Memory Corruption ExploitsReading AssignmentVariable Arguments in CImplementation of Variable ArgsFrame with Variable ArgumentsFormat Strings in CWriting Stack with Format StringsUsing %n to Mung Return AddressBad Format Strings in the WildTargets of Memory CorruptionExample: Web Server SecurityExploiting Null HTTP Heap OverflowNull HTTP CGI-BIN ExploitAnother Web Server: GHTTPDSSH Authentication CodeReducing Lifetime of Critical DataTwo’s ComplementInteger OverflowActionScript ExploitProcessing SWF Scene Records (1)Processing SWF Scene Records (2)ActionScript Virtual Machine (AVM2)AVM2 VerifierRelevant Verifier CodeExecuting Invalid OpcodesBreaking AVM2 VerifierSlide 27Further ComplicationsBuffer Overflow: Causes and CuresWX / DEPWhat Does WX Not Prevent?return-to-libc on SteroidsChaining RETs for Fun and ProfitOrdinary ProgrammingReturn-Oriented ProgrammingNo-opsImmediate ConstantsControl FlowGadgets: Multi-instruction Sequences“The Gadget”: July 1945Gadget DesignConditional JumpsPhase 1: Perform ComparisonPhase 2: Store 1-or-0 to MemoryPhase 3: Compute Delta-or-ZeroPhase 4: Perturb ESP by DeltaFinding Instruction SequencesUnintended Instructionsx86 Architecture HelpsSPARC: the Un-x86ROP on SPARCslide 1Vitaly ShmatikovCS 380SMemory Corruption ExploitsSlides on return-oriented programmingcourtesy of Hovav Shachamslide 2Reading Assignmentscut / team teso. “Exploiting format string vulnerabilities”.Dowd. “Leveraging the ActionScript Virtual Machine”.Chen et al. “Non-control-data attacks are realistic threats” (Usenix Security 2005).Roemer et al. “Return-oriented programming”.Optional:•“Basic integer overflows”, “w00w00 on heap overflows”, “Once upon a free()...”slide 3Variable Arguments in CIn C, can define a function with a variable number of arguments•Example: void printf(const char* format, …)Examples of usage:Format specification encoded byspecial %-encoded characters• %d,%i,%o,%u,%x,%X – integer argument• %s – string argument• %p – pointer argument (void *)• Several othersImplementation of Variable ArgsSpecial functions va_start, va_arg, va_end compute arguments at run-timeslide 4slide 5Frame with Variable Argumentsva_start computeslocation on the stackpast last staticallyknown argumentva_arg(ap,type) retrieves next arg from offset apslide 6Proper use of printf format string:… int foo=1234; printf(“foo = %d in decimal, %X in hex”,foo,foo); …–This will print foo = 1234 in decimal, 4D2 in hexSloppy use of printf format string:… char buf[13]=“Hello, world!”; printf(buf); // should’ve used printf(“%s”, buf); …–If buffer contains a format symbol starting with %, location pointed to by printf’s internal stack pointer will be interpreted as an argument of printf. This can be exploited to move printf’s internal stack pointer!Format Strings in Cslide 7%n format symbol tells printf to write the number of characters that have been printed… printf(“Overflow this!%n”,&myVar); …–Argument of printf is interpeted as destination address–This writes 14 into myVarWhat if printf does not have an argument?… char buf[16]=“Overflow this!%n”; printf(buf); …–Stack location pointed to by printf’s internal stack pointer will be interpreted as the address into which the number of characters will be written!Writing Stack with Format Stringsslide 8Using %n to Mung Return AddressRET“… attackString%n”, attack code&RETOverwrite location under printf’s stackpointer with RET address; thenprintf(buffer) will write the number of characters in attackString into RETReturnexecution tothis addressBuffer with attacker-supplied input stringNumber of characters inattackString must be equal to … what?See “Exploiting Format String Vulnerabilities” for detailsC has a concise way of printing multiple symbols: %Mx will print exactly M bytes (taking them from the stack). If attackString contains enough “%Mx” so that its total length is equal to the most significant byte of the address of the attack code, this byte will be written into &RET. Repeat three times (four “%n” in total) to write into &RET+1, &RET+2, &RET+3, replacing RET with the address of attack code.This portion containsenough % symbolsto advance printf’sinternal stack pointerslide 9Chen and Wagner study (2007)•“Large-scale analysis of format string vulnerabilities in Debian Linux”Analyzed a large fraction of the Debian Linux 3.1 distribution using CQual, a static taint analysis tool•92 million lines of C and C++ code•Objective: find “tainted” format strings (controlled by user, yet used in printf and similar functions)Taint violations reported in 1533 packagesEstimated 85% are real format string bugs(Why not 100%?)Bad Format Strings in the Wildslide 10Configuration parameters•E.g., directory names that confine remotely invoked programs to a portion of the server’s file systemPointers to names of system programs•E.g., replace the name of a harmless script with an interactive shell (not the same as return-to-libc)•System call interposition doesn’t help unless it verifies call arguments and not just the name of the routineBranch conditions in input validation codeTargets of Memory Corruptionslide 11Example: Web Server SecurityCGI scripts are executables on the server that can be invoked by remote user via a special URL•http://www.server.com/cgi-bin/SomeProgramDon’t want remote users executing arbitrary programs with Web server’s privileges•Especially if the Web server runs with root privileges•Need to restrict which programs can be executedCGI-BIN is the directory name which is always prepended to the name of the CGI script•If CGI-BIN is /usr/local/httpd/cgi-bin, the above URL will execute /usr/local/httpd/cgi-bin/SomeProgramslide 12Exploiting Null HTTP Heap OverflowNull HTTPD had a heap overflow vulnerability•When corrupted buffer is freed, an overflown value is copied to a location whose address is read from an overflown memory area•This enables attacker to copy an arbitrary value into a memory location of his choiceStandard exploit: copy address of attack code into the table containing addresses of library functions•Transfers control to attacker’s code next time the library function is calledAlternative: overwrite the value of CGI-BINslide 13Null HTTP CGI-BIN Exploitslide 14Another