Successfully reported this slideshow.
Your SlideShare is downloading. ×

Classic Vulnerabilities (ACCU Keynote 2022)

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 87 Ad

Classic Vulnerabilities (ACCU Keynote 2022)

Download to read offline

We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old.

We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.

We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old.

We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.

Advertisement
Advertisement

More Related Content

Slideshows for you (20)

Similar to Classic Vulnerabilities (ACCU Keynote 2022) (20)

Advertisement

More from Patricia Aas (20)

Recently uploaded (20)

Advertisement

Classic Vulnerabilities (ACCU Keynote 2022)

  1. 1. TurtleSec @pati_gallardo 1 Turtle Sec @pati_gallardo
  2. 2. TurtleSec @pati_gallardo 2 @pati_gallardo 2 TurtleSec Living in the future
  3. 3. TurtleSec @pati_gallardo 3 TurtleSec @pati_gallardo 3 2000 2022 Zoomers: Taylor Swift was 11 Boomers: Y2K Systems Programming Binary Exploitation
  4. 4. TurtleSec @pati_gallardo 4 Classic Vulnerabilities ACCU 2022 Patricia Aas Turtle Sec
  5. 5. TurtleSec @pati_gallardo 5 Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
  6. 6. TurtleSec @pati_gallardo 6 @pati_gallardo 6 Mod(C++) TurtleSec Intermediate Fundamentals Wha do I kno ?
  7. 7. TurtleSec @pati_gallardo 7 (In)Secure C++ @pati_gallardo 7 TurtleSec Wha do I kno ?
  8. 8. TurtleSec @pati_gallardo 8 @pati_gallardo 8 TurtleSec 2000
  9. 9. TurtleSec @pati_gallardo 9 @pati_gallardo 9 2000 Do Com I finished my bachelor TurtleSec I started my bachelor
  10. 10. TurtleSec @pati_gallardo 10 2000 : 22 years ago Say My Name - Destiny's Child Bye Bye Bye - *NSYNC
  11. 11. TurtleSec @pati_gallardo 11 In July 2000 Solar Designer (Alexander Peslyak) introduced the first Generic Heap Exploitation Technique
  12. 12. TurtleSec @pati_gallardo 12 @pati_gallardo 12 TurtleSec Doug Lea's malloc The idea was to create a portable exploit that worked against many applications
  13. 13. TurtleSec @pati_gallardo 13 ● JPEG COM Marker Processing Vulnerability (CVE-2000-0655), Solar Designer, https://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability ● Vudo malloc tricks, MaXX, 2001-08-11 Phrack Magazine, http://phrack.org/issues/57/8.html ● Once upon a free()..., anonymous, 2001-08-11 Phrack Magazine, http://phrack.org/issues/57/9.html ● The Heap: Once upon a free() - bin 0x17, LiveOverflow, https://youtu.be/gL45bjQvZSU ● The Heap: dlmalloc unlink() exploit - bin 0x18, LiveOverflow, https://youtu.be/HWhzH--89UQ ● Alexander Peslyak (Solar Designer), https://en.wikipedia.org/wiki/Solar_Designer Unlink Vulnerability Resources
  14. 14. TurtleSec @pati_gallardo 14 Unlink Vulnerability @pati_gallardo 14 TurtleSec
  15. 15. TurtleSec @pati_gallardo 15 @pati_gallardo 15 TurtleSec Chocolate-Doom Source port of the original Doom game from the early 90s
  16. 16. TurtleSec @pati_gallardo 16 @pati_gallardo 16 TurtleSec Z_Malloc Allocator for Doom has a metadata section used to manage the memory
  17. 17. TurtleSec @pati_gallardo 17 @pati_gallardo 17 memblock_t* sizeof(memblock_t) sizeof(floormove_t) Z_Malloc : Doom allocations void* 1. floormove_t * floor = 2. (floormove_t *) Z_Malloc(sizeof(floormove_t), PU_LEVSPEC, NULL); tag user
  18. 18. TurtleSec @pati_gallardo 18 18 @pati_gallardo memblock_t 1. struct memblock_t { 2. int id; // = ZONEID 3. int tag; 4. int size; 5. void ** user; 6. memblock_t * prev; 7. memblock_t * next; 8. }; tag user Doubly linked list src/z_native.cpp z_native is an implementation of Z_Malloc memblock_t Memory allocated
