CSCD 434539

1
CSCD 434Spring 2009
Lecture 10 Attack Phase Buffer Overflows
2
Vulnerabilities are Everywhere

• Some vulnerabilities show up repeatedly
• OSs, Web Applications, Databases, ClientServer
  applications
• Which vulnerability is the most important today?
• Buffer Overflows
• Has been around since the late 70s
• Most important because it is still the most
  prevalent vulnerability

3
Buffer Overflow Attacks

• Introduction
• Even if buffer overflow attack comes in from
  network, considered an application or host type
  of attack
• However, still relevant to understanding network
  security
• Many, many network based problems result of this
  vulnerability
• Something that IDSs try to detect
• Not detected by packet filter firewalls

4
Buffer Overflow Attacks

• Best known example
• Internet Worm Morris 1988
• Used a buffer overflow in fingerd on Unix systems
• Invaded 1000s of machines
• Currently, buffer overflows account for gt 50 of
  all major security bugs
• Is still around ....
• Why is buffer overflow still around today?

5
Buffer Overflow Attacks

• Still around because ...
• Foremost, bad language design
• C and C
• Poor programming practice
• Programmers still dont know how to correctly
  obtain input
• Plus lots of attackers just looking for an
  opening in any application or data
• More applications are Web based and require some
  user input
• SQL user-based queries, input on Web forms

6
Buffer Overflow Attacks

• What can attackers do with buffer overflows?
• In Unix, setuid programs
• Need to run with root privileges
• If regular user runs setuid program, still runs
  with root privilege
• If attacker causes buffer overflow in a setuid
  program they gain root privilege
• xterm, lpr, eject are setuid programs and have
  all been subject to buffer overflow attacks

7
Setuid Root Powerful

• Can make any program setuid root
• Allows normal users to run programs that need
  access to system resources
• Printers, terminal windows, mail programs ...
• Example

8
Buffer Overflow Attacks

• Attacker goals
• Gain access to your machine
• Any access is better than none
• Once in, can run a local buffer overflow to
  escalate privilege ... trying to be root
• Can then install other means for future access
  via a backdoor
• Own your machine

Powned?
9
Buffer Overflow Attack

• History . When did this attack become popular?
• Known about since 1988, but one paper described
  it in detail ... Morris worm finderd overflow
• In 1996, Aleph One wrote the classic paper
• Smashing the Stack for fun and profit
• http//insecure.org/stf/smashstack.html
• Since then, others have published more details
• Wikipedia Collection of Papers and links
• http//en.wikipedia.org/wiki/Buffer_overflow
• Mixter Tutorial
• http//mixter.void.ru/exploit.html

10
Buffer Overflow Attacks

• Overflowing the Stack One way to do it
• Review of the stack
• Stack is a LIFO data structure
• OSs use these for temporary storage when running
  processes
• When calling a function, OS pushes things onto
  stack so it can remember where it was prior to
  calling the function
• Pushes an address, the Return Pointer, so it can
  go back to next instruction in main program
• Also stores an address, Saved Frame Pointer, that
  keeps track of stack memory

11
Buffer Overflow Attacks
void function1 (void)? char buffer20
printf (Does nothing) return main
()? function1()
buffer Saves Stack Frame Pointer Return
Pointer Function Call Arguments
12
Buffer Overflow Attacks
After function1 finishes executing, pop local
variables from the stack buffer the only local
variable
buffer Saves Stack Frame Pointer Return
Pointer Function Call Arguments
Then, Stack Frame Pointer is
popped Return Pointer is loaded into the
instruction pointer and control goes back to main
13
Buffer Overflow Attacks

• Question
• Are contents of buffer zeroed out when it is
  popped off the stack?

