Week 3: Format String Vulnerability

Presentation on theme: "Week 3: Format String Vulnerability"— Presentation transcript:

1 Week 3: Format String Vulnerability

2 Outline
Format string vulnerability and exploitation techniques.
Read The Art of Exploitation, section 0x350.

3 Format Parameters
We should all be very familiar with string format parameters. They are commonly used in printf, sprintf, fprintf, and related functions.

4 Format Parameters For more information, read the manual for printf (man 3 printf)

5 Format Parameters The “h” length modifier

6 Format Parameter Examples
Before we run the program, can we figure out the expected outputs from the program?

7 Stack Layout for printf

8 Format String Vulnerability

9 Understanding the Vulnerability
Here is the key to understanding how a format string vulnerability is exploited.

10 Reading from Arbitrary Memory Address
Note that if we can read from an arbitrary memory address, we can obtain all kinds of valuable information. Encryption and decryption keys are often kept in memory. Plaintext passwords and other sensitive information can be found in memory as well (at least sometimes).
How? By exploiting a format string vulnerability.

11 Reading from Arbitrary Memory Address
The exact command depends on the stack layout, and you can work it out by doing the following.

16 Writing to Arbitrary Memory Address
Clearly, the ability to write to an arbitrary memory address gives a penetration tester much more capability to exploit the system. How? Is it possible?
Note that "%n" writes the number of bytes printed so far by printf (or another string function) to the address passed as the argument for "%n". But the number of bytes we can print is often very limited. How can we produce an arbitrary value, such as a memory address, as that count?
We can use the field-width option to generate a large number of bytes.

21 Writing to Arbitrary Memory Address
Clearly, the ability to write to an arbitrary memory address gives a penetration tester much more capability to exploit the system. However, writing a very large number (such as 0xffffdbff) in one go would be difficult. What can we do?
We can write one byte at a time. If we need to write a big number, we can do it with several single-byte writes.
We can also use short writes (using the "h" length modifier).

22 Writing to Arbitrary Memory Address
The “h” length modifier

24 Writing to Arbitrary Memory Address
Format parameter arguments do not need to be accessed sequentially, even though we do that in most cases. A parameter argument can be accessed directly by using "$". For example, "%i$d" accesses the ith parameter argument, where i is an integer.

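
Added example, not from the slides or the book they follow: the printf behaviours slides 15 to 24 rely on (%n counting the bytes printed, a field width inflating that count, the "h" modifier making a short write, and "$" selecting an argument by position), shown with %n targets the program itself supplies; the function names are chosen here.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not from the slides: the printf mechanics the slides rely on
 * (%n, field width, the "h" length modifier and "$" direct access) with the
 * %n targets supplied by the program itself. In a real format string bug the
 * attacker chooses the format string and therefore where %n writes. */

/* 1. %n stores the number of bytes printed so far. A field width inflates
 *    that count without a long format string: "AB" + 8-wide field + "C". */
int count_with_width(void)
{
    int written = -1;
    char out[64];
    snprintf(out, sizeof out, "AB%8dC%n", 7, &written);
    return written;                 /* 11 */
}

/* 2. %hn is a "short write": only the low 16 bits of the count are stored
 *    and the other half of the 32-bit target is untouched. The union keeps
 *    the type punning legal C and the check endian-independent. */
typedef union { unsigned int whole; unsigned short half[2]; } Target;

Target short_write(void)
{
    Target t;
    char out[64];
    t.whole = 0xAAAAAAAAu;
    snprintf(out, sizeof out, "%12c%hn", 'x', &t.half[0]);
    return t;                       /* half[0] == 12, half[1] == 0xAAAA */
}

/* 3. "$" picks arguments by position instead of in order: %2$s is printed
 *    first, then %1$s, and %3$n records the total length. Returns that
 *    length, or -1 if the output is not the expected text. */
int direct_access(void)
{
    int len = -1;
    char out[64];
    snprintf(out, sizeof out, "%2$s and %1$s%3$n", "second", "first", &len);
    return strcmp(out, "first and second") == 0 ? len : -1;   /* 16 */
}

int main(void)
{
    Target t = short_write();
    printf("width count: %d\n", count_with_width());
    printf("short write: low=%u high=%#x\n", (unsigned)t.half[0], (unsigned)t.half[1]);
    printf("direct access length: %d\n", direct_access());
    return 0;
}
```
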
26 Overwriting .dtors
The GNU C compiler generates special table sections, .ctors and .dtors, for constructors and destructors. Constructors are executed before the main() function runs, and destructors are executed just before the main() function exits with an exit system call.

27 Overwriting .dtors

30 Overwriting .dtors
We can overwrite the .dtors section of fmt_vuln with the address of injected shellcode.

31 Overwriting the Global Offset Table
The GNU C compiler also generates another special section, called .plt (procedure linkage table). It is essentially a table for referencing all the functions. The section consists of many jump instructions, each one corresponding to the address of a function.

32 Overwriting the Global Offset Table

33 Overwriting the Global Offset Table

34 Overwriting the Global Offset Table

35 Overwriting the Global Offset Table
If we can overwrite the entry for the exit() function with the address of a shellcode segment, we get a shell.

36 Summary
By exploiting a format string vulnerability, we can:
Read from an arbitrary memory location.
Write to an arbitrary memory location, which gives a penetration tester the capability to develop exploits by overwriting the global offset table, destructors (.dtors), and so on.
Please keep in mind, though, that format string vulnerabilities are easy to identify, and therefore they can be easily fixed as well.
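
Added example, not from the slides: the vulnerable call beside its fix, for the summary's last point, plus a check that flags untrusted input carrying conversion specifiers; echo_vulnerable, echo_fixed and count_conversions are names chosen here.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not from the slides: the vulnerable call pattern beside its
 * fix, plus a small check that flags untrusted text carrying conversion
 * specifiers (useful for input validation, log review and fuzz triage). */
/* Vulnerable: the untrusted string *is* the format, so every %x, %s and %n
 * in it is interpreted. Never called here, shown for contrast only;
 * gcc/clang -Wformat-security reports this call at compile time. */
void echo_vulnerable(const char *untrusted)
{
    printf(untrusted);
}

/* Fixed: the format is a literal and the untrusted data is only an argument,
 * so a "%n" in the input is printed as the two characters '%' and 'n'. */
int echo_fixed(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Number of real conversion specifiers in s, i.e. a '%' that is not part of
 * the escaped pair "%%". Anything above zero in data that is supposed to be
 * plain text is a strong sign of a format string probe. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* 1 if echo_fixed reproduces the input verbatim, 0 otherwise. */
int echo_fixed_is_verbatim(const char *untrusted)
{
    char out[128];
    int n = echo_fixed(out, sizeof out, untrusted);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, untrusted) == 0;
}

int main(void)
{
    const char *probe = "%x%x%x%n";          /* constructed sample input */
    printf("verbatim: %d, conversions: %d\n", echo_fixed_is_verbatim(probe), count_conversions(probe));
    return 0;
}
```
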

37 Next time
We will cover techniques to overflow other segments (such as heap and bss), section 0x340. They can be done by exploiting other vulnerabilities, such as integer type conversion errors and double free errors.