  19. 19. TurtleSec @pati_gallardo 19 Metadata stored in the heap Mem block Mem block allocated_blocks[tag] Next Previous
  20. 20. TurtleSec @pati_gallardo 20 @pati_gallardo 1. void Z_Free(void * ptr) { 2. auto * byte_ptr = static_cast<uint8_t *>(ptr); 3. auto * block = reinterpret_cast<memblock_t *>(byte_ptr - sizeof(memblock_t)); 4. 5. if (block->id != ZONEID) { 6. I_Error("Z_Free: freed a pointer without ZONEID"); 7. } 8. 9. if (block->tag != PU_FREE && block->user != nullptr) { 10. // clear the user's mark 11. 12. *block->user = nullptr; 13. } 14. 15. Z_RemoveBlock(block); 16. 17. // Free back to system 18. 19. free(block); 20. } Metadata on allocation stored adjacent to the allocated heap memory Before freeing the memory, remove the block from internal data structures src/z_native.cpp
  21. 21. TurtleSec @pati_gallardo 21 @pati_gallardo 1. static void Z_RemoveBlock(memblock_t * block) { 2. // Unlink from list 3. 4. if (block->prev == nullptr) { 5. // Start of list 6. 7. allocated_blocks[block->tag] = block->next; 8. } else { 9. block->prev->next = block->next; 10. } 11. 12. if (block->next != nullptr) { 13. block->next->prev = block->prev; 14. } 15. } 16. Classic unlinking from a doubly linked list src/z_native.cpp
  22. 22. TurtleSec @pati_gallardo 22 22 @pati_gallardo src/z_native.cpp 1. static void Z_RemoveBlock(memblock_t * block) { 2. if (block->prev == nullptr) { 3. allocated_blocks[block->tag] = block->next; 4. } else { 5. block->prev->next = block->next; 6. } 7. if (block->next != nullptr) { 8. block->next->prev = block->prev; 9. } 10. } block block->next block->prev
  23. 23. TurtleSec @pati_gallardo 23 @pati_gallardo 23 TurtleSec Insight If we can control both sides of an allocation we can create a Write-What-Where primitive
  24. 24. TurtleSec @pati_gallardo 24 24 @pati_gallardo 1. static void Z_RemoveBlock(memblock_t * block) { 2. if (block->prev == nullptr) { 3. allocated_blocks[block->tag] = block->next; 4. } else { 5. block->prev->next = block->next; 6. } 7. if (block->next != nullptr) { 8. block->next->prev = block->prev; 9. } 10. } where where what If we control block->prev we control the where this write will happen (adjusted for the offset of next) If we control block->next we control what to write there src/z_native.cpp Write-What-Where
  25. 25. TurtleSec @pati_gallardo 25 @pati_gallardo 25 TurtleSec Proof of Concept Corrupt the memblock_t metadata before freeing the memory
  26. 26. TurtleSec @pati_gallardo 26 @pati_gallardo 1. void * guard = Z_Malloc(10, PU_LEVEL, nullptr); 2. void * ptr = Z_Malloc(10, PU_LEVEL, nullptr); 3. void * guard2 = Z_Malloc(10, PU_LEVEL, nullptr); 4. 5. auto * byte_ptr = ( uint8_t *) ptr; 6. auto * header = ( memblock_t *) (byte_ptr - sizeof(memblock_t)); 7. 8. long * where = nullptr; 9. long ** where_ptr = &where; 10. long what = 0x42424242; 11. long * what_ptr = &what; 12. 13. auto distance = (uint8_t*)(&(header->next)) - (uint8_t*) header; 14. uint8_t * byte_where_ptr = ( uint8_t*) where_ptr; 15. uint8_t * adjusted_byte_where_ptr = byte_where_ptr - distance; 16. 17. header->prev = (memblock_t *) adjusted_byte_where_ptr; 18. header->next = (memblock_t *) what_ptr; 19. 20. assert(where == nullptr); 21. Z_Free(ptr); 22. assert(where != nullptr); 23. assert(*where == 0x42424242); Free memory - unlink happens Adjust what for distance to next Allocate memory Get memblock* Prepare where Prepare what where has been set to what
