When good code goes bad

Presentation by Haroon Meer and Charl van der Walt at ISSA in 2006.

The presentation begins with an explanation of a stack overflow attack and a format string vulnerability, both with example code. Dangerous integers are also explained. The presentation ends with the RealVNC authentication bypass and a discussion of ActiveX controls.


When good code goes bad

  1. WHEN GOOD CODE GOES BAD! A SHOWCASE OF MODERN PROGRAMMING MISHAPS (SensePost 2006)
  2. Introduction
       • Who we are.. (SensePost)
       • Who we are.. (charl && haroon)
       • What this talk is about..
           • Answer some of those questions you never ask..
           • Some real world examples (of shocking code)
           • Some real world repercussions
           • Mind the Gap
       • Constraints…
  3. Agenda
       • What is this stack overflow stuff?
       • Then what's a format string vulnerability?
       • Hmmm.. What's all this about dangerous Integers?
       • What happens if we fix all the code?
       • Questions..
  4. What's this Stack Overflow stuff?
       • This is really old news.. (Morris Worm 1988)
       • Is it even still a problem?
       • Super simple explanation:
           • The Stack..
           • Dangerous functions
  5. Super Simple Explanation..

        #include <stdio.h>

        void foo(int a, int b) {
            char buf1[8];
            char buf2[8];
            gets(buf2);          /* unbounded read: input longer than buf2 overruns the stack frame */
        }

        int main(void) {
            foo(1, 2);
            printf("All done!");
        }
  6. Typical Attack.. (the same code as the previous slide)

        #include <stdio.h>

        void foo(int a, int b) {
            char buf1[8];
            char buf2[8];
            gets(buf2);
        }

        int main(void) {
            foo(1, 2);
            printf("All done!");
        }
  7. What's this Stack Overflow stuff?
       • This is really old news.. (Morris Worm 1988)
       • Is it even still a problem?
       • Super simple explanation:
           • The Stack..
           • Dangerous functions
       • Who would make such a silly mistake?
           • Everyone…
       • How easy is this to take advantage of?
           • Today? Point & Click ownage!
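The fix the slides point at with "dangerous functions" is to replace gets() with a read that knows the size of its destination. The following is an added example, not code from the slides or from SensePost: it keeps the slide's foo() with its two 8-byte buffers, swaps gets(buf2) for a bounded fgets()-based read, and drains the rest of an over-long line so the leftover bytes do not leak into the next read. The helper names (read_line_bounded, stream_from, bounded_len_of, demo_overlong_input) and the constructed input strings are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Read at most bufsize-1 bytes of one line into buf (always NUL-terminated),
 * strip the trailing newline, and drain the rest of an over-long line so the
 * leftover bytes cannot be consumed by the next read. Returns bytes stored. */
size_t read_line_bounded(char *buf, size_t bufsize, FILE *in)
{
    if (bufsize == 0) return 0;
    if (fgets(buf, (int)bufsize, in) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { /* discard overflow bytes */ }
    }
    return len;
}

/* Constructed-input helper: turn a string into a readable stream (tmpfile is standard C). */
static FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Read one line of text into a buffer of the given size (capped at 64) and
 * return how many bytes were stored. */
size_t bounded_len_of(const char *text, size_t bufsize)
{
    char buf[64];
    if (bufsize > sizeof buf) bufsize = sizeof buf;
    FILE *in = stream_from(text);
    if (in == NULL) return 0;
    size_t n = read_line_bounded(buf, bufsize, in);
    fclose(in);
    return n;
}

/* The slide's foo(), same 8-byte buffers, but gets() replaced by the bounded read. */
void foo(int a, int b, FILE *in)
{
    char buf1[8];
    char buf2[8];
    (void)a; (void)b; (void)buf1;
    read_line_bounded(buf2, sizeof buf2, in);   /* can never write past buf2[7] */
    printf("got: \"%s\"\n", buf2);
}

/* Demo on constructed input: a 20-byte line followed by a short one. Returns 1 if
 * the first read stored exactly "AAAAAAA" and the second read still saw "short". */
int demo_overlong_input(void)
{
    char first[8], second[8];
    FILE *in = stream_from("AAAAAAAAAAAAAAAAAAAA\nshort\n");
    if (in == NULL) return 0;
    read_line_bounded(first, sizeof first, in);
    read_line_bounded(second, sizeof second, in);
    fclose(in);
    return strcmp(first, "AAAAAAA") == 0 && strcmp(second, "short") == 0;
}

int main(void)
{
    FILE *in = stream_from("AAAAAAAAAAAAAAAAAAAA\n");
    if (in == NULL) return 1;
    foo(1, 2, in);
    fclose(in);
    printf("demo ok: %d\n", demo_overlong_input());
    printf("All done!\n");
    return 0;
}
```

The drain loop is the part that is easy to forget: fgets() alone stops at bufsize-1 bytes, but the unread tail of the line stays in the stream and would be handed to whatever reads next.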
  8. Then what's a format string bug?
       • Spot the bug?
       • "Safe Version"
       • See it yet?

        void syslog(char *buff) { printf(buff); }        /* bug: caller data becomes the format string */

        void syslog(char *buff) { printf("%s", buff); }  /* "safe version": data is an argument to %s */
  9. Then what's a format string bug?

        printf("%s", buff);
        printf(buff);
  10. Then what's a format string bug?

        printf("%s", buff);

        buff = "%s";
        printf(buff);

        C:> issa_format.exe
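The "safe version" on the slide generalises to a rule: the format string is always a literal the program owns, and user text only ever travels through a %s argument. The block below is an added example, not code from the slides or from SensePost. It wraps that rule in two small logging helpers (render_log and log_fmt, both hypothetical names), uses the compiler's format attribute so a non-literal format is flagged at build time, and checks with constructed hostile input in the style of the slide's buff = "%s" that the directives survive as plain text instead of being interpreted.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Render a log line into out. The format string is a literal owned by this
 * function; whatever user_text contains is consumed by %s, never parsed. */
int render_log(char *out, size_t outsize, const char *user_text)
{
    return snprintf(out, outsize, "[app] %s", user_text);
}

/* Variadic wrapper for callers that need their own directives. The format still
 * comes from the caller's literal; with gcc/clang, the attribute makes
 * -Wformat-security (or -Wformat-nonliteral) warn when data is passed as fmt. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_fmt(char *out, size_t outsize, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsize, fmt, ap);
    va_end(ap);
    return n;
}

/* Count '%' characters, so a test can confirm none were consumed as directives. */
int percent_count(const char *s)
{
    int n = 0;
    for (; *s; s++) if (*s == '%') n++;
    return n;
}

/* Demo with constructed hostile input: the directives must appear verbatim in the
 * rendered line. Returns 1 if they do. */
int demo_percent_preserved(void)
{
    char out[128];
    const char *user = "%x %x %n";          /* constructed, in the spirit of buff = "%s" */
    render_log(out, sizeof out, user);
    return strstr(out, "%x %x %n") != NULL && percent_count(out) == 3;
}

int main(void)
{
    char out[128];
    render_log(out, sizeof out, "%x %x %n");
    printf("%s\n", out);                     /* [app] %x %x %n */
    log_fmt(out, sizeof out, "%s=%d", "retries", 3);
    printf("%s\n", out);                     /* retries=3 */
    printf("preserved: %d\n", demo_percent_preserved());
    return 0;
}
```

Rendering into a fixed buffer with snprintf/vsnprintf rather than straight to stdout also means the "safe version" and the bounded-buffer lesson from the stack overflow slides are enforced in the same place.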
  11. What's a dangerous Integer?
  12. What's a dangerous Integer?
       • Same size as a pointer
       • Fixed size (32 bits for our purposes)
       • MAXINT + 1 == ?
       • ISO C99: "Causes Undefined Behavior"
       • 0xffffffff + 0x1 == 0 {Integer Wrap Around}
       • Why is this dangerous?
  13. Ugly Pseudo-Code
       1.) get data from user (buffer)
       2.) add trailing 0 character
       3.) add 1 to length of buffer (for our 0)
       4.) if (length > 80)
       5.) {
       6.)     printf("Sorry your buffer is too long!");
       7.)     exit(-1);
       8.) }
       9.) else
       10.) { copy(other_buffer, buffer); }
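The pseudo-code's step 3 is where the wrap-around from the previous slide bites: with a 32-bit length of 0xffffffff, "length + 1" becomes 0, the "> 80" test passes, and the copy runs with a length the check never saw. The block below is an added example, not code from the slides or from SensePost. It writes the slide's check as it stands (slide_check_accepts) next to a corrected one (safe_check_accepts) that tests for the wrap before adding, and a copy routine (copy_checked) that only runs after the corrected check. All three names, MAX_BUF, and the sample lengths are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_BUF 80   /* the "80" from the slide's step 4 */

/* The slide's "0xffffffff + 0x1 == 0": unsigned 32-bit arithmetic wraps to zero. */
uint32_t wrap_demo(void)
{
    uint32_t maxint = 0xffffffffu;
    return maxint + 1u;                       /* 0 */
}

/* The slide's check, as written: add 1 for the terminator, then compare. */
int slide_check_accepts(uint32_t length)
{
    uint32_t needed = length + 1u;            /* wraps to 0 when length is 0xffffffff */
    return !(needed > MAX_BUF);               /* so the oversized buffer is accepted */
}

/* Corrected check: reject any length for which the addition would wrap, then compare.
 * (Equivalently: return length < MAX_BUF; which never adds at all.) */
int safe_check_accepts(uint32_t length)
{
    if (length > UINT32_MAX - 1u) return 0;   /* length + 1 would wrap */
    return (length + 1u) <= MAX_BUF;
}

/* Step 10 of the pseudo-code, guarded by the corrected check and by the real size
 * of the destination. Returns bytes written including the terminator, 0 if rejected. */
size_t copy_checked(char *other_buffer, size_t other_size,
                    const char *buffer, uint32_t length)
{
    if (!safe_check_accepts(length)) return 0;
    if ((size_t)length + 1u > other_size) return 0;   /* never trust MAX_BUF over sizeof */
    memcpy(other_buffer, buffer, length);
    other_buffer[length] = '\0';
    return (size_t)length + 1u;
}

int main(void)
{
    char other_buffer[MAX_BUF];
    char short_input[] = "hello";             /* constructed sample input */

    printf("0xffffffff + 1 = %u\n", (unsigned)wrap_demo());
    printf("slide check, length 0xffffffff: accepts=%d\n",
           slide_check_accepts(0xffffffffu));     /* 1: the bug */
    printf("safe  check, length 0xffffffff: accepts=%d\n",
           safe_check_accepts(0xffffffffu));      /* 0 */
    printf("copied %zu bytes: \"%s\"\n",
           copy_checked(other_buffer, sizeof other_buffer, short_input, 5), other_buffer);
    return 0;
}
```

Note that the boundary behaviour of the original check is preserved in both versions for ordinary lengths (79 accepted, 80 rejected); only the wrapped case changes, which is why this kind of bug survives normal testing.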
  14. What happens if we fix all the code?
       • The proliferation of "Managed Code"
       • Better and better static code analysis..
       • Is the end in sight for bug hunters?
           • RealVNC Authentication Bypass
           • ActiveX Control
  15. RealVNC Authentication Bypass
       • Discovered by Steve Wiseman of intelliadmin.com (by mistake)
  16. RealVNC Authentication Bypass
       • "show us"
  17. What does this mean?
       • Vendors:
           • There are lots of defects that tools can not easily detect..
           • (There are lots of defects they can!)
           • No vendor is safe just because they have deeper pockets (or "more eyeballs")
       • ISO's:
           • Defense in Depth..
           • End-point-security..
           • Patch Management?
           • If it can happen to Microsoft …
  18. Questions?
       • [email_address]
       • [email_address]
