Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-

Similar presentations


Presentation on theme: "Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-"— Presentation transcript:

1 Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\- /lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\ \ / `-' (U) `-' \ / `-' `-' CS3695 – Network Vulnerability Assessment & Risk Mitigation –

2 Buffer Overflows Buffer Overflows have been “all the rage” lately... THE definitive resources for this topic – XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Smashing The Stack For Fun And Profit XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX by Aleph On –The Tao of Windows Buffer Overflow as taught by DilDog Essence Throughout these ages our operating systems infested by bugs The ignorant world turns to Windows for safety Safety from themselves It is now the time for the world to realize that we all feel pain Essence Throughout these ages our operating systems infested by bugs The ignorant world turns to Windows for safety Safety from themselves It is now the time for the world to realize that we all feel pain

3 In it’s simplest terms, a buffer overflow attack places an oversized input into a variable... overflowing its boundaries and writing over some other code. If properly placed, this will point the program to perform our code (now residing inside that variable’s memory location) In Simple Terms...

4 Poor programmers don’t check for a valid size input, and some languages (C/C++ for example; used to write most of our modern day programs and OS’) will over-write other locations in memory when an input is larger then it’s variable... Why Does This Happen?

5

6 Processes and the OS... –When a process (in simple terms a program) starts, the OS allots a certain amount of memory to manage that process –It is broken down into three parts: TEXT: the main code DATA: static data SEGMENT: scratch pad area for functions... HEAP: for malloc() calls for memory allocation –Lets see how this works... Background

7 Program starts and allocates memory... filling the text and data portions... Memory Allotment Low Memory 0x0000 High Memory 0xFFFF TEXT: Main Code DATA: Static Variables Grows Up

8 Once the program starts to run, it sets up the STACK as functions are called... The stack’s end point is tracked in a register called Stack Point (SP) Memory Allotment Low Memory 0x0000 High Memory 0xFFFF TEXT: Main Code DATA: Static Variables STACK: Function “Scratch Pad” Free Memory Grows Down HEAP: Malloc() HEAP: Malloc()

9 Each function called will be set up with its own frame... Pushing on to the stack that function’s arguments, parameters, and more... Stack Frames Low Memory 0x0000 High Memory 0xFFFF TEXT: Main Code DATA: Static Variables STACK: Grows Down HEAP: Malloc() HEAP: Malloc()

10 As the functions are called, and the frames created, some registers that track locations change... FP (or EBP) shows where the frame started... SP (or ESP) tracks the new end of the stack EI (EIP) tracks the next instruction Stack Frames (cont) STACK: 0xFFFF Arguments Return Address (previous EBP) some address in main (back in the TEXT section) Variables (buffers) 0xFF12 Previous FP (EBP) Grows Down Stack Pointer (SP) or ESP {shows the “end” of the stack} Frame Pointer (FP) or EBP {shows the “end” of the last frame} 0xFF120xFFFF 0xFF48 Extended Inst (EI) or EIP {shows where to execute next instruction} 0xFF48

11 As a new, second function is called by the first function, the second function’s frame causes some more register changes... Stack Frames (cont) STACK: 0xFFFF Arguments Return Address (previous EBP) inst in main Variables (buffers) 0xFF12 Arguments Return Address (previous EBP) inst in function 1 Variables (buffers) First Functions Frame Second Functions Frame 0xDD45 Previous FP (EBP) FFFF Previous FP (EBP) FFFF Grows Down Stack Pointer (SP) or ESP {shows the “end” of the stack} 0xDD45 Frame Pointer (FP) or EBP {shows the “end” of the last frame} 0xFF12 Extended Inst (EI) or EIP {shows where to execute next instruction} 0xFF00

12 So where does the buffer overflow really come in? We can overwrite the Return Address to point to some code we want to execute... by overflowing our code and the address of our code in a variable in the buffers... Stack Frames (cont) STACK: 0xFFFF Arguments Return Address (previous EBP) inst in main Variables (buffers) 0xFF12 Arguments Return Address (previous EBP) inst in function 1 Variables (buffers) First Functions Frame Second Functions Frame 0xDD45 Previous FP (EBP) FFFF Previous FP (EBP) FFFF Address of our code... NOP Our exploit code Grows Down 0xFF00 Extended Inst (EI) or EIP {shows where to execute next instruction} 0xFF00

13 A list from Eric Cole’s “Hacker Beware” –Netmeeting –Outlook –Linuxconf –Tooltalk –IMPAD –AOL IM –IIS 4/5 –SQL –Our latest... RPC Some Example Exploits

14 The Threat Programs that run as [SUID] to root. –In general, a program executable (the binary) has a “context” that determines privileges –The context is based on, or is a subset of, the user’s (the owner) privileges. –For example, if Bob rights a program, the executable will have the same privileges as Bob

15 The Threat (2) Sometimes a program requires extended privileges to work properly –We discussed the passwd program in class The passwd command runs as a [SUID] program such that the executable is associated with the file owner and NOT the user –In this case root owns passwd binary. The program runs with root privileges against the passwd and shadow files.

16 The Threat (3) Some programs start at boot and run in the background… –Unix daemons –Windows services Many times they will run with extended privileges as open ports to the world and they are always on. –These are possible targets for buffer overflows

17 DCOM Buffer Overflow First reported in July 2003 It is a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access (system level) and execute any code on a target machine, leaving it compromised. DCOM is a protocol that enables programs to communicate over the network, while RPC is a protocol used by a program to request services from another program on a remote machine The following platforms are affected by this vulnerability: ・ –Windows NT 4.0 ・ Windows 2000 Professional & Server ・ Windows 2000 Advance Server ・ Windows XP Home ・ Windows XP Professional –The following RPC-related ports can be attacked to exploit this vulnerability: ・ 135 ・ 139 ・ 445 ・ 593

18 Metasploit It’s a framework for penetration testing that allows you to choose an exploit and payload combination against a remote host –It has a very clean version of dcom, so we will use it in the lab…

19 Hardware Level Prevention Of Buffer Overflow Intel Q965 Express Chipset prevent certain classes of viruses or worms that exploit buffer overflow vulnerabilities AMD's Athlon 64 processors can detect buffer overflows and trigger an overflow exception that crashes an application or operating system Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Page 2605

20 How to Detect Buffer Overflows in a Program One way is to look at the source code In this case, the attacker can look for strings declared as local variables in functions or methods and verify the presence of boundary checks It is also necessary to check for improper use of standard functions, especially those related to strings and input/output Another way is to feed the application with huge amounts of data and check for the abnormal behavior Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

21 Defense Against Buffer Overflows ManualDisablingSafer C Compiler auditing ofstacklibrary techniques the codeexecutionsupport Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Also include: 1.Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space 2.PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. Also include: 1.Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space 2.PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. Page 2363


Download ppt "Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-"

Similar presentations


Ads by Google