  27. 27. TurtleSec @pati_gallardo 27 27 @pati_gallardo 1. static void Z_RemoveBlock(memblock_t * block) { 2. if (block->prev == nullptr) { 3. allocated_blocks[block->tag] = block->next; 4. } else { 5. block->prev->next = block->next; 6. } 7. if (block->next != nullptr) { 8. block->next->prev = block->prev; 9. } 10. } block block->next block->prev src/z_native.cpp next offset &where:NULL &what: 0x42424242 block->prev->next = block->prev + next offset
  28. 28. TurtleSec @pati_gallardo 28 @pati_gallardo 28 TurtleSec Traditional mitigation Check the pointers before unlinking
  29. 29. TurtleSec @pati_gallardo 29 29 @pati_gallardo block block->next block->prev src/z_native.cpp 1. // ... 2. if (block->prev->next != block) 3. exit(1); 4. block->prev->next = block->next; 5. // ... 6. if (block->next->prev != block) 7. exit(1); 8. block->next->prev = block->prev; 9. // ...
  30. 30. TurtleSec @pati_gallardo 30 @pati_gallardo 30 TurtleSec How to exploit Using a heap buffer overflow
  31. 31. TurtleSec @pati_gallardo 31 31 @pati_gallardo Heap Grooming to overwrite adjacent memory 1. struct memblock_t { 2. int id; 3. int tag; 4. int size; 5. void ** user; 6. memblock_t * prev; 7. memblock_t * next; 8. }; memblock_t *next void ** user Overflow block To be freed memblock_t *prev Overflow block Overflow block To be freed padding int tag int id int size
  32. 32. TurtleSec @pati_gallardo 32 32 @pati_gallardo Heap Grooming to overwrite adjacent memory 1. struct memblock_t { 2. int id; 3. int tag; 4. int size; 5. void ** user; 6. memblock_t * prev; 7. memblock_t * next; 8. }; &what void ** user Overflow block To be freed &where - distance Overflow block Overflow block To be freed padding int tag int id int size
  33. 33. TurtleSec @pati_gallardo 33 @pati_gallardo 33 TurtleSec How to find them Hard to find without in-code checks This is valid memory that is being corrupted.
  34. 34. TurtleSec @pati_gallardo 34 @pati_gallardo 34 Test case fails in ASan Global-buffer-overflow on address 0x0001083a58b8 at pc 0x000107d40d1b bp 0x7ffee84542b0 sp 0x7ffee84542a8 WRITE of size 8 at 0x0001083a58b8 thread T0 0x107d40d1a Z_RemoveBlock z_native.cpp:109 0x107d4054c Z_Free z_native.cpp:138 0x1078b6e85 ____C_A_T_C_H____T_E_S_T____12 test_z_native.cpp:97 0x1079614a2 Catch::TestInvokerAsFunction::invoke const catch.hpp:14321 0x10793442d Catch::TestCase::invoke const catch.hpp:14160 0x10793408a Catch::RunContext::invokeActiveTestCase catch.hpp:13020 0x107925d11 Catch::RunContext::runCurrentTest catch.hpp:12985 0x107921d40 Catch::RunContext::runTest catch.hpp:12754 0x10794637c Catch::TestGroup::execute catch.hpp:13347 0x10794335d Catch::Session::runInternal catch.hpp:13553 0x1079421c2 Catch::Session::run catch.hpp:13509 0x1079d01fd Catch::Session::run<…> catch.hpp:13231 0x1079cfd93 main catch.hpp:17526 0x7fff2055ef3c start
  35. 35. TurtleSec @pati_gallardo 35 ● PR: https://github.com/chocolate-doom/chocolate-doom/pull/1454 ● PoC https://gist.github.com/patricia-gallardo/e8aef21a397b8c928a3aae9e4ae8445f ● Issue: https://github.com/chocolate-doom/chocolate-doom/issues/1453 Doom Vulnerability Resources
  36. 36. TurtleSec @pati_gallardo 36 TurtleSec @pati_gallardo 36 2000 2019 Systems Programming Binary Exploitation
  37. 37. TurtleSec @pati_gallardo 37 @pati_gallardo 37 TurtleSec Bad Binder: Android In-The-Wild Exploit CVE-2019-2215
  38. 38. TurtleSec @pati_gallardo 38 @pati_gallardo 38 CVE-2019-2215 "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel."
  39. 39. TurtleSec @pati_gallardo 39 Kernel space User space Caller Callee Binder Driver: /dev/binder Binder: Androids IPC mechanism
