1. Buffer Overflows
   OWASP Bangalore, 11th Jan 2009

2. Agenda
   - Introduction
     - What, How & Why?
   - Guidelines
     - Are you vulnerable?
     - What to do or not to do?
   - Vulnerability History
   - Demo (in next session)

3. Buffer overflow
   - Pushing more data into a buffer than its capacity
   - Manipulating the execution stack to reveal or modify process-specific data
   - A few examples:
     - strcpy(target_buffer, large_string);
     - printf(str_ptr); /* unescaped data from str_ptr */

4. ...so?
   - Arbitrary shell code can be injected as user input
   - The RET address can be changed to execute the arbitrary code
   - Do anything afterwards...
   - Worst if the vulnerable application was running in "root"/"superuser" mode

5. Types of Buffer Overflow
   - Stack Overflow
   - Heap Overflow
   - Integer Overflow
   - Format String Overflow
   - Unicode Overflow

6. Function Calls and Stacks
   - Uses stacks to evaluate functions
     - foo(bar(delta(arg1, arg2, ...)))
     - foo1(bar1(arg1), delta1(arg1, arg2, ...))
   - Evaluated from left to right
     - LIFO

7. Example

   int sum(int a, int b) {
       return a + b;
   }
   int main() {
       int a[5];
       a[0] = sum(15, 13);
       return 0;
   }

   ...
   sum:
       pushl   %ebp
       movl    %esp, %ebp
       movl    12(%ebp), %eax      /* b */
       addl    8(%ebp), %eax       /* + a */
       leave
       ret
   ...
   main:
       pushl   %ebp
       movl    %esp, %ebp
       subl    $40, %esp
       ...
       pushl   $13
       pushl   $15
       call    sum
       addl    $8, %esp
       movl    %eax, -40(%ebp)
       leave
       ret

8. Stack frame at the call to sum (figure; the slide repeats the assembly listing of slide 7):
   RET address | FP or BP | 13 | 15

9. Stack Overflow (example)

   #include <string.h>
   void f(char *s) {
       char buffer[10];
       strcpy(buffer, s);   /* no bounds check: copies all of s into a 10-byte buffer */
   }
   int main(void) {
       f("01234567890123456789");
       return 0;
   }

   [root /tmp]# ./stacktest
   Segmentation fault

   Attempted to overwrite other sections of the executable

10. Heap Overflow
    - When data is written beyond the boundaries in the heap
    - Overflow
      - strcpy(a, long_string);
    - Similar to stack overflows
    (Figure: adjacent heap blocks, Array a[8] at 0xB1-0xB8 and Array b[11] at 0xC2-0xCC)

11. Integer Overflow
    - Arithmetic overflows
    - Processors have a fixed-width word size
      - 8-bit processor can handle 0 to 255 or -127 to +127
      - 16-bit processor can handle 0 to 65535 or -32767 to +32767
    - A value beyond the range causes an overflow

12. Integer Overflow (example)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main(int argc, char *argv[]) {
        if (argc < 3) return 1;
        int i = atoi(argv[1]);        // input from user
        unsigned short s = i;         // truncate to a short
        char buf[50];                 // large buffer
        if (s > 10) {                 // check we're not greater than 10
            return 1;
        }
        memcpy(buf, argv[2], i);      // copy i bytes to the buffer (i, not s, is used here)
        buf[i] = '\0';                // add a null byte to the buffer
        printf("%s\n", buf);          // output the buffer contents
        return 0;
    }

    [root /tmp]# ./inttest 65580 foobar
    Segmentation fault
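An added example, not part of the slide deck, isolating why the check in the inttest program above does not protect the copy: the comparison is made on the 16-bit truncation of i while memcpy uses the full value. The names truncated_length, slide_check_passes and safe_copy are chosen here; safe_copy is one hardened alternative that validates the value actually used as the length against both the source and destination sizes.

```c
/* Added example (not from the slides): the inttest check is made on the
 * truncated unsigned short s, but memcpy is given the original int i. */
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 50

/* Scratch destination so the results can be inspected after a copy. */
static char scratch[BUF_SIZE];

/* The value the slide's program actually compares: i narrowed to 16 bits
 * (well defined for unsigned types: reduced modulo 65536). */
unsigned short truncated_length(int i) {
    return (unsigned short)i;
}

/* Reproduces the slide's guard without performing the copy: returns 1 if
 * the guard would let memcpy(buf, src, i) run with the untruncated i. */
int slide_check_passes(int i) {
    unsigned short s = (unsigned short)i;
    return !(s > 10);
}

/* Hardened version: validate the value that is actually used as the
 * length, reject negatives, and bound it by the real source length and
 * the destination size (leaving room for the terminator).  Returns the
 * number of bytes copied, or -1 if the request is rejected. */
long safe_copy(char *dst, size_t dst_size, const char *src, long requested) {
    size_t src_len = strlen(src);
    if (requested < 0 || dst_size == 0) return -1;
    if ((size_t)requested > src_len) return -1;      /* would read past src */
    if ((size_t)requested > dst_size - 1) return -1; /* would write past dst */
    memcpy(dst, src, (size_t)requested);
    dst[requested] = '\0';
    return requested;
}
```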
13. Format String Overflow
    - Takes advantage of functions which mix data with control information
    - "%x" - read data from the stack
    - "%s" - read a string from process memory
    - "%n" - write an integer to a location in process memory
    - "%p" - pointer representation of a memory location
    - Ex:
      - printf, fprintf, sprintf, snprintf
      - vfprintf, vprintf, vsprintf, vsnprintf
      - user input can be formatted to access values from the stack, e.g.
        - printf("%08x.%08x.%08x.%08x.%08x") will print the top 5 stack values

14. Unicode Overflow
    - Windows APIs often convert input strings into Unicode before using them
    - Input can be convoluted to cause an overflow and manipulate exception handlers
    - Unicode conversion may generate special interrupt instructions on the stack

15. Are you vulnerable?
    - Yes, likely, if your code:
      - uses low-level languages like C/C++
      - directly accesses memory
      - interacts with OS activities and process stacks
    - However:
      - the risk is reduced if you know what you are doing!!
    - Not likely, if your code uses high-level languages like Java or .NET

16. What to do or not to do?
    - Know thy code!!!
      - Use safe functions
        - strncpy instead of strcpy, strncat instead of strcat, snprintf instead of sprintf, etc.
      - Grant processes the least privileges required to run
    - Be paranoid
      - don't trust user inputs
      - always validate
    - Do comprehensive code auditing and reviews. Use static code analysis tools: RATS, FindBugs, Flawfinder
    - Use compiler tools: StackShield, StackGuard and Libsafe
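An added example, not part of the slide deck, that rewrites the f() function from slide 9 with the bounded calls slide 16 recommends and shows the format-string separation slide 13 is about. copy_bounded and render_untrusted are names chosen here; the caveat demonstrated is that strncpy does not NUL-terminate when it truncates, so the terminator must be written explicitly.

```c
/* Added example (not from the slides): bounded replacements for the
 * strcpy/printf shapes used on slides 9 and 13. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10

/* Scratch outputs so the results can be inspected after a call. */
static char outbuf[BUF_LEN];
static char line[64];

/* Vulnerable shape from slide 9, kept only as a reminder:
 *   char buffer[10]; strcpy(buffer, s);   -- writes strlen(s)+1 bytes regardless of size */

/* Bounded copy.  Returns 1 if the input was truncated, 0 otherwise, and
 * always leaves out NUL-terminated. */
int copy_bounded(char *out, size_t out_size, const char *s) {
    if (out_size == 0) return 1;
    strncpy(out, s, out_size - 1);   /* copies at most out_size-1 bytes */
    out[out_size - 1] = '\0';        /* strncpy leaves no terminator if s is too long */
    return strlen(s) >= out_size;
}

/* Echo user input through a fixed format string.  The input is passed as an
 * argument, so "%x" or "%n" inside it is printed literally, never interpreted
 * (the slide 13 problem arises only when the input itself is the format).
 * snprintf bounds the write; its return value is the length the full output
 * would have had, so the caller can detect truncation. */
int render_untrusted(char *out, size_t out_size, const char *user_input) {
    return snprintf(out, out_size, "input: %s", user_input);
}
```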
17. Compiler tools
    - StackGuard
      - Uses an extra canary word (4 bytes) to verify that the stack is intact
        - 0x000D0AFF (0x00 NULL, 0x0D CR, 0x0A LF, 0xFF EOF)
        - Or a random number that is difficult to predict
    - StackShield
      - Copies the expected return address to a separate stack for later verification
    - LibSafe
      - Intercepts all calls to vulnerable library functions and substitutes a corresponding version that implements the original functionality but contains any buffer overflow within the current stack frame

18. Vulnerability Metrics

19. (Recent) History
    - Quite a few incidents
      - RealPlayer ActiveX Import Method Buffer Overflow (July 2008)
      - Microsoft GDI Stack Overflow Vulnerability (Aug 2008)
      - Heap-based buffer overflow in QuickTime and iTunes (Sep 2008)
      - Adobe Reader JavaScript Printf Buffer Overflow (Nov 2008)

20. Reporting
    - http://www.cert.org/vuls/
    - http://www.adobe.com/misc/securityform.html
    - http://www.microsoft.com/technet/security/bulletin/alertus.aspx
    - http://www.apple.com/support/security/

21. References
    - http://www.owasp.org/index.php/Buffer_Overflows
    - https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
    - Also updated at http://www.owasp.org/index.php/Buffer_Overflows
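An added example, not part of the slide deck, modelling the StackGuard canary check in ordinary user-space C: a fake frame lays out buffer, canary and saved data in one byte array, an unbounded copy like slide 9's strcpy runs past the buffer, and the epilogue check reports the clobbered canary. fake_frame, frame_init, frame_unsafe_copy, frame_canary_ok and simulate_copy are names chosen here; the canary value is the terminator canary quoted on the slide.

```c
/* Added example (not from the slides): a user-space model of the StackGuard
 * check.  The frame is [buffer][canary][saved data]; a copy that runs past
 * the buffer clobbers the canary, which the epilogue check detects before the
 * saved data would be trusted. */
#include <stddef.h>
#include <string.h>

#define BUF_LEN    10
#define CANARY_LEN 4
#define SAVED_LEN  4

/* The slide's terminator canary 0x000D0AFF as it sits in memory on
 * little-endian x86: FF 0A 0D 00.  The 0x00 byte is highest, so a C-string
 * copy that reproduces the canary stops at it and cannot reach the saved
 * data above.  Stored as bytes so the model does not depend on endianness. */
static const unsigned char CANARY[CANARY_LEN] = {0xFF, 0x0A, 0x0D, 0x00};

typedef struct {
    unsigned char bytes[BUF_LEN + CANARY_LEN + SAVED_LEN];
} fake_frame;

/* Prologue: place the canary directly above the local buffer and a dummy
 * saved value (standing in for saved EBP / return address) above that. */
void frame_init(fake_frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_LEN, CANARY, CANARY_LEN);
    memset(f->bytes + BUF_LEN + CANARY_LEN, 0xAA, SAVED_LEN);
}

/* What strcpy(buffer, s) does: strlen(s)+1 bytes land at the start of the
 * frame whatever the buffer size.  Capped at the frame size only so the
 * model itself stays in bounds. */
void frame_unsafe_copy(fake_frame *f, const char *s) {
    size_t n = strlen(s) + 1;
    if (n > sizeof f->bytes) n = sizeof f->bytes;
    memcpy(f->bytes, s, n);
}

/* Epilogue: 1 if the canary is intact, 0 if the copy overwrote it. */
int frame_canary_ok(const fake_frame *f) {
    return memcmp(f->bytes + BUF_LEN, CANARY, CANARY_LEN) == 0;
}

/* Run one copy through the model and report the epilogue verdict. */
int simulate_copy(const char *s) {
    fake_frame f;
    frame_init(&f);
    frame_unsafe_copy(&f, s);
    return frame_canary_ok(&f);
}
```

Note that "0123456789" is caught even though only its terminating NUL lands outside the buffer: the off-by-one hits the canary's first byte.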