worm enabling exploits
play

Worm enabling exploits Cyber Security Lab Spring 10 Background - PowerPoint PPT Presentation

Sep 23, 2023 •153 likes •525 views

Worm enabling exploits Cyber Security Lab Spring 10 Background reading Worm Anatomy and Model http://portal.acm.org/citation.cfm?id=948196 Smashing the Stack for Fun and Profit

  1. Worm enabling exploits Cyber Security Lab Spring ‘10

  2. Background reading • Worm Anatomy and Model – http://portal.acm.org/citation.cfm?id=948196 • Smashing the Stack for Fun and Profit – http://www.phrack.com/issues.html?issue=49& • The Shellcoder’s Handbook – At the library

  3. More Reading • Steve Hanna’s Shellcode page – http://vividmachines.com/shellcode/shellcode.html • Once Upon a Free() – http://www.phrack.org/issues.html?issue=57&id=

  4. Outline • Review worm structure • Examine exploited vulnerabilities – Buffer Overflow – Return to Libc – Format String exploits – Heap Overflow

  5. What is a Worm? • An autonomous process that can cause a copy of itself (or a variant) to execute on a remote machine. • Various Goals – Install trojan’s for later access – Install zombies for later DDoS or other activities – Install spies for information gathering – Personal fame • Generally varies from a virus in that it propagates independently. – A virus needs a host program to propagate. – But otherwise, many of the issues between worms and virus are the same

  6. Life Cycle of a Worm • Initialization: – Install software, understand the local machine configuration • Payload Activation: – Activate the worm on the current host • Network Propagation: – Identify new targets and propagate itself – The cycle starts all over on the newly infected devices

  7. Network Propagation in More Detail • Target Acquisition: Identify hosts to attack. – Random address scans (Code Red) or locality biased (Nimda) – Code Red v2 effectiveness changed based on good seeding • Network Reconnaissance: Determine if the target is available and what is running on it • Attack: Attempt to gain root access on the target – Traditionally this has been buffer overflow – Can also attack other weaknesses like weak passwords • Infection: Leverage root access to start the Initialization phase on the new host

  8. Example Worm: LION • Active around 2001 • Three versions • Not a particularly effective worm – Uses a BIND exploit that attacks the “named” daemon • Not activated on default RedHat 6.2 installations • Administrator would have to explicitly add to inetd table and run as root • Variant of the earlier worms – ADMworm, Millenium Worm, Ramen worm

  9. Lion Life Cycle • Attempts connection to TCP port 53 on candidate target hosts – Selects random class B network blocks to scan • If target responds, send malformed UDP IQUERY packet to UDP port 53 – Used to determine if target is running vulnerable version of Linux running BIND 8 • If vulnerable, send overflow packet – Attack code walks file descriptor table of exploited process to find FD of initial TCP connection – Duplicates FD to stdin, stdout, stderr – Spawn /bin/sh running at root

  10. Lion Life Cycle Continued • Now can use original TCP connection as control channel to send shell commands – Download and install software • Versions 1 and 2 download from fixed site • Version 3 uses Ramen distribution code to download from infecting host – Send password files to central location for later analysis – Cover tracks. Erase logs and temporary files

  11. Buffer Overflow Exploits • Write too much data into a stack buffer – Replace return address on the stack with address of attack code – Generally attack code attempts to start a shell • If process is SetUID root, shell will be root • Attack code is often in the buffer

  12. Stack Structure Stack Ptr Low address Buffer[512] Saved void func(char *a) { Frame Ptr char buffer[512]; strcpy(buffer, a); Return …. Address } Function Arguments (a) Frame Ptr Previous High address frames

  13. Shell Code • Insert code to spawn a shell • Phrack article discusses how to do this from first principles – Create assembly code to exec /bin/sh – Use GDB to get hex of machine code – Rework assembly as necessary to avoid internal 0’s • Could break attack if strcpy is used by attack target • Will result in a hex string like: – “\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x4 6\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x 80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/ sh”

