Generic exploitation of invalid memory writes Jonathan Brossard CEO – Toucan System jonathan@ toucan-system.com
Agenda <ul><li>The case of invalid writes </li></ul>Determining the type of error Taxonomy of invalid memory access Memory...
Introduction Maybe you did some fuzzing and found some bugs ? Welcome in 2010 : exploitation is more difficult than findin...
Memory permissions This is  the  key to modern exploitation...
Memory permissions Under x86 : permissions are set at MMU (+ Kernel) level using three flags : R : read permission W : wri...
Memory permissions Where to get my shellcode executed in memory ?? Alternatively (when not using shellcode) : where to ret...
Memory permissions What is or not executable depends on : - your cpu (NX flag) + BIOS Config. - your kernel (PaX, PAE...) ...
DEMO Using readelf and /proc/pid/maps to check what permissions  should  be. Using paxtest to verify what is  actually  ex...
Taxonomy of invalid memory access What's the impact of this bug ? int main(int argc, char **argv){ printf(argv[1]) ; retur...
Exemple 1 Truth is : we  can't  know from C source : we have to check at instruction level to see if the c library was act...
Segfault at... mov  DWORD PTR [eax], edx eax  0x4000e030 ecx  0xbffff848 edx  0x0 ebx  0x40199ff4 => Invalid write.
(more complex) exemple: fld  QWORD PTR [eax+0x8] => Read ? Write ? Both ??
DEMO Triggering the bug in xpdf Determining the error type of complex bugs using valgrind
Summarizing At instruction level, an invalid memory access can be of three kinds : - invalid read - invalid write - invali...
Exploiting invalid exec Trivial if jump location is user controled. eg : call [eax] Exploitation strategy : Have eax point...
Exploiting invalid exec (2/2) Fairly rare in userland Used to be a major problem in kernel land (invalid Null ptr derefere...
Exploiting invalid reads Cannot hijack control flow directly :( Exploitation strategy: - Either use no memory corruption (...
Exploiting invalid writes This is the meat ! Exploitation strategy : - Either overwrite important data (eg : tast_struct->...
The case of invalid writes : different levels of control X86 allows accessing either : - 8 bytes - 4 bytes (most instructi...
The case of invalid writes : different levels of control - If both destination and value are fully user controled : overwr...
Problem is... Out of 3Gb of user land, how to find a suitable function pointer to overwrite or truncate ?
Exploitation strategy - Dump the content of every section of the binary - Parse the +W ones - Check for pointers to +X loc...
DEMO Triggering an invalid write in Opera Using livedump to chose potential candidates
Memory alignement Most Intel instructions only allow reads/writes on aligned boundaries. Typically : 4b aligned memory
(Common) Worst case scenario If only 0x00000000 can be written, in 4b aligned memory locations... => Then pointer truncati...
Naive exploitation strategy  - Trigger the bug - set a signal handler for signal 5 which re enables single stepping - set ...
Elite exploitation strategy with livedump - Trigger the bug - set the « align » cpu flag - setup a signal handler for SIGB...
DEMO Using livedump to detect unaligned memory access
Questions ? Thank you for coming
Upcoming SlideShare
Loading in …5
×

[h2hc] Generic exploitation of invalid memory writes

2,177 views

Published on

Talk generic exploitation of invalid memory writes as given in Sao Paulo at the h2hc 2010 Conference.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,177
On SlideShare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
64
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

