advanced format string attacks - def con® hacking conference
TRANSCRIPT
Advanced Format String Attacks
Presented by Paul Haas
Contents
• Background
• Abstract
• Definition
• Context
• Technique
• How-to
• Tools
• Exploits
• Conclusion
• Q&A
Background
• Lead Web Application Security Engineer at Redspin, Inc with over 4 years of experience in hundreds of audits.
• This talk is not associated with my company
• Defcon 13 CTF winner (Shellphish 2005)
• Alumni of UCSB's Computer Security Group
• Mario Kart DS: Rob in Tank on Rainbow Road
In
    #include <stdio.h>
    int main(int argc, char **argv) {
        printf(argv[1]);   /* user input used directly as the format string */
        return 0;
    }
Out
    Reading arbitrary locations
    Writing arbitrary locations
    Executing arbitrary code
    Get a shell
Without
    RTFM and writing it yourself!
Format String Attack
• Software vulnerability in certain C functions that perform string formatting, leading to the potential to write arbitrary data to arbitrary locations
• Despite easy solutions, vulnerabilities and ignorance of the issue still exist, hence the talk
• Common in hackademic exercises
• Talk assumes you have a basic idea of the attack (%x, %s, %n)
• Talk details technique but tools do not require it
Brief History
• 1990: csh "Interaction Effect" crash: !o%8f
• 1999-09-17: proftpd 1.2.0pre6 "Argument attack / snprintf Vulnerability" (BID 650)
• 2000-06-22: wu-ftpd 2.6.0 Remote Format String Stack Overwrite Vulnerability (BID 1387)
• 2000-09-09: "Format String Attacks" whitepaper by Tim Newsham
• 2010-06-30: KVIrc DCC Directory Traversal and Multiple Format String Vulnerabilities (BID 40746)
Old Technique
• Manual popping up of stack using string of '%x's
• Get overwrite address using other technique
• Search for shellcode in core after SEGFAULT
• Characters written using long value in %x or %c
• Final write to address using %n
• Frequent RTFM
• Write once, use once
Current Technique
• %p gives detailed information of stack location
• %s allows us to view known stack addresses as strings
• %NNc controls number of bytes written
• %hhn allows single byte writes
• Direct parameter access shortens format string: %5$n = %p%p%p%p%p%n
New Technique
• Format String Attack allows us to dump stack
• Stack contains interesting information:
    data, code pointers, stack addresses
    our format string, format string's address
    stack offset location of all of the above
• Knowledge of this gives us the address of any value on the stack
• These values are enough to write our exploit
Our Vulnerable Code
    #include <stdio.h>
    int main(int argc, char **argv) { printf(argv[1]); }

    # Compile and set up insecure environment
    gcc printf.c -w -O0 -ggdb -std=c99 -static -D_FORTIFY_SOURCE=0 -fno-pie -Wno-format -Wno-format-security -fno-stack-protector -z norelro -z execstack -o printf
    sudo sysctl -w kernel.randomize_va_space=0
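As an added counterpoint to the deliberately weakened build above (example code written for this transcript, not from the talk or its tool): the hardened form of the same echo, where the format is a constant and the untrusted string is only ever an argument, plus a small helper that counts the conversion directives an input would trigger if it did reach printf as the format. The function names and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the talk's printf(argv[1]): the format is a constant and
 * the untrusted string is only ever passed as an argument, so "%p", "%s" and
 * "%n" inside it are copied literally instead of being interpreted.
 * Returns the length snprintf would have written. */
int safe_echo(char *out, size_t outsz, const char *user) {
    return snprintf(out, outsz, "%s", user);
}

/* Detection helper (hypothetical name, added here): count the conversion
 * directives an input would trigger if it ever reached printf as the format.
 * "%%" is a literal percent sign and is not counted. A non-zero result on
 * data that is about to be used as a format is exactly the bug the talk
 * exploits, which is what -Wformat-security and _FORTIFY_SOURCE also catch. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;                 /* %p, %s, %n, %5$n, %hhn ... all start here */
    }
    return n;
}

int main(int argc, char **argv) {
    /* Constructed sample input in the style of the talk's stack-dump probes. */
    const char *input = argc > 1 ? argv[1] : "%p%p%p%p%5$n";
    char out[256];

    int n = count_directives(input);
    safe_echo(out, sizeof out, input);
    printf("directives=%d\n", n);
    printf("echoed literally: %s\n", out);
    return n > 0;  /* non-zero exit flags input that must never become a format */
}
```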
Exploit Steps
• Dump stack values until format string is found
• Locate pointer address of format string
• Choose our overwrite address on the stack
• Point format string at overwrite address and write address of shellcode to end of string
• Adjust offsets for 'chicken and egg' problem:
    Address of format string based on its length
    Format string needs its own address to reference
Stack Dump
• Method 1: Pass a long string of %p's
    ./printf `perl -E 'say "%p" x 200'`
• Method 2: Execute binary in loop with %NNN$p
    for i in {001..200}; do echo -n "$i="; ./printf "%$i\$p"; echo; done
• Search for hex representation of string
    $ = 0x24, % = 0x25, p = 0x70
• Result will be stack offset of format string
Format String Address
• Execute binary in loop with sequential %NNN$s
    Will cause SEGFAULTs, may trip any IDS systems
    for i in {001..100}; do echo -n "$i="; ./printf "%$i\$p:%$i\$s"; echo; done | grep -v ^$
• Create format string comprising only addresses obtained from stack dump
    Single execution/string prevents SEGFAULT
    Much more elegant, verifies constant stack
Offset + Address = WIN
Matching up an offset to a stack address allows us to learn the address of any location on the stack
Example:
    Offset 100 (0xBFFFF100): Our format string
    sizeof(pointer) = 4 bytes * 100 pointers = 400
    Offset 1 = 0xBFFFF100 + 400 = 0xBFFFF290
Overwrite Location
• Common exploit locations require binary examination tools: PLT, DTORS, LIBC
• Advanced format string attack could extract these from known binary headers (difficult)
• Return addresses are stored on the stack
    We know the stack address of each value
• Overwrite these locations to point to shellcode
Issues
• Different format string lengths affect stack addresses, yet we assume the stack is constant
    Keep all strings to the same modulus of sizeof(pointer)
• Format string may not align with stack address
    Keep padding requirement when addressing string
• Even with the correct modulus and pad, our string offset may be off
    Verify our exploit before we attempt it by reading rather than writing to our overwrite location
Result
• It is possible to create a format string exploit using only 2 executions of the vulnerable program with no program exceptions
• Math only, no brute forcing necessary
• Incorporate shellcode as part of format string
• Smaller format string buffers are also possible
    8 bytes to examine a stack address
    Format string as small as 68 bytes + shellcode
Format String Auto Exploitation
• Proof of concept tool in Python
• Instructions for running on Backtrack 4
• Multiple exploit and overwrite options
• Missing some useful features:
    Separate execution of independent steps
    Architecture independence (x86 & 64)
    Read arbitrary locations rather than write
    Finer control over exploit
Metasploit Integration
• Control each step of the exploit individually or automate entire process
• Use as payload generator
• Uses Metasploit payload library for shellcode
• Integrates into other modules and injection functionality
• Functionality will be demonstrated during Defcon
Demonstrations
• Testing Code
• OverTheWire
• Known exploit
• 0-Day?
Summary
• The output from format string attacks gives you everything you need to know to go from discovery to compromise
• The exploitation process can be automated from start to finish
• Format string attacks are easy to fix, and now are easy to exploit as well
• There are plenty of vulnerable programs out there to discover and exploit
Questions?
Thanks
• The most recent version of this presentation