When good code goes bad
Presentation by Haroon Meer and Charl van der Walt at ISSA in 2006.

The presentation begins with an explanation of a stack overflow attack and a format string vulnerability, both with example code. Dangerous integers (integer wrap-around) are also explained. The presentation ends with a discussion of the RealVNC authentication bypass and ActiveX controls.

Presentation Transcript

  • WHEN GOOD CODE GOES BAD! A SHOWCASE OF MODERN PROGRAMMING MISHAPS (SensePost 2006)
  • Introduction
    • Who we are.. (SensePost)
    • Who we are.. (charl && haroon)
    • What this talk is about..
      • Answer some of those questions you never ask..
      • Some real world examples (of shocking code)
      • Some real world repercussions
      • Mind the Gap
    • Constraints…
  • Agenda
    • What is this stack overflow stuff?
    • Then what’s a format string vulnerability?
    • Hmmm.. What’s all this about dangerous Integers?
    • What happens if we fix all the code?
    • Questions..
  • What’s this Stack Overflow stuff?
    • This is really old news.. (Morris Worm 1988)
    • Is it even still a problem?
    • Super simple explanation:
        • The Stack..
        • Dangerous functions
  • Super Simple Explanation..
    #include <stdio.h>
    /* gets() has no length argument: anything longer than 7 bytes overruns buf2 */
    void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); }
    int main(void) { foo(1, 2); printf("All done!"); return 0; }
  • Typical Attack.. (same code as above)
  • What’s this Stack Overflow stuff? (continued)
    • Who would make such a silly mistake?
        • Everyone…
    • How easy is this to take advantage of?
        • Today? Point & Click ownage!
  • Then what’s a format string bug?
    • Spot the bug?
    • “Safe Version”
    • See it yet?
    /* the bug: caller-controlled data is used as the format string */
    void syslog(char *buff) { printf(buff); }
    /* “Safe Version”: the data is an argument, the format is a constant */
    void syslog(char *buff) { printf("%s", buff); }
  • Then what’s a format string bug? printf("%s", buff); printf(buff);
  • Then what’s a format string bug? buff = "%s"; printf("%s", buff); printf(buff); C:> issa_format.exe
  • What’s a dangerous Integer?
    • Same size as a pointer
    • Fixed size (32 bits for our purposes)
    • MAXINT + 1 == ?
    • ISO C99: “Causes Undefined Behavior”
    • 0xffffffff + 0x1 == 0 {Integer Wrap Around}
    • Why is this dangerous ?
  • Ugly Pseudo-Code
    get data from user (buffer)
    add trailing 0 character
    add 1 to length of buffer (for our 0)   /* 0xffffffff + 1 wraps to 0 */
    if (length > 80) {
        printf("Sorry your buffer is too long!");
        exit(-1);
    } else {
        copy(other_buffer, buffer);   /* reached with a wrapped length */
    }
  • What happens if we fix all the code?
    • The proliferation of “Managed Code”
    • Better and better static code analysis..
    • Is the end in sight for bug hunters?
      • RealVNC Authentication Bypass
      • ActiveX Control
  • RealVNC Authentication Bypass
    • Discovered by Steve Wiseman of intelliadmin.com (by mistake)
  • RealVNC Authentication Bypass
    • “show us”
  • What does this mean?
    • Vendors:
      • There are lots of defects that tools can not easily detect..
      • (There are lots of defects they can!)
      • No vendor is safe just because they have deeper pockets (or “more eyeballs”)
    • ISO’s:
      • Defense in Depth..
      • End-point-security..
      • Patch Management ?
      • If it can happen to Microsoft …
    • Questions ?
    • [email_address]
    • [email_address]
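The three code slides above (the gets() stack overflow, the printf(buff) format string bug, and the integer wrap-around in the "Ugly Pseudo-Code") each have a short, well-known fix. The following C program is an added example, not part of the SensePost slides: it shows the hardened counterpart of each snippet next to the slide's logic so the difference is observable. All function names, the 8-byte buffer size and the 80-byte limit are taken from the slides or are this example's own assumptions.

```c
/* Added example (not from the SensePost slides): hardened versions of the
 * three snippets shown in the talk. Names below are this example's own. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* 1. Stack overflow. gets() never learns the buffer size; fgets() is told it
 *    and stops at size-1 bytes. The newline is stripped so the result matches
 *    what gets() would have stored for a short line. Returns 0 on success. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* drop the newline if one was read */
    return 0;
}

/* Demonstration helper: feeds 'input' through read_line_bounded() into an
 * 8-byte buffer (the same size as buf2 on the slide) and returns the number
 * of bytes stored. That number can never exceed 7, whatever the input. */
int bounded_read_len(const char *input)
{
    char buf2[8];
    FILE *in = tmpfile();             /* constructed stand-in for stdin */
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    int rc = read_line_bounded(buf2, sizeof buf2, in);
    fclose(in);
    return rc == 0 ? (int)strlen(buf2) : -1;
}

/* 2. Format string. User data is passed as an argument to a constant format,
 *    never as the format itself. Writes into 'out' so the result can be
 *    inspected; returns what snprintf returns. */
int log_line(char *out, size_t size, const char *buff)
{
    return snprintf(out, size, "%s", buff);
}

/* Demonstration helper: 1 if 'buff' came out byte-for-byte unchanged, i.e.
 * no % directive in the data was interpreted. */
int log_line_is_verbatim(const char *buff)
{
    char out[256];
    int n = log_line(out, sizeof out, buff);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, buff) == 0;
}

/* 3. Dangerous integers. The slide adds 1 to the length (for the trailing 0)
 *    before comparing it with 80. With a 32-bit length, 0xffffffff + 1 wraps
 *    to 0, the check passes and the copy proceeds. */
#define LIMIT 80u

/* The slide's logic, 32-bit. Returns 1 if the copy would be allowed. */
int wrapping_check_allows(uint32_t length)
{
    length = length + 1;              /* wraps when length == 0xffffffff */
    return length > LIMIT ? 0 : 1;
}

/* Fixed logic: compare before adding. "length + 1 > LIMIT" is the same test
 * as "length > LIMIT - 1", and the latter cannot wrap. */
int safe_check_allows(uint32_t length)
{
    return length > LIMIT - 1 ? 0 : 1;
}

int main(void)
{
    printf("bytes stored from an over-long line: %d\n",
           bounded_read_len("this line is far longer than eight bytes\n"));
    printf("\"%%x %%n\" logged verbatim: %d\n", log_line_is_verbatim("%x %n"));
    printf("length 0xffffffff: wrapping check allows=%d, safe check allows=%d\n",
           wrapping_check_allows(0xffffffffu), safe_check_allows(0xffffffffu));
    return 0;
}
```

The integer case is the one worth re-reading: both checks agree for every length from 0 to 80, and disagree only at the wrap boundary, which is exactly why a code review that only tries "normal" inputs will not find it.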