[h2hc] Generic exploitation of invalid memory writes

  1. 1. Generic exploitation of invalid memory writes Jonathan Brossard CEO – Toucan System jonathan@ toucan-system.com
  2. 2. Agenda <ul><li>The case of invalid writes </li></ul>Determining the type of error Taxonomy of invalid memory access Memory permissions Introduction
  3. 3. Introduction Maybe you did some fuzzing and found some bugs ? Welcome in 2010 : exploitation is more difficult than finding trivial bugs. The goal of this talk is to detail (and automate !) the steps to successful exploitation of invalid memory writes.
  4. 4. Memory permissions This is the key to modern exploitation...
  5. 5. Memory permissions Under x86 : permissions are set at MMU (+ Kernel) level using three flags : R : read permission W : write permission X : execution permission 5 years back, everything was in fact +X !!
  6. 6. Memory permissions Where to get my shellcode executed in memory ?? Alternatively (when not using shellcode) : where to return in memory to execute something usefull (think ROP).
  7. 7. Memory permissions What is or not executable depends on : - your cpu (NX flag) + BIOS Config. - your kernel (PaX, PAE...) and more globally your toolchain. - the dynamic loader (shared libs).
  8. 8. DEMO Using readelf and /proc/pid/maps to check what permissions should be. Using paxtest to verify what is actually executable or not.
  9. 9. Taxonomy of invalid memory access What's the impact of this bug ? int main(int argc, char **argv){ printf(argv[1]) ; return 0; }
  10. 10. Exemple 1 Truth is : we can't know from C source : we have to check at instruction level to see if the c library was actually built with a write primitive...
  11. 11. Segfault at... mov DWORD PTR [eax], edx eax 0x4000e030 ecx 0xbffff848 edx 0x0 ebx 0x40199ff4 => Invalid write.
  12. 12. (more complex) exemple: fld QWORD PTR [eax+0x8] => Read ? Write ? Both ??
  13. 13. DEMO Triggering the bug in xpdf Determining the error type of complex bugs using valgrind
  14. 14. Summarizing At instruction level, an invalid memory access can be of three kinds : - invalid read - invalid write - invalid exec
  15. 15. Exploiting invalid exec Trivial if jump location is user controled. eg : call [eax] Exploitation strategy : Have eax pointing to our shellcode
  16. 16. Exploiting invalid exec (2/2) Fairly rare in userland Used to be a major problem in kernel land (invalid Null ptr dereference in exec mode from kernel land). First page not mappable without privs since kernel 2.6.23
  17. 17. Exploiting invalid reads Cannot hijack control flow directly :( Exploitation strategy: - Either use no memory corruption (eg : information leakage) - Or trigger a bug latter in the code (either invalid exec or invalid write) - … Or it is just plain non exploitable :(
  18. 18. Exploiting invalid writes This is the meat ! Exploitation strategy : - Either overwrite important data (eg : tast_struct->uid in kernel land) - Or try to hijack the control flow
  19. 19. The case of invalid writes : different levels of control X86 allows accessing either : - 8 bytes - 4 bytes (most instructions) - 2 bytes - 1 byte
  20. 20. The case of invalid writes : different levels of control - If both destination and value are fully user controled : overwrite .dtors, liked list in at_exit, function pointers... (ideal case such as missing format strings, easy !) - If only destination is user controled : attempt a pointer truncation on a given function pointer.
  21. 21. Problem is... Out of 3Gb of user land, how to find a suitable function pointer to overwrite or truncate ?
  22. 22. Exploitation strategy - Dump the content of every section of the binary - Parse the +W ones - Check for pointers to +X locations => exhaustive, reduced list of potential candidates. Then chose one based on actual binary constraints (will truncation point to a user controled location ?)
  23. 23. DEMO Triggering an invalid write in Opera Using livedump to chose potential candidates
  24. 24. Memory alignement Most Intel instructions only allow reads/writes on aligned boundaries. Typically : 4b aligned memory
  25. 25. (Common) Worst case scenario If only 0x00000000 can be written, in 4b aligned memory locations... => Then pointer truncation won't be possible on 4b aligned sections :-(
  26. 26. Naive exploitation strategy - Trigger the bug - set a signal handler for signal 5 which re enables single stepping - set the « trap » cpu flag => Single step until exit and monitor unaligned reads/writes. => Slow, painfull, per thread :(
  27. 27. Elite exploitation strategy with livedump - Trigger the bug - set the « align » cpu flag - setup a signal handler for SIGBUS => every read/write to unaligned memory will be trapped and give potential truncation candidates
  28. 28. DEMO Using livedump to detect unaligned memory access
  29. 29. Questions ? Thank you for coming

×