  40. 40. TurtleSec @pati_gallardo 40 TurtleSec @pati_gallardo 40 NSO Group is an Israeli technology firm. They have a product called Pegasus that enables remote surveillance of smartphones. The Bad Binder Android exploit was attributed to NSO Group. When it was reported it was being used in the wild. Threat Actor: NSO Group
  41. 41. TurtleSec @pati_gallardo 41 @pati_gallardo 41 TurtleSec Information available Arbitrary kernel read/write primitive CONFIG_DEBUG_LIST breaks the primitive
  42. 42. TurtleSec @pati_gallardo 42 @pati_gallardo 1. void __list_del_entry(struct list_head *entry) { 2. struct list_head *prev, *next; 3. prev = entry->prev; 4. next = entry->next; 5. 6. if (WARN(next == LIST_POISON1, 7. "list_del corruption, %p->next is LIST_POISON1 (%p)n", 8. entry, LIST_POISON1) || 9. WARN(prev == LIST_POISON2, 10. "list_del corruption, %p->prev is LIST_POISON2 (%p)n", 11. entry, LIST_POISON2) || 12. WARN(prev->next != entry, 13. "list_del corruption. prev->next should be %p, " 14. "but was %pn", entry, prev->next) || 15. WARN(next->prev != entry, 16. "list_del corruption. next->prev should be %p, " 17. "but was %pn", entry, next->prev)) { 18. BUG_ON(PANIC_CORRUPTION); 19. return; 20. } 21. __list_del(prev, next); 22. } lib/list_debug.c CONFIG_DEBUG_LIST breaks the primitive by enabling this check This might look familiar This is the standard unlink vuln mitigation
  43. 43. TurtleSec @pati_gallardo 43 @pati_gallardo 43 TurtleSec How to exploit Use After Free
  44. 44. TurtleSec @pati_gallardo 44 Allocation Exploitation Deallocation Heap: Use After Free P N P N Where What Memory is reallocated: used for attacker controlled data When unlinking is performed after free, this becomes a read/write primitive
  45. 45. TurtleSec @pati_gallardo 45 The unlinking is done in privileged code therefore this becomes: Use-after-free leading to arbitrary kernel read/write primitive
  46. 46. TurtleSec @pati_gallardo 46 @pati_gallardo 46 TurtleSec How to find them Address Sanitizer Static Analysis usually doesn't work very well for Use After Free
  47. 47. TurtleSec @pati_gallardo 47 Tools: Use After Free 1. void TXT_OpenURL(cstring_view url) { 2. size_t cmd_len = url.size() + 30; 3. char * cmd = static_cast<char *>(malloc(cmd_len)); 4. 5. // ... 6. 7. int retval = system(cmd); 8. free(cmd); 9. if (retval != 0) { 10. fmt::fprintf(stderr, 11. "error executing '%s'; return code %dn", 12. cmd, retval); 13. } 14. } textscreen/txt_window.cpp "Local variable 'cmd' may point to deallocated memory" Clang-Tidy: "Use of memory after it is freed"
  48. 48. TurtleSec @pati_gallardo 48 ● Bad Binder: Finding an Android In The Wild (video), Maddie Stone, https://youtu.be/TAwQ4ezgEIo ● Bad Binder: Finding an Android In The Wild (blog post), Maddie Stone, https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wil d-exploit.html ● CVE-2019-2215, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215 ● Issue 1942: Android: Use-After-Free in Binder driver, https://bugs.chromium.org/p/project-zero/issues/detail?id=1942 CVE-2019-2215 Resources
  49. 49. TurtleSec @pati_gallardo 49 @pati_gallardo 49 TurtleSec 2002
  50. 50. TurtleSec @pati_gallardo 50 @pati_gallardo 50 2002 TurtleSec
  51. 51. TurtleSec @pati_gallardo 51 Ho In Herre Dilemma f . Kelly Rowland 2002 : 20 years ago
  52. 52. TurtleSec @pati_gallardo 52 ● Basic Integer Overflows, blexim, 2002-12-28 Phrack Magazine, http://phrack.org/issues/60/10.html Integer Overflows Resources
  53. 53. TurtleSec @pati_gallardo 53 @pati_gallardo 53 TurtleSec Signed Integer Overflow Unsigned Int Wraparound
