Software Vulnerabilities - Mercy

Published in: Technology, Education
1. Software Vulnerabilities

2. Introduction

   - Who I am
   - Who this talk is for

3. Roadmap

   - Buffer overflows: stack and heap
   - Format string bugs
   - Integer problems
   - Memory problems
   - Race conditions

4. Roadmap (continued)

   - Examples?
   - Local vs remote exploitation
   - Post-exploitation payloads
   - Protection

5. The overflow

       for (i = 0; user_buf[i] != '\0'; i++)
           store_buf[i] = user_buf[i];   /* stops at the NUL, never at the end of store_buf */

6. Other data

   [Diagram: a write into a buffer that continues past the buffer's boundary and into the other data stored after it]
7. Stack based overflow

   Saved frame pointer:

       call vuln_function
       push %ebp
       movl %esp, %ebp
       [overflow]
       movl %ebp, %esp
       popl %ebp

   Saved variables:

       void (*fn)(void) = (void (*)(void))&time;
       char overflow_me[4];
       [overflow]
       fn();

8. Heap based overflow

   .bss overwrite:

       char p1[100], p2[100];

       int main(void)
       {
           overflow(p1);
       }

   Control structure overwrite:

       void fn(void)
       {
           char *p1 = malloc(100);
           char *p2 = malloc(100);
           overflow(p1);
           [free(), malloc(), whatever()]
           return;
       }

9. What is the trend?

   - You sequentially overwrite data beyond (or before) an allocated memory space.
   - You rely on the position of the buffer to determine the way to attack (heap, stack).
   - The attack is nothing more than modifying data at particular offsets to values that will leverage exploitation.
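The "particular offsets" point is easiest to see with the frame from slide 7 laid out explicitly. The following is an added example, not code from the slides: it models a 32-bit frame as a byte array (4-byte buffer, then saved frame pointer, then return address; that layout and the 4/8 offsets are assumptions for illustration, real frames carry padding and other locals), runs the slide 5 copy loop against it, and shows which input bytes land on the saved %ebp and the return address. The hardened copy beside it bounds the loop by the destination size instead of the input.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the frame drawn on the "Stack based overflow" slide:
 * a 4-byte local buffer, then the saved frame pointer, then the return
 * address. The layout is an assumption made for illustration only.
 */
#define BUF_SIZE   4
#define OFF_EBP    (BUF_SIZE)        /* saved %ebp directly after the buffer */
#define OFF_RET    (BUF_SIZE + 4)    /* return address after saved %ebp      */
#define FRAME_SIZE (BUF_SIZE + 8)

struct frame_view {
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* Little-endian decode, the way an x86 stack word is read. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static struct frame_view read_frame(const uint8_t *frame)
{
    struct frame_view v = { le32(frame + OFF_EBP), le32(frame + OFF_RET) };
    return v;
}

/*
 * The slide's copy loop aimed at the modelled frame: it stops at the NUL,
 * not at the end of overflow_me, so input bytes 4..7 land on the saved
 * frame pointer and bytes 8..11 on the return address. The FRAME_SIZE cap
 * exists only so the model itself stays inside its array.
 */
static struct frame_view unsafe_copy(const char *user_buf)
{
    uint8_t frame[FRAME_SIZE] = { 0 };      /* clean frame: ebp = ret = 0 */
    size_t i;

    for (i = 0; i < FRAME_SIZE && user_buf[i] != '\0'; i++)
        frame[i] = (uint8_t)user_buf[i];    /* no comparison against BUF_SIZE */
    return read_frame(frame);
}

/* Hardened form: the bound is the destination size, and a NUL always fits. */
static struct frame_view safe_copy(const char *user_buf)
{
    uint8_t frame[FRAME_SIZE] = { 0 };
    size_t i;

    for (i = 0; i < BUF_SIZE - 1 && user_buf[i] != '\0'; i++)
        frame[i] = (uint8_t)user_buf[i];
    frame[i] = '\0';
    return read_frame(frame);
}

int main(void)
{
    /* Constructed payload: "AAAA" fills the buffer, "BBBB" replaces the
       saved frame pointer, the last four bytes become the return address. */
    const char *payload = "AAAABBBB\x10\x20\x30\x40";
    struct frame_view u = unsafe_copy(payload);
    struct frame_view s = safe_copy(payload);

    printf("unsafe copy: saved_ebp=0x%08" PRIx32 " ret=0x%08" PRIx32 "\n",
           u.saved_ebp, u.ret_addr);
    printf("safe copy:   saved_ebp=0x%08" PRIx32 " ret=0x%08" PRIx32 "\n",
           s.saved_ebp, s.ret_addr);
    return 0;
}
```

The unsafe copy yields saved_ebp 0x42424242 and a return address of 0x40302010: the four trailing bytes were written in memory order, so the attacker supplies the target address little-endian. The safe copy leaves both control words untouched.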
10. Format String Bugs

        char *p = user_supplied_format_string;
        printf(p);

11. User supplied format string

        AAAABBBB%08x%08x%08x%08x

12. Direct parameter access (%1$..., %2$..., etc.)

    - overwrite_addr1 = stack_offset(user_buffer);
    - overwrite_addr2 = stack_offset(user_buffer) + 4;

13. %hn

    - Write 1 = low_word(shellcode_addr) - bytes(already_output);
    - Write 2 = high_word(shellcode_addr) - bytes(already_output);

14. What is the trend?

    - User input supplies the format string that describes the argument types to format functions.
    - The resulting "write anything anywhere" condition allows an attacker to write arbitrary values to any memory location of their choice.
    - syslog(), printf(), sprintf(), vfprintf(), hand-made "format string" functions providing arbitrary read/write functionality, etc. are vulnerable to this style of attack.
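Slide 13 gives the two %hn widths as a subtraction; in practice each one is taken modulo 65536 and the second write must account for the characters the first padded field emitted. The following is an added example, not from the slides: it computes both widths for an assumed target value and 8-byte prefix, then performs the two writes in-process using legitimate %hn arguments (a literal format string, widths passed through '*', and two short variables standing in for the addresses an attacker would plant in the user buffer) so the mechanics can be checked without any vulnerable program.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Field widths for the slide's two %hn writes. The first %hn must fire when
 * the running character count equals the low 16 bits of the value, the
 * second when it equals the high 16 bits, both modulo 65536. already_out is
 * what the format string printed before the first padded conversion (8 for
 * an "AAAABBBB" prefix carrying the two target addresses). A width of 0 is
 * raised to 65536 because %u always emits at least one character.
 */
static void hn_widths(uint32_t value, unsigned already_out,
                      unsigned *w1, unsigned *w2)
{
    unsigned lo = value & 0xffffu;
    unsigned hi = (value >> 16) & 0xffffu;
    unsigned count = already_out;

    *w1 = (lo - count) & 0xffffu;
    if (*w1 == 0)
        *w1 = 0x10000u;
    count += *w1;

    *w2 = (hi - count) & 0xffffu;
    if (*w2 == 0)
        *w2 = 0x10000u;
}

static unsigned hn_first_width(uint32_t value, unsigned already_out)
{
    unsigned w1, w2;
    hn_widths(value, already_out, &w1, &w2);
    return w1;
}

static unsigned hn_second_width(uint32_t value, unsigned already_out)
{
    unsigned w1, w2;
    hn_widths(value, already_out, &w1, &w2);
    return w2;
}

/*
 * Carry out the two writes with legitimate %hn arguments. The format is a
 * literal, the widths arrive through '*', and lo/hi stand in for the two
 * addresses (target and target + 2) an attacker would have placed in the
 * user buffer. Returns the 32-bit value assembled from the two halves.
 */
static uint32_t hn_write(uint32_t value, unsigned already_out)
{
    unsigned w1, w2;
    short lo = 0, hi = 0;
    size_t len;
    char *out;

    hn_widths(value, already_out, &w1, &w2);
    len = (size_t)already_out + w1 + w2 + 1;
    out = malloc(len);
    if (!out)
        return 0;
    /* "%*s" with "" emits already_out spaces standing in for the prefix. */
    snprintf(out, len, "%*s%*u%hn%*u%hn",
             (int)already_out, "", (int)w1, 1u, &lo, (int)w2, 1u, &hi);
    free(out);
    return (uint32_t)(unsigned short)lo | ((uint32_t)(unsigned short)hi << 16);
}

int main(void)
{
    uint32_t shellcode_addr = 0xbffff6c0u;    /* assumed target value */
    unsigned w1, w2;

    hn_widths(shellcode_addr, 8, &w1, &w2);
    printf("write 1: pad to %u, write 2: pad to %u\n", w1, w2);
    printf("value assembled by the two %%hn writes: 0x%08x\n",
           (unsigned)hn_write(shellcode_addr, 8));
    return 0;
}
```

For 0xbffff6c0 and an 8-byte prefix the first field pads to 63160 (8 + 63160 = 0xf6c0) and the second to 51519 (63168 + 51519 = 0x1bfff, whose low 16 bits are 0xbfff). The wrap-around is why the order of the two writes does not matter once the widths are reduced modulo 65536.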
15. Integer problems

    [Slide image; text not recoverable]

16. Arithmetic overflow

        unsigned len = user_assigned_int32();
        char *buf = malloc(len + 1);
        memcpy(buf, user_supplied_input, len);

17. Signedness bugs

        signed len = user_assigned_int32();
        if (len > sizeof(buffer)) return;
        memcpy(buffer, user_supplied_input, len);

18. What is the trend?

    - Arithmetic operations on integers that an attacker can control are dangerous.
    - Promotions can happen to signed/unsigned values which result in logic errors.
    - When these appear in loops or memory access/allocation an attacker is usually able to leverage an overflow or "write anything anywhere" condition.
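Both slide 16 and slide 17 reduce to a length that survives the check but not the conversion. The following is an added example, not from the slides, that makes each step observable: the wrapped malloc() size from slide 16, and the negative length that passes a signed bound and becomes SIZE_MAX inside memcpy() from slide 17. One caveat on slide 17 as written: comparing a signed len against sizeof(buffer) converts len to size_t first, so -1 would be rejected; the bug needs a signed bound, which is why the example uses an assumed int constant BUFFER_LEN. The hardened checks beside each bug are the fixes a reviewer would ask for.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BUFFER_LEN 64   /* assumed size of the fixed buffer on the slide */

/*
 * Arithmetic overflow: the size handed to malloc() on the slide is the
 * 32-bit unsigned expression len + 1, which wraps to 0 when len is
 * 0xffffffff; the memcpy() that follows still copies len bytes.
 */
static unsigned vuln_alloc_size(unsigned len)
{
    return len + 1;                   /* 0xffffffff + 1 == 0 */
}

/* Hardened: refuse any len for which len + 1 is not representable.
   Returns 0 for "rejected", otherwise the size to allocate (always >= 1). */
static size_t safe_alloc_size(unsigned len)
{
    if (len > UINT_MAX - 1)
        return 0;
    return (size_t)len + 1;
}

/*
 * Signedness: a signed length compared against a signed bound lets a
 * negative value through. Returns 1 when the copy would be attempted.
 */
static int vuln_length_check(int len)
{
    if (len > BUFFER_LEN)             /* -1 > 64 is false: check passes */
        return 0;
    return 1;
}

/* The size memcpy() actually receives for that length. */
static size_t copy_size(int len)
{
    return (size_t)len;               /* -1 becomes SIZE_MAX */
}

/* Hardened: reject negatives before comparing, or use an unsigned type. */
static int safe_length_check(int len)
{
    if (len < 0 || (size_t)len > BUFFER_LEN)
        return 0;
    return 1;
}

int main(void)
{
    printf("malloc(len + 1) with len=0xffffffff asks for %u bytes; safe check: %s\n",
           vuln_alloc_size(0xffffffffu),
           safe_alloc_size(0xffffffffu) ? "accepted" : "rejected");
    printf("len=-1: vulnerable check copies=%d with size=%zu; safe check copies=%d\n",
           vuln_length_check(-1), copy_size(-1), safe_length_check(-1));
    return 0;
}
```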
19. Memory problems

    - Memory leak: do not free() allocated memory.
    - Uninitialized variables: do not initialize variables before use.
    - Use after free: use an already free()'d memory block.

20. Memory leak

        int f(void)
        {
            char *s = malloc(100);      /* never freed: 100 bytes lost per call */
            if (!s) return -1;
            [...]
            return 0;
        }

        int main(void)
        {
            char *p;
            while (!f());               /* loops until malloc() inside f() fails */
            p = malloc(size);           /* now likely NULL, and unchecked */
            write_to(p);
        }

21. Uninitialized variables

        unsigned int we_are;

        if (we_are == 31337)
        {
            root_us();
        }

22. Uninitialized memory cont.

        for (chnk = head; chnk; chnk = chnk->next)
        {
            memset(chnk, 0x00, chnk->len);
            free(chnk);                 /* chnk->next is then read from freed memory */
        }

23. What is the trend?

    - Memory leaks can lead to some exploitable conditions when no further error checking is done on allocations. Sensitive data may be re-used or leaked somehow.
    - Not initializing data can result in attacker-supplied data being used instead, leading to possibly exploitable scenarios.
    - Referencing memory that has been free'd can lead to "un-expected" results.
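The loop on slide 22 is the compact form of the third bullet: the for-increment evaluates chnk->next after free(chnk), and the memset() before it has already zeroed that field. The following is an added example, not from the slides, with a constructed node type (the next pointer and len field match the slide; the payload is assumed) showing the corrected walk, which reads next before scrubbing and freeing the node and so keeps the scrub of sensitive data without the use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed node shape matching the slide: a next pointer and the
   node's own length, followed by the payload. */
struct chunk {
    struct chunk *next;
    size_t len;          /* total size of this allocation */
    char data[];
};

/* Prepend a node carrying a copy of payload. */
static struct chunk *push(struct chunk *head, const char *payload)
{
    size_t n = strlen(payload) + 1;
    struct chunk *c = malloc(sizeof *c + n);

    if (!c)
        return head;
    c->len = sizeof *c + n;
    memcpy(c->data, payload, n);
    c->next = head;
    return c;
}

/*
 * Corrected form of the slide's loop. The original
 *     for (chnk = head; chnk; chnk = chnk->next) { memset(...); free(chnk); }
 * reads chnk->next after free(chnk): the memset() has already zeroed the
 * next field, and after free() the allocator may reuse the first words of
 * the block for its own free-list pointers, so the walk either stops early
 * (leaking the rest of the list) or follows allocator metadata. Taking next
 * first removes the use-after-free. Returns the number of nodes freed.
 */
static size_t free_list(struct chunk *head)
{
    size_t freed = 0;

    while (head) {
        struct chunk *next = head->next;  /* read before the node dies */
        memset(head, 0x00, head->len);    /* scrub, as on the slide */
        free(head);
        head = next;
        freed++;
    }
    return freed;
}

/* Build a list of n constructed nodes and free it; returns nodes freed. */
static size_t build_and_free(size_t n)
{
    struct chunk *head = NULL;
    char label[32];

    for (size_t i = 0; i < n; i++) {
        snprintf(label, sizeof label, "secret-%zu", i);   /* constructed payload */
        head = push(head, label);
    }
    return free_list(head);
}

int main(void)
{
    printf("freed %zu nodes\n", build_and_free(5));
    return 0;
}
```

Run under AddressSanitizer or valgrind, the slide's original loop reports a read of freed memory at the chnk->next evaluation; the corrected version is clean and frees every node.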
24. Race Conditions

    - File handling race
    - Signal handling race
    - Threaded race

25. File Handling Race Condition

        struct stat st;
        FILE *fp;

        if (stat(argv[1], &st) < 0) {
            perror("stat");
            exit(1);
        }

        if (st.st_uid != getuid()) {
            fprintf(stderr, "you must be the owner of %s\n", argv[1]);
            exit(1);
        }

        if (!S_ISREG(st.st_mode)) {
            fprintf(stderr, "%s is not a normal file!\n", argv[1]);
            exit(1);
        }

        /* between stat() and fopen() the path can be repointed at another file */
        if ((fp = fopen(argv[1], "w")) == NULL) {
            fprintf(stderr, "Failed to open %s\n", argv[1]);
            exit(1);
        }

        fprintf(fp, "%s\n", argv[2]);
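The slide's program checks one object (whatever argv[1] names at stat() time) and writes another (whatever it names at fopen() time). The following is an added example, not from the slides, of the standard fix: open first, refusing symlinks, then run the owner and regular-file checks against the descriptor with fstat(), and only truncate after the checks pass so a hostile file is never clobbered. The self-check creates a temporary file (assuming a writable TMPDIR or /tmp), writes through the direct path, and confirms that a symlink to the same file is refused.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hardened version of the slide's check-then-open. The object validated
 * and the object written are the same descriptor, so no rename or symlink
 * swap between the two can help an attacker. O_TRUNC is deliberately left
 * out of the open: truncation happens only after the checks succeed.
 * Returns 0 on success, -1 otherwise.
 */
static int write_owned_regular(const char *path, const char *text)
{
    struct stat st;
    size_t len = strlen(text), done = 0;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */
    if (fstat(fd, &st) < 0 || st.st_uid != getuid() || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    if (ftruncate(fd, 0) < 0) {          /* the "w" semantics, after the checks */
        close(fd);
        return -1;
    }
    while (done < len) {
        ssize_t n = write(fd, text + done, len - done);
        if (n < 0) {
            close(fd);
            return -1;
        }
        done += (size_t)n;
    }
    return close(fd);
}

/* Self-check on a constructed temporary file: the direct path is written,
   a symlink to the same file is refused and leaves the content intact.
   Returns 1 when both hold. */
static int demo(void)
{
    const char *dir = getenv("TMPDIR");
    char path[4096], link[4096], back[64];
    int fd, ok = 0;
    ssize_t n = -1;

    snprintf(path, sizeof path, "%s/race-demo-XXXXXX", dir ? dir : "/tmp");
    fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", path);

    if (write_owned_regular(path, "hello\n") == 0 &&
        symlink(path, link) == 0 &&
        write_owned_regular(link, "via symlink\n") == -1) {
        fd = open(path, O_RDONLY | O_NOFOLLOW);
        if (fd >= 0) {
            n = read(fd, back, sizeof back - 1);
            close(fd);
        }
        ok = (n == 6 && memcmp(back, "hello\n", 6) == 0);
    }
    unlink(link);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("fstat-after-open check %s\n", demo() ? "passed" : "failed");
    return 0;
}
```

O_NOFOLLOW only refuses a symlink in the final path component; if an attacker controls a parent directory, open the directory first and use openat() relative to that descriptor.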
26. Signal Handling Race Conditions

        char *what, *global1, *global2;

        void sh(int dummy) {
            syslog(LOG_NOTICE, "%s\n", what);
            free(global2);
            free(global1);
            sleep(10);      /* a second signal here re-enters sh(): double free */
            exit(0);
        }

        int main(int argc, char *argv[]) {
            what = argv[1];
            global1 = strdup(argv[2]);
            global2 = malloc(340);
            signal(SIGHUP, sh);
            signal(SIGTERM, sh);
            sleep(10);
            exit(0);
        }

27. Thread race conditions

        unsigned long v;

        void *thread1(void *p)
        {
            v += 2;
        }

        void *thread2(void *p)
        {
            v += 100;
        }

28. What is the trend?

    - It is just that, a "race", between files, threads, and signals.
    - Any non-atomic operation may be exploitable.
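"Non-atomic" on slide 28 is concrete for slide 27: v += 2 is a load, an add and a store, and the other thread's update can land between them. The following is an added example, not from the slides, that runs the two threads from slide 27 a million times each (the iteration count is an assumption) against the plain counter and against the same counter declared as a C11 atomic, and returns both totals so the lost updates can be counted.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define ITER 1000000UL               /* assumed iteration count per thread */

static unsigned long v;              /* the slide's counter: plain read-modify-write */
static atomic_ulong v_atomic;        /* the same counter as a C11 atomic */

struct worker_arg {
    unsigned long add;               /* 2 for thread1, 100 for thread2 */
    int use_atomic;
};

static void *worker(void *p)
{
    struct worker_arg *w = p;

    for (unsigned long i = 0; i < ITER; i++) {
        if (w->use_atomic)
            atomic_fetch_add(&v_atomic, w->add);   /* one indivisible RMW */
        else
            v += w->add;   /* load, add, store: the other thread can interleave */
    }
    return NULL;
}

/* Run the slide's two threads ITER times each and return the final count.
   With use_atomic == 0 the result is at most 102 * ITER and usually less;
   with use_atomic == 1 it is exactly 102 * ITER. Returns 0 if a thread
   could not be started. */
static unsigned long run(int use_atomic)
{
    pthread_t t1, t2;
    struct worker_arg a = { 2, use_atomic }, b = { 100, use_atomic };

    v = 0;
    atomic_store(&v_atomic, 0);
    if (pthread_create(&t1, NULL, worker, &a) != 0)
        return 0;
    if (pthread_create(&t2, NULL, worker, &b) != 0) {
        pthread_join(t1, NULL);
        return 0;
    }
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return use_atomic ? atomic_load(&v_atomic) : v;
}

static unsigned long expected(void)
{
    return 102UL * ITER;
}

int main(void)
{
    printf("expected %lu, racy %lu, atomic %lu\n", expected(), run(0), run(1));
    return 0;
}
```

The racy total varies from run to run and is never above the expected value, because every lost update is an addition that was overwritten. For a counter the atomic is the whole fix; when the shared state is a pointer or a length checked against a buffer, the same interleaving is what turns a race into a memory corruption, and a mutex around the check and the use together is the equivalent fix.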
29. Examples?

30. Local vs Remote

    - Environment challenges
    - Blind exploitation
    - Service identification

31. Post exploitation

    - Architecture spanning shellcode
    - Platform independent shellcode

32. Protections

    - Address space layout randomization (ASLR)
    - Control structure sanitization
    - No Execute

33. mercy@felinemenace.org