Buffer Overflows

1. Buffer Overflows, OWASP Bangalore, 11th Jan 2009

2. Agenda
   - Introduction
     - What, How & Why?
   - Guidelines
     - Are you vulnerable?
     - What to do or not to do?
   - Vulnerability History
   - Demo (in next session)
3. Buffer overflow
   - Writing more data into a buffer than it has room for
   - Manipulating the execution stack to reveal or modify process-specific data
   - A few examples:
     - strcpy(target_buffer, large_string);   /* no bound on the copy */
     - printf(str_ptr);   /* untrusted data from str_ptr used as the format string */

4. …so?
   - Arbitrary shell code can be injected as user input
   - The saved return (RET) address can be overwritten to point at that code
   - Do anything afterwards…
   - Worst if the vulnerable application was running as "root"/superuser

5. Types of Buffer Overflow
   - Stack Overflow
   - Heap Overflow
   - Integer Overflow
   - Format String Overflow
   - Unicode Overflow
6. Function Calls and Stacks
   - The call stack is used to evaluate functions
     - foo(bar(delta(arg1, arg2,…)))
     - foo1(bar1(arg1), delta1(arg1, arg2,…))
   - Calls nest: the innermost call completes first, and each call's arguments, return address and saved frame pointer are pushed and popped in LIFO order

7. Example

   int sum(int a, int b) {
       return a + b;
   }

   int main() {
       int a[5];
       a[0] = sum(15, 13);
   }

   Compiled for 32-bit x86 (cdecl: arguments pushed right to left, result returned in %eax):

   …
   sum:
       pushl %ebp
       movl  %esp, %ebp
       movl  12(%ebp), %eax    # b (13)
       addl  8(%ebp), %eax     # a (15)
       leave
       ret
   …
   main:
       pushl %ebp
       movl  %esp, %ebp
       subl  $40, %esp
       …
       pushl $13
       pushl $15
       call  sum
       addl  $8, %esp
       movl  %eax, -40(%ebp)   # a[0]
       leave
       ret

8. Stack during the call to sum (32-bit x86, higher addresses at the top, %ebp points at the bottom entry):

      13            <- second argument, read as 12(%ebp)
      15            <- first argument, read as 8(%ebp)
      RET address   <- pushed by "call sum", read as 4(%ebp); the target of a stack overflow
      FP or BP      <- saved %ebp, pushed by "pushl %ebp"
9. Stack overflow example

   #include <string.h>

   void f(char *s) {
       char buffer[10];
       strcpy(buffer, s);      /* 21 bytes (20 characters plus NUL) copied into a 10-byte buffer */
   }

   int main(void) {
       f("01234567890123456789");
       return 0;
   }

   [root /tmp]# ./stacktest
   Segmentation fault

   The copy runs past buffer into the saved frame pointer and the return address that sit above it on the stack. When f returns, the CPU jumps to the corrupted return address and the process crashes; an attacker supplies a valid address instead. (A compiler with stack protection enabled reports "stack smashing detected" and aborts instead of returning.)

10. Heap Overflow
   - When data is written beyond the boundaries of an allocation on the heap
   - Overflow
     - strcpy(a, long_string);
   - Similar to stack overflows, but what gets corrupted is the neighbouring allocation or the allocator's own bookkeeping data rather than a return address
   [Figure: two adjacent heap allocations, Array a[8] at 0xB1 to 0xB8 and Array b[11] at 0xC2 to 0xCC; a long enough copy into a runs on into b]

11. Integer Overflow
   - Arithmetic overflows
   - Integer types have a fixed width
     - an 8-bit integer holds 0 to 255 unsigned, or -128 to +127 signed (two's complement)
     - a 16-bit integer holds 0 to 65535 unsigned, or -32768 to +32767 signed
   - A value beyond the range wraps or is truncated, silently changing the arithmetic and any size check built on it
12. Integer overflow example

   #include <stdio.h>
   #include <stdlib.h>
   #include <string.h>

   int main(int argc, char *argv[]) {
       int i = atoi(argv[1]);      // input from user
       unsigned short s = i;       // truncated to 16 bits
       char buf[50];               // large buffer
       if (s > 10) {               // the check sees the truncated value, not i
           return 1;
       }
       memcpy(buf, argv[2], i);    // copies i bytes, which can be far more than 10
       buf[i] = '\0';              // add a null byte to the buffer
       printf("%s\n", buf);        // output the buffer contents
       return 0;
   }

   [root /tmp]# ./inttest 65541 foobar
   Segmentation fault

   65541 is 65536 + 5, so s is 5 and the check passes, but memcpy then copies 65541 bytes into the 50-byte buffer. (The original slide used 65580, which truncates to 44 and is rejected by the check; 65541 actually reaches the memcpy.)
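The fix for the bug on slide 12, as an added example that is not part of the OWASP deck: the length is parsed with full error checking and compared against the real buffer size at full width, before it is ever narrowed or used as a count. The function names and the usage line are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 50

/* What slide 12's check actually sees: the value after narrowing to 16 bits.
   65541 becomes 5, which passes "s > 10". */
unsigned short truncated_to_short(long value) {
    return (unsigned short)value;
}

/* Parse a user-supplied byte count. Returns the count (0..limit), or -1 if the
   text is not a number, has trailing junk, is negative, does not fit in a long,
   or exceeds limit. The range check happens on the full-width value, before
   any narrowing or use as a length. */
long checked_length(const char *arg, size_t limit) {
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0') return -1;
    if (v < 0 || (unsigned long)v > limit) return -1;
    return v;
}

int main(int argc, char *argv[]) {
    char buf[BUF_SIZE];
    if (argc < 3) {
        fprintf(stderr, "usage: %s <len> <data>\n", argv[0]);
        return 2;
    }
    /* Reserve one byte for the terminator, and never copy more than the
       argument actually holds. */
    long n = checked_length(argv[1], BUF_SIZE - 1);
    if (n < 0 || (size_t)n > strlen(argv[2])) {
        fprintf(stderr, "rejected length %s\n", argv[1]);
        return 1;
    }
    memcpy(buf, argv[2], (size_t)n);
    buf[n] = '\0';
    printf("%s\n", buf);
    return 0;
}
```

Run as `./inttest 65541 foobar` this version prints "rejected length 65541" and exits; atoi is avoided because it reports neither overflow nor trailing garbage.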
13. Format String Overflow
   - Takes advantage of functions which mix data with control information (the format string)
   - "%x" – read a word from the stack
   - "%s" – read a string from process memory at an address taken from the stack
   - "%n" – write an integer (the number of bytes output so far) to an address taken from the stack
   - "%p" – print a pointer, a representation of a memory location
   - Ex:
     - printf, fprintf, sprintf, snprintf (and syslog)
     - vfprintf, vprintf, vsprintf, vsnprintf
     - when user input is passed as the format string it can be crafted to read values from the stack, e.g.
       - printf("%08x.%08x.%08x.%08x.%08x") prints the 5 words above the format pointer on a 32-bit x86 stack (on x86-64 the first few arguments come from registers, so the early values differ)
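The two call shapes behind this slide, as an added example that is not part of the OWASP deck: the same printf-style logging helper called with user text as the format string versus as an argument, plus a controlled call that shows what "%n" writes. The helper, the function names and the constructed input are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char out[128];

/* A typical logging helper: a printf-style formatter. The bug is never in
   here; it is in how callers pass user data to it. */
static const char *log_msg(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, sizeof out, fmt, ap);
    va_end(ap);
    return out;
}

/* Vulnerable call: attacker-controlled text becomes the format string, so any
   %x/%s/%n it contains is interpreted against the caller's stack. */
const char *render_unsafe(const char *user) {
    return log_msg(user);
}

/* Hardened call: the format is a literal and the user text is an argument,
   so a '%' in it is just a character. */
const char *render_safe(const char *user) {
    return log_msg("%s", user);
}

/* What %n does: it stores the number of bytes produced so far into the int*
   it finds in the next argument slot. With a literal format that slot is the
   one we pass; with an attacker's format it is whatever word is on the stack,
   which is how a format string bug becomes a write primitive. */
int percent_n_writes(void) {
    int written = -1;
    char tmp[32];
    snprintf(tmp, sizeof tmp, "AAAA%n", &written);
    return written;
}

int main(void) {
    const char *user = "50%% done";              /* constructed user input */
    printf("unsafe: %s\n", render_unsafe(user));  /* directive consumed: "50% done" */
    printf("safe:   %s\n", render_safe(user));    /* verbatim: "50%% done" */
    printf("%%n wrote %d\n", percent_n_writes());
    return 0;
}
```

The unsafe path silently interprets the "%%" in the input; feed it "%x.%x.%x" or "%n" and it reads or writes the stack instead. Build with -Wformat-security to have the compiler flag direct printf(user) calls; wrappers like log_msg need the format attribute (__attribute__((format(printf, 1, 2))) in GCC/Clang) for the warning to reach them.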
14. Unicode Overflow
   - Windows APIs often convert input strings to Unicode (UTF-16) before using them
   - Input can be crafted so that the converted, widened string still overflows and overwrites exception handler records
   - The conversion inserts a 0x00 byte after every ASCII byte, so injected code must be built from instructions that stay valid with those interleaved null bytes

15. Are you vulnerable?
   - Yes, likely, if your code:
     - uses low-level languages like C/C++
     - directly accesses memory
     - interacts with OS activities and process stacks
   - However:
     - the risk is reduced if you know what you are doing!!
   - Not likely if your code uses high-level, memory-safe languages like Java or .NET (though their runtimes, native libraries and any JNI/unsafe code are still C/C++ and carry the same risk)

16. What to do or not to do?
   - Know thy code!!!
     - Use the bounded functions: strncpy instead of strcpy, strncat instead of strcat, snprintf instead of sprintf, etc. (always pass the true destination size, and remember that strncpy does not NUL-terminate when the source fills the buffer)
     - Grant processes the least privileges they need to run
   - Be paranoid
     - don't trust user input
     - always validate
   - Do comprehensive code auditing and reviews. Use static code analysis tools: RATS, FindBugs, Flawfinder
   - Use compiler tools: StackShield, StackGuard and Libsafe
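The "strncpy instead of strcpy" advice comes with a caveat, and this added example (not from the OWASP deck) makes it observable: strncpy leaves the destination unterminated when the source is at least as long as the bound, so a later printf or strlen reads past the buffer. The bounded copy that follows always terminates and reports truncation, and f_hardened is slide 9's f() rewritten with it. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if strncpy(dst, src, n) left a NUL within the first n bytes of dst,
   0 if it did not, -1 if n is larger than the scratch buffer. Sentinel bytes
   make a missing terminator visible. */
int strncpy_terminated(const char *src, size_t n) {
    char dst[64];
    if (n > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Replacement that always terminates and reports truncation.
   Returns 0 on success, -1 if src did not fit; in that case dst holds a
   NUL-terminated prefix, so it is still safe to print or log. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Slide 9's f() with the bound applied: same 10-byte buffer, same input,
   no write past the buffer. Returns copy_bounded's result. */
int f_hardened(const char *s) {
    char buffer[10];
    int rc = copy_bounded(buffer, sizeof buffer, s);
    printf("%s (%s)\n", buffer, rc == 0 ? "ok" : "truncated");
    return rc;
}

int main(void) {
    printf("strncpy of 10 chars into 10 bytes terminated: %d\n",
           strncpy_terminated("0123456789", 10));
    printf("strncpy of 9 chars into 10 bytes terminated:  %d\n",
           strncpy_terminated("012345678", 10));
    f_hardened("01234567890123456789");   /* slide 9's input */
    f_hardened("short");
    return 0;
}
```

Whether a truncated input is accepted with the shorter value or rejected outright is a policy decision for the caller; the important property is that the decision is made explicitly, on a return value, rather than discovered as a crash.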
17. Compiler tools
   - StackGuard
     - Places an extra canary word (4 bytes) between the local buffers and the saved return address and verifies it before the function returns
       - terminator canary 0x000D0AFF (0x00 NUL, 0x0D CR, 0x0A LF, 0xFF EOF): the bytes that stop the string-copy functions, so a copy cannot get past the canary without altering it
       - or a random value that is difficult to predict
   - StackShield
     - Copies the expected return address to a separate stack on function entry and compares it on return
   - Libsafe
     - Intercepts calls to the vulnerable library functions (strcpy, strcat, sprintf, gets and similar) and substitutes versions that implement the original functionality but bound every write to the current stack frame, so an overflow cannot reach the saved frame pointer or return address
   - Today the same idea ships inside the compiler as -fstack-protector in GCC and Clang, and is used together with non-executable stacks and ASLR
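A model of the terminator canary on this slide, as an added example that is neither StackGuard's code nor part of the OWASP deck: a guard word is placed between a buffer and the control data it protects, an unbounded string copy is run into the buffer, and the guard is checked the way StackGuard does before returning. The saved return address is just a struct field here, the frame layout is a stand-in for a real stack frame, and the type and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0x000D0AFF as it is laid out in memory on little-endian x86: the 0x00 byte
   sits at the highest address, right below the return address, so a string
   copy can only reproduce it by terminating there. */
static const uint8_t TERMINATOR_CANARY[4] = { 0xFF, 0x0A, 0x0D, 0x00 };

#define ORIGINAL_RET 0x08048000u

/* Stand-in for a stack frame: buffer, then guard word, then control data. */
struct frame {
    char     buf[16];
    uint8_t  canary[4];      /* guard word, checked before "return" */
    uint32_t saved_ret;      /* stands in for the saved return address */
};

/* Set up the frame and run an unbounded strcpy into it, exactly as a
   vulnerable function would. Returns -1 if the input would not even fit in
   this model frame (a real overflow would simply keep going). */
static int fill_frame(struct frame *f, const char *input) {
    memcpy(f->canary, TERMINATOR_CANARY, sizeof f->canary);
    f->saved_ret = ORIGINAL_RET;
    if (strlen(input) + 1 > sizeof *f) return -1;
    strcpy((char *)f, input);              /* writes through buf into whatever follows */
    return 0;
}

/* StackGuard's check: 1 if the canary was altered (overflow detected),
   0 if it is intact, -1 if the input does not fit the model. */
int stackguard_check(const char *input) {
    struct frame f;
    if (fill_frame(&f, input) < 0) return -1;
    return memcmp(f.canary, TERMINATOR_CANARY, sizeof f.canary) != 0;
}

/* Did the same copy reach the protected field? 1 if the "return address"
   was overwritten, 0 if not, -1 if the input does not fit the model. */
int return_address_clobbered(const char *input) {
    struct frame f;
    if (fill_frame(&f, input) < 0) return -1;
    return f.saved_ret != ORIGINAL_RET;
}

int main(void) {
    /* Constructed inputs. */
    const char *inputs[] = {
        "hello",                                      /* fits in buf */
        "AAAAAAAAAA" "AAAAAAAAAA" "AAA",              /* 23 bytes: through the canary into the return address */
        "AAAAAAAAAA" "AAAAAA" "\xff\x0a\x0d",         /* 19 bytes: reproduces the canary, but must stop there */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("input %zu: overflow detected=%d, return address clobbered=%d\n",
               i, stackguard_check(inputs[i]), return_address_clobbered(inputs[i]));
    return 0;
}
```

The third input is the interesting one: the attacker can write 0xFF 0x0A 0x0D and let strcpy's own terminator supply the 0x00, so the canary check passes, but the copy has stopped at the canary and the return address is untouched. That is the whole point of choosing those bytes. glibc's -fstack-protector canary keeps the same trick alongside randomness: its lowest-address byte is always 0x00.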
18. Vulnerability Metrics

19. (Recent) History
   - Quite a few incidents
     - RealPlayer ActiveX Import Method Buffer Overflow (July 2008)
     - Microsoft GDI Stack Overflow Vulnerability (Aug 2008)
     - Heap-based buffer overflow in QuickTime and iTunes (Sep 2008)
     - Adobe Reader JavaScript printf Buffer Overflow (Nov 2008)

20. Reporting
   - http://www.cert.org/vuls/
   - http://www.adobe.com/misc/securityform.html
   - http://www.microsoft.com/technet/security/bulletin/alertus.aspx
   - http://www.apple.com/support/security/

21. References
   - http://www.owasp.org/index.php/Buffer_Overflows
   - https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
   - This deck is also kept updated at http://www.owasp.org/index.php/Buffer_Overflows