How to find vulnerability in software ? documented by h2spice [email protected] 1 1373수요일

How to find_vulnerability_in_software


DESCRIPTION

How to find_vulnerability_in_software, presented at Secuinside 2013


1. How to find vulnerability in software? documented by h2spice, [email protected]

2. h2spice.net/secuinside2013_h2spice/

3. Who am I
Sanghwan Ahn (h2spice), Security Researcher in Team (NSHC Inc.)
Vulnerability/malware analysis, bug hunting, mobile security

4. Agenda
Introduction about vulnerability
- What is the vulnerability
- How to use vulnerabilities
- The reason we must find vulnerabilities
Before finding vulnerability, things we should know
- What knowledge will help you
- What experience will help you
- Think and act like a hacker

5. Agenda
How can we find vulnerability?
- Superficial analysis on the target
- Internal analysis on the target
- Occurs crash
Demonstration
- ActiveX module on banking / financial
Conclusion

6. Introduction. Vulnerability

7. What is the vulnerability
In a narrow perspective
- A weakness or flaw in computer hardware or software
- Loopholes in the system or in the design
- Allows an attacker to reduce a system's information assurance (e.g. execution of arbitrary code, bypass of security mitigations)
In a broad perspective
- Refers to all information security risks, including user and administrator negligence or social engineering weaknesses

8. How to use the vulnerability [Refer to FireEye's Next-Generation Threats]
Financial benefits, information stealing
- APT (Advanced Persistent Threat): PDF, HWP, MS Word vulnerabilities
- 3.20 Korean cyber terror (the 20 March 2013 attacks)
Random target attack
- Via web browser vulnerability
- Making zombies

9. Percentage of total infections [According to FireEye Cyber Attack Landscape]
Technology: 25%
Banking/Finance/Insurance: 14%
Manufacturing: 9%
Healthcare: 9%
Entertainment/Media: 8%
Energy/Utilities: 8%
Telecommunications: 7%
Business Services: 6%
Retail: 6%
Logistics/Transportation: 5%
Other: 3%

10. Vulnerability disclosure growth by year [According to IBM X-Force Research and Development]
(Chart: vulnerability disclosures per year, 1996 to 2012; y-axis 0 to 9,000.)

11. Why we must find vulnerability
- Attacks using 0-days are difficult to detect and the extent of the damage is huge
- If we discover the vulnerability in advance, the best solution is available: the vulnerability gets patched
- Give me the money (Pwn2Own 2013): Google Chrome on Windows 7 ($100,000); Microsoft Internet Explorer 10 on Windows 8 ($100,000) or IE 9 on Windows 7 ($75,000)
- To be a hacker: most of them can find vulnerabilities on every platform; that is the starting point of hacking

12. Before finding vulnerability, things we should know

13. What knowledge will help you?
Language: ASM / C / C++ / Python / Perl
Types of vulnerability: buffer overflow (stack, heap, integer), null pointer dereference, format string bug, use after free, etc.

14. What experience will help you?
Vulnerability analysis
- Non-CVE vulnerability analysis
- CVE-XXXX-XXXX vulnerability analysis

15. Techniques & tools
Static analysis: IDA
Dynamic analysis: IDA, Immunity Debugger, OllyDbg, WinDbg
Bypassing security mitigations: DEP, NX bit, ASLR, ASCII-Armor, stack canary, sandbox, etc.
Exploitation: overwriting SEH, RTL (return-to-libc), ROP, egg hunting, heap spraying, etc.

16. Think and act like a hacker
- There is no perfection in software, because it is made by humans. So the vulnerability exists.
- Check from a small part
- Don't be greedy, take it step by step
- If I can't find the vulnerability, that is my fault

17. How to find vulnerability
Superficial analysis on the target
Internal analysis on the target
Occurs crash
Exploitation / weaponizing

18. Phase 1. Superficial analysis on the target
Accessible entry points of a program:
- Environment data
- User input data
- File data
- Received data (local / remote)
- Library loading
- Parsing
An entry point is considered to have a potential vulnerability.

19. Phase 1. Superficial analysis on the target
The same entry points (environment data, user input data, file data, received data local/remote, library loading, parsing), with the vulnerability classes that potentially exist at each:
[+] Buffer overflow
  [-] Stack-based overflow
  [-] Heap-based overflow
  [-] Integer overflow
  [-] Format string bug
  [-] Null pointer dereference
  [-] Use after free
[+] Etc.
[+] DLL hijacking

20. Phase 2. Internal analysis on the target
Although there are various approaches, many hackers use a few popular ones: SA (source code auditing), reverse engineering, fuzzing.

21. Source code auditing
- If you have the source code, you can find vulnerabilities
- This is a powerful approach
- Applied in many places

22. Approach method: code auditing flowchart (slides 22 to 26 build up the same chart)
Two columns: Code auditing and Reverse engineering.
Start -> Is it open source software?
  Y -> Code auditing
  N -> Decompile (reverse engineering)
Remaining nodes of the chart: Search library -> Is it an open source library? -> Check version -> Vulnerable version? Depending on the answer (Y/N), the path continues to Code analysis -> Find vulnerability -> Exploitation, or to the Fuzzing step.

27. How to analyze source code
Accessible entry points from the user interface: anything that can be accessed and can be manipulated
Common vulnerabilities: buffer overflow (stack / heap / integer), format string
Using automatic analysis tools: RATS, ITS4, FindBugs, Flawfinder, Splint

28. Stack buffer overflow in source code
- Fixed buffers (e.g. buffer[4096], or buffer[BUFFER_SIZE] with a #define)
- In the source code, find dangerous functions such as strcpy(), sprintf(). They are often wrapped, e.g. abc_strcpy()
- Sometimes a buffer overflow is caused by the termination condition of a loop

29. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)

30. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 1. Search accessible entry points
Program name: VLC 2.0.0. Accessible entry point: Open File.
  File type: Video      File formats: 3g2 / 3gp / 3gp2 / amv / asf / etc.
  File type: Audio      File formats: a52 / aac / ac3 / adt / adts / etc.
  File type: Playlist   File formats: m3u / wpl / ram / pls / gvp / etc.
  File type: URL        File formats: mms / rtmp / rtp / rtsp / smb / etc.

31. Same table; the URL entry point (mms) is where the stack-based buffer overflow occurs.

32. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 2.
Find the source code for the accessible entry point. Searching the tree for the entry point's name turns up the module:

    h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$ find ./ | grep "mms"
    .//contrib/src/src/goom/goom2k4-xmmslibdir.patch
    .//modules/access/mms
    .//modules/access/mms/asf.c
    .//modules/access/mms/asf.h
    .//modules/access/mms/buffer.c
    .//modules/access/mms/buffer.h
    .//modules/access/mms/Makefile.am
    .//modules/access/mms/Makefile.in
    .//modules/access/mms/mms.c
    .//modules/access/mms/mms.h
    .//modules/access/mms/mmsh.c
    .//modules/access/mms/mmsh.h
    .//modules/access/mms/mmstu.c
    .//modules/access/mms/mmstu.h
    .//modules/access/mms/Modules.am

33. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 3-1. Check for dangerous methods (e.g. strcpy, sprintf, etc.)

    h2spice-ui-MacBook-Pro:mms h2spice$ find ./ | xargs grep -n "strcpy"
    grep: ./: Is a directory

The same search for "strcat", "getwd", "gets", "fscanf", "scanf" and "realpath" returns only the "Is a directory" notice, i.e. no hits. Searching for "sprintf" does:

    h2spice-ui-MacBook-Pro:mms h2spice$ find ./ | xargs grep -n "sprintf"
    grep: ./: Is a directory
    .//mmsh.c:518:        if( asprintf( &buf, "%s:%s", p_sys->proxy.psz_username,
    .//mmstu.c:535:    sprintf( tmp,
    .//mmstu.c:592:    sprintf( tmp,
    .//mmstu.c:599:    sprintf( tmp, "192.168.0.1TCP1242" );

34. As a result, we are able to find the code that uses a dangerous method: the sprintf() calls in mmstu.c.

35. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 3-2. Simple check via automatic tools (RATS, etc.)

    C:\Documents and Settings\Administrator\Desktop\rats-2.3-win32\rats-2.3>rats.exe mmstu.c
    Analyzing mmstu.c
    mmstu.c:459: High: fixed size local buffer
    Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
    mmstu.c:535: High: sprintf
    Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.
    mmstu.c:535: High: sprintf
    mmstu.c:592: High: sprintf
    Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

36. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step 4. Analyze the source code in detail (slides 36 to 39 annotate the same listing)

    /* vlc-2.0.0/modules/access/mms/mmstu.c */
    /****************************************************************************
     * MMSOpen : Open a connection with the server over mmst or mmsu
     ****************************************************************************/
    static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
    {
        access_sys_t *p_sys = p_access->p_sys;
        int           b_udp = ( i_proto == MMS_PROTO_UDP ) ? 1 : 0;

        var_buffer_t buffer;
        char         tmp[4096];          /* fixed-size buffer on the stack */
        uint16_t     *p;
        int          i_server_version;
        int          i_tool_version;
        int          i_update_player_url;
        int          i_encryption_type;
        int          i;
        int          i_streams;
        int          i_first;
        char         *mediapath;

        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */

        /* *** send command 1 : connection request *** */
        var_buffer_initwrite( &buffer, 0 );
        var_buffer_add16( &buffer, 0x001c );
        var_buffer_add16( &buffer, 0x0003 );

        sprintf( tmp,
                 "NSPlayer/7.0.0.1956; {"GUID_FMT"}; Host: %s",
                 GUID_PRINT( p_sys->guid ),
                 p_url->psz_host );       /* unbounded write: host comes from the URL */

Stack frame: tmp[4096] | saved EBP | saved EIP. A static 4096-byte buffer is allocated on the stack.

37. The connection request string is copied into the tmp[4096] buffer by sprintf().

38. If a valid request is built (e.g. "NSPlayer/7.0.0.1956; {user}; Host: www.h2spice.net"), the buffer overflow does not occur.

39. But if the host taken from the mms:// URL (p_url->psz_host) is oversized (e.g. "Host: AAAAAAAAAA..." long enough that the whole string exceeds 4096 bytes), sprintf() writes past the end of tmp[], over the saved EBP and EIP, and the buffer overflow occurs.
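As an added example (not VLC's code and not from the slides), the sprintf()-into-tmp[4096] pattern above beside a bounded rewrite. It assumes a constant sample GUID in place of GUID_PRINT(p_sys->guid) and a caller-supplied host in place of p_url->psz_host; the fixed text is the slide's format string. The point it adds is that the check must compare the length the whole formatted string needs against the buffer, and fail the request rather than silently truncate it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not VLC's code: the sprintf()-into-tmp[4096] pattern from
 * MMSOpen() beside a bounded version. The GUID is an assumed sample value
 * standing in for GUID_PRINT(p_sys->guid); the host plays p_url->psz_host. */

#define TMP_SIZE    4096
#define SAMPLE_GUID "00000000-0000-0000-0000-000000000000"   /* assumed sample value */
#define REQUEST_FMT "NSPlayer/7.0.0.1956; {%s}; Host: %s"

/* Bytes the unbounded sprintf() writes (excluding the NUL) for a host of
 * host_len bytes: the fixed text plus the GUID plus the host. */
size_t request_len_for_host(size_t host_len)
{
    return strlen("NSPlayer/7.0.0.1956; {" SAMPLE_GUID "}; Host: ") + host_len;
}

/* Vulnerable shape: no bound on the destination. Only called here with a
 * host that fits, so this program itself does not crash. */
int build_request_unsafe(char *tmp, const char *host)
{
    return sprintf(tmp, REQUEST_FMT, SAMPLE_GUID, host);
}

/* Hardened shape: snprintf() returns the length the whole string needs, so
 * a result >= tmp_size means the write would have overflowed. Fail closed
 * instead of sending a silently truncated request. */
int build_request_safe(char *tmp, size_t tmp_size, const char *host)
{
    int n = snprintf(tmp, tmp_size, REQUEST_FMT, SAMPLE_GUID, host);
    if (n < 0 || (size_t)n >= tmp_size) {
        tmp[0] = '\0';
        return -1;
    }
    return n;
}

/* Builds a host of host_len 'A' bytes (the slide's "Host: AAAA..." case)
 * and runs the safe builder against a TMP_SIZE stack buffer. */
int try_host_len(size_t host_len)
{
    char tmp[TMP_SIZE];
    char *host = malloc(host_len + 1);
    if (host == NULL)
        return -2;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    int n = build_request_safe(tmp, sizeof tmp, host);
    free(host);
    return n;
}

int main(void)
{
    char tmp[TMP_SIZE];
    size_t fixed = request_len_for_host(0);

    printf("valid host: %d bytes written\n",
           build_request_unsafe(tmp, "www.h2spice.net"));
    printf("largest host that fits: %zu bytes -> safe build returns %d\n",
           TMP_SIZE - 1 - fixed, try_host_len(TMP_SIZE - 1 - fixed));
    printf("one byte more: safe build returns %d (unbounded sprintf would write %zu+1 bytes into %d)\n",
           try_host_len(TMP_SIZE - fixed), request_len_for_host(TMP_SIZE - fixed), TMP_SIZE);
    printf("5000-byte host: safe build returns %d\n", try_host_len(5000));
    return 0;
}
```

The boundary case is the one worth keeping in a regression test: with 67 bytes of fixed text and GUID, a 4028-byte host is the last one that fits in 4096 bytes with its terminator, and a 4029-byte host must be rejected.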
40. Heap buffer overflow in source code
Search for malloc(), calloc(), realloc() and memcpy(), then compare the allocated memory size to the copied data size. Searching the rtsp module for memory allocation methods:

    h2spice-ui-MacBook-Pro:rtsp h2spice$ find ./ | xargs grep -n "malloc"
    grep: ./: Is a directory
    .//access.c:168:    p_access->p_sys = p_sys = malloc( sizeof( access_sys_t ) );
    .//access.c:171:    p_sys->p_rtsp = malloc( sizeof( rtsp_client_t) );
    .//real.c:433:    buf= (char *)malloc(2048);
    .//real.c:611:    char *buf = malloc(256);
    .//real.c:666:    description = malloc(size+1);
    .//real.c:675:    subscribe = malloc(256);
    .//real_asmrp.c:93:    p = malloc (sizeof (asmrp_t));
    .//real_rm.c:384:    mdpr->type_specific_data = malloc(type_specific_len);
    .//real_sdpplin.c:70:    buf = malloc( BUFLEN );
    .//real_sdpplin.c:74:    decoded = malloc( BUFLEN );
    .//real_sdpplin.c:146:    desc->mlti_data = malloc(desc->mlti_data_size);
    .//real_sdpplin.c:193:    buf = malloc( BUFLEN );
    .//real_sdpplin.c:200:    decoded = malloc( BUFLEN );
    .//real_sdpplin.c:262:    desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
    .//rtsp.c:505:    s->host = malloc(hostend+1);

As a result, you are able to find the code that uses the memory allocation methods.

41. Heap buffer overflow in source code (slides 41 to 45 step through the same snippet from real_sdpplin.c)

    if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
        desc->mlti_data_size =
            vlc_b64_decode_binary_to_buffer(decoded, BUFLEN, buf );
        if ( desc->mlti_data_size ) {
            desc->mlti_data = malloc(desc->mlti_data_size);          /* allocated size */
            memcpy(desc->mlti_data, decoded, desc->mlti_data_size);  /* copied size */
            handled=1;
            *data=nl(*data);
            lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
        }
    }

Search malloc(), calloc(), realloc(), memcpy(); compare the allocated memory size (malloc(desc->mlti_data_size)) to the copied data size (the memcpy() length, also desc->mlti_data_size).

45. Are the two sizes equal?
If they are equal, move on and check the other malloc() and memcpy() pairs.

46. httpdx 1.5.4 Heap Overflow
Step 1. Search for malloc() or memcpy()

    h2spice-ui-MacBook-Pro:httpdx_src h2spice$ find ./ | xargs grep -n "malloc"
    grep: ./: Is a directory
    .//daemon.cpp:100:    //d = (char*)malloc(_size);
    .//daemon.cpp:191:    //mimes = (dblstr_t*)malloc(vc+1);//+1: space for httpdx command virtual file extension
    .//daemon.cpp:204:    mimes = (dblstr_t*)malloc((vc+1)*sizeof(dblstr_t));//+1: space for httpdx command virtual file extension
    .//ftp.cpp:122:    client->transfers[client->transfers_c].d = (char*)malloc(1);
    .//http.cpp:250:    client->d = (char*)malloc(strlen(p[0])+1);
    .//http.cpp:357:    client->d = (char*)malloc(strlen(p[0])+1);
    .//http.cpp:467:    client->d = (char*)malloc(client->ds);
    .//http.cpp:661:    client->pd = (char*)malloc(client->cl+1);
    .//script.cpp:233:    //nodes[*ns].str = (char*)malloc(el+1);
    .//script.cpp:246:    //nodes[*ns].str = (char*)malloc(el+1);
    .//script.cpp:264:    //nodes[*ns].str = (char*)malloc(el+1);

As a result, we are able to find the code that uses memory allocation methods.

47. httpdx 1.5.4 Heap Overflow
Step 2. Compare the allocated memory size to the copied data size (slides 47 to 51 highlight the same listing from http.cpp)

    int h_readrequest(phclient_t client){
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
                int hs = p-client->req;                                   //Get data position in request
                if(p){
                    client->pd = (char*)malloc(client->cl+1);             /* allocated: Content-Length + 1 */
                    int pos = p+4-client->req;
                    memcpy(client->pd,client->req+pos,(client->rs-hs-4)); /* copied: received size - header size - 4 */
                    client->pds = client->rs-hs-4;
                    if((client->rs-hs-4) >= client->cl)
                        client->state = STATE_REQD;
                    else
                        client->state = STATE_DATADOWN;
                }else{
                    client->state = STATE_ERROR;
                    return (client->code = C_REQUESTENTITYTOOLARGE);
                }
        /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted */
            }
        }
    }

51. Step 3. If the two sizes are not equal, carry out a detailed analysis. Here malloc() is sized from client->cl while memcpy() copies client->rs-hs-4 bytes; the two are not equal.

52. httpdx 1.5.4 Heap Overflow
Step 3. Detailed analysis: the structure behind the two sizes (source/include/http.h, phclient_t)
    Type      Name        Detail
    int       socket      socket to communicate
    char      host[256]   what host the client used
    char *    pd          post data; its size is allocated from "Content-Length"
    size_t    pds         post data size
    int       cl          Content-Length
    char      req[4096]   request buffer
    int       rs          request size (from the received packet)

53. The allocation follows cl (Content-Length, supplied by the client); the copy length follows rs (the request size as actually received).

54. Step 3. Generate a malformed packet and send it to the server:

    POST /index.html HTTP/1.0
    Content-Length: 100
    Content-Type: text
    Host: AAAAAAAAA.....AAAAAAAAAAA

A dynamic heap buffer of 101 bytes (Content-Length + 1) is allocated, with other heap data on either side of it.

55. The request data is copied into that buffer.

56. If Content-Length is smaller than the size of the request data actually received, the copy runs past the 101-byte buffer into the adjacent heap space: the heap buffer overflow occurs.
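An added example, not httpdx code, modelling the two sizes in h_readrequest() (a buffer sized from Content-Length, a copy sized from the bytes received) and the reconciliation that closes the hole. It assumes a minimal Content-Length parser of its own and constructs requests whose body is a run of 'A' bytes; the field names follow the phclient_t table above, and copy_overrun() is this example's own arithmetic for the original code's memcpy() length minus its malloc() size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not httpdx code: models the h_readrequest() size mismatch
 * and the check that prevents it. Field names follow the slide's phclient_t;
 * the requests are constructed here. */

#define REQ_SIZE 4096

struct client {
    char   req[REQ_SIZE];  /* raw request as received */
    int    rs;             /* bytes received */
    int    cl;             /* Content-Length as parsed */
    char  *pd;             /* post data, allocated from cl */
    size_t pds;            /* bytes stored in pd */
};

/* Offset of the blank line ("\r\n\r\n") that ends the headers, or -1. */
int find_header_end(const char *buf, int len)
{
    for (int i = 0; i + 3 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n' && buf[i + 2] == '\r' && buf[i + 3] == '\n')
            return i;
    return -1;
}

/* Minimal Content-Length parser (assumed, for the constructed request);
 * rejects negative or absurd values, which the original never checked. */
int parse_content_length(const char *buf, int len)
{
    const char *key = "Content-Length:";
    int klen = (int)strlen(key);
    for (int i = 0; i + klen <= len; i++)
        if (strncmp(buf + i, key, klen) == 0) {
            long v = strtol(buf + i + klen, NULL, 10);
            return (v < 0 || v > 1024L * 1024L) ? -1 : (int)v;
        }
    return -1;
}

/* The original arithmetic: malloc(cl + 1) bytes, memcpy(rs - hs - 4) bytes.
 * A positive result is the number of bytes written past the heap buffer. */
long copy_overrun(int rs, int hs, int cl)
{
    return ((long)rs - hs - 4) - ((long)cl + 1);
}

/* Hardened copy: bounded by both what was received and what Content-Length
 * promised, so the count can never exceed the allocation. */
int read_post_body_safe(struct client *c)
{
    int hs = find_header_end(c->req, c->rs);
    if (hs < 0 || c->cl < 0)
        return -1;
    size_t available = (size_t)(c->rs - hs - 4);
    size_t to_copy = available < (size_t)c->cl ? available : (size_t)c->cl;
    c->pd = malloc((size_t)c->cl + 1);
    if (c->pd == NULL)
        return -1;
    memcpy(c->pd, c->req + hs + 4, to_copy);
    c->pd[to_copy] = '\0';
    c->pds = to_copy;
    return (int)to_copy;
}

/* Constructs the slide's request shape: "Content-Length: <cl>" followed by
 * a body of body_len 'A' bytes. Returns -1 if it would not fit req[]. */
int build_request(struct client *c, int body_len, int cl)
{
    memset(c, 0, sizeof *c);
    int n = snprintf(c->req, sizeof c->req,
                     "POST /index.html HTTP/1.0\r\nContent-Length: %d\r\nContent-Type: text\r\n\r\n", cl);
    if (n < 0 || n + body_len >= (int)sizeof c->req)
        return -1;
    memset(c->req + n, 'A', (size_t)body_len);
    c->rs = n + body_len;
    c->cl = parse_content_length(c->req, c->rs);
    return 0;
}

/* Overrun the original memcpy() would produce for this request. */
long demo_overrun(int body_len, int cl)
{
    struct client c;
    if (build_request(&c, body_len, cl) < 0)
        return 0;
    return copy_overrun(c.rs, find_header_end(c.req, c.rs), c.cl);
}

/* Bytes the hardened copy actually stores for the same request. */
int demo_safe_copied(int body_len, int cl)
{
    struct client c;
    if (build_request(&c, body_len, cl) < 0)
        return -1;
    int copied = read_post_body_safe(&c);
    free(c.pd);
    return copied;
}

int main(void)
{
    printf("Content-Length 100, 300-byte body: original copy overruns by %ld bytes, safe copy stores %d\n",
           demo_overrun(300, 100), demo_safe_copied(300, 100));
    printf("Content-Length 100, 50-byte body: overrun %ld (negative means it fits), safe copy stores %d\n",
           demo_overrun(50, 100), demo_safe_copied(50, 100));
    return 0;
}
```

Note that the original's follow-up test, (rs-hs-4) >= cl, runs after the memcpy() and decides only the state machine; the bound has to be applied to the copy length itself, before the copy.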
if not equal, carry out a detailed analysis POST /index.html HTTP/1.0 Content-Length: 100 Content-Type: text Host: AAAAAAAAA.....AAAAAAAAAAA POST/index.ht ml HTTP/1.0 Content-Length :100 Content- Type :text Host: AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA request packet was copied into buffer 5513 7 3 56. heap based buffer[101] Other Space Other Space POST/index.ht ml HTTP/1.0 Content-Length :100 Content- Type :text Host: AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA httpdx 1.5.4 Heap Overow Step3. if not equal, carry out a detailed analysis generate a malformed packet send a packet to the server if content-length is smaller than requset packet size, buer overow was occurredPOST /index.html HTTP/1.0 Content-Length: 100 Content-Type: text Host: AAAAAAAAA.....AAAAAAAAAAA 5613 7 3 57. Integer Buffer Overow in Source Code 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process diculty in detecting, so massive code analysis is needed it is a negative number since it is interpreted as a sign bit 5713 7 3 58. Example of Integer Buffer Overow #include #include #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? 
(val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ Output 1 - Normal Output 2 - Integer Overow 5813 7 3 59. Example of Integer Buffer Overow #include #include #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello ? 
size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ Output 1 - Normal Output 2 - Integer Overow declare variable (signed/unsigned type, static buffer) 5913 7 3 60. Example of Integer Buffer Overow #include #include #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ Output 1 - Normal Output 2 - Integer Overow get size of user input data and then, print size 6013 7 3 61. Example of Integer Buffer Overow h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overow/sample/poc $ ./integer_overow hello ? 
3. Check the size of the user input data against BUFFER_SIZE with test_min(): this is the code that is meant to prevent the buffer overflow.
4. Copy the user input data into the buffer and print it.
5. If a value too large for the signed type is stored in it, an integer overflow occurs. Here type3 = 999999999999999 does not fit a 32-bit off_t: truncated to 32 bits it is 0xA4C67FFF, which read as a signed 32-bit integer is -1530494977, the value printed in Output 2. (On a 64-bit build, or with -D_FILE_OFFSET_BITS=64, off_t is 64 bits wide, the constant fits, test_min() clamps it to 4096 and the bug is not reachable this way; the slide's output comes from a build with a 32-bit off_t.)
6. Because type1 is now negative, test_min(type1, BUFFER_SIZE) returns type1 unchanged (any negative number is "smaller" than 4096 in a signed comparison), so the size check is bypassed; the cast to size_t then turns -1530494977 into 2764472319.
7. As a result strncpy() writes far beyond the 4096-byte buffer: a stack buffer overflow. The program crashes even though the argument is only five bytes long, because strncpy() pads the destination with NUL bytes up to the requested length.

nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)

Step 1.
Collect information about the variables involved: which are signed, which are unsigned, and which are fixed-size buffers.

    Source path                        Structure / function                                          Type                    Name              Detail
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       ngx_uint_t              state             unsigned
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       off_t                   size              signed type
    src/http/ngx_http.h                ngx_http_chunked_s (ngx_http_chunked_t)                       off_t                   length            signed type
                                       (other variables omitted)
    src/http/ngx_http_request_body.c   ngx_http_read_discarded_request_body(ngx_http_request_t *r)   size_t                  size              unsigned type
    src/http/ngx_http_request_body.c   ngx_http_read_discarded_request_body(ngx_http_request_t *r)   u_char                  buffer[4096]      fixed buffer (NGX_HTTP_DISCARD_BUFFER_SIZE)
                                       (other variables omitted)
    src/http/ngx_http_request.h        ngx_http_request_s                                            ngx_http_headers_in_t   headers_in        struct member (not a pointer: the code below uses r->headers_in.content_length_n)
    src/http/ngx_http_request.h        ngx_http_request_s                                            ngx_http_headers_out_t  headers_out       struct member
                                       (other variables omitted)
    src/http/ngx_http_request.h        ngx_http_headers_in_t                                         off_t                   content_length_n  signed type
    src/http/ngx_http_request.h        ngx_http_headers_out_t                                        off_t                   content_length_n  signed type

Step 2.
Step by step, analyze the source code.

    static ngx_int_t
    ngx_http_static_handler(ngx_http_request_t *r)
    {
        u_char                    *last, *location;
        size_t                     root, len;
        ngx_str_t                  path;
        /* ... omitted ... */

        if (r->method & NGX_HTTP_POST) {
            return NGX_HTTP_NOT_ALLOWED;
        }

        rc = ngx_http_discard_request_body(r);

        if (rc != NGX_OK) {
            return rc;
        }

        log->action = "sending response to client";

        r->headers_out.status = NGX_HTTP_OK;
        r->headers_out.content_length_n = of.size;
        r->headers_out.last_modified_time = of.mtime;
        /* ... omitted ... */

[src/http/modules/ngx_http_static_module.c] ngx_http_discard_request_body() is called: a plain request for a static file (POST is rejected first) still discards whatever body the client sends.

    ngx_int_t
    ngx_http_discard_request_body(ngx_http_request_t *r)
    {
        ssize_t       size;
        ngx_int_t     rc;
        ngx_event_t  *rev;
        /* ... omitted ... */

        if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
            return NGX_OK;
        }

        size = r->header_in->last - r->header_in->pos;

        if (size || r->headers_in.chunked) {
            rc = ngx_http_discard_request_body_filter(r, r->header_in);

            if (rc != NGX_OK) {
                return rc;
            }

            if (r->headers_in.content_length_n == 0) {
                return NGX_OK;
            }
        }
        /* ... omitted ... */

[src/http/ngx_http_request_body.c] Check for chunked data in the header: a request with Transfer-Encoding: chunked goes into the filter even when no Content-Length is present.
ngx_http_discard_request_body_filter() is called from the block above.

    static ngx_int_t
    ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
    {
        size_t                     size;
        ngx_int_t                  rc;
        ngx_http_request_body_t   *rb;

        if (r->headers_in.chunked) {

            rb = r->request_body;
            /* ... omitted ... */

            for ( ;; ) {

                rc = ngx_http_parse_chunked(r, b, rb->chunked);

                if (rc == NGX_OK) {

                    /* a chunk has been parsed successfully */

                    size = b->last - b->pos;

                    if ((off_t) size > rb->chunked->size) {
                        b->pos += rb->chunked->size;
                        rb->chunked->size = 0;

                    } else {
                        rb->chunked->size -= size;
                        b->pos = b->last;
                    }

                    continue;
                }
                /* ... omitted ... */

[src/http/ngx_http_request_body.c] ngx_http_parse_chunked() is called; that function contains the integer overflow.
    ngx_int_t
    ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
        ngx_http_chunked_t *ctx)
    {
        /* ... omitted ... */

        for (pos = b->pos; pos < b->last; pos++) {

            ch = *pos;
            /* ... omitted ... */

            switch (state) {

            case sw_chunk_start:
                if (ch >= '0' && ch <= '9') {
                    state = sw_chunk_size;
                    ctx->size = ch - '0';
                    break;
                }

                c = (u_char) (ch | 0x20);

                if (c >= 'a' && c <= 'f') {
                    state = sw_chunk_size;
                    ctx->size = c - 'a' + 10;
                    break;
                }

                goto invalid;

            case sw_chunk_size:
                if (ch >= '0' && ch <= '9') {
                    ctx->size = ctx->size * 16 + (ch - '0');
                    break;
                }

                c = (u_char) (ch | 0x20);

                if (c >= 'a' && c <= 'f') {
                    ctx->size = ctx->size * 16 + (c - 'a' + 10);
                    break;
                }
                /* ... omitted ... */

If ctx->size already holds a large number, the next ctx->size = ctx->size * 16 + digit overflows. Nothing limits how many hex digits a chunk-size line may carry, and ctx->size is a signed off_t (the Step 1 table: ngx_http_chunked_t has ngx_uint_t state, off_t size, off_t length), so with enough digits ctx->size wraps and is interpreted as a negative number.

Further down, at the data: label, ctx->length is derived from that size:

    data:

        ctx->state = state;
        b->pos = pos;

        switch (state) {

        case sw_chunk_start:
            ctx->length = 3 /* "0" LF LF */;
            break;
        case sw_chunk_size:
            ctx->length = 2 /* LF LF */
                          + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
            break;
        /* ... omitted ... */

So ctx->length is now a negative number as well.
Back in ngx_http_discard_request_body_filter(), the parser's return code decides what happens to that length:

        for ( ;; ) {

            rc = ngx_http_parse_chunked(r, b, rb->chunked);

            if (rc == NGX_OK) {

                /* a chunk has been parsed successfully */
                /* ... omitted ... */

                continue;
            }

            if (rc == NGX_DONE) {

                /* a whole response has been parsed successfully */

                r->headers_in.content_length_n = 0;
                break;
            }

            if (rc == NGX_AGAIN) {

                /* set amount of data we want to see next time */

                r->headers_in.content_length_n = rb->chunked->length;
                break;
            }
            /* ... omitted ... */

When the chunk-size line has been parsed but the chunk data has not arrived yet, the parser returns NGX_AGAIN and the negative rb->chunked->length is stored in r->headers_in.content_length_n, which is itself a signed off_t (Step 1 table: ngx_http_headers_in_t and ngx_http_headers_out_t both carry an off_t content_length_n).

Back in ngx_http_discard_request_body():

        /* ... omitted ... */

        if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
            return NGX_OK;
        }

        size = r->header_in->last - r->header_in->pos;

        if (size || r->headers_in.chunked) {
            rc = ngx_http_discard_request_body_filter(r, r->header_in);

            if (rc != NGX_OK) {
                return rc;
            }

            if (r->headers_in.content_length_n == 0) {
                return NGX_OK;
            }
        }

        rc = ngx_http_read_discarded_request_body(r);

        if (rc == NGX_OK) {
            r->lingering_close = 0;
            return NGX_OK;
        }

        if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
            return rc;
        }
        /* ... omitted ... */

ngx_http_read_discarded_request_body() is called; it contains the stack-based overflow. Note that the "content_length_n <= 0" early return ran before the filter and does not apply to a chunked request, and the only check after the filter is for exactly zero, so the negative content_length_n passes straight through.
    static ngx_int_t
    ngx_http_read_discarded_request_body(ngx_http_request_t *r)
    {
        size_t     size;
        ssize_t    n;
        ngx_int_t  rc;
        ngx_buf_t  b;
        u_char     buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];

        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "http read discarded body");

        ngx_memzero(&b, sizeof(ngx_buf_t));

        b.temporary = 1;

        for ( ;; ) {
            if (r->headers_in.content_length_n == 0) {
                r->read_event_handler = ngx_http_block_reading;
                return NGX_OK;
            }

            if (!r->connection->read->ready) {
                return NGX_AGAIN;
            }

            size = (size_t) ngx_min(r->headers_in.content_length_n,
                                    NGX_HTTP_DISCARD_BUFFER_SIZE);

            n = r->connection->recv(r->connection, buffer, size);
            /* ... omitted ... */

    #define ngx_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

r->headers_in.content_length_n has already been set to a negative number. ngx_min() compares it with NGX_HTTP_DISCARD_BUFFER_SIZE (4096) as signed values, so the negative value is returned unchanged, and the cast to size_t turns it into a huge unsigned length: the code meant to limit the read to 4096 bytes is bypassed. recv() then reads the chunked data into the 4096-byte stack buffer with that oversized length.
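The two arithmetic steps traced above, the toy integer_overflow sample and the nginx chunk-size path, in one self-contained C program. This is an added example, not code from the slides or from nginx, and its function names are assumptions: parse_chunk_size_unchecked() accumulates hex digits the way ngx_http_parse_chunked() does, into a signed 64-bit value standing in for off_t, with no bound on the number of digits; parse_chunk_size_checked() refuses a digit that would push the value past INT64_MAX / 16, the same idea as the NGX_MAX_OFF_T_VALUE / 16 bound nginx later added before the multiply; discard_len_unchecked() reproduces the ngx_min() plus (size_t) cast, and discard_len_checked() rejects a negative length before the cast. The wrap is computed in uint64_t and then converted, which gives the same bit pattern as a wrapped signed off_t without relying on signed overflow, which is undefined behaviour in C.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stands in for NGX_HTTP_DISCARD_BUFFER_SIZE (the u_char buffer[4096] on the stack). */
#define DISCARD_BUFFER_SIZE 4096
/* Same shape as nginx's ngx_min() and the slide's test_min(): no sign awareness at all. */
#define NAIVE_MIN(val1, val2) ((val1) > (val2) ? (val2) : (val1))

/* Value of one hex digit, or -1 if ch is not a hex digit (case-folded with | 0x20 like nginx). */
static int hexval(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch |= 0x20;
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Unchecked: size = size * 16 + digit for every digit, the pattern in
 * ngx_http_parse_chunked(). Accumulates in uint64_t and then converts, so
 * *out carries the bit pattern a wrapped signed off_t would have.
 * Returns 0 on success (*out may be negative), -1 for a non-hex character. */
int parse_chunk_size_unchecked(const char *hex, int64_t *out)
{
    uint64_t acc = 0;
    for (; *hex != '\0'; hex++) {
        int d = hexval(*hex);
        if (d < 0) return -1;
        acc = acc * 16u + (uint64_t) d;     /* wraps silently past 2^64 */
    }
    *out = (int64_t) acc;                   /* bit 63 set => negative "size" */
    return 0;
}

/* Checked: refuse a digit when size * 16 + digit would exceed INT64_MAX.
 * Returns 0 on success and -1 on invalid input or overflow; *out is never negative. */
int parse_chunk_size_checked(const char *hex, int64_t *out)
{
    int64_t acc = 0;
    for (; *hex != '\0'; hex++) {
        int d = hexval(*hex);
        if (d < 0) return -1;
        if (acc > (INT64_MAX - d) / 16) return -1;   /* would overflow */
        acc = acc * 16 + d;
    }
    *out = acc;
    return 0;
}

/* ctx->length as computed at the data: label for state sw_chunk_size:
 * LF LF plus, for a non-empty chunk, size + LF "0" LF LF. */
int64_t chunk_remaining_length(int64_t size)
{
    return 2 + (size ? size + 4 : 0);
}

/* What ngx_http_read_discarded_request_body() does with content_length_n:
 * the comparison is signed, so a negative value "wins", and the cast makes it huge. */
size_t discard_len_unchecked(int64_t content_length_n)
{
    return (size_t) NAIVE_MIN(content_length_n, (int64_t) DISCARD_BUFFER_SIZE);
}

/* Hardened: validate the sign before converting to the unsigned recv() length. */
int discard_len_checked(int64_t content_length_n, size_t *out)
{
    if (content_length_n < 0) return -1;
    *out = (size_t) NAIVE_MIN(content_length_n, (int64_t) DISCARD_BUFFER_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed chunk-size lines: a normal one and a 16-digit one that sets bit 63. */
    const char *lines[] = { "1000", "F000000000000000" };
    for (size_t i = 0; i < 2; i++) {
        int64_t size = 0, safe = 0;
        parse_chunk_size_unchecked(lines[i], &size);
        printf("chunk size line %-16s -> size %lld, recv length %zu\n",
               lines[i], (long long) size,
               discard_len_unchecked(chunk_remaining_length(size)));
        printf("  checked parser: %s\n",
               parse_chunk_size_checked(lines[i], &safe) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The unchecked path turns sixteen hex digits into a negative size, a negative remaining length, and a recv() length in the range of 10^19 bytes against a 4096-byte buffer; the checked parser rejects the same line at the sixteenth digit, and the checked length function refuses the negative value even if it somehow got that far, which is the second line of defence a reviewer would ask for.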
If the chunked data is bigger than 4096 bytes, a stack buffer overflow occurs: the bytes after buffer[4096] overwrite the saved EBP and then the saved return address (EIP) with attacker data (the A's in the slide's stack diagram).

Reverse Engineering

Some software has a code base larger than one can imagine; ridiculous but possible.
Finding vulnerabilities with reverse engineering and dynamic analysis is hard, but it finds unique bugs that a fuzzer usually will not.
Be specific, with the big picture first: call graphs, system calls, associated data.
Then dive into the smaller parts.
Recognize well-known routines, e.g. crypto (RC4, RSA, etc.), memcpy, strcpy, etc.

Approach method (overall flowchart): Start -> Code Auditing / Reverse Engineering / Fuzzing -> Find Vulnerability -> Exploitation.

Reverse Engineering flowchart (the reverse engineering step expanded): Understand the overall flow -> Search for the entry point -> Check the arguments -> Function analysis -> Does it make a logical problem or not? Y: a vulnerability is found; N: back to function analysis.
Debugging with script

The amount of code to look at can be reduced by using a script. For the sample program below, a debugger script that logs every call instruction produces the call flow that follows it.

    #include <stdio.h>

    void code1(void)
    {
        printf("code1\n");
    }

    void code2(void)
    {
        printf("code2\n");
    }

    int main(void)
    {
        printf("hello world\n");
        code1();
        code2();
        return 0;
    }

Call flow (one line per call as logged by the script; the MSVC debug CRT's own calls are included, and the first printf() also allocates the stdout buffer):

    j_?code1@@YAXXZ call
    ?code1@@YAXXZ call
    _printf call
    __stbuf call
    __isatty call
    __output call
    write_char call (6 times)
    __ftbuf call
    __flush call
    __write call
    __chkesp call
    j_?code2@@YAXXZ call
    ?code2@@YAXXZ call
    _printf call
    __stbuf call
    __isatty call
    __output call
    write_char call (6 times)
    __ftbuf call
    __flush call
    __write call
    __chkesp call
    _main_0 call
    _main call
    _printf call
    __stbuf call
    __isatty call
    __malloc_dbg call
    __nh_malloc_dbg call
    __heap_alloc_dbg call
    __CrtDefaultAllocHook call
    __heap_alloc_base call
    _memset call (3 times)
    __output call
    write_char call (12 times)
    __ftbuf call
    __flush call
    __write call

The trace shows which functions are actually reached for a given input, so the rest of the binary can be skipped, and filtering out the runtime-library routines leaves only the program's own functions to analyze.

Fuzzing

Throw random bits at the program and see if it handles them.
A popular, robust testing mechanism for software.
Fast and effective.
Easy to implement.
Two types of fuzzing: dumb fuzzing and smart fuzzing.

Approach method (overall flowchart): Start -> Code Auditing / Reverse Engineering / Fuzzing -> Find Vulnerability -> Exploitation.

Fuzzing flowchart (the fuzzing step expanded): Do you know the structure of the input? Y: Data analysis -> Data modeling -> Data type classification -> Smart fuzz; N: Dumb fuzz. Then: Does a crash occur? Y: Crash analysis; N: keep fuzzing.
Specific targets for fuzzing: file formats (file fuzzing), network protocols (network fuzzing), ActiveX controls (ActiveX fuzzing), browsers (browser fuzzing), etc.

Type of Fuzzing - Dumb Fuzzing

Based on mutation.
Little or no knowledge of the structure of the inputs is assumed.
Most of the generated inputs are invalid.
Anomalies may be completely random or follow some heuristics.
Anomalies are added to existing valid inputs.
Example targets: playlist formats such as m3u, pls, asx, etc.

Dumb fuzzing sample

File format (a mutated normal file):

    [AAAAAAA....AAAA]
    [normal data] + [AAAAAAA....AAAA]
    [header] + [AAAAAAA....AAAA] + [eof]

Network protocol:

    GET /AAAAAAA....AAAA.html HTTP/1.1
    AAAAAAA....AAAA /index.html HTTP/1.1
    GET /index.html HTTTTTTTTTTTTTTTP/1.1

Type of Fuzzing - Smart Fuzzing

Based on generation.
Knowledge of the structure of the inputs is needed.
Test cases are generated from some description of the format (RFCs, documents).
Data-structure constraints such as offsets and checksums are taken into account.

Smart fuzzing sample - file format

Take the data structure and the relations between fields into account. Variety of attack vectors: length fields, offsets, objects, etc. The 010 binary editor's templates help here; free binary templates exist for *.bmp, *.zip, *.wav and others. The slide's sketch of a file layout: int, int, int flag, int length, string, int length, data..., int, int, int, int, data...; every length field is a candidate for desynchronizing from the data it describes.
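A self-contained illustration of the difference between the two styles, added here as an example (not from the slides): a constructed toy file format with a 4-byte magic, a 4-byte little-endian length and a one-byte checksum covering the length field and the data; a parse_record() that checks those three things in that order; a dumb_mutate() that overwrites a range with 'A' bytes the way the mutated-file sketches above do; and a smart_mutate_length() that changes the declared length while keeping the checksum valid. parse_record() returns how deep into the parser an input got, which is the point of the comparison: dumb mutations mostly die at the magic or checksum check, while a structure-aware test case survives those and reaches the length handling, which is where bugs like the ones traced in the nginx section live. The format, the function names and the sample payload are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (an assumption for this example):
 *   bytes 0..3  magic "H2SP"
 *   bytes 4..7  declared data length, little-endian uint32
 *   byte  8     8-bit additive checksum over bytes 4..7 and the data
 *   bytes 9..   data */
#define REC_MAGIC   "H2SP"
#define REC_HDR_LEN 9

/* How far the parser got: the deeper the stage, the more code the input exercised. */
enum { STAGE_BAD_MAGIC = 0, STAGE_BAD_CHECKSUM = 1, STAGE_BAD_LENGTH = 2, STAGE_ACCEPTED = 3 };

static uint8_t sum8(const uint8_t *p, size_t n)
{
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint8_t) (s + p[i]);
    return s;
}

/* The checksum covers the length field and the data, so a length change must re-sum. */
static uint8_t record_checksum(const uint8_t *rec, size_t len)
{
    return (uint8_t) (sum8(rec + 4, 4) + sum8(rec + REC_HDR_LEN, len - REC_HDR_LEN));
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t) v;         p[1] = (uint8_t) (v >> 8);
    p[2] = (uint8_t) (v >> 16); p[3] = (uint8_t) (v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Generation-based: build a record. declared_len is written as given, so the
 * caller can make it disagree with data_len on purpose (the "length" attack
 * vector) while the checksum is always made consistent.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t build_record(uint8_t *out, size_t cap, uint32_t declared_len,
                    const uint8_t *data, size_t data_len)
{
    if (cap < REC_HDR_LEN + data_len) return 0;
    memcpy(out, REC_MAGIC, 4);
    put_le32(out + 4, declared_len);
    memcpy(out + REC_HDR_LEN, data, data_len);
    out[8] = record_checksum(out, REC_HDR_LEN + data_len);
    return REC_HDR_LEN + data_len;
}

/* The target: validates the magic, then the checksum, then the declared length. */
int parse_record(const uint8_t *rec, size_t len)
{
    if (len < REC_HDR_LEN || memcmp(rec, REC_MAGIC, 4) != 0) return STAGE_BAD_MAGIC;
    if (record_checksum(rec, len) != rec[8]) return STAGE_BAD_CHECKSUM;
    /* the bounds check a vulnerable parser forgets before trusting the length */
    if (get_le32(rec + 4) > len - REC_HDR_LEN) return STAGE_BAD_LENGTH;
    return STAGE_ACCEPTED;
}

/* Mutation-based (dumb): overwrite n bytes at off with 'A', with no idea what
 * they mean. Returns the number of bytes actually changed. */
size_t dumb_mutate(uint8_t *rec, size_t len, size_t off, size_t n)
{
    if (off >= len) return 0;
    if (n > len - off) n = len - off;
    memset(rec + off, 'A', n);
    return n;
}

/* Structure-aware (smart): set the declared length and repair the checksum so
 * the input survives the early checks and reaches the length handling.
 * Returns 0 on success, -1 if the buffer is too short to hold a header. */
int smart_mutate_length(uint8_t *rec, size_t len, uint32_t new_len)
{
    if (len < REC_HDR_LEN) return -1;
    put_le32(rec + 4, new_len);
    rec[8] = record_checksum(rec, len);
    return 0;
}

int main(void)
{
    static const uint8_t data[] = "hello";      /* constructed sample payload */
    uint8_t good[64], t[64];
    size_t len = build_record(good, sizeof good, 5, data, 5);

    memcpy(t, good, len); dumb_mutate(t, len, 0, 4);
    printf("dumb, magic overwritten:   stage %d\n", parse_record(t, len));
    memcpy(t, good, len); dumb_mutate(t, len, REC_HDR_LEN, 5);
    printf("dumb, data overwritten:    stage %d\n", parse_record(t, len));
    memcpy(t, good, len); smart_mutate_length(t, len, 0xFFFFFFFFu);
    printf("smart, length 0xFFFFFFFF:  stage %d\n", parse_record(t, len));
    return 0;
}
```

Both dumb mutations stop at stage 0 or 1 and never reach the length logic; the smart case passes magic and checksum and is rejected only at stage 2, the check that a real-world parser might be missing. The same approach generalizes to any format with checksums or length fields: model the relations, then pick the field to break.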
Smart fuzzing sample - network protocol

An HTTP request split into its fields, each of which is a candidate attack vector:

    Method: POST   Path: index.html   Version: HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip deflate
    User-Agent: Mozilla/4.0
    Content-Length: 100
    Host: localhost:8080

Take the data structure and the relations between fields into account (for instance, Content-Length versus the actual body). Variety of attack vectors: host, content-length, etc.

Smart fuzzing sample - ActiveX

Parameter extraction; feed input data into the parameters (big data, invalid data, etc.); generate an HTML document that instantiates the control. The slide's table, with a placeholder classID:

    classID {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
    parameter A: String      parameter F: String
    parameter B: String      parameter G: Integer
    parameter C: String      parameter H: Integer
    parameter D: Integer     parameter I: String
    parameter E: Integer     parameter J: String

Smart fuzzing sample - browser

Take the W3C specification. Group methods, attributes and properties together. Replace input values with getRandomValue(). Example: CVE-2012-2896.

Phase 3. Crash

Five types of crash: read access violation near NULL; read access violation not near NULL; write access violation near NULL; write access violation not near NULL; unknown.

What is an exploitable crash?

    mov eax, dword ptr [esi+0Ch]
    mov eax, dword ptr [ecx]
    mov edx, dword ptr [eax+5Ch]
    call edx

In a sequence like this an object pointer is dereferenced, a pointer is read from the object, a function pointer is read through that, and it is called. If the attacker influences the object or the memory it points to, a crash at any of these instructions is not a plain NULL dereference but a path to controlling the call target. A read access violation near NULL is usually just an uninitialized or NULL pointer and is rarely exploitable; a write, or a read not near NULL that feeds an indirect call like this one, is the case worth analyzing.

Demonstration

ActiveX module on banking / financial / etc. sites: a stack buffer overflow occurs via strcpy().
Conclusion

Source code auditing, fuzzing and reverse engineering are the three ways in; diffing, taint analysis and symbolic execution build on them.

Thank You :)