Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Smashing the Stack for Fun and Profit
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Mitigation of Buffer Overflow Attacks
CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.
COMPUTER SECURITY MIDTERM REVIEW CS161 University of California BerkeleyApril 4, 2012.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
CNIT 127: Exploit Development Ch 1: Before you begin.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
1 Figure 9-3: Webserver and E-Commerce Security Importance of Webservice and E-Commerce Security  Cost of disruptions  The cost of loss of reputation.
JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.
Buffer overflow and stack smashing attacks Principles of application software security.
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Basic of Buffer Over Flow
Computer Forensics Use of Malicious Input.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Let’s look at an example
Shellcode COSC 480 Presentation Alison Buben.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Protecting Memory What is there to protect in memory?
The Hardware/Software Interface CSE351 Winter 2013
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
A Security Review Process for Existing Software Applications
Security mechanisms and vulnerabilities in .NET
Software Security.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Software Security Lesson Introduction
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.
System Calls David Ferry CSCI 3500 – Operating Systems
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
System and Cyber Security
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2010.
Outline Introduction Memory protection Buffer overflows
Return-to-libc Attacks
Presentation transcript:

Computer Forensics Use of Malicious Input

Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common. Prototype of an Attack Mode.

Beware of User Input Anonymous FTP should allow access to files selectively. One implementation parsed the file name. Assume /pub/acc is an allowed directory. Request: get /pub/acc/../../../etc/passwd

Beware of User Input This implementation only parsed the first part of the string. Decided access is OK get /pub/acc/../../../etc/passwd Allowed access to any file. Took several versions before the security breach was firmly patched.

Morale: Don’t reinvent the wheel. Other implementations used a sandbox. Community had learned how to get it right. Parsing input is difficult. Users have an incentive to be inventive. ALL INPUT IS EVIL

Canonical Representation Issues Canonicalization: Translates name to standard representation. Canonical Filenames Napster Name Filtering. Court ordered to restrict access to certain songs. Access was denied based on name of the song. Users bypassed it with uncanonical song names Deepest Chill  Deepest Chi11 Candyman  AndymanCay (in pig latin)

ALL INPUT IS EVIL Mac OS X and Apache Vulnerability HFS+ is case insensitive. Apache uses text-based configuration files, that are case sensitive, to determine Disallow access to directory scripts: order deny, allow deny from all </Location

ALL INPUT IS EVIL Denies user request Allows user request

ALL INPUT IS EVIL Sun StarOffice /tmp directory symbolic link vulnerability Symbolic link: file that points to another file. Symbolic links do not share access rights with the file they point to.

ALL INPUT IS EVIL Sun StarOffice creates file /tmp/soffice.tmp with 0777 access mask. Attacker links /tmp/soffice.tmp to /etc/passwd. Root runs StarOffice Permissions on /etc/passwd would get changed to 0777.

Canonicalization Issues Subsystems cooperate. First subsystem does not canonicalize input in the way the second one does.

Canonicalization Issues Common when software make decisions on file names 8.3 representation of file names IIS looks at extensions. Request to ***.asp::$DATA is routed to asp.dll. But this is a NTFS stream, that sends the ASP source code to the user. Trailing dots or slashes “secretFile.doc.” is same as “secretFile.doc” for windows.

Canonicalization Issues \\?\temp\myfile is the same as \temp\myfile Directory traversal../ AOL 5.0 parental controls: Bypass restriction on URL by adding period to file name. Secure IIS verifies incoming and outgoing data Use hexcode: %64elete instead of delete for key words. Use “%2e%2e/” for “../” Two canonalization issues in Security Software!

Canonicalization Issues Lines with carriage returns: Assume logging of file access: Attacker accesses file: Log entry: Mike :02:12 file.txt Tom :02:12 secret.doc file.txt\r\n \tTom \t13:02:12\tsecret.doc

Canonicalization Issues Escaping: Many ways to represent a character US-ASCII Hexadecimal escape codes UTF-8 variable width encoding UCS-2 Unicode encoding HTML escape codes Double Escaping

Canonicalization Issues Homograph Attacks Characters look the same, but are not Latin letter “o” Cyrillic character “o” (U+043E)

Morale Software should not make decisions based on names. If it has do, enforce name restrictions Don’t trust relative paths.

Data Base Inputs Don’t trust the user. Data base access over the web lead to execution of sql code. string sql = “select * from client where name = ‘” + name + “’” Variable name provided by user If name is Schwarz, this executes string sql = “select * from client where name = ‘schwarz’”

Data Base Inputs User enters: Schwarz’ or 1=1 - - The sql statement becomes string sql = “select * from client where name = ‘schwarz’ or 1=1 - -” Selects all clients - - SQL comment, comments out everything behind.