  14. Structure of Buffer • Buffer more than 512 bytes will replace other information on the stack (like return address) • Problem is determining absolute address in buffer to jump to and ensuring you replace the return address – Pad with leading NOPs and trailing return addresses – Then your guesses on the stack structure do not need to be exact NOPs Shell Code Return Address Replacements

  15. Copied Stack Address X NOPs Buffer[512] Shell Code Saved Frame Ptr Return N copies of Address Address X Function Arguments Previous Previous frames frames

  16. Calculating New Return Address • If you have source – Use GDB to find stack address at appropriate invocation • GDB reporting may not be accurate, might take several guesses – Use Eggshell program • Approximate target program • Takes buffer size and offset arguments • Computes candidate buffers • Emits buffers in environment variable named EGG • Creates new shell on the way out so EGG is available after program has completed • If you don’t have source – Brute force? – Examination of core files or other dumps

  17. Return to libc • Make stack non-executable to protect from buffer overflow – Newer windows feature – Feature in some flavors of Unix/Linux • Adapt by setting the return address to a known library – Libc is home to nice functions like system, which we can use to spawn a shell.

  18. Return to Libc Stack Buffer[512] Libc Buffer[512] Segement Y X – new Saved system() frame ptr Frame Ptr Return Y Address Z – new return Z Function exit() ptr to /bin/sh Arguments Frame X Ptr Previous Previous frames frames

  19. Protections • No execute bit • Address space randomization • Canaries • Use type safe languages • Avoid known bad libraries

  20. Address Space Randomization • Vary the base stack address with each execution – Stack smashing must have absolute address to over write function return address – Enabled by default in some linuxes (e.g., FC3) • Wastes some address space – Less of an issue once we have 64 bit address space • Not absolute – Try many times and get lucky • Does not help return to libc or heap overflows

  21. Tools for Buffer Overflow Protection • LibSafe – http://www.research.avayalabs.com/project/libsafe/ – Intercept calls to functions with known problems and perform extra checks – Source is not necessary • StackGuard and SSP/ProPolice – Place “canary” values at key places on stack • http://en.wikipedia.org/wiki/Stack-smashing_protecti – Terminator (fixed) or random values – ProPolice patch to gcc

  22. LibSafe Target Buffer Uses LD_PRELOAD to intercept all Buffer[512] “dangerous” calls. Use Frame pointer and buffer address to detect corruption of stack Saved Frame Ptr Return Address Function Arguments Frame Pointer Previous frames

  23. Canary Values Address X NOPs Buffer[512] Shell Code Canary Saved Frame Ptr Return N copies of Address Address X Function Arguments Previous Previous frames frames

  24. Non-Executable Stack • Set page as non-executable – Supported by newer AMD and x86 chips – Supported by some OS’s • Does not protect against return to libc or heap attacks.

  25. Format String Errors • What is a format string? – printf(“Foo 0x%x %d\n”, addr, count); • What happens if the arguments are missing? – printf(“Foo 0x%x, %d\n”); • What if the end user can specify his own format string? – printf(fmtstring)

  26. Information Disclosure • By specifying arbitrary %x’s (or %d’s) you can read the stack – Made easier by direct parameter access – “%128\$x” – print the 128’th argument as a hex • Looking at the stack you can see the address to your own format string

  27. Reading arbitrary addresses • You can load an address into the first 4 bytes of your format string • If you know the offset of the format string on the stack, use %s to read the string starting at that address – formatstr = $’\x55\x4d\x06\x08%272$s’; – printf(formatstr) • So, we leak information, but printf is read only, right?

