Buffer Overflows OWASP Bangalore 11 th Jan, 2009

Agenda Introduction What, How & Why? Guidelines Are you vulnerable? What to do or not to do? Vulnerability History Demo (in next session)

Introduction

What, How & Why?

Guidelines

Are you vulnerable?

What to do or not to do?

Vulnerability History

Demo (in next session)

Buffer overflow Pushing data more than the capacity of a buffer Manipulating execution stack to reveal/modify process specific data Few examples: strcpy(target_buffer,large_string); printf(str_ptr); /*unescaped data from str_ptr*/

Pushing data more than the capacity of a buffer

Manipulating execution stack to reveal/modify process specific data

Few examples:

strcpy(target_buffer,large_string);

printf(str_ptr); /*unescaped data from str_ptr*/

…so? Arbitrary shell code can be injected as user input RET address can be changed to execute the arbitrary code Do anything afterwards… Worst if the vulnerable application was running in “root”/”superuser” mode

Arbitrary shell code can be injected as user input

RET address can be changed to execute the arbitrary code

Do anything afterwards…

Worst if the vulnerable application was running in “root”/”superuser” mode

Types of Buffer Overflow Stack Overflow Heap Overflow Integer Overflow Format String Overflow Unicode Overflow

Stack Overflow

Heap Overflow

Integer Overflow

Format String Overflow

Unicode Overflow

Function Calls and Stacks Uses stacks to evaluate functions foo(bar(delta(arg1, arg2,…))) foo1(bar1(arg1), delta1(arg1, arg2,…)) From L->R LIFO

Uses stacks to evaluate functions

foo(bar(delta(arg1, arg2,…)))

foo1(bar1(arg1), delta1(arg1, arg2,…))

From L->R

LIFO

Example int sum(int a,int b){ return a+b; } int main(){ int a[5]; a[0]=sum(15,13); } … sum: pushl %ebp movl %esp, %ebp movl 12(%ebp), %eax addl 8(%ebp), %eax leave ret … main: pushl %ebp movl %esp, %ebp subl $40, %esp … . pushl $13 pushl $15 call sum addl $8, %esp movl %eax, -40(%ebp) leave ret

int sum(int a,int b){

return a+b;

}

int main(){

int a[5];

a[0]=sum(15,13);

}

RET address FP or BP 13 15 … sum: pushl %ebp movl %esp, %ebp movl 12(%ebp), %eax addl 8(%ebp), %eax leave ret … main: pushl %ebp movl %esp, %ebp subl $40, %esp … . pushl $13 pushl $15 call sum addl $8, %esp movl %eax, -40(%ebp) leave ret

#include <string.h> void f(char* s) { char buffer[10]; strcpy(buffer, s); } void main(void) { f(&quot;01234567890123456789&quot;); } [root /tmp]# ./stacktest Segmentation fault Attempted to overwrite other sections of the executable

#include <string.h>

void f(char* s) {

char buffer[10];

strcpy(buffer, s);

}

void main(void) {

f(&quot;01234567890123456789&quot;);

}

[root /tmp]# ./stacktest

Segmentation fault

Heap Overflow When data is written beyond the boundaries in the heap Overflow strcpy(a,long_string); Similar to stack overflows 0xB1 0xB8 Array a[8] Array b[11] 0xC2 0xCC

When data is written beyond the boundaries in the heap

Overflow

strcpy(a,long_string);

Similar to stack overflows

Integer Overflow Arithmetic overflows Processors have fixed width word size 8-bit processor can handle 0 to 255 or -127 to +127 16-bit processor can handle 0 to 65535 or -32767 to +32767 A value beyond the range, causes overflow

Arithmetic overflows

Processors have fixed width word size

8-bit processor can handle 0 to 255 or -127 to +127

16-bit processor can handle 0 to 65535 or -32767 to +32767

A value beyond the range, causes overflow

#include <stdio.h> #include <string.h> void main(int argc, char *argv[]) { int i = atoi(argv[1]); // input from user unsigned short s = i; // truncate to a short char buf[50]; // large buffer if (s > 10) { // check we're not greater than 10 return; } memcpy(buf, argv[2], i); // copy i bytes to the buffer buf[i] = ''; // add a null byte to the buffer printf(&quot;%s
&quot;, buf); // output the buffer contents return; } [root /tmp]# ./inttest 65580 foobar Segmentation fault

#include <stdio.h>

#include <string.h>

void main(int argc, char *argv[]) {

int i = atoi(argv[1]); // input from user

unsigned short s = i; // truncate to a short

char buf[50]; // large buffer

if (s > 10) { // check we're not greater than 10

return;

}

memcpy(buf, argv[2], i); // copy i bytes to the buffer

buf[i] = ''; // add a null byte to the buffer printf(&quot;%s
&quot;, buf); // output the buffer contents

return;