  54. 54. TurtleSec @pati_gallardo 54 Copying buffers first second buf first second first_len second_len buf_len Is it safe to copy first and second into buf? 1. if(first_len + second_len < buf_len) 2. copy(first, second, buf);
  55. 55. TurtleSec @pati_gallardo 55 second_len MAX_INT Exploitation: Buffer Overflow first second buf first second first_len buf_len 1. if(first_len + second_len < buf_len) 2. copy(first, second, buf); Signed Integer Overflow Result is negative Buffer Overflow
  56. 56. TurtleSec @pati_gallardo 56 buf_len (small) second_len MAX_UINT Exploitation: Buffer Overflow first second buf first second first_len 1. buf_len = first_len + second_len; 2. buf = allocate(buf_len); 3. copy(first, second, buf); Unsigned Integer Wraparound Result is small Buffer Overflow
  57. 57. TurtleSec @pati_gallardo 57 TurtleSec @pati_gallardo 57 2002 2017 Systems Programming Binary Exploitation
  58. 58. TurtleSec @pati_gallardo 58 @pati_gallardo 58 TurtleSec CVE-2017-15416 Google Chrome
  59. 59. TurtleSec @pati_gallardo 59 CVE-2017-15416 @pati_gallardo 59 "Heap buffer overflow in Blob API in Google Chrome [...] allowed a remote attacker to potentially exploit heap corruption"
  60. 60. TurtleSec @pati_gallardo 60 Example: CVE-2017-15416 Heap buffer overflow in Blob API in Google Chrome 1. // Validate our reference has good offset & length. 2. - if (input_element.offset() + length > ref_entry->total_size()) { 3. + uint64_t end_byte; 4. + if (!base::CheckAdd(input_element.offset(), length) 5. + .AssignIfValid(&end_byte) || 6. + end_byte > ref_entry->total_size()) { 7. status = BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS; 8. return; 9. } chromium/storage/browser/blob/blob_storage_context.cc Check against ref_entry total_size Assign to end_byte If add is safe
  61. 61. TurtleSec @pati_gallardo 61 ● CVE-2017-15416, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15416 ● CVE-2017-15416 (fix), https://chromium.googlesource.com/chromium/src.git/+/11bd4bc92f3fe704 631e3e6ad1dd1a4351641f7c%5E%21/ ● Popping Calc with Hardware Vulnerabilities CVE-2017-15416 (exploitation), Stephen Roettger, https://youtu.be/ugZzQvXUTIk CVE-2017-15416 Resources
  62. 62. TurtleSec @pati_gallardo 62 TurtleSec @pati_gallardo 62 2002 2021 Systems Programming Binary Exploitation
  63. 63. TurtleSec @pati_gallardo 63 @pati_gallardo 63 TurtleSec Apple iOS, iPadOS and macOS CVE-2021-30860
  64. 64. TurtleSec @pati_gallardo 64 CVE-2021-30860 @pati_gallardo 64 "An integer overflow was addressed [...] Processing a maliciously crafted PDF may lead to arbitrary code execution."
  65. 65. TurtleSec @pati_gallardo 65 @pati_gallardo Guint numSyms; numSyms = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { numSyms += ((JBIG2SymbolDict *)seg)->getSize(); } else if (seg->getType() == jbig2SegCodeTable) { codeTables->append(seg); } } else { error(errSyntaxError, getPos(), "Invalid segment reference in JBIG2 text region"); delete codeTables; return; } } // ... // get the symbol bitmaps syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *)); kk = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { symbolDict = (JBIG2SymbolDict *)seg; for (k = 0; k < symbolDict->getSize(); ++k) { syms[kk++] = symbolDict->getBitmap(k); } } } } 32 bit uint Increment with attacker controlled data Allocate a buffer too small based on wrapped uint Overflow too small buffer
  66. 66. TurtleSec @pati_gallardo 66 ● A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution, Project Zero team at Google, https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zer o-click.html ● FORCEDENTRY, https://en.wikipedia.org/wiki/FORCEDENTRY ● CVE-2021-30860, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860 ● FORCEDENTRY: Sandbox Escape, Ian Beer & Samuel Groß, https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-esc ape.html CVE-2021-30860 Resources