  28. Writing data with printf • The %n parameter writes the number of bytes written so far by printf to the corresponding int * pointer • Kind of awkward, but does enable the dedicated fiddler to write arbitrary data at arbitrary locations – Only writes one byte at a time • Likely targets – Return addresses – Data, like terminating passwords we are checking – Global Offset Table (GOT) – library function pointer table

  29. Format string errors easily avoided • Never accept raw format strings from end user – Never allow • printf(buf) – Instead do • printf(“%s”, buf);

  30. Heap overflows • Gain control by overflowing heap allocated buffer • Heap imposes additional structure on large blocks of memory given by OS • Control structures intermingled with user data in heap memory – Specific attacks very dependent on details of particular malloc implementation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo

ring worm ring worm herpes ring worm herpes staphylococcal ring worm herpes impetigo staphylococcal ring worm herpes 3-4 weeks 2-3 weeks impetigo staphylococcal 1 week 1 week wrestlers are 16x more likely than other athletes to

613 views • 60 slides
Malware and Exploit Enabling Code Information Assurance CS461/ECE422 Fall 2009 Reading

Malware and Exploit Enabling Code Information Assurance CS461/ECE422 Fall 2009 Reading

Malware and Exploit Enabling Code Information Assurance CS461/ECE422 Fall 2009 Reading Material CS Chapter 22 Ken Thompson and Trojans http://cm.bell-labs.com/who/ken/trust.html Worm Anatomy and Model

744 views • 63 slides
Easy Worm Composting at Home What is vermicomposting? Utilizing worms and microorganisms to

Easy Worm Composting at Home What is vermicomposting? Utilizing worms and microorganisms to

SSN presents: Easy Worm Composting at Home What is vermicomposting? Utilizing worms and microorganisms to convert organic waste into a nutrient rich humus like material known as vermicompost (worm castings) Why do it? Produce your own

736 views • 14 slides
FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT DEVICES LIKE A BOSS) (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18 ABOUT ME ABOUT ME Head of Research @ Econocom Digital

1.73k views • 83 slides
REVIEW OF MICROSTRUCTURE AND PROPERTIES OF NON- FERROUS ALLOYS FOR WORM GEAR APPLICATION &

REVIEW OF MICROSTRUCTURE AND PROPERTIES OF NON- FERROUS ALLOYS FOR WORM GEAR APPLICATION &

REVIEW OF MICROSTRUCTURE AND PROPERTIES OF NON- FERROUS ALLOYS FOR WORM GEAR APPLICATION & ADVANTAGES OF CENTRIFUGALLY CAST GEARS GIRI RAJENDRAN JASON HASSEN MCC INTERNATIONAL INC OVERVIEW OF NON-FERROUS (BRONZE) MATERIAL FOR WORM

628 views • 38 slides
MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26 TODAY: Functions and inverse functions Watch videos 4.3, 4.3 by Wednesday Worm up A worm is crawling across a table. The path of the worm looks

399 views • 6 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris

Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris

Automatic Worm Defense (I) Dawn Song dawnsong@cs.berkeley.edu 1 Primer on Internet Worms (I) First Instance: Morris worm (1988) Infected 6000 machines (10% of Internet) $10M for downtime & cleanup Whats a worm?

512 views • 13 slides
Simulation of Gauge-Higgs models using the worm algorithm Y. Delgado , C. Gattringer, A. Schmidt

Simulation of Gauge-Higgs models using the worm algorithm Y. Delgado , C. Gattringer, A. Schmidt

Simulation of Gauge-Higgs models using the worm algorithm Y. Delgado , C. Gattringer, A. Schmidt Karl-Franzens-Universitt Graz Sarajevo, February 2013 Y. Delgado (KFU) Worm algorithm Excited QCD 2013 1 / 19 Motivation: Sign problem of QCD

450 views • 28 slides
Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 IMW {dmoore, cshannon} @ caida.org www.caida.org Outline What is the Code-Red worm? Detection Host

495 views • 35 slides
PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September

PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September

Introduction Internet worm models Continuous Approximation Quantified analysis Conclusions PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September 2005 Joint work with Jeremy Bradley and Stephen

1.34k views • 98 slides
Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP Exploits Long Le longld@vnsecurity.net BLACKHAT USA 2010 BLACKHAT USA 2010 1 Who am I? VNSECURITY founding member Capture-The-Flag