14
Buffer Overflow Attacks

• No. Buffer remains unchanged
• Instruction pointer just moves down the stack
• This is key to how the buffer overflow exploits
  work
• How does a buffer overflow happen?
• Works by stuffing too many things into too small
  a space

15

• More detailed example Buffer Overflow
• void sample_function (char string)?
• char buffer16
• strcpy (buffer, string)
• return
• void main ()?
• char big_buffer256
• int i
• for (i1 i lt 255
  i)?
• big_bufferi
  A
• sample_function
  (big_buffer)
• Strcpy doesnt check size of either source or
  destination string

W
What does this do?
16
Buffer Overflow Attacks

• How does an attacker craft a buffer overflow?
• Attacker wants it to do more than crash
• He needs it to execute some useful instructions
• Stuffs commands into buffer instead of As

1. Function finishes Local buffer with code
popped but information is not cleared 2.
System loads return ptr supplied by
attacker 3. Starts executing instructions
attacker put into buffer
17
Buffer Overflow Attacks

• What gets executed?
• Typically, some type of interactive shell
• In Unix, /bin/sh
• Attacker can run most other commands
• In Windows, want to trigger a specific DLL
• Like Wininit.dll
• Allows attacker to send requests over the network

18
Buffer Overflow Attacks

• How do Buffer Overflows happen in code?
• For many programs using a C library function that
  allows the user to enter data without checking
  for size of input
• C language routines
• strcat, strcpy, gets, fgets, memcpy, plus many
  others
• Programmer allowed to write code by language, no
  check for input bounds!
• Sloppy habits allow this to cause problems

19
Buffer Overflow Attacks

• How are Buffer Overflows Discovered?
• Have source code, look for C functions
• Examine input
• Manually or use an automated tool to do this
• But, DON'T have to have source code
• Can use debugger to find evidence of these
  functions
• Cram data into program see if program crashes ..
  vulnerability
• Known as fuzzing input
• Want to cause an overrun but have the command end
  up in the return pointer
• Looking for ability to overrun the return pointer

How would you do it?
20
Buffer Overflow Attacks

• Crafting the Buffer Overrun
• Determine what value to insert that points to
  beginning of executable code
• Difficult to find exact location of start of
  code, stacks are dynamic
• Could run the program many 100's or 1000's to
  guess the exact place to jump back into stack
• But, better fudge value, doesn't need to be exact
• Do this with NOPs - No-Operation instructions
• What does NOP do?
• Place a lot of them before the first executable
  instruction
• Called a NOP sled ... jump onto the sled

21
Stack-based Buffer Overflow Example
Attacker's exploit code provides this stuff as
input

• To help more accurately guess the value of the
  new return pointer, attackers prepend a NOP sled
  to the front of the exploit

22
Buffer Overflow and Related Exploits

• Building blocks of many exploits include
• NOP Sled
• Code to invoke some system call on the target
  machine
• Such as the execve system call to run a program
• (Typically) Code for invoking a shell to run on
  the target That's why it's called "Shell code"
• (Typically) Instructions for that shell to
  execute
• A return pointer, to trigger the whole package
• The return pointer is set using some exploit,
  such as a buffer overflow, that overwrites a
  return pointer on the stack

23
Buffer Overflow Attacks

• Crafting the Buffer Overrun
• Many NOP's are a signature for many IDS and IPS
  systems
• Better way to do this
• Some NOPS
• But, other instructions too that do nothing
• Examples
• Add zero to register
• Multiply register by 1
• Jump to next instruction
• Can sneak by IDS's this way
• ADMutate - automated tool to create polymorhpic
  instances
• http//www.ktwo.ca/security.html

24
Buffer Overflow Attacks

• Crafting buffer overflows
• Several sites with great GUI's for crafting
  exploits
• Other attacks too, not just buffer overruns
• Bugtrac Archives
• www.packetstormsecurity.com
• Metasploit Project
• www.metasploit.com
• Tools from Shellcode.org
• http//shellcode.org/Exploitation/

25
Buffer Overflow Attacks

• What comes next after smashing the stack?
• Best possible result for attacker
• He/She can run a shell as root or administrator
• If cant locate a program with super-user
  privileges and some vulnerability from across the
  network
• Penetrate a system to gain regular user privilege
  across the network
• Then, use a local buffer overflow to escalate
  their privilege to root

26
Buffer Overflow Attacks

• What comes next after smashing the stack?
• Create a backdoor into the system
• 1) Change inetd.conf to spawn an interactive
  shell with root privileges on a specific port
• 2) Use TFTP to copy netcat, a versatile tool that
  can then export a command shell to attackers
  machine for input
• Attacker will use the back door to come back into
  the machine at their leisure
• At that point they own the machine