  67. 67. TurtleSec @pati_gallardo 67 @pati_gallardo 67 TurtleSec How to find them UB Sanitizer Integer Sanitizer
  68. 68. TurtleSec @pati_gallardo 68 @pati_gallardo 68 C++20 Safe Integer Comparisons 1. #include <utility> 2. 3. int main() 4. { 5. static_assert( sizeof(int) == 4 ); 6. 7. static_assert( -1 > 1U ); 8. static_assert( 0xFFFFFFFFU > 1U ); 9. static_assert( 0xFFFFFFFFU == static_cast<unsigned>(-1) ); 10. 11. static_assert( std::cmp_less( -1, 1U ) ); 12. static_assert( std::cmp_less_equal( -1, 1U ) ); 13. static_assert( ! std::cmp_greater( -1, 1U ) ); 14. static_assert( ! std::cmp_greater_equal( -1, 1U ) ); 15. 16. static_assert( -1 == 0xFFFFFFFFU ); 17. static_assert( std::cmp_not_equal( -1, 0xFFFFFFFFU ) ); 18. } Example Code from cppreference.com C++20
  69. 69. TurtleSec @pati_gallardo 69 @pati_gallardo 69 TurtleSec 2010
  70. 70. TurtleSec @pati_gallardo 70 Rihanna - Rude Boy Lady Gaga - Bad Romance 2010 : 12 years ago
  71. 71. TurtleSec @pati_gallardo 71 @pati_gallardo 71 TurtleSec 2010
  72. 72. TurtleSec @pati_gallardo 72 ● A Eulogy for Format Strings, Captain Planet, 2010-11-17 Phrack Magazine, http://phrack.org/issues/67/9.html ● Advances in format string exploitation, riq & gera, 2002-07-28 Phrack Magazine, http://phrack.org/issues/59/7.html Format String Vulnerability Resources
  73. 73. TurtleSec @pati_gallardo 73 Format String Vulnerabilities @pati_gallardo 73 TurtleSec
  74. 74. TurtleSec @pati_gallardo 74 Format String Features A couple of Lesser Known @pati_gallardo 74 TurtleSec
  75. 75. TurtleSec @pati_gallardo 75 @pati_gallardo TurtleSec field_width.c 1. int main(void) { 2. printf("% 17dn", 10); 3. printf("% *dn", 18, 10); 4. printf("%2$ *1$dn", 19, 10); // Direct Access 5. } $ clang -o field_width field_width.c $ ./field_width 10 10 10 Field width 17 18 19
  76. 76. TurtleSec @pati_gallardo 76 @pati_gallardo TurtleSec chars_written_1.c 1. int main(void) { 2. int num = 0; 3. printf("abcdef%nn", &num); 4. printf("%dn", num); 5. } $ clang -o chars_written chars_written_1.c $ ./chars_written abcdef 6 Chars written
  77. 77. TurtleSec @pati_gallardo 77 @pati_gallardo TurtleSec chars_written_2.c 1. int main(void) { 2. int num = 0; 3. printf("%42d%nn", 1, &num); // Field width 4. printf("%dn", num); 5. } $ clang -o chars_written chars_written_2.c $ ./chars_written 1 42 Chars written 42
  78. 78. TurtleSec @pati_gallardo 78 TurtleSec @pati_gallardo 78 2002 2021 Systems Programming Binary Exploitation 2010
  79. 79. TurtleSec @pati_gallardo 79 @pati_gallardo 79 TurtleSec Apple iOS CVE-2021-30800
  80. 80. TurtleSec @pati_gallardo 80 CVE-2021-30800 @pati_gallardo 80 "Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution."
  81. 81. TurtleSec @pati_gallardo 81 CVE-2021-30800
  82. 82. TurtleSec @pati_gallardo 82 @pati_gallardo 82 TurtleSec How to find them Address Sanitizer GCC & Clang: -Wformat=2
  83. 83. TurtleSec @pati_gallardo 83 TurtleSec @pati_gallardo 83 2000 2022 Systems Programming Binary Exploitation
  84. 84. TurtleSec @pati_gallardo 84 @pati_gallardo 84 TurtleSec Living in the future
  85. 85. TurtleSec @pati_gallardo 85 Cross community learning @pati_gallardo 85 TurtleSec
  86. 86. TurtleSec @pati_gallardo 86 Questions? Photos from pixabay.com and Wikipedia Patricia Aas, TurtleSec Turtle Sec
  87. 87. TurtleSec @pati_gallardo 87 Turtle Sec @pati_gallardo

×