759 views • 43 slides
Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet

Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet

Worm Detection Packet Content Matching Port Number Matching Worm Detection ICMP Packet Analysis Ankur Agiwal 1 2 Packet Content Matching Packet Content Matching Which characteristic of worm is exploited? Should whole packet

325 views • 7 slides
Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits the Ore of Exploits Private & Confidential Property of COSEINC The Bug Mining Analogy The Bug Mining Analogy Phase 1: Extraction Phase 2:

591 views • 37 slides
Overview Overview What is a worm? What is a worm? Origin? Origin? How does it

Overview Overview What is a worm? What is a worm? Origin? Origin? How does it

Overview Overview What is a worm? What is a worm? Origin? Origin? How does it propagate? How does it propagate? How does it take up resources of an How does it take up resources of an infected node? infected node?

213 views • 20 slides
C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: Low-level Software Security by Example by Erlingsson, Younan and Piessens KATHOLIEKE Secappdev

1.03k views • 77 slides
Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.2 T RIES R-way tries ternary search tries

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.2 T RIES R-way tries ternary search tries

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.2 T RIES R-way tries ternary search tries character-based operations Algorithms F O U R T H E D I T I O N R OBERT S EDGEWICK | K EVIN W AYNE http://algs4.cs.princeton.edu Summary of

986 views • 51 slides
What is an Algorithm? Quite generally, an algorithm is a set of instructions that lead to

What is an Algorithm? Quite generally, an algorithm is a set of instructions that lead to

What is an Algorithm? Quite generally, an algorithm is a set of instructions that lead to some desired Fundamentals: All About result Algorithms Must first decompose a problem, and then express its method of solution as a Computer

407 views • 7 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #18 Oct 28 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Quiz #3 Thurs, Nov 4 th A week from today How to

695 views • 50 slides
Engineering Geology Earth Structure Hussien aldeeky 1 Earth major spheres 1. Hydrosphere

Engineering Geology Earth Structure Hussien aldeeky 1 Earth major spheres 1. Hydrosphere

Engineering Geology Earth Structure Hussien aldeeky 1 Earth major spheres 1. Hydrosphere Ocean is the most prominent feature of the hydrosphere. - Is nearly 71% of Earth's surface - Holds about 97% of Earth's water Fresh water

221 views • 20 slides
Lexical Translation Models 1 January 24, 2013 Thursday, January 24, 13 Lexical Translation

Lexical Translation Models 1 January 24, 2013 Thursday, January 24, 13 Lexical Translation

Lexical Translation Models 1 January 24, 2013 Thursday, January 24, 13 Lexical Translation How do we translate a word? Look it up in the dictionary Haus : house, home, shell, household Multiple translations Different word senses,

1.23k views • 103 slides
The Sources of Certainty in Computation and Formal Systems Michael J. ODonnell The University

The Sources of Certainty in Computation and Formal Systems Michael J. ODonnell The University

The Sources of Certainty in Computation and Formal Systems Michael J. ODonnell The University of Chicago (revised 2010 November 16) computation = derivation in formal system Familiarity makes a difference 1 computational is a synonym

718 views • 51 slides
Protec'on, iden'ty, and trust Illustrated with Unix setuid

Protec'on, iden'ty, and trust Illustrated with Unix setuid

Protec'on, iden'ty, and trust Illustrated with Unix setuid Jeff Chase Duke University The need for access control Processes run programs on behalf of users. ( subjects )

1.02k views • 70 slides
Experiences with High Performance Intrusion Detection in the HPC Environment Cray Users Group

Experiences with High Performance Intrusion Detection in the HPC Environment Cray Users Group

Experiences with High Performance Intrusion Detection in the HPC Environment Cray Users Group 2011 Presentation Jim Mellander Scott Campbell NERSC Agenda NERSC Description Operational Philosophy Science-Driven Cybersecurity

597 views • 23 slides

More recommend