27
Buffer Overflow Attacks

• Heap Overflows
• Exploiting a heap overflow is harder than
  exploiting the stack
• Consists of large blocks of memory
• Each block has a small header that describes the
  block
• Each OS and compiler uses a different method for
  managing the heap
• Best to reverse engineer the heap system
• On a heap two records are stored near each other
  in memory

28
Buffer Overflow Attacks

• Heap Overflows continued
• Records are stored near each other but not
  contiguously like on the stack
• If there is actual program code in between the
  heap variables and we over-write it ...
• Then we may crash the program before it gets to
  the malicious code we want to execute
• Heap overflows, not as common but still done
• Skoudis book covers this in more detail Chapter
  7

29
Defenses for Buffer Overflows

• Two Categories of Defense
• System Administration
• Management, configuration and security defenses
• Software Development
• Careful programming practices
• Automated tools help with discovery

30
Defenses for Buffer Overflows

• System Administration
• Keep systems patched
• Stay on top of vulnerability discovery
• Bugtraq, US-Cert and application vendor lists
• Configure systems with minimum number of
  unnecessary services and software
• Includes filtering and controlling outgoing
  traffic
• System settings for
• Non-executable stack,
• Address Randomizaton
• Stack-smashing detection canary values

31
Non-executable Stack

• System Administration
• Configure system with Non-executable stack
• Majority of stack based buffer overflows will
  fail with a non-executable stack
• Windows XP Service Pack 2
• Windows uses NX protection on critical Windows by
  default
• Windows XP or Server 2003, the feature is called
  Data Execution Prevention (abbreviated DEP)?
• Can be configured through the advanced properties
  of the "My Computer"
• If the x86 processor supports this feature in
  hardware, then the NX features are turned on
  automatically in Windows XP/Server 2003 by
  default
• If the feature not supported by the x86
  processor, no protection is given

32
Hardware Enabled No Execution - NX

• AMD first to implement NX on Athlon 64 processors
  2004
• Intel added this Execute Disable bit to Celeron
  and Pentium 4 processors - 2005
• NX No execute bit
• When set, memory page is regarded as data
• Won't execute code
• Prevents typical buffer overflow on stack or heap
• Must be supported by OS

33
Hardware Enabled No Execution - NX

• Linux
• Support for this feature in the 64-bit mode on
  x86-64 CPUs was added in 2004
• Later same year, added support in 32-bit mode on
  64-bit CPUs
• These features have been in the stable Linux
  kernel since release 2.6.8 in August 2004
• Some issues with compatibility so implemented as
  a patch

34
Hardware Enabled No Execution - NX

• On the other hand ... can turn it off!
• Software developers will be able to selectively
  disable execution protection for 32-bit
  applications
• DisableNX fix in Win SP2's compatibility toolkit
• End users will be able to switch the feature on
  and off for the entire system or for individual
  applications
• In Linux Execstack (8)
• Allows you to set, clear or query for ELF binaries

35
Non-Executable Stack Workaround

• Hackers have workarounds too
• Don't need code on the stack
• Use system calls to libraries to do dirty work
• Return into libc technique doesn't use the
  stack
• Return pointer replaced by address of another
  instruction
• Additional portion of stack is overwritten to
  provide arguments to this function
• libc is most likely target, always linked to
  program, and it provides useful calls for an
  attacker (such as the system() call to execute an
  arbitrary program

36
Non-Executable Stack Workaround

• http//www.infosecwriters.com/text_resources/pdf/r
  eturn-to-libc.pdf
• Return into libc
• Stack-smashing protection can prevent or obstruct
  exploitation
• Address randomization on 32 bit CPU's does not
  help with this attack
• Also been around a long time, 1997

37
OS Address Randomization

• Address Space Layout Randomization (ASLR)?
• Classic buffer overflows and methods working
  around non-executable stacks
• Rely on known fixed addresses
• ASLR addresses by randomizing the addresses of
  certain pages in the process address space

38
OS Address Randomization

• Traditionally ...
• Libraries, stack and heap assigned fixed
  addresses within executable
• ASLR randomizes these to varying degrees
• Each page has virtual address, references real
  memory via page tables so
• ASLR randomizes some bits of virtual address
• Linux
• Since 2.6.12, Linux ASLR enabled by default
• Windows
• On by default since Vista Beta2

