Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common.

Published byDamian Anthony Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common."— Presentation transcript:

1 Computer Forensics Use of Malicious Input

2 Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common. Prototype of an Attack Mode.

3 Beware of User Input Anonymous FTP should allow access to files selectively. One implementation parsed the file name. Assume /pub/acc is an allowed directory. Request: get /pub/acc/../../../etc/passwd

4 Beware of User Input This implementation only parsed the first part of the string. Decided access is OK get /pub/acc/../../../etc/passwd Allowed access to any file. Took several versions before the security breach was firmly patched.

5 Morale: Don’t reinvent the wheel. Other implementations used a sandbox. Community had learned how to get it right. Parsing input is difficult. Users have an incentive to be inventive. ALL INPUT IS EVIL

6 Canonical Representation Issues Canonicalization: Translates name to standard representation. Canonical Filenames Napster Name Filtering. Ordered to restrict access to certain songs. Access was denied based on name of the song. Users bypassed it with uncanonical song names Deepest Chill  Deepest Chi11 Candyman  AndymanCay (in pig latin)

7 ALL INPUT IS EVIL Mac OS X and Apache Vulnerability HFS+ is case insensitive. Apache uses text-based configuration files, that are case sensitive, to determine Disallow access to directory scripts: order deny, allow deny from all </Location

8 ALL INPUT IS EVIL Denies user request Allows user request http://www.mysite.org/scripts/index.html http://www.mysite.org/SCRIPTS/index.html

9 ALL INPUT IS EVIL Sun StarOffice /tmp directory symbolic link vulnerability Symbolic link: file that points to another file. Symbolic links do not share access rights with the file they point to.

10 ALL INPUT IS EVIL Sun StarOffice creates file /tmp/soffice.tmp with 0777 access mask. Attacker links /tmp/soffice.tmp to /etc/passwd. Root runs StarOffice Permissions on /etc/passwd would get changed to 0777.

11 Canonicalization Issues Subsystems cooperate. First subsystem does not canonicalize input in the way the second one does.

12 Canonicalization Issues Common when software make decisions on file names 8.3 representation of file names IIS looks at extensions. Request to ***.asp::$DATA is routed to asp.dll. But this is a NTFS stream, that sends the ASP source code to the user. Trailing dots or slashes “secretFile.doc.” is same as “secretFile.doc” for windows.

13 Canonicalization Issues \\?\temp\myfile is the same as \temp\myfile Directory traversal../ AOL 5.0 parental controls: Bypass restriction on URL by adding period to file name. Secure IIS verifies incoming and outgoing data Use hexcode: %64elete instead of delete for key words. Use “%2e%2e/” for “../” Two canonalization issues in Security Software!

14 Canonicalization Issues Lines with carriage returns: Assume logging of file access: Attacker accesses file: Log entry: 111.11.11.11 Mike 2004-02-19 13:02:12 file.txt 127.0.0. 1 Tom 2004-02-19 13:02:12 secret.doc file.txt\r\n127.0.0.1\tTom2004-02-19\t13:02:12\tsecret.doc

15 Canonicalization Issues Escaping: Many ways to represent a character US-ASCII Hexadecimal escape codes UTF-8 variable width encoding UCS-2 Unicode encoding HTML escape codes Double Escaping

16 Canonicalization Issues Homograph Attacks Characters look the same, but are not Latin letter “o” Cyrillic character “o” (U+043E)

17 Morale Software should not make decisions based on names. If it has do, enforce name restrictions Don’t trust relative paths.

18 Data Base Inputs Don’t trust the user. Data base access over the web lead to execution of sql code. string sql = “select * from client where name = ‘” + name + “’” Variable name provided by user If name is Schwarz, this executes string sql = “select * from client where name = ‘schwarz’”

19 Data Base Inputs User enters: Schwarz’ or 1=1 - - The sql statement becomes string sql = “select * from client where name = ‘schwarz’ or 1=1 - -” Selects all clients - - SQL comment, comments out everything behind.

20 Buffer Overflow Attacks Stack: push and pop

21 Buffer Overflow Attacks Stack is area of program memory that contains static allocated variables, return addresses, etc.

22 Buffer Overflow Attack void foo(const char* input) { char buf[10]; printf("Hello World\n"); } int main(int argc, char* argv[]) { foo(argv[1]); return 0; }

23 Buffer Overflow Attack

24 Works by overwriting the return address to jump somewhere else.

25 Buffer Overflow Attack #pragma check_stack(off) #include void foo(const char* input) { char buf[10]; printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); strcpy(buf, input); printf("%s\n", buf); printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); }

26 Buffer Overflow Attack void bar(void) { printf("Augh! I've been hacked!\n"); }

27 Buffer Overflow Attack int main(int argc, char* argv[]) { printf("Address of foo = %p\n", foo); printf("Address of bar = %p\n", bar); if (argc != 2) { printf("Please supply a string as an argument!\n"); return -1; } foo(argv[1]); return 0; }

28 Buffer Overflow Attack Chapter05>stackoverrun.exe Hello Address of foo = 00401000 Address of bar = 00401050 My stack looks like: 00000000 00000A28 7FFDF000 0012FEE4 004010BB 0032154D Hello Now the stack looks like: 6C6C6548 0000006F 7FFDF000 0012FEE4 004010BB 0032154D

29 Buffer Overflow Attack

30

31

32

33 Fun, but useless. Real attack: overwrite return address so that code execution jumps into the input given by attacker.

34 Buffer Overflow Attack To protect against signatures, structure input Varying stuff execve(/bin/sh) (gives new shell with program privileges in UNIX) Pointer to execve statement.

35 Buffer Overflow Attack Finding vulnerabilities Script-kiddies scan target with automated tool. Tool creator has detailed analysis of vulnerabilities. Look for strcpy, gets, getws, memcpy memmove, scanf, … Alternatively, just cram the application until it crashes. Crash used to give you locations of registers.

36 Buffer Overflow Attack Example: Cram in lots of input of As. Program crashes, EIP has value 41414141. Sign of buffer overflow. Now try to feed more specific input.

37 Buffer Overflow Attack

38 Attack signature can be used by IDS. Vary the NOP commands. Many alternatives.

39 Buffer Overflow Attack Protection Make stack non-executable. Use canary birds.

40 Buffer Overflow Attack Stack Guard MS Visual Studio use canaries.

41 Buffer Overflow Attack MS Outlook Vcard: Virtual business card buffer overflow vulnerability. IIS 5 Internet Printing Protocol

42 Heap Overflow Attack These protections do not apply to heaps, where dynamically allocated memory resides. Some of this memory contains the addresses of functions that are going to be called. Harder to find, harder to protect against.

43 Remember: People attack computer systems because they can.

Download ppt "Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common.

Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks Standard Tool to Break Into Systems. Used for Access Escalation. Very Common.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.

Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Computer Forensics Use of Malicious Input.

Computer Forensics Use of Malicious Input.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.

Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.
An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.

An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.
The OWASP Top 10 and Buffer Overflow Attacks

The OWASP Top 10 and Buffer Overflow Attacks
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.

Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.

Similar presentations

Ads by Google