UT CS 361s - Buffer Overflow and Other Memory Corruption Attacks
(Lecture slide deck, 85 pages; the preview text below covers slides 1-14.)
Slide 1: Vitaly Shmatikov, CS 361S - Buffer Overflow and Other Memory Corruption Attacks

Slide 2: Reading Assignment
You MUST read "Smashing the Stack for Fun and Profit" to understand how to start on the project
Read "Once Upon a free()"
• Also on malloc() exploitation: "Vudo - An Object Superstitiously Believed to Embody Magical Powers"
Read "Exploiting Format String Vulnerabilities"
Optional reading
• "Blended Attacks" by Chien and Szor, to better understand how overflows are used by malware
• "The Tao of Windows Buffer Overflow" as taught by DilDog from the Cult of the Dead Cow

Slide 3: Morris Worm
Released in 1988 by Robert Morris
• Graduate student at Cornell, son of NSA chief scientist
• Convicted under the Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service
• Now a computer science professor at MIT
Morris claimed it was intended to harmlessly measure the Internet, but it created new copies as fast as it could and overloaded infected hosts
$10-100M worth of damage

Slide 4: Morris Worm and Buffer Overflow
We will look at the Morris worm in more detail when talking about worms and viruses
One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems
• By sending a special string to the finger daemon, the worm caused it to execute code creating a new worm copy
• Unable to determine the remote OS version, the worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy)

Slide 5: Famous Internet Worms
Morris worm (1988): overflow in fingerd
• 6,000 machines infected (10% of the existing Internet)
CodeRed (2001): overflow in MS-IIS server
• 300,000 machines infected in 14 hours
SQL Slammer (2003): overflow in MS-SQL server
• 75,000 machines infected in 10 minutes (!!)
Sasser (2004): overflow in Windows LSASS
• Around 500,000 machines infected
• (LSASS is the service responsible for user authentication in Windows)

Slide 6: ... And The Band Marches On
Conficker (2008-09): overflow in Windows RPC
• Around 10 million machines infected (estimates vary)
Stuxnet (2009-10): several zero-day vulnerabilities (not all of them overflows) + the same Windows RPC overflow as Conficker
• Windows print spooler service
• Windows LNK shortcut display
• Windows task scheduler
Flame (2010-12): same print spooler and LNK flaws as Stuxnet
• Targeted cyberespionage virus

Slide 7: Memory Exploits
A buffer is a data storage area inside computer memory (stack or heap)
• Intended to hold a pre-defined amount of data
• If executable code is supplied as "data", the victim's machine may be fooled into executing it
  – Code will self-propagate or give the attacker control over the machine
• Many attacks do not involve executing "data"
An attack can exploit any memory operation
• Pointer assignment, format strings, memory allocation and de-allocation, function pointers, calls to library routines via offset tables ...

Slide 8: Stack Buffers
Suppose a Web server contains this function:

    void func(char *str) {
        char buf[126];      /* allocate local buffer: 126 bytes reserved on the stack */
        strcpy(buf, str);   /* copy argument into local buffer */
    }

When this function is invoked, a new frame (activation record) is pushed onto the stack.
Figure (stack layout, from the top of the stack toward the frame of the calling function): buf (local variables) | sfp (pointer to previous frame) | ret addr (execute code at this address after func() finishes) | str (arguments) | frame of the calling function. The stack grows toward the top of the stack.

Slide 9: What If Buffer Is Overstuffed?
Memory pointed to by str is copied onto the stack...

    void func(char *str) {
        char buf[126];
        strcpy(buf, str);
    }

If a string longer than 126 bytes is copied into the buffer, it will overwrite adjacent stack locations.
strcpy does NOT check whether the string at *str contains fewer than 126 characters.
Figure: the overflow from buf runs over sfp and the ret addr slot; the attacker-supplied bytes that land in the ret addr slot will be interpreted as the return address!

Slide 10: Executing Attack Code
Suppose the buffer contains an attacker-created string
• For example, str points to a string received from the network as the URL
When the function exits, code in the buffer will be executed, giving the attacker a shell
• Root shell if the victim program is setuid root
Figure: the attacker puts actual assembly instructions into his input string, e.g., the binary code of execve("/bin/sh"); in the overflow, a pointer back into the buffer appears in the location where the program expects to find the return address.

Slide 11: Stack Corruption: General View

    int bar(int val1) {
        int val2;
        foo(a_function_pointer);
    }

    int foo(void (*funcp)()) {
        char *ptr = point_to_an_array;   /* pointer variable stored above buf */
        char buf[128];
        gets(buf);                        /* unbounded read: can overwrite ptr, sfp, ret, funcp */
        strncpy(ptr, buf, 8);             /* write through a possibly corrupted pointer */
        (*funcp)();                       /* call through a possibly corrupted function pointer */
    }

Figure (frames from higher to lower addresses): val1, val2 (bar's frame); arguments (funcp), return address, saved frame pointer, pointer var (ptr), buffer (buf) (foo's frame). The string grows toward higher addresses while the stack grows toward lower addresses, so buf is attacker-controlled memory that can reach everything above it; the return address is the most popular target.

Slide 12: Attack #1: Return Address
① Change the return address to point to the attack code. After the function returns, control is transferred to the attack code.
② ... or return-to-libc: use existing instructions in the code segment, such as system(), exec(), etc., as the attack code.
Figure: same frame as slide 11 (args (funcp), return address, SFP, pointer var (ptr), buffer (buf)). In ① the return address is redirected into the attack code placed in buf; in ② the stack is set up so the function returns into a dangerous library function, e.g. system() with "/bin/sh" as its argument.

Slide 13: Basic Stack Code Injection
Executable attack code is stored on the stack, inside the buffer containing the attacker's string
• Stack memory is supposed to contain only data, but...
For the basic stack-smashing attack, the overflow portion of the buffer must contain the correct address of the attack code in the RET position
• The value in the RET position must point to the beginning of the attack assembly code in the buffer
  – Otherwise the application will crash with a segmentation violation
• The attacker must correctly guess in which stack position his buffer will be when the function is called

Slide 14: Cause: No Range Checking
strcpy does not check input size
• strcpy(buf, str) simply copies memory contents into buf starting from *str until "\0" is encountered, ignoring the size of the area allocated to buf
These standard C library functions are all unsafe:
• strcpy(char *dest, const char *src)
• strcat(char *dest, const char *src)
• gets(char *s)
• scanf(const char *format, ...)
• printf(const char *format,
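The following is an added example and is not code from the lecture slides. It models the activation record of func() from slides 8-9 as a C struct (a constructed layout: the 126-byte buf, then an 8-byte saved frame pointer slot, then an 8-byte return address slot), pushes a constructed 141-character attacker string through a strcpy-style loop, and checks that the attacker's bytes land in the return address slot exactly as slide 9 describes. It then runs the same input through a bounded copy, which is the fix for the missing range check of slide 14. The struct and function names (model_frame, unchecked_copy, bounded_copy, build_payload) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of func()'s activation record from slides 8-9:
 * the local buffer sits at the lowest address, followed by the saved
 * frame pointer, followed by the return address. A real frame is laid
 * out by the compiler; this struct reproduces the slide's picture so
 * the overwrite can be observed without crashing the program. Byte
 * arrays are used for sfp and ret so the struct has no padding and
 * its size is exactly 126 + 8 + 8 = 142 bytes. */
struct model_frame {
    char          buf[126];   /* the 126-byte local buffer */
    unsigned char sfp[8];     /* saved frame pointer slot */
    unsigned char ret[8];     /* return address slot */
};

/* Value the caller "expects" to resume at (arbitrary sentinel). */
#define RET_SENTINEL "\x42\x42\x42\x42\x42\x42\x42\x42"

/* Same loop as strcpy: copies until the NUL byte and never looks at
 * how much room dst has. This is the "no range checking" of slide 14. */
static void unchecked_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Hardened replacement: never writes more than dstsz bytes and always
 * NUL-terminates. Returns 1 when the input had to be truncated, so the
 * caller can reject over-long input instead of silently shortening it. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    int truncated = (n >= dstsz);
    if (truncated)
        n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Constructed attacker string: 126 bytes of filler to fill buf, 8 bytes
 * that land on sfp, then 7 bytes that land on ret. strcpy's own NUL
 * terminator supplies the 8th byte of ret, which is why a forged
 * return address may contain a zero byte only in its final position. */
static void build_payload(char out[142])
{
    memset(out,       'A', 126);
    memset(out + 126, 'B', 8);
    memset(out + 134, 'C', 7);
    out[141] = '\0';
}

/* Runs the slide-8 copy on the model frame. Returns 1 if the return
 * address slot no longer holds the sentinel, i.e. the attacker now
 * decides where execution resumes after func() returns. */
int ret_overwritten_by_unchecked_copy(void)
{
    struct model_frame f;
    char payload[142];

    memset(&f, 0, sizeof f);
    memcpy(f.ret, RET_SENTINEL, 8);
    build_payload(payload);
    /* f.buf is at offset 0, so this is the address strcpy(buf, str)
     * would write to; the cast lets the copy run over the whole frame. */
    unchecked_copy((char *)&f, payload);
    return memcmp(f.ret, RET_SENTINEL, 8) != 0;
}

/* Same input through the bounded copy: buf is filled and the input is
 * truncated; sfp and ret are untouched. Returns 1 if ret was modified. */
int ret_overwritten_by_bounded_copy(void)
{
    struct model_frame f;
    char payload[142];

    memset(&f, 0, sizeof f);
    memcpy(f.ret, RET_SENTINEL, 8);
    build_payload(payload);
    bounded_copy(f.buf, sizeof f.buf, payload);
    return memcmp(f.ret, RET_SENTINEL, 8) != 0;
}

/* Reports whether bounded_copy flagged the over-long input. */
int bounded_copy_flags_truncation(void)
{
    char dst[126];
    char payload[142];

    build_payload(payload);
    return bounded_copy(dst, sizeof dst, payload);
}

int main(void)
{
    printf("unchecked copy overwrote ret:     %d\n", ret_overwritten_by_unchecked_copy());
    printf("bounded copy overwrote ret:       %d\n", ret_overwritten_by_bounded_copy());
    printf("bounded copy reported truncation: %d\n", bounded_copy_flags_truncation());
    return 0;
}
```

The model frame never executes anything, so it is safe to run (e.g. cc -Wall overflow_model.c && ./a.out). On a real stack the same overwrite would make func() return to whatever address the 'C' bytes spell, which is why slide 13's guessing step matters. Two details the model makes visible: strcpy stops at the first NUL, so a forged return address can hold a zero byte only as its last byte (the terminator), and simply truncating, as bounded_copy does, can itself be a bug if the caller ignores the truncation flag and later relies on the full input.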