39
Can we turn ASLR off?

• So, can we for Linux or Windows?
• Linux
• cat /proc/sys/kernel/randomize_va_space (see
  value)?
• sudo sysctl -w kernel.randomize_va_space0
• (setting it to 0 turns off randomization)?
• Windows
• A registry setting is available to forcibly
  enable or disable ASLR for all executables and
  libraries
• Other memory protections too can be bypassed
• See paper below for nice explanation, all memory
• http//taossa.com.nyud.net8080/archive/bh08sotiro
  vdowd.pdf

40
Canary Values for Stack

• Before address randomization, before
  non-executable stack ...
• What if we place a small canary value by the
  return pointer and just detect if its been
  changed?
• Concept behind Stackguard,
• StackGuard compiler extension that enhances the
  executable code produced by the compiler
• Detect change return address before function
  returns, or prevent write to return address
• Another type of program PointGuard that moves
  variables around to protect return pointer

41
Canary Values for Stack

• gcc implemented changes, ProPolice
• 1.Reordering of local variables to place buffers
  after pointers to avoid the corruption of
  pointers
• 2.Copying of pointers in function arguments to an
  area preceding local variable buffers to prevent
  the corruption of pointers
• compiler option -fstack-protector,
  -fno-stack-protector enables and disables the
  protection.
• compiler option -fstack-protector-all,
  -fno-stack-protector-all enables and disables the
  protection of every function, not only function
  character array

42
Defenses for Buffer Overflows

• Software
• Automated codechecking tools
• Search for known problems
• ITS4 Its the Software Stupid
• www.cigital.com/its4/
• RATS Rough Auditing Tool for Security
• http//www.fortify.com/security-resources/rats.jsp
  
• Flawfinder
• www.dwheeler.com/flawfinder

43
Defenses for Buffer Overflows

• Software
• Automated tools for fuzzing testing, see paper
• http//www.packetstormsecurity.com/papers/
• attack/fuzzing-auatfb.pdf
• Learn to write more secure programs
• Writing Secure Code book
• http//www.amazon.com/Writing-Secure-Second-Michae
  l-Howard/dp/0735617228
• Howard and Leblanc
• Linux and Unix
• White paper on developing secure code
• www.dwheeler.com/secure-programs

44
Defenses for Buffer Overflows

• Java Code Issues
• Widely assumed that Java is immune to Buffer
  Overflow problems
• Java has a type-safe memory model
• However, Java has been subject to buffer overflow
  attacks. How?

45
Defenses for Buffer Overflows

• Java Code Issues
• Many Java based services are written in C or C
• Integrating Java with support libraries written
  in C and C is done routinely
• Java also supports loading of DLLs and code
  libraries
• Exported functions can be used directly in Java
• Opens up possibilities buffer overflows may be
  exploited in support libraries

46
Buffer Overflow Attacks

• Summary
• Buffer overflows are an outgrowth of poor memory
  models compounded by programmer carelessness ...
  yes, some programmers are careless
• For each safeguard StackGuard, non-executable
  stack, hackers have workarounds
• One downside of the safeguards
• People have a false sense of security!!

47
Buffer Overflow Attacks

• Summary
• Lots more overflows in other types of content
• Databases SQL strings
• Data files MP3 files Header of file for a
  string
• HTTP Cookies Apache HTTPD overflow
• Environment Variables - HOME, TERM others
• Many others ...

48
More References

• Other tutorials
• http//www.tutorialized.com/view/tutorial/Buffer-O
  verflow-In-Action-Tutorial/19445
• http//www.securiteam.com/securityreviews/5OP0B006
  UQ.html
• Shellcode References
• http//www.vividmachines.com/shellcode/shellcode.h
  tml
• http//www.infosecwriters.com/hhworld/shellcode.tx
  t
• http//shellcode.org/
• Metasploit Framework
• 3-part Article
• http//www.securityfocus.com/infocus/1789
• http//www.securityfocus.com/infocus/1790
• http//www.securityfocus.com/infocus/1800
• http//www.syngress.com/book_catalog/327_SSPC/samp
  le.pdf

49
The End

• Finally a bit of hacker humor
• http//geekz.co.uk/lovesraymond/archive/nop-nop-no
  p-nop-nop
• There is a lab, buffer overflow
• More Attacks
• Continue Counter Hack Chapter 7