Buffer Overflow Attacks Stack: push and pop

Buffer Overflow Attacks Stack is area of program memory that contains static allocated variables, return addresses, etc.

Buffer Overflow Attack When the assembly call is executed to call test Place variables on stack (lifo) abcdabcd void test( int a, int b, int c, int d) { char flag; char buffer[10]; } Stack:

Buffer Overflow Attack When the assembly call is executed to call test Place variables on stack (lifo) Place return address on stack ret a b c d void test( int a, int b, int c, int d) { char flag; char buffer[10]; }

Buffer Overflow Attack When the assembly call is executed to call test … Place SFP (EBP) on stack Saved frame pointer Used to address local variables Allocate local variables flag, buffer void test( int a, int b, int c, int d) { char flag; char buffer[10]; } buffer[0] buffer[1]. buffer[9] flag sfp ret a b c d

Buffer Overflow Attack When function returns Pop the local variables By resetting the stackpointer. Restore the frame pointer. Reload the value in ret into the program counter. Pop arguments. void test( int a, int b, int c, int d) { char flag; char buffer[10]; } buffer[0] buffer[1]. buffer[9] flag sfp ret a b c d

Buffer Overflow Attack Buffer overflow: If user can input value into buffer without checking numbers, then we can overwrite important parts of the stack.

Buffer Overflow Attack User inputs 16 “AA” bytes When PC is restored, we load this value. User can control program flow. void test( int a, int b, int c, int d) { char flag; char buffer[10]; scanf(“%s\n”, buffer) } “AA”. “AA” “AAAA” a b c d

Buffer Overflow Attack void foo(const char* input) { char buf[10]; printf("Hello World\n"); } int main(int argc, char* argv[]) { foo(argv[1]); return 0; }

Buffer Overflow Attack Windows example: Compilers vary

Buffer Overflow Attack #pragma check_stack(off) #include void foo(const char* input) { char buf[10]; printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); strcpy(buf, input); printf("%s\n", buf); printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); } void bar(void) { printf("Augh! I've been hacked!\n"); }

Buffer Overflow Attack int main(int argc, char* argv[]) { printf("Address of foo = %p\n", foo); printf("Address of bar = %p\n", bar); if (argc != 2) { printf("Please supply a string as an argument!\n"); return -1; } foo(argv[1]); return 0; }

Buffer Overflow Attack Chapter05>stackoverrun.exe Hello Address of foo = Address of bar = My stack looks like: A28 7FFDF FEE BB D Hello Now the stack looks like: 6C6C F 7FFDF FEE BB D

Buffer Overflow Attack

Perl Scripts are handy

Buffer Overflow Attack

Fun, but useless. Real attack: overwrite return address so that code execution jumps into the input given by attacker.

Buffer Overflow Attack To protect against signatures, structure input Varying stuff execve(/bin/sh) (gives new shell with program privileges in UNIX) Pointer to execve statement.

Buffer Overflow Attack Finding vulnerabilities Script-kiddies scan target with automated tool. Tool creator has detailed analysis of vulnerabilities. Look for strcpy, gets, getws, memcpy memmove, scanf, … Alternatively, just cram the application until it crashes. Crash used to give you locations of registers.

Buffer Overflow Attack Finding vulnerabilities Disassembly code for which a source is not available.

Buffer Overflow Attack Example: Cram in lots of input of As. Program crashes, EIP has value Sign of buffer overflow. Now try to feed more specific input.

Buffer Overflow Attack

Attack signature can be used by IDS. Vary the NOP commands. Many alternatives.

Buffer Overflow Attack Protection Make stack non-executable. Use canary birds.

Buffer Overflow Attack Stack Guard MS Visual Studio use canaries.

Buffer Overflow Attack MS Outlook Vcard: Virtual business card buffer overflow vulnerability. IIS 5 Internet Printing Protocol

Buffer Overflow Attacks But the first MS implementation made it worse. When Canary was overwritten, program executed user written handler. Attacker could use buffer overflow to overwrite the address of the handler function. The overwriting value would point to the stack. The very same mechanism intended to prevent some buffer overflow attacks can be used to

Heap Overflow Attack These protections do not apply to heaps, where dynamically allocated memory resides. Some of this memory contains the addresses of functions that are going to be called. Harder to find, harder to protect against.

Overflow Attacks When the vulnerable program runs at administrator level, overflow attacks give escalation of privileges.

Remember: People attack computer systems because they can.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.