}

[root /tmp]# ./inttest 65580 foobar

Segmentation fault

Format String Overflow Takes advantage of functions which mix data with control information “ %x” – Read data from stack “ %s” – Read string from process memory “ %n” – Write an integer to locations in process memory “ %p” – representation of a memory location Ex: fprint, fprintf, sprintf, snprintf vfprintf, vprintf, vsprintf, vsnprintf a user input can be formatted to access values from the stack, e.g. printf(“%08x.%08x.%08x.%08x.%08x”) will print top 5 stack values

Takes advantage of functions which mix data with control information

“ %x” – Read data from stack

“ %s” – Read string from process memory

“ %n” – Write an integer to locations in process memory

“ %p” – representation of a memory location

Ex:

fprint, fprintf, sprintf, snprintf

vfprintf, vprintf, vsprintf, vsnprintf

a user input can be formatted to access values from the stack, e.g.

printf(“%08x.%08x.%08x.%08x.%08x”) will print top 5 stack values

Unicode Overflow Windows APIs often convert input string into Unicode before using them Input can be convoluted to cause an overflow and manipulate exception handlers Unicode conversion may generate special interrupt instructions on the stack

Windows APIs often convert input string into Unicode before using them

Input can be convoluted to cause an overflow and manipulate exception handlers

Unicode conversion may generate special interrupt instructions on the stack

Are you vulnerable? Yes likely, if your code: uses low level languages like C/C++ directly accesses memory interacts with OS activities and process stacks However: reduces risk if you know what you are doing!! Not likely, if your code uses high level languages like Java, .NET

Yes likely, if your code:

uses low level languages like C/C++

directly accesses memory

interacts with OS activities and process stacks

However:

reduces risk if you know what you are doing!!

Not likely, if your code uses high level languages like Java, .NET

What to do or not to do? Know thy code!!! Use safe functions strncpy instead of strcpy, strncat instead of strcat, snprintf instead of sprintf etc. Grant processes least required privileges to run Be a paranoid don’t trust user inputs always validate Do comprehensive code auditing and reviews. Use static code analysis tools: RATS, findbugs, flawfinder Use compiler tools: StackShield, StackGuard and Libsafe

Know thy code!!!

Use safe functions

strncpy instead of strcpy, strncat instead of strcat, snprintf instead of sprintf etc.

Grant processes least required privileges to run

Be a paranoid

don’t trust user inputs

always validate

Do comprehensive code auditing and reviews. Use static code analysis tools: RATS, findbugs, flawfinder

Use compiler tools: StackShield, StackGuard and Libsafe

Compiler tools StackGuard Uses an extra canary word (4-bytes) to verify if stack is intact 0x000D0AFF (0x00 NULL, 0x0D CR, 0x0A LF, 0xFF EOF) Or a random number difficult to predict StackShield Copies the expected return address in a different stack for later verification LibSafe intercepts all calls to vulnerable library functions and substitutes a corresponding version that implements the original functionality still contains any buffer overflows within the current stack frame

StackGuard

Uses an extra canary word (4-bytes) to verify if stack is intact

0x000D0AFF (0x00 NULL, 0x0D CR, 0x0A LF, 0xFF EOF)

Or a random number difficult to predict

StackShield

Copies the expected return address in a different stack for later verification

LibSafe

intercepts all calls to vulnerable library functions and substitutes a corresponding version that implements the original functionality still contains any buffer overflows within the current stack frame

Vulnerability Metrics

(Recent) History Quite many incidents RealPlayer ActiveX Import Method Buffer Overflow (July 2008) Microsoft GDI Stack Overflow Vulnerability (Aug 2008) Heap based buffer overflow in QuickTime and iTunes (Sep 2008) Adobe Reader Javascript Printf Buffer Overflow (Nov 2008)

Quite many incidents

RealPlayer ActiveX Import Method Buffer Overflow (July 2008)

Microsoft GDI Stack Overflow Vulnerability (Aug 2008)

Heap based buffer overflow in QuickTime and iTunes (Sep 2008)

Adobe Reader Javascript Printf Buffer Overflow (Nov 2008)

Reporting http://www.cert.org/vuls/ http:// www.adobe.com/misc/securityform.html http://www.microsoft.com/technet/security/bulletin/alertus.aspx http://www.apple.com/support/security/

http://www.cert.org/vuls/

http:// www.adobe.com/misc/securityform.html

http://www.microsoft.com/technet/security/bulletin/alertus.aspx

http://www.apple.com/support/security/

References http:// www.owasp.org/index.php/Buffer_Overflows https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards Also updated at http ://www.owasp.org/index.php/Buffer_Overflows

http:// www.owasp.org/index.php/Buffer_Overflows

https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards

Also updated at http ://www.owasp.org/index.php/Buffer_Overflows