K. K. Mookhey Network Intelligence India Pvt. Ltd. Bug-finding K. K. Mookhey Network Intelligence India Pvt. Ltd.

Main types Mainly two types of audits Assembly or Black Box Open Source

Approach There are two main types of methods: Outside-in: Look at all input avenues for the program. Imagine, any input validation that may or may not have been done Try to circumvent it Well-suited to black-box testing Easy bugs get found out fast Reasonable ROI Critical issues usually get missed out Subtle bugs may take years to surface

Approach Inside-out Completely audit the entire code Requires extensive documentation support to make task easier Audit must adopt mindset of programmer Low ROI Must follow all code paths Will uncover subtle bugs Ideal for source-code audits

Black-box Testing Looks Familiar?

Black Box Testing Again two methods Inside-out: Involves assembly code analysis Outside-in: Involves analysis of overall software structure

Assembly Audit Use tools mainly Look for assembly equivalents of strcpy, strcat, sprintf, etc. Figuring out actual path of execution is the challenge Not recommended Less ROI

Black Box Snapshot system before software installation Registry Keys (Regmon) Open Files (Filemon) Open Network Connections (Netmon) All tools are from www.sysinternals.com

Black Box - 2 Install software Run software Note new files added Note new registry keys added See ACLs on these – could be source for potential malcious inputs Run software Again snapshot the system Open Reg keys, Net connections, files, etc.

Black Box Ascertain CIA of data when the following occur: Authorization: Encryption, Credentials, Protocols, etc. Authentication: Privilege Levels, implementation, etc. Auditing: Audit trails, locations, integrity, etc. Input Validation: Buffer Overflows, Format Strings, Directory Traversal, Information Disclosure, etc. Miscellaneous: Cryptanalysis, Unseen threats, etc.

Black Box – 3 Basic Approach Determine all input avenues to the software Imagine as programmers what data structures we will read the data into What input checking could the programmer have missed? Length (Buffer Overflows) Meta characters (SQL Injection, XSS) Format string characters (Format string bugs)

Black Box - 4 Determine bugs in other such software Try those out in your target Examples: Long filenames crashed Winzip. Could they crash other archival software? IE does not validate length of HTTP data from server. Does Opera?

Methods for Black Box Can be done individually More productive if done with team of 2-3 people Too many people reduce productivity One person only might miss some obvious tests

Buffer Overflow #define data_len 500 char buff[data_len]; strcpy (buff, argv[1]); strncpy (buff, argv[1], data_len); strncat (buff, argv[1], sizeoff(buff)); strncat (buff, argv[1], sizeof(buff) - strlen(buf) - 1);

Format String printf(“The value in decimal is %d and in hexadecimal is %x”,dVal,dVal); Normal printf syntax: Format string, followed by valued. Format specifiers are %d, %x, %i, %s, etc. Special format specifier %n. Receives number of bytes formatted. printf(“format%.10x%n”,buffer,num_bytes); Allows us to write a value to memory location specified by num_bytes.

Format String The printf family of functions can also be written without the format string: printf(“user_data”) instead of printf(“%s”,&user_data) Attack method: Send in format specified in user_data to jump specific values up the stack, and write next IP using %n

Format String First identify location of exploit code in memory Say at memory location 0x0012DD00 The printf statement must format 0x0012DD00 characters. Followed by a %n to over write a saved memory location. Enter user_date = %.618112x%.618112x%n

Format String The user_data also needs to include our exploit code, which will be pushed onto stack during execution. user_data = shellcode%.NNNNNNx%n Upon execution, code tries to write data at some address, which also is derived from our user_data. We need to overwrite this with the saved return address determined earlier.

Format String user_data = shellcode%NNNNNNx%nsaved_address Saved_address points to our own string user_data. NNNNNN is used to push up into stack until we reach desired location. Whereupon shellcode will be executed.

Open Source Use RATS for automated code audit Then go to each function, sub-routine Determine inputs Check filtering of inputs Check processing of inputs Follow program execution to see where original input comes from

General Guidelines When testing a software, go especially to the new features that they have added The older modules are likely to be more tested and stable Do the unexpected – go where no one expects you to go

Example – Latest IE Insufficient input validation for data received from a web server in an HTTP reply Some fields not parsed properly – length! – Stack Buffer Overflow Present in the URLMON.dll

Happy bug hunting Questions?