiled with StackGuard are largely immune to stack smashing attacks.
Protection requires no source code changes at all. When a vulnerability is exploited, StackGuard detects the attack in progress, raises an intrusion alert, and halts the victim program.
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
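As an added example (a model written for this page, not StackGuard's own code), the guard-word idea behind the detection described above: a canary placed between a local buffer and the saved return address is checked before the function returns, so an overflow that reaches the return address is caught first. The struct layout, the CANARY constant and the function names are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not StackGuard's code: a software model of its canary. A guard
 * word sits between the local buffer and the saved return address, so a write
 * that runs off the buffer must pass through it; a changed guard = smashed. */
#define CANARY 0xDEADC0DEu   /* constructed; a real guard is random per run */

struct frame {
    char     buf[8];        /* local array that an overflow would exceed */
    uint32_t canary;        /* guard word placed just above the buffer */
    uint32_t saved_ret;     /* stands in for the saved return address */
};

void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_ret = 0x1000;  /* arbitrary value for the model */
}

/* Unchecked copy of len bytes into buf (offset 0); capped at the frame size
 * only so that the model itself stays well-defined C. */
void frame_write(struct frame *f, const unsigned char *data, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, data, len);
}

/* The epilogue check: 0 = guard intact, 1 = guard clobbered, halt the program. */
int frame_check(const struct frame *f) { return f->canary != CANARY; }

/* Fill a fresh frame with len 'A' bytes; returns 1 if the guard flags it. */
int write_detected(size_t len)
{
    struct frame f;
    unsigned char data[sizeof f];
    frame_init(&f);
    memset(data, 'A', sizeof data);   /* constructed oversized input */
    frame_write(&f, data, len);
    return frame_check(&f);
}

int main(void)
{
    printf("8 bytes: %d, 12 bytes: %d\n", write_detected(8), write_detected(12));
    return 0;
}
```

A real StackGuard canary is chosen at process start rather than fixed, so that overflowing input cannot reproduce it; the constant here only keeps the check readable.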
Tool to defend Buffer Overflow: Immunix System
Immunix System 7 is an Immunix-enabled RedHat Linux 7.0 distribution and suite of application-level security tools.
Immunix secures a Linux OS and applications.
Immunix works by hardening existing software components and platforms so that attempts to exploit security vulnerabilities will fail safe, i.e. the compromised process halts instead of giving control to the attacker, and is then restarted.
http://immunix.org
Vulnerability Search - ICAT
Summary
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Buffer overflow attacks depend on two things: the lack of boundary testing and a machine that can execute code that resides in the data/stack segment.
Buffer overflow vulnerabilities can be detected by skilled auditing of the code as well as through boundary testing.
Once the stack is smashed, the attacker can deploy his payload and take control of the attacked system.
Countermeasures include: checking the code, disabling stack execution, safer C library support, and using safer compiler techniques.
Tools like StackGuard, Immunix and vulnerability scanners help secure systems.