CS703 - Advanced Operating Systems By Mr. Farhan Zaidi
Lecture No. 42
Overview of today's lecture
- Trojan horses
- Login spoofing attacks
- Logic bombs
- Trap doors
- Buffer and stack overflow attacks
- Unsafe C library functions
Trojan Horses (from Tanenbaum's book)
- A free program is made available to an unsuspecting user
- It actually contains code to do harm, and that code runs with the privileges of whoever runs the program
- Variant: place an altered version of a common utility program on the victim's computer and trick the user into running that version instead of the real one
Login Spoofing
[figure] (a) Correct login screen (b) Phony login screen
- The attacker leaves a program running on a shared terminal that draws a screen identical to the real login prompt
- It records the login name and password the victim types, prints "login incorrect", and then starts the genuine login program, so the victim simply assumes a typo
- Defence: a secure attention key (e.g. Ctrl-Alt-Del on Windows) that only the operating system can intercept, so pressing it always reaches the real login program
Logic Bombs
- A company programmer writes a program with the potential to do harm
- It stays harmless as long as he/she enters a password daily
- If the programmer is fired, no password is entered and the bomb "explodes"
Trap Doors
[figure] (a) Normal code. (b) Code with a trapdoor inserted
- A trapdoor is code inserted by a programmer that bypasses the normal check, e.g. a login program that also accepts one hard-coded name regardless of the password
- The change is a single extra condition in otherwise correct code, which is why mandatory code review is the usual defence
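The login loop of the figure, written out as an added example (this is not the lecture's own listing): the same validity check once as written and once with a trapdoor. The credential table and the trapdoor name "zzzzz" are constructed for the demonstration.

```c
/* Added example, not the lecture's figure: a Tanenbaum-style login check,
 * (a) as written and (b) with a trapdoor. The account table and the name
 * "zzzzz" are assumptions made for this demo. */
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed credential table standing in for the real password file. */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    {"alice", "correct horse"},
    {"bob",   "hunter2"},
};

/* The legitimate check: the name must exist and the password must match. */
bool check_validity(const char *name, const char *password)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0 &&
            strcmp(accounts[i].password, password) == 0)
            return true;
    return false;
}

/* (a) Normal code: a shell is started only when the check passes. */
bool login_normal(const char *name, const char *password)
{
    return check_validity(name, password);
}

/* (b) The same decision with a trapdoor: one hard-coded name is accepted
 * with any password. Everything else is identical, which is why the extra
 * condition is easy to miss without code review. */
bool login_with_trapdoor(const char *name, const char *password)
{
    bool v = check_validity(name, password);
    if (v || strcmp(name, "zzzzz") == 0)
        return true;
    return false;
}

int main(void)
{
    printf("normal   zzzzz/x : %d\n", login_normal("zzzzz", "x"));
    printf("trapdoor zzzzz/x : %d\n", login_with_trapdoor("zzzzz", "x"));
    return 0;
}
```

When reviewing authentication code, a string literal compared against the user name inside the decision that grants access is exactly the pattern to look for.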
Buffer overflows
- First major exploit: the 1988 Internet Worm, which attacked fingerd (gets() into a fixed-size buffer)
- Extremely common bug. Ten years later, over 50% of all CERT advisories:
  1997: 16 out of 28 CERT advisories
  1998: 9 out of 13
  1999: 6 out of 12
- Often leads to total compromise of the host
- Fortunately, an exploit requires expertise and patience. Two steps:
  1. Locate a buffer overflow within an application
  2. Design an exploit
Buffer Overflow
[figure] (a) Situation when main program is running (b) After program A called (c) Buffer overflow shown in gray
What are buffer overflows?
Suppose a web server contains a function:

    void func(char *str) {
        char buf[128];
        strcpy(buf, str);
        do_something(buf);
    }

When the function is invoked the stack looks like this (the stack grows downward, so the top of the stack is the lowest address):

    top of stack ->  buf[128]
                     sfp        (saved frame pointer of the caller)
                     ret-addr   (return address into the caller)
                     str        (the argument)

What if *str is 136 bytes long? strcpy() copies until it finds a NUL and never looks at the size of buf, so after strcpy the first 128 bytes of *str fill buf and the next 8 bytes overwrite sfp and ret-addr (4 bytes each on the 32-bit frame assumed in the slides):

    top of stack ->  buf        <- *str bytes 0..127
                     sfp        <- *str bytes 128..131
                     ret-addr   <- *str bytes 132..135
Basic stack exploit
Main problem: no range checking in strcpy().
Suppose *str is crafted such that after strcpy the stack looks like:

    top of stack ->  buf        <- code for program P
                     sfp        <- (overwritten, value irrelevant)
                     ret-addr   <- address of buf, i.e. of P

Program P: exec("/bin/sh") (exact shellcode by Aleph One, "Smashing the Stack for Fun and Profit").
When func() exits it returns to the overwritten ret-addr, which points at P: the user is given a shell!
Note: the attack code runs in the stack. (On current systems the stack is normally mapped non-executable, which blocks this exact variant; the overwrite of ret-addr itself is unchanged.)
To determine ret, guess the position of the stack when func() is called. The guess need not be exact: precede P with a stream of NOPs (a NOP sled), so that landing anywhere in the sled slides execution into P.
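To make the overwrite above observable without executing anything on the stack, here is an added example (not code from the lecture) that models func()'s 32-bit frame as an ordinary struct: buf[128], then the 4-byte saved frame pointer, then the 4-byte return address. A 136-byte input is copied into it the way strcpy would, and the resulting ret-addr is read back. The filler byte 'A' and the values 0x0badf00d / 0xdeadbeef are constructed for the demo; a bounds-checked copy is shown beside the unsafe one.

```c
/* Added example, not from the lecture: a struct model of the frame drawn in
 * the slides, used to show exactly which input bytes land on sfp and ret.
 * The payload values (0x41 filler, 0x0badf00d, 0xdeadbeef) are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 128

/* Layout of func()'s frame as on the slide: buf at offset 0, sfp at 128,
 * ret at 132. There is no padding, so the struct is exactly 136 bytes. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t sfp;   /* saved frame pointer of the caller */
    uint32_t ret;   /* return address into the caller    */
};
_Static_assert(sizeof(struct frame) == 136, "frame layout must match slide");

/* What strcpy(buf, str) does: copies bytes up to the NUL with no regard for
 * BUF_SIZE. For the model the copy is clamped to the frame so the demo stays
 * well defined; the real strcpy has no such clamp (and also writes the
 * terminating NUL one byte further still). */
void vulnerable_copy(struct frame *f, const char *str)
{
    size_t n = strlen(str);
    if (n > sizeof *f) n = sizeof *f;   /* clamp exists only in this model */
    memcpy(f, str, n);
}

/* Hardened form: measure first, refuse input that does not fit (leaving room
 * for the NUL) instead of truncating silently. Returns 0 on success, -1 on
 * over-long input; buf is untouched in the failure case. */
int safe_copy(struct frame *f, const char *str)
{
    size_t n = strlen(str);
    if (n >= BUF_SIZE) return -1;
    memcpy(f->buf, str, n + 1);
    return 0;
}

/* Build the 136-byte input from the slide: 128 bytes of filler followed by
 * the bytes destined for sfp and ret, in host byte order. */
void build_input(char out[137], uint32_t new_sfp, uint32_t new_ret)
{
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &new_sfp, sizeof new_sfp);
    memcpy(out + BUF_SIZE + 4, &new_ret, sizeof new_ret);
    out[136] = '\0';
}

/* Run the model: the return address func() would use after strcpy(). */
uint32_t ret_after_overflow(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.sfp = 0x11111111u;          /* constructed "legitimate" values */
    f.ret = 0x22222222u;
    vulnerable_copy(&f, input);
    return f.ret;
}

int main(void)
{
    char input[137];
    build_input(input, 0x0badf00du, 0xdeadbeefu);
    printf("ret-addr after overflow: 0x%08x\n", ret_after_overflow(input));
    struct frame f;
    memset(&f, 0, sizeof f);
    printf("safe_copy accepts 136 bytes? %s\n",
           safe_copy(&f, input) == 0 ? "yes" : "no");
    return 0;
}
```

Note that build_input only works because neither 0x0badf00d nor 0xdeadbeef contains a zero byte; an address with a 0x00 byte would terminate the string early, which is the constraint discussed under "complications" later in the lecture.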
Some unsafe C lib functions
- strcpy(char *dest, const char *src): copies until the NUL of src, never looks at the size of dest
- strcat(char *dest, const char *src): same, appending to dest
- gets(char *s): reads a whole line with no bound at all (removed from the C11 standard)
- scanf(const char *format, ...): a "%s" conversion without a field width is unbounded
- printf(const char *format, ...): dangerous when the format string itself is attacker-controlled, i.e. printf(str) instead of printf("%s", str)
How does an attacker actually launch this attack?
- Inspection of source code
- With the help of debuggers
- Cramming a lot of data into a program and watching for crashes
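The bounded counterparts of the functions listed above, as an added example (not from the lecture). The buffers are deliberately 16 bytes so the over-long cases are easy to trigger; all inputs are constructed. sscanf and fmemopen stand in for scanf and stdin so the code runs on fixed strings.

```c
/* Added example, not from the lecture: bounded replacements for the unsafe
 * calls on the slide, each reporting truncation instead of hiding it.
 * DEST_SIZE and the sample inputs are chosen for the demo. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the demo main */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define DEST_SIZE 16

/* strcpy() replacement: copies into dest[DEST_SIZE], always NUL-terminates,
 * returns true only if the whole string fit. strncpy() is avoided on
 * purpose: it does not terminate on overflow and zero-pads the rest. */
bool bounded_copy(char dest[DEST_SIZE], const char *src)
{
    int n = snprintf(dest, DEST_SIZE, "%s", src);
    return n >= 0 && (size_t)n < DEST_SIZE;
}

/* strcat() replacement: appends into the space that is actually left. */
bool bounded_append(char dest[DEST_SIZE], const char *src)
{
    size_t used = strlen(dest);
    if (used >= DEST_SIZE) return false;          /* dest not terminated */
    int n = snprintf(dest + used, DEST_SIZE - used, "%s", src);
    return n >= 0 && (size_t)n < DEST_SIZE - used;
}

/* scanf("%s") replacement: the field width (15 = DEST_SIZE - 1) bounds the
 * conversion, leaving room for the NUL. Returns the token length stored. */
int bounded_token(char dest[DEST_SIZE], const char *line)
{
    dest[0] = '\0';
    if (sscanf(line, "%15s", dest) != 1) return 0;
    return (int)strlen(dest);
}

/* gets() replacement: fgets() plus the two checks callers forget, the
 * trailing newline and silent truncation (no newline seen means the rest of
 * the line is still pending). Returns 1 complete, 0 truncated, -1 on EOF. */
int bounded_line(char dest[DEST_SIZE], FILE *in)
{
    if (fgets(dest, DEST_SIZE, in) == NULL) return -1;
    char *nl = strchr(dest, '\n');
    if (nl) { *nl = '\0'; return 1; }
    return 0;
}

/* printf(str) vs printf("%s", str): user text goes through "%s" so any '%'
 * directives inside it are printed literally, never interpreted. */
int safe_echo(char out[DEST_SIZE * 4], const char *user_text)
{
    return snprintf(out, DEST_SIZE * 4, "%s", user_text);
}

int main(void)
{
    char d[DEST_SIZE], out[DEST_SIZE * 4];
    printf("copy fit? %d -> \"%s\"\n", bounded_copy(d, "0123456789abcdefXYZ"), d);
    printf("token len %d -> \"%s\"\n", bounded_token(d, "  GET /index.html HTTP/1.0"), d);
    static const char sample[] = "short\nthis line is definitely longer than fifteen\n";
    FILE *fp = fmemopen((void *)sample, sizeof sample - 1, "r");
    if (fp) {
        while (bounded_line(d, fp) >= 0) printf("line -> \"%s\"\n", d);
        fclose(fp);
    }
    safe_echo(out, "%n%x");
    printf("echo -> \"%s\"\n", out);
    return 0;
}
```

The common thread is that every replacement takes the destination size as an argument and tells the caller when input was cut off; a truncation that goes unnoticed is the usual way a "safe" rewrite still ends up with a logic bug.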
Exploiting buffer overflows
- Suppose the web server calls func() with the given URL
- The attacker can then create a 200-byte URL to obtain a shell on the web server
Some complications:
- Program P should not contain the '\0' character: strcpy() stops at the first NUL, so the shellcode and the overwritten return address must both be NUL-free
- The overflow should not crash the program before func() exits, since control is only hijacked at the return; whatever is overwritten between buf and ret-addr (the saved frame pointer, any other locals) must not be used in a way that faults first
Sample buffer overflows of this type:
- Overflow in the MIME type field in MS Outlook
- Overflow in ISAPI in IIS
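Assembling the 200-byte input described above, as an added example that is not part of the lecture: a NOP sled, then the code for P, then the guessed return address repeated so that whichever copy lands on ret-addr points back into the sled. The "shellcode" is a placeholder (0xCC int3 bytes) rather than real shellcode, the guessed address 0xbffff7a0 is made up, and the frame sizes match the slides (buf 128, sfp 4, ret-addr 4). The NUL check shows why some addresses and code bytes cannot be used.

```c
/* Added example, not from the lecture: building the 200-byte payload.
 * placeholder_code, the guessed address and PAYLOAD_LEN are assumptions
 * for the demo; RET_OFFSET follows the frame drawn in the slides. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define PAYLOAD_LEN 200
#define RET_OFFSET  132          /* buf[128] + 4-byte saved frame pointer */

/* Placeholder standing in for real shellcode (int3 breakpoints). */
static const unsigned char placeholder_code[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* strcpy() stops at the first NUL, so a payload containing a zero byte is
 * truncated there. Returns true if all len bytes are non-zero. */
bool nul_free(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0) return false;
    return true;
}

/* Fill out[PAYLOAD_LEN] as [NOP sled][code][ret ret ret ...]. The code is
 * placed so it ends exactly at RET_OFFSET; from there the guessed address is
 * repeated to the end of the payload. Returns the number of address copies
 * written, or -1 if the code does not fit or the result contains a NUL. */
int build_payload(unsigned char out[PAYLOAD_LEN],
                  const unsigned char *code, size_t code_len,
                  uint32_t guessed_ret)
{
    if (code_len > RET_OFFSET) return -1;
    size_t sled_len = RET_OFFSET - code_len;
    memset(out, 0x90, sled_len);                 /* 0x90 = x86 NOP */
    memcpy(out + sled_len, code, code_len);
    int copies = 0;
    for (size_t off = RET_OFFSET; off + 4 <= PAYLOAD_LEN; off += 4, copies++)
        memcpy(out + off, &guessed_ret, 4);      /* host byte order */
    return nul_free(out, PAYLOAD_LEN) ? copies : -1;
}

/* The value that lands in ret-addr after strcpy() of this payload. */
uint32_t ret_in_payload(const unsigned char *payload)
{
    uint32_t v;
    memcpy(&v, payload + RET_OFFSET, 4);
    return v;
}

int main(void)
{
    unsigned char p[PAYLOAD_LEN];
    int copies = build_payload(p, placeholder_code, sizeof placeholder_code, 0xbffff7a0u);
    printf("copies of ret: %d, ret-addr = 0x%08x\n", copies, ret_in_payload(p));
    /* An address with a zero byte (e.g. 0x08048000) cannot be used: */
    printf("with 0x08048000: %d\n",
           build_payload(p, placeholder_code, sizeof placeholder_code, 0x08048000u));
    return 0;
}
```

The guessed address only has to fall somewhere inside the 128-byte sled for execution to slide into P, which is what makes the stack-position guess from the previous slide tolerant of error. Repeating the address past offset 132 costs nothing and covers the case where the real distance from buf to ret-addr is a little larger than assumed.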