How to find vulnerability in software

Presented at Secuinside 2013 (slide deck, uploaded to SlideShare).



  1. How to find vulnerability in software? Documented by h2spice, h2spice@gmail.com (Wednesday, 3 July 2013)
  2. h2spice.net/secuinside2013_h2spice/
  3. Who am I: Sanghwan Ahn (h2spice), security researcher at NSHC Inc. Vulnerability and malware analysis, bug hunting, mobile security.
  4. Agenda
     Introduction to vulnerabilities: what a vulnerability is, how vulnerabilities are used, why we must find them.
     Before finding vulnerabilities, things we should know: what knowledge helps, what experience helps, thinking and acting like a hacker.
  5. Agenda (continued)
     How can we find a vulnerability? Superficial analysis of the target, internal analysis of the target, causing a crash.
     Demonstration: an ActiveX module used in banking/finance.
     Conclusion.
  6. Introduction: Vulnerability
  7. What is a vulnerability?
     In a narrow sense: a weakness or flaw in computer hardware or software, a loophole in the system or in its design, that allows an attacker to reduce the system's information assurance (e.g. execution of arbitrary code, bypass of a security mitigation).
     In a broad sense: every information-security risk, including user and administrator negligence and weaknesses that social engineering can exploit.
  8. How vulnerabilities are used [refer to FireEye's Next-Generation Threats]
     Financial gain and information stealing: APT (Advanced Persistent Threat) campaigns delivered through PDF, HWP and MS Word vulnerabilities, e.g. the 3.20 Korean cyber-terror incident.
     Random-target attacks: infection through web browser vulnerabilities to build zombies (bots).
  9. Percentage of total infections by industry [according to FireEye's Cyber Attack Landscape]
     Technology 25%, Banking/Finance/Insurance 14%, Manufacturing 9%, Healthcare 9%, Entertainment/Media 8%, Energy/Utilities 8%, Telecommunications 7%, Business Services 6%, Retail 6%, Logistics/Transportation 5%, Other 3%.
  10. Vulnerability disclosure growth by year, 1996 to 2012 [bar chart, y-axis 0 to 9,000 disclosures per year; according to IBM X-Force Research and Development].
  11. Why we must find vulnerabilities
      Attacks that use a 0-day are hard to detect and the damage is huge; discovering the vulnerability in advance, so that it gets patched, is the best solution.
      Give me the money (Pwn2Own 2013): Google Chrome on Windows 7 ($100,000); Microsoft Internet Explorer 10 on Windows 8 ($100,000) or IE 9 on Windows 7 ($75,000).
      To become a hacker: most of them can find vulnerabilities on any platform, and that is the starting point of hacking.
  12. Before finding vulnerabilities, things we should know
  13. What knowledge will help you?
      Languages: ASM, C, C++, Python, Perl.
      Types of vulnerability: buffer overflow (stack, heap, integer), null pointer dereference, format string bug, use after free, etc.
  14. What experience will help you?
      Vulnerability analysis, both of non-CVE vulnerabilities and of published CVE-XXXX-XXXX vulnerabilities.
  15. Techniques and tools
      Static analysis: IDA.
      Dynamic analysis: IDA, Immunity Debugger, OllyDbg, WinDbg.
      Bypassing security mitigations: DEP / NX bit, ASLR, ASCII armor, stack canary, sandbox, etc.
      Exploitation: SEH overwrite, return-to-libc, ROP, egg hunting, heap spraying, etc.
  16. Think and act like a hacker
      There is no perfect software, because software is made by humans; so the vulnerability exists.
      Check from a small part. Don't be greedy; take it step by step. If I can't find the vulnerability, that is my fault.
  17. How to find a vulnerability: superficial analysis of the target, internal analysis of the target, causing a crash, exploitation / weaponizing.
  18. Phase 1. Superficial analysis of the target
      [diagram] A program's accessible entry points: environment data, user input data, file data, received data (local or remote), library loading, parsing. Every accessible entry point is considered to potentially hold a vulnerability.
  19. Phase 1. Superficial analysis of the target (continued)
      [same diagram] Vulnerability classes to expect at those entry points:
      [+] Buffer overflow: [-] stack-based overflow, [-] heap-based overflow, [-] integer overflow, [-] format string bug, [-] null pointer dereference, [-] use after free
      [+] Etc.: [+] DLL hijacking
  20. Phase 2. Internal analysis of the target
      Although there are various approaches, many hackers use a few popular ones: source code auditing (SA), reverse engineering, and fuzzing.
  21. Source code auditing
      If you have the source code, you can find the vulnerability in it. This is a powerful approach, applied in many places.
  22. Approach method: code auditing flowchart (the decision labels below are the ones on the slide)
      Start: is it open-source software?
        Yes: code auditing: code analysis, find vulnerability, exploitation.
        No: search the libraries it uses. Is it an open-source library?
          Yes: check the version. Vulnerable version? Yes: exploitation. No: code analysis (code auditing).
          No: reverse engineering (decompile), or the fuzzing step.
  27. How to analyze source code
      Start from the accessible entry points reachable from the user interface: what can be accessed and what can be manipulated.
      Look for the common vulnerabilities: buffer overflow (stack / heap / integer), format string.
      Use automatic analysis tools: RATS, ITS4, FindBugs, Flawfinder, Splint.
  28. Stack buffer overflow in source code
      Look for fixed-size buffers (e.g. buffer[4096] or buffer[BUFFER_SIZE]).
      In the source, find dangerous functions such as strcpy() and sprintf(); they are often wrapped in project-specific helpers with names like abc_strcpy(), so grep for the wrapper too.
      Sometimes the overflow is caused by the termination condition of a loop rather than by a library call.
  29. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
  30. CVE-2012-1775, Step 1: search for accessible entry points.
      Program: VLC 2.0.0. Accessible entry point: Open File.
        Video:     3g2 / 3gp / 3gp2 / amv / asf / etc.
        Audio:     a52 / aac / ac3 / adt / adts / etc.
        Playlist:  m3u / wpl / ram / pls / gvp / etc.
        URL:       mms / rtmp / rtp / rtsp / smb / etc.
  31. Same table: the mms URL handler is where the stack-based buffer overflow occurs.
  32. Step 2: find the source code behind the accessible entry point. Searching the tree for the entry point's name locates its source files (the goom2k4-xmmslibdir.patch hit is a substring match on "xmms", not an MMS file):
      h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$ find ./ | grep "mms"
      .//contrib/src/src/goom/goom2k4-xmmslibdir.patch
      .//modules/access/mms
      .//modules/access/mms/asf.c
      .//modules/access/mms/asf.h
      .//modules/access/mms/buffer.c
      .//modules/access/mms/buffer.h
      .//modules/access/mms/Makefile.am
      .//modules/access/mms/Makefile.in
      .//modules/access/mms/mms.c
      .//modules/access/mms/mms.h
      .//modules/access/mms/mmsh.c
      .//modules/access/mms/mmsh.h
      .//modules/access/mms/mmstu.c
      .//modules/access/mms/mmstu.h
      .//modules/access/mms/Modules.am
  33. Step 3-1: check for dangerous functions (e.g. strcpy, sprintf). Grepping the mms module for strcpy, strcat, getwd, gets, fscanf, scanf and realpath gives no hits (only "grep: ./: Is a directory" from the directory entry); sprintf does:
      h2spice-ui-MacBook-Pro:mms h2spice$ find ./ | xargs grep -n "sprintf"
      grep: ./: Is a directory
      .//mmsh.c:518: if( asprintf( &buf, "%s:%s", p_sys->proxy.psz_username,
      .//mmstu.c:535: sprintf( tmp,
      .//mmstu.c:592: sprintf( tmp,
      .//mmstu.c:599: sprintf( tmp, "\\\\192.168.0.1\\TCP\\1242" );
  34. As a result, the code that uses a dangerous function is found (asprintf allocates its own buffer, so the three sprintf calls into tmp in mmstu.c are the ones to look at).
  35. Step 3-2: a simple check with an automatic tool (RATS):
      C:\Documents and Settings\Administrator\Desktop\rats-2.3-win32\rats-2.3>rats.exe mmstu.c
      Analyzing mmstu.c
      mmstu.c:459: High: fixed size local buffer
        Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
      mmstu.c:535: High: sprintf
        Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.
      mmstu.c:535: High: sprintf
      mmstu.c:592: High: sprintf
        Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.
  36. Step 4: analyze the source code in detail. From vlc-2.0.0/modules/access/mms/mmstu.c:

      /****************************************************************************
       * MMSOpen : Open a connection with the server over mmst or mmsu
       ****************************************************************************/
      static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
      {
          access_sys_t *p_sys = p_access->p_sys;
          int           b_udp = ( i_proto == MMS_PROTO_UDP ) ? 1 : 0;

          var_buffer_t buffer;
          char         tmp[4096];
          uint16_t     *p;
          int          i_server_version;
          int          i_tool_version;
          int          i_update_player_url;
          int          i_encryption_type;
          int          i;
          int          i_streams;
          int          i_first;
          char         *mediapath;

          /* ... omitted ... */

          /* *** send command 1 : connection request *** */
          var_buffer_initwrite( &buffer, 0 );
          var_buffer_add16( &buffer, 0x001c );
          var_buffer_add16( &buffer, 0x0003 );

          sprintf( tmp,
                   "NSPlayer/7.0.0.1956; {"GUID_FMT"}; Host: %s",
                   GUID_PRINT( p_sys->guid ),
                   p_url->psz_host );

      [stack diagram: tmp[4096] | saved EBP | saved EIP] A fixed-size 4096-byte buffer is allocated on the stack.
  37. The connection-request string is formatted into tmp[4096] with sprintf(), which does not know the buffer's size; the host part comes from the mms:// URL that was opened.
  38. With a valid host, e.g. NSPlayer/7.0.0.1956; {"user"}; Host: www.h2spice.net, the string fits in tmp and no overflow occurs.
  39. With a host longer than the space left in tmp, e.g. NSPlayer/7.0.0.1956; {"user"}; Host: AAAA...AAAA (thousands of bytes), the write runs past tmp into the saved EBP and EIP: a stack-based buffer overflow.
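The pattern in MMSOpen reduced to the lines that matter, as an added example (this is not VLC's code; GUID_FMT / GUID_PRINT are VLC macros, and the fixed GUID_PLACEHOLDER string below stands in for them by assumption). It shows the unbounded sprintf() beside a bounded snprintf() version, plus the arithmetic an auditor does by hand: how long the formatted string gets for a given host and at what host length the 4096-byte buffer is overrun.

```c
#include <stdio.h>
#include <string.h>

#define MMS_TMP_SIZE 4096
/* Assumption: a fixed 36-character GUID stands in for GUID_FMT/GUID_PRINT. */
#define GUID_PLACEHOLDER "00000000-0000-0000-0000-000000000000"
#define REQUEST_FMT "NSPlayer/7.0.0.1956; {%s}; Host: %s"

/* Vulnerable form (same shape as mmstu.c): sprintf() has no idea how big
 * tmp is, and the host string is whatever the mms:// URL carried, so the
 * URL's author decides how many bytes land on the stack. */
void build_request_unsafe(char tmp[MMS_TMP_SIZE], const char *host)
{
    sprintf(tmp, REQUEST_FMT, GUID_PLACEHOLDER, host);
}

/* Bytes (excluding the NUL) that the sprintf above writes for this host. */
size_t request_len(const char *host)
{
    int n = snprintf(NULL, 0, REQUEST_FMT, GUID_PLACEHOLDER, host);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the unsafe form would run past tmp[MMS_TMP_SIZE] for this host. */
int request_overflows(const char *host)
{
    return request_len(host) + 1 > MMS_TMP_SIZE;
}

/* Longest host that still fits: the fixed text plus the NUL eat the rest. */
size_t max_host_len(void)
{
    return MMS_TMP_SIZE - 1 - request_len("");
}

/* Hardened form: bound the write and treat truncation as an error instead
 * of silently sending a clipped request.  0 on success, -1 if it does not fit. */
int build_request_safe(char *tmp, size_t tmp_size, const char *host)
{
    int n = snprintf(tmp, tmp_size, REQUEST_FMT, GUID_PLACEHOLDER, host);
    if (n < 0 || (size_t)n >= tmp_size) {
        tmp[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char tmp[MMS_TMP_SIZE];
    char big[5000];                       /* constructed: a 4999-byte host */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    build_request_unsafe(tmp, "www.h2spice.net");   /* short host: fits */
    printf("normal host: %zu bytes, overflow=%d\n",
           strlen(tmp), request_overflows("www.h2spice.net"));
    printf("longest host that still fits: %zu bytes\n", max_host_len());
    /* Never call build_request_unsafe() with `big`: that is the bug itself. */
    printf("4999-byte host: overflow=%d, safe builder returns %d\n",
           request_overflows(big), build_request_safe(tmp, sizeof tmp, big));
    return 0;
}
```

The length check is what RATS cannot do for you: the tool flags every sprintf into a fixed buffer, and request_len() is the manual step that tells you whether attacker-controlled input can actually push the total past 4096. Note that the safe version rejects, rather than truncates, because a truncated request is still a protocol error the caller should see.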
  40. Heap buffer overflow in source code
      Search for the memory-allocation functions malloc(), calloc(), realloc() and for memcpy(), then compare the allocated size with the size of the data copied into it. Searching VLC's rtsp module:
      h2spice-ui-MacBook-Pro:rtsp h2spice$ find ./ | xargs grep -n "malloc"
      grep: ./: Is a directory
      .//access.c:168: p_access->p_sys = p_sys = malloc( sizeof( access_sys_t ) );
      .//access.c:171: p_sys->p_rtsp = malloc( sizeof( rtsp_client_t) );
      .//real.c:433: buf= (char *)malloc(2048);
      .//real.c:611: char *buf = malloc(256);
      .//real.c:666: description = malloc(size+1);
      .//real.c:675: subscribe = malloc(256);
      .//real_asmrp.c:93: p = malloc (sizeof (asmrp_t));
      .//real_rmff.c:384: mdpr->type_specific_data = malloc(type_specific_len);
      .//real_sdpplin.c:70: buf = malloc( BUFLEN );
      .//real_sdpplin.c:74: decoded = malloc( BUFLEN );
      .//real_sdpplin.c:146: desc->mlti_data = malloc(desc->mlti_data_size);
      .//real_sdpplin.c:193: buf = malloc( BUFLEN );
      .//real_sdpplin.c:200: decoded = malloc( BUFLEN );
      .//real_sdpplin.c:262: desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
      .//rtsp.c:505: s->host = malloc(hostend+1);
      As a result, every call site of an allocation function is found; each one is then paired with the copy that fills it.
  41. Heap buffer overflow in source code: one allocation/copy pair from real_sdpplin.c (slides 41 to 45 step through this same code):

      if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
        desc->mlti_data_size =
            vlc_b64_decode_binary_to_buffer(decoded, BUFLEN, buf );
        if ( desc->mlti_data_size ) {
          desc->mlti_data = malloc(desc->mlti_data_size);
          memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
          handled=1;
          *data=nl(*data);
          lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
        }
      }

      Search for malloc(), calloc(), realloc() and memcpy(); compare the allocated size with the copied size.
  45. Are they equal? Here the malloc() size and the memcpy() length are the same variable, desc->mlti_data_size, and the decode into `decoded` is itself bounded by BUFLEN, so this pair is fine: move on and check the other malloc() / memcpy() pairs.
  46. httpdx 1.5.4 heap overflow. Step 1: search for malloc() or memcpy().
      h2spice-ui-MacBook-Pro:httpdx_src h2spice$ find ./ | xargs grep -n "malloc"
      grep: ./: Is a directory
      .//daemon.cpp:100: //d = (char*)malloc(_size);
      .//daemon.cpp:191: //mimes = (dblstr_t*)malloc(vc+1);//+1: space for httpdx command virtual file extension
      .//daemon.cpp:204: mimes = (dblstr_t*)malloc((vc+1)*sizeof(dblstr_t));//+1: space for httpdx command virtual file extension
      .//ftp.cpp:122: client->transfers[client->transfers_c].d = (char*)malloc(1);
      .//http.cpp:250: client->d = (char*)malloc(strlen(p[0])+1);
      .//http.cpp:357: client->d = (char*)malloc(strlen(p[0])+1);
      .//http.cpp:467: client->d = (char*)malloc(client->ds);
      .//http.cpp:661: client->pd = (char*)malloc(client->cl+1);
      .//script.cpp:233: //nodes[*ns].str = (char*)malloc(el+1);
      .//script.cpp:246: //nodes[*ns].str = (char*)malloc(el+1);
      .//script.cpp:264: //nodes[*ns].str = (char*)malloc(el+1);
      As a result, the code that calls an allocation function is found. The lines starting with // are commented out and can be skipped; http.cpp:661 is the one followed below.
  47. httpdx 1.5.4 heap overflow. Step 2: compare the allocated size with the copied size (slides 47 to 51 step through this same code). From http.cpp:

      int h_readrequest(phclient_t client){
          /* ... omitted ... */
          int hs = p-client->req; //Get data position in request
          if(p){
              client->pd = (char*)malloc(client->cl+1);
              int pos = p+4-client->req;
              memcpy(client->pd,client->req+pos,(client->rs-hs-4));
              client->pds = client->rs-hs-4;
              if((client->rs-hs-4) >= client->cl) client->state = STATE_REQD;
              else client->state = STATE_DATADOWN;
          }else{
              client->state = STATE_ERROR;
              return (client->code = C_REQUESTENTITYTOOLARGE);
          }
          /* ... omitted ... */
      }

      The allocation is malloc(client->cl+1) but the copy length is client->rs-hs-4: two different quantities.
  51. Step 3: if they are not equal, carry out a detailed analysis of where each quantity comes from.
  52. httpdx 1.5.4 heap overflow. Step 3: if not equal, carry out a detailed analysis. The fields involved, from source/include/http.h, structure phclient_t:
        int     socket      socket to communicate on
        char    host[256]   host the client used
        char *  pd          post data; allocated with the Content-Length size
        size_t  pds         post-data size
        int     cl          content-length
        char    req[4096]   request buffer
        int     rs          request size (from the received packet)
  53. So malloc(client->cl+1) is sized by the Content-Length header (cl), while memcpy() copies client->rs-hs-4 bytes, the request size actually received (rs) minus the header length. The client controls both, independently.
  54. Step 3 (continued): generate a malformed packet and send it to the server:
        POST /index.html HTTP/1.0
        Content-Length: 100
        Content-Type: text
        Host: AAAAAAAAA.....AAAAAAAAAAA
      [heap diagram: other space | buffer[101] | other space] A 101-byte heap buffer is allocated from Content-Length: 100.
  55. The request data after the headers is copied into that buffer.
  56. If Content-Length is smaller than the amount of request data actually received, the copy runs past the 101-byte buffer into the neighbouring heap chunks: a heap-based buffer overflow.
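The httpdx mismatch as an added example, not httpdx's code: a small request reader whose field names mirror the phclient_t members listed on slide 52 (req/rs, cl, pd/pds). It parses Content-Length from a constructed request, reports how far the original allocate-by-cl / copy-by-rs pattern would overrun the heap buffer, and shows the hardened reader that copies at most cl bytes and keeps the STATE_REQD / STATE_DATADOWN distinction. The 1 MiB upper bound on Content-Length is an assumption, not a value from httpdx.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* strncasecmp */

typedef struct {
    char   req[4096];   /* request buffer                        */
    size_t rs;          /* request size, as received             */
    long   cl;          /* Content-Length header value           */
    char  *pd;          /* post data, allocated from cl          */
    size_t pds;         /* post-data size actually stored        */
} client_t;

/* Content-Length from the header block; -1 if absent or malformed. */
long parse_content_length(const char *req, size_t rs)
{
    const char *end = req + rs, *p = req;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t linelen = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (linelen >= 15 && strncasecmp(p, "Content-Length:", 15) == 0) {
            char *stop;
            long v = strtol(p + 15, &stop, 10);
            return (stop == p + 15 || v < 0) ? -1 : v;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* Offset of the body (just past "\r\n\r\n"), or -1 if headers are incomplete. */
long body_offset(const char *req, size_t rs)
{
    for (size_t i = 0; i + 4 <= rs; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

/* The httpdx pattern: malloc(cl+1) but memcpy(rs - hs - 4).  Returns how
 * many bytes that memcpy would write beyond the allocation (0 if it fits).
 * Nothing is allocated or copied, so this is safe to call with any input. */
size_t overflow_bytes_unsafe_pattern(const client_t *c)
{
    long off = body_offset(c->req, c->rs);
    if (off < 0 || c->cl < 0) return 0;
    size_t alloc = (size_t)c->cl + 1;
    size_t copy  = c->rs - (size_t)off;
    return copy > alloc ? copy - alloc : 0;
}

/* Hardened reader: never copy more than cl, and say whether more body is
 * still outstanding.  Returns 1 (complete), 0 (more data needed), -1 (error). */
int read_post_body_safe(client_t *c)
{
    long off = body_offset(c->req, c->rs);
    if (off < 0) return -1;
    c->cl = parse_content_length(c->req, c->rs);
    if (c->cl < 0 || c->cl > 1024 * 1024) return -1;   /* assumed limit */
    size_t avail = c->rs - (size_t)off;
    size_t copy  = avail < (size_t)c->cl ? avail : (size_t)c->cl;
    c->pd = malloc((size_t)c->cl + 1);
    if (!c->pd) return -1;
    memcpy(c->pd, c->req + off, copy);
    c->pd[copy] = '\0';
    c->pds = copy;
    return copy >= (size_t)c->cl ? 1 : 0;
}

/* Fill a client from constructed headers plus body_len bytes of 'A'. */
int load_request(client_t *c, const char *headers, size_t body_len)
{
    size_t hl = strlen(headers);
    if (hl + body_len > sizeof c->req) return -1;
    memset(c, 0, sizeof *c);
    memcpy(c->req, headers, hl);
    memset(c->req + hl, 'A', body_len);
    c->rs = hl + body_len;
    c->cl = parse_content_length(c->req, c->rs);
    return 0;
}

int main(void)
{
    /* Constructed request: Content-Length says 100, but 300 bytes follow. */
    const char *hdr = "POST /index.html HTTP/1.0\r\nContent-Length: 100\r\n"
                      "Content-Type: text\r\nHost: h2spice.net\r\n\r\n";
    client_t c;
    load_request(&c, hdr, 300);
    printf("cl=%ld received body=%zu -> unsafe pattern overruns by %zu bytes\n",
           c.cl, c.rs - (size_t)body_offset(c.req, c.rs), overflow_bytes_unsafe_pattern(&c));
    printf("safe reader: state=%d stored=%zu bytes\n", read_post_body_safe(&c), c.pds);
    free(c.pd);
    return 0;
}
```

The point of overflow_bytes_unsafe_pattern() is the audit arithmetic of slides 52 and 53 made explicit: the allocation is a function of one client-controlled number and the copy of another, so any request whose body is longer than its Content-Length overruns by exactly the difference minus one.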
  57. Integer overflow in source code
      [diagram] 20000 (0100 1110 0010 0000) + 30000 (0111 0101 0011 0000) = 50000 (1100 0011 0101 0000), which a signed 16-bit integer reads as -15536: the top bit is interpreted as the sign bit, so the result is negative.
      It occurs when the result of an operation is bigger than the permissible range of the type that stores it, or smaller than that range; it happens inside the arithmetic itself, so it is hard to spot and a lot of code has to be read to find it.
  58. Example of an integer overflow (slides 58 to 62 walk through this sample; the code is deliberately vulnerable):

      #include <stdio.h>
      #include <string.h>
      #include <sys/types.h>          /* off_t */
      #define BUFFER_SIZE 4096
      #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

      int main(int argc, char* argv[])
      {
          off_t  type1 = 0;                 /* signed type */
          size_t type2 = 0;                 /* unsigned type */
          off_t  type3 = 999999999999999;   /* integer overflow: does not fit a 32-bit off_t */
          char   buffer[BUFFER_SIZE];       /* fixed buffer */

          type1 = strlen(argv[1]);
          printf("size of input data = %d \n", (int)type1);
          if (argv[2] != NULL) {            /* due to some operations */
              type1 = type3;
          }
          type2 = (size_t) test_min(type1, BUFFER_SIZE);   /* signed compare: a negative type1 passes */
          printf("size of (size_t)type2 = %d\n", (int)type2);
          strncpy(buffer, argv[1], type2);  /* occurs stack overflow */
          printf("data output = %s\n", buffer);
          return 0;
      }

      Output 1, normal:
      h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello
      size of input data = 5
      size of (size_t)type2 = 5
      data output = hello

      Output 2, integer overflow:
      h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ?
      size of input data = 5
      size of (size_t)type2 = -1530494977
      Segmentation fault (core dumped)
  59. Declare the variables: a signed type, an unsigned type, and a fixed-size stack buffer.
  60. Get the size of the user input and print it.
  61. Check the size of the user input: this test_min() line is the code meant to prevent a buffer overflow.
  62. Copy the user input into the buffer and print it. The output shown comes from a build where off_t is 32 bits: 999999999999999 is truncated to -1530494977, the signed comparison in test_min() lets the negative value through, the cast to size_t turns it into a huge count, and strncpy() runs off the end of buffer.
  63. 63. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 1 - Normal Output 2 - Integer Overflow if variable signed type stored in big data, will occur integing overflow 6313년 7월 3일 수요일
  64. 64. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 1 - Normal Output 2 - Integer Overflow because type2 it has been set negative number, to bypass code that prevent buffer overflow 6413년 7월 3일 수요일
  65. 65. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 1 - Normal Output 2 - Integer Overflow as a result, occur stack buffer overflow 6513년 7월 3일 수요일
66. nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
67. Step 1. Collect information about the variables involved

    Source path                        Structure / function                                          Type                    Name                 Detail
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       ngx_uint_t              state
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       off_t                   size                 signed type
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       off_t                   length               signed type
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       (other members omitted)
    src/http/ngx_http_request_body.c   ngx_http_read_discarded_request_body(ngx_http_request_t *r)   size_t                  size                 unsigned type
    src/http/ngx_http_request_body.c   ngx_http_read_discarded_request_body(ngx_http_request_t *r)   u_char                  buffer[4096]         fixed-size stack buffer
    src/http/ngx_http_request_body.c   ngx_http_read_discarded_request_body(ngx_http_request_t *r)   (other variables omitted)
    src/http/ngx_http_request.h        ngx_http_request_s                                            ngx_http_headers_in_t   headers_in           embedded struct
    src/http/ngx_http_request.h        ngx_http_request_s                                            ngx_http_headers_out_t  headers_out          embedded struct
    src/http/ngx_http_request.h        ngx_http_request_s                                            (other members omitted)
    src/http/ngx_http_request.h        ngx_http_headers_in_t                                         off_t                   content_length_n     signed type
    src/http/ngx_http_request.h        ngx_http_headers_in_t                                         (other members omitted)
    src/http/ngx_http_request.h        ngx_http_headers_out_t                                        off_t                   content_length_n     signed type
    src/http/ngx_http_request.h        ngx_http_headers_out_t                                        (other members omitted)

The pattern to look for is the same as in the toy example: signed length fields (off_t) that end up in an unsigned size_t next to a fixed-size stack buffer.
68. Step 2. Step by step, analyze the source code

[ src/http/modules/ngx_http_static_module.c ]

    static ngx_int_t
    ngx_http_static_handler(ngx_http_request_t *r)
    {
        u_char                    *last, *location;
        size_t                     root, len;
        ngx_str_t                  path;
        /* ... omitted ... */

        if (r->method & NGX_HTTP_POST) {
            return NGX_HTTP_NOT_ALLOWED;
        }

        rc = ngx_http_discard_request_body(r);

        if (rc != NGX_OK) {
            return rc;
        }

        log->action = "sending response to client";

        r->headers_out.status = NGX_HTTP_OK;
        r->headers_out.content_length_n = of.size;
        r->headers_out.last_modified_time = of.mtime;
        /* ... omitted ... */

ngx_http_discard_request_body() is called: the static handler does not read the request body, it discards it.
69. [ src/http/ngx_http_request_body.c ]

    ngx_int_t
    ngx_http_discard_request_body(ngx_http_request_t *r)
    {
        ssize_t       size;
        ngx_int_t     rc;
        ngx_event_t  *rev;
        /* ... omitted ... */

        if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
            return NGX_OK;
        }

        size = r->header_in->last - r->header_in->pos;

        if (size || r->headers_in.chunked) {
            rc = ngx_http_discard_request_body_filter(r, r->header_in);

            if (rc != NGX_OK) {
                return rc;
            }

            if (r->headers_in.content_length_n == 0) {
                return NGX_OK;
            }
        }
        /* ... omitted ... */

Checks whether the request declares chunked data in the header (r->headers_in.chunked); if so, ngx_http_discard_request_body_filter() is called.
71. [ src/http/ngx_http_request_body.c ]

    static ngx_int_t
    ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
    {
        size_t                     size;
        ngx_int_t                  rc;
        ngx_http_request_body_t   *rb;

        if (r->headers_in.chunked) {

            rb = r->request_body;
            /* ... omitted ... */

            for ( ;; ) {

                rc = ngx_http_parse_chunked(r, b, rb->chunked);

                if (rc == NGX_OK) {

                    /* a chunk has been parsed successfully */

                    size = b->last - b->pos;

                    if ((off_t) size > rb->chunked->size) {
                        b->pos += rb->chunked->size;
                        rb->chunked->size = 0;

                    } else {
                        rb->chunked->size -= size;
                        b->pos = b->last;
                    }

                    continue;
                }
                /* ... omitted ... */

ngx_http_parse_chunked() is called; the integer overflow lives in there.
72. [ src/http/ngx_http_parse.c ]

    ngx_int_t
    ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
        ngx_http_chunked_t *ctx)
    {
        /* ... omitted ... */

        for (pos = b->pos; pos < b->last; pos++) {

            ch = *pos;
            /* ... omitted ... */

            switch (state) {

            case sw_chunk_start:
                if (ch >= '0' && ch <= '9') {
                    state = sw_chunk_size;
                    ctx->size = ch - '0';
                    break;
                }

                c = (u_char) (ch | 0x20);

                if (c >= 'a' && c <= 'f') {
                    state = sw_chunk_size;
                    ctx->size = c - 'a' + 10;
                    break;
                }

                goto invalid;

            case sw_chunk_size:
                if (ch >= '0' && ch <= '9') {
                    ctx->size = ctx->size * 16 + (ch - '0');
                    break;
                }

                c = (u_char) (ch | 0x20);

                if (c >= 'a' && c <= 'f') {
                    ctx->size = ctx->size * 16 + (c - 'a' + 10);
                    break;
                }
                /* ... omitted ... */

ctx->size is a signed off_t (ngx_http_chunked_t: state is ngx_uint_t, size and length are off_t). Every hex digit of the chunk-size line does ctx->size = ctx->size * 16 + digit with no upper bound, so a chunk-size line with enough digits overflows the signed value, and ctx->size is then interpreted as a negative number.
73. [ src/http/ngx_http_parse.c, continued ]

        switch (state) {
        /* ... omitted ... */

        case sw_chunk_size:
            if (ch >= '0' && ch <= '9') {
                ctx->size = ctx->size * 16 + (ch - '0');
                break;
            }

            c = (u_char) (ch | 0x20);

            if (c >= 'a' && c <= 'f') {
                ctx->size = ctx->size * 16 + (c - 'a' + 10);
                break;
            }
        /* ... omitted ... */

    data:

        ctx->state = state;
        b->pos = pos;

        switch (state) {

        case sw_chunk_start:
            ctx->length = 3 /* "0" LF LF */;
            break;
        case sw_chunk_size:
            ctx->length = 2 /* LF LF */
                          + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
            break;
        /* ... omitted ... */

ctx->length (also a signed off_t) is derived from the negative ctx->size, so ctx->length is negative as well.
74. [ src/http/ngx_http_request_body.c, ngx_http_discard_request_body_filter() ]

            /* ... omitted ... */
            for ( ;; ) {

                rc = ngx_http_parse_chunked(r, b, rb->chunked);

                if (rc == NGX_OK) {

                    /* a chunk has been parsed successfully */
                    /* ... omitted ... */

                    continue;
                }

                if (rc == NGX_DONE) {

                    /* a whole response has been parsed successfully */

                    r->headers_in.content_length_n = 0;
                    break;
                }

                if (rc == NGX_AGAIN) {

                    /* set amount of data we want to see next time */

                    r->headers_in.content_length_n = rb->chunked->length;
                    break;
                }
                /* ... omitted ... */

When the parser returns NGX_AGAIN (the chunk has not been fully received yet), the negative rb->chunked->length is copied into r->headers_in.content_length_n, which is a signed off_t too (ngx_http_headers_in_t and ngx_http_headers_out_t both have off_t content_length_n).
75. [ src/http/ngx_http_request_body.c, ngx_http_discard_request_body() ]

        /* ... omitted ... */
        if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
            return NGX_OK;
        }

        size = r->header_in->last - r->header_in->pos;

        if (size || r->headers_in.chunked) {
            rc = ngx_http_discard_request_body_filter(r, r->header_in);

            if (rc != NGX_OK) {
                return rc;
            }

            if (r->headers_in.content_length_n == 0) {
                return NGX_OK;
            }
        }

        rc = ngx_http_read_discarded_request_body(r);

        if (rc == NGX_OK) {
            r->lingering_close = 0;
            return NGX_OK;
        }

        if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
            return rc;
        }
        /* ... omitted ... */

Back in the caller, only content_length_n == 0 is checked, never content_length_n < 0, so with the negative value ngx_http_read_discarded_request_body() is called: that is where the stack-based overflow is.
76. [ src/http/ngx_http_request_body.c ]

    #define ngx_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

    static ngx_int_t
    ngx_http_read_discarded_request_body(ngx_http_request_t *r)
    {
        size_t     size;
        ssize_t    n;
        ngx_int_t  rc;
        ngx_buf_t  b;
        u_char     buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];

        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "http read discarded body");

        ngx_memzero(&b, sizeof(ngx_buf_t));

        b.temporary = 1;

        for ( ;; ) {
            if (r->headers_in.content_length_n == 0) {
                r->read_event_handler = ngx_http_block_reading;
                return NGX_OK;
            }

            if (!r->connection->read->ready) {
                return NGX_AGAIN;
            }

            size = (size_t) ngx_min(r->headers_in.content_length_n,
                                    NGX_HTTP_DISCARD_BUFFER_SIZE);

            n = r->connection->recv(r->connection, buffer, size);
            /* ... omitted ... */

r->headers_in.content_length_n has already been set to a negative number. ngx_min() compares it with NGX_HTTP_DISCARD_BUFFER_SIZE (4096) and returns the negative value because it is smaller; the cast to size_t then turns it into a huge unsigned length, and the code that was supposed to prevent a buffer overflow is bypassed, exactly as in the toy example.

recv() copies the chunked data into buffer, a 4096-byte array on the stack:

    [ buffer[4096] ][ saved EBP ][ return address (EIP) ]

If the chunked data is bigger than 4096 bytes, it runs past the end of buffer and overwrites the saved frame pointer and return address: a stack buffer overflow.

    [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... ]
    [ buffer[4096]                                    ][ EBP = AAAA ][ EIP = AAAA ]
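To make the two integer overflows on this page concrete (the toy integer_overflow sample and the nginx chunk-size parser), here is an added example written for this edit; it is not code from the slides or from nginx. It reproduces the shape of the bug in three small functions: a hex chunk-size parser that accumulates into a signed 64-bit value with no bound, the (size_t) min(signed_length, 4096) cast that turns a negative length into a huge one, and a bounded parser that rejects a digit before the multiply can overflow. The bounded parser follows the same idea as the nginx 1.4.1 fix but is my own code, not the nginx patch; all function names here are assumptions, and the chunk-size lines in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DISCARD_BUFFER_SIZE 4096
/* Same shape as the page's test_min()/ngx_min(): compare first, cast afterwards. */
#define my_min(a, b) (((a) > (b)) ? (b) : (a))

static int hexval(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch |= 0x20;
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Mirrors the nginx 1.4.0 loop "size = size * 16 + digit" with no upper bound.
 * Signed overflow is undefined behaviour in C, so the accumulation is done in
 * uint64_t and converted at the end; that reproduces the two's-complement wrap
 * a 64-bit off_t undergoes in practice. Returns 0 and writes *out, -1 on a
 * non-hex character. The terminators (CR, LF, ';') follow the chunk-size line
 * grammar; chunk extensions and trailers are not handled (assumption). */
int parse_chunk_size_unbounded(const char *line, int64_t *out)
{
    uint64_t acc = 0;
    for (; *line && *line != '\r' && *line != '\n' && *line != ';'; line++) {
        int d = hexval(*line);
        if (d < 0) return -1;
        acc = acc * 16 + (uint64_t) d;
    }
    *out = (int64_t) acc;
    return 0;
}

/* Hardened version: refuse the digit before the multiply can overflow, so the
 * value can never become negative. Same idea as the 1.4.1 fix, written here
 * from scratch; it is not the nginx patch. */
int parse_chunk_size_bounded(const char *line, int64_t *out)
{
    int64_t size = 0;
    for (; *line && *line != '\r' && *line != '\n' && *line != ';'; line++) {
        int d = hexval(*line);
        if (d < 0) return -1;
        if (size > (INT64_MAX - d) / 16) return -1;   /* size * 16 + d would exceed INT64_MAX */
        size = size * 16 + d;
    }
    *out = size;
    return 0;
}

/* The length handed to recv() in ngx_http_read_discarded_request_body():
 * a signed, possibly negative content length clamped to 4096 and then cast.
 * A negative input survives the clamp and becomes a huge size_t. */
size_t discard_read_length(int64_t content_length_n)
{
    return (size_t) my_min(content_length_n, (int64_t) DISCARD_BUFFER_SIZE);
}

/* Small wrappers: the wrapped value (0 if the line is not hex), and a yes/no
 * for the hardened parser. */
int64_t unbounded_value(const char *line)
{
    int64_t v = 0;
    return parse_chunk_size_unbounded(line, &v) == 0 ? v : 0;
}

int bounded_accepts(const char *line)
{
    int64_t v;
    return parse_chunk_size_bounded(line, &v) == 0;
}

int main(void)
{
    /* Constructed chunk-size lines: a normal one, the largest legal one, and
     * two 16-digit lines whose top bit lands in the sign bit of an off_t. */
    const char *lines[] = { "1000", "7fffffffffffffff", "8000000000000000", "ffffffffffffffff" };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int64_t v = unbounded_value(lines[i]);
        printf("%-18s unbounded=%lld  recv_len=%zu  bounded=%s\n",
               lines[i], (long long) v, discard_read_length(v),
               bounded_accepts(lines[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The third column is the number that matters: for the two sign-bit lines recv_len is not 4096 but a value near SIZE_MAX, which is what lets recv() run past the 4096-byte stack buffer. The bounded parser never lets the value reach the sign bit, so the later clamp works as intended.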
79. Reverse Engineering
80. Reverse Engineering
    Real code bases are far larger than you can imagine; it sounds ridiculous, but that is the reality.
    Finding vulnerabilities by reverse engineering and dynamic analysis is hard, but it turns up the unique bugs a fuzzer usually will not find.
    Be specific, but get the big picture first: call graphs, system calls, associated data.
    Then dive into the smaller parts.
    Recognize well-known routines, e.g. crypto (RC4, RSA, etc.), memcpy, strcpy, etc.
81. Approach method: Code Auditing / Reverse Engineering / Fuzzing -> Find Vulnerability -> Exploitation

Reverse Engineering flowchart
    Start
    -> Understand the overall flow
    -> Search for an entry point
    -> Check the arguments
    -> Function analysis
    -> Does it cause a logical problem?
         N -> back to searching for the next entry point
         Y -> Find Vulnerability -> Exploitation
84. Debugging with a script

A debugger script that records every call gives you the real call flow of a binary, and filtering that trace (for example dropping CRT internals such as __output and write_char) reduces the amount of code you actually have to read.

Source:

    #include <stdio.h>

    void code1(void)
    {
        printf("code1\n");
    }

    void code2(void)
    {
        printf("code2\n");
    }

    void main(void)
    {
        printf("hello world\n");
        code1();
        code2();
    }

Call flow recorded by the script (consecutive identical calls collapsed with a count):

    call j_?code1@@YAXXZ
    call ?code1@@YAXXZ
    call _printf
    call __stbuf
    call __isatty
    call __output
    call write_char            (x6)
    call __ftbuf
    call __flush
    call __write
    call __chkesp
    call j_?code2@@YAXXZ
    call ?code2@@YAXXZ
    call _printf
    call __stbuf
    call __isatty
    call __output
    call write_char            (x6)
    call __ftbuf
    call __flush
    call __write
    call __chkesp
    call _main_0
    call _main
    call _printf
    call __stbuf
    call __isatty
    call __malloc_dbg
    call __nh_malloc_dbg
    call __heap_alloc_dbg
    call __CrtDefaultAllocHook
    call __heap_alloc_base
    call _memset               (x3)
    call __output
    call write_char            (x12)
    call __ftbuf
    call __flush
    call __write

Three lines of application code turn into dozens of calls; the only ones worth following here are code1, code2 and _main, the rest is the C runtime printing strings and setting up the stdout buffer.
88. Fuzzing
    Throw random bits at the program and see whether it handles them
    Popular, robust testing mechanism for software
    Fast and effective; easy to implement
    Two types of fuzzing: dumb fuzzing and smart fuzzing
89. Approach method: Code Auditing / Reverse Engineering / Fuzzing -> Find Vulnerability -> Exploitation

Fuzzing flowchart
    Start
    -> Data analysis
    -> Do you know the structure of the data?
         Y -> Smart fuzz (data modeling, data type classification)
         N -> Dumb fuzz
    -> Does a crash occur?
         N -> back to fuzzing
         Y -> Crash analysis -> Find Vulnerability -> Exploitation
93. Specific targets for fuzzing
    File format (file fuzzing)
    Network protocol (network fuzzing)
    ActiveX (ActiveX fuzzing)
    Browser (browser fuzzing)
    Etc.
94. Type of Fuzzing - Dumb Fuzzing
    Based on mutation
    Little or no knowledge of the structure of the inputs is assumed
    Most of the generated inputs are invalid
    Anomalies may be completely random or follow some heuristics
    Anomalies are added to existing valid inputs
    Example: playlist formats such as m3u, pls, asx
95. Dumb fuzzing sample

File format
    [AAAAAAA....AAAA]
    [normal data] + [AAAAAAA....AAAA]
    [header] + [AAAAAAA....AAAA] + [eof]
    mutated normal file

Network protocol
    GET /AAAAAAA....AAAA.html HTTP/1.1
    AAAAAAA....AAAA /index.html HTTP/1.1
    GET /index.html HTTTTTTTTTTTTTTTP/1.1
96. Type of Fuzzing - Smart Fuzzing
    Based on generation
    Knowledge of the structure of the inputs is needed
    Test cases are generated from a description of the format (RFCs, documentation)
    Takes the data structure into consideration, e.g. offsets and checksums
97. Smart fuzzing sample

File format
    Consideration of the data structure and the relations between fields
    Variety of attack vectors: length, offset, object, etc.
    Use the 010 binary editor's templates (free binary templates exist for *.bmp, *.zip, *.wav)
    [template view of a sample file: int fields, a flag, a length-prefixed string, length-prefixed data blocks]
98. Smart fuzzing sample

Network protocol
    Consideration of the data structure and the relations between fields
    Variety of attack vectors: Host, Content-Length, etc.

    POST /index.html HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0
    Content-Length: 100
    Host: localhost:8080
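The dumb and smart network-fuzzing samples above are shown as static strings; the following added example (written for this edit, not code from the slides) turns them into the two generators a fuzzer would actually use against an HTTP server. dumb_mutate() is the mutation side: it knows nothing about HTTP and overwrites random bytes of a valid request. smart_build_post() and smart_build_chunked() are the generation side: they keep the request parseable and attack one relation at a time, the declared Content-Length versus the real body and the hex chunk-size line that CVE-2013-2028 parsed into a signed off_t. The seed request is constructed, the PRNG is a plain xorshift32 so a crashing case can be regenerated from its seed, and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deterministic PRNG (xorshift32): a crashing case can be regenerated from its seed. */
static uint32_t rng_state = 1;

static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Boundary bytes that tend to upset length checks, sign handling and tokenizers. */
static const uint8_t interesting[] = { 0x00, 0x7f, 0x80, 0xff, 'A', '%', '\n' };

/* Constructed valid request used as the mutation seed (not captured traffic). */
const char valid_request[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n";

/* Dumb fuzzing (mutation-based): no knowledge of HTTP. Copies in[] to out[] and
 * overwrites nmut randomly chosen bytes with a value that differs from the
 * original. Returns how many positions now differ (<= nmut: two mutations may
 * land on the same byte). */
size_t dumb_mutate(const uint8_t *in, size_t len, uint8_t *out, uint32_t seed, int nmut)
{
    size_t changed = 0;

    memcpy(out, in, len);
    rng_state = seed ? seed : 1;                 /* xorshift must never be seeded with 0 */

    for (int i = 0; i < nmut; i++) {
        size_t  pos = rng_next() % len;
        uint8_t v;
        do {                                     /* half the time an "interesting" byte, half random */
            v = (rng_next() & 1) ? interesting[rng_next() % sizeof interesting]
                                 : (uint8_t) rng_next();
        } while (v == in[pos]);
        out[pos] = v;
    }
    for (size_t i = 0; i < len; i++) {
        changed += (out[i] != in[i]);
    }
    return changed;
}

/* Smart fuzzing (generation-based): the generator knows the framing, so the
 * request stays parseable and one relation is attacked at a time. Here the
 * declared Content-Length is decoupled from the real body size. Returns the
 * number of bytes written (NUL-terminated), or 0 if out is too small. */
size_t smart_build_post(char *out, size_t cap, const char *host, long claimed_len, size_t body_len)
{
    int hdr = snprintf(out, cap,
                       "POST /index.html HTTP/1.1\r\n"
                       "Host: %s\r\n"
                       "Content-Type: application/x-www-form-urlencoded\r\n"
                       "Content-Length: %ld\r\n"
                       "\r\n", host, claimed_len);
    if (hdr < 0 || (size_t) hdr + body_len >= cap) return 0;
    memset(out + hdr, 'A', body_len);
    out[hdr + body_len] = '\0';
    return (size_t) hdr + body_len;
}

/* Same idea for a chunked body: the attacker-chosen chunk-size line is the
 * field nginx 1.4.0 parsed into a signed off_t (CVE-2013-2028). */
size_t smart_build_chunked(char *out, size_t cap, const char *host, const char *chunk_size_hex, size_t body_len)
{
    int hdr = snprintf(out, cap,
                       "POST /index.html HTTP/1.1\r\n"
                       "Host: %s\r\n"
                       "Transfer-Encoding: chunked\r\n"
                       "\r\n"
                       "%s\r\n", host, chunk_size_hex);
    if (hdr < 0 || (size_t) hdr + body_len >= cap) return 0;
    memset(out + hdr, 'A', body_len);
    out[hdr + body_len] = '\0';
    return (size_t) hdr + body_len;
}

/* Shared output buffer; a real harness would send each case to the target. */
char request_buf[2048];

int main(void)
{
    uint8_t mutated[sizeof valid_request];

    for (uint32_t seed = 1; seed <= 3; seed++) {
        size_t n = dumb_mutate((const uint8_t *) valid_request, sizeof valid_request - 1, mutated, seed, 4);
        printf("dumb  seed=%u changed=%zu bytes\n", seed, n);
    }
    smart_build_post(request_buf, sizeof request_buf, "localhost:8080", 0x7fffffffL, 16);
    printf("smart Content-Length mismatch:\n%s\n", request_buf);
    smart_build_chunked(request_buf, sizeof request_buf, "localhost:8080", "ffffffffffffffff", 16);
    printf("smart chunk size:\n%s\n", request_buf);
    return 0;
}
```

The dumb side produces mostly requests the server rejects at the first broken token, which is why the page says most dumb inputs are invalid; the smart side produces requests that pass the parser and reach the code that consumes the length fields, which is where the nginx bug was.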
99. Smart fuzzing sample

ActiveX
    Extract the parameters of the control
    Feed data into each parameter: big data, invalid data, etc.
    Generate an HTML document that instantiates the control with those values

    classID                                   parameter   value type
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    A           String
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    B           String
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    C           String
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    D           Integer
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    E           Integer
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    F           String
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    G           Integer
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    H           Integer
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    I           String
    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}    J           String
100. Smart fuzzing sample

Browser
    Take the W3C specification
    Group methods, attributes and properties together
    Replace input values with getRandomValue()

    <html>
    <head>
    <script>
    var gl = document.createElement("canvas").getContext('experimental-webgl')
    var texture = gl.createTexture()
    gl.bindTexture(gl.TEXTURE_2D, texture)
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null)
    gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4))
    </script>
    </head>
    </html>

    CVE-2012-2896
101. Phase 3. Crash

Five types of crash
    Read access violation near NULL
    Read access violation not near NULL
    Write access violation near NULL
    Write access violation not near NULL
    Unknown
102. What is an exploitable crash?

    mov eax, dword ptr [esi+0Ch]
    mov eax, dword ptr [ecx]
    mov edx, dword ptr [eax+5Ch]
    call edx

A read access violation in a sequence like this is the interesting kind: the faulting pointer is dereferenced to fetch another pointer, and the value read from [eax+5Ch] is used as a call target. If the attacker controls the memory that eax or ecx points to (for example through a heap spray), the crash becomes a controlled indirect call, i.e. control of EIP. A read access violation near NULL, by contrast, is usually just a NULL pointer dereference and a denial of service unless the NULL page can be mapped.
103. Demonstration: ActiveX module on Banking / Financial / Etc.
106. Demonstration: ActiveX module on Banking / Financial / Etc.
    Result: a stack buffer overflow occurs via strcpy()
109. Conclusion
    Source Code Auditing
    Fuzzing
    Reverse Engineering
    Diffing
    Taint Analysis
    Symbolic Execution
110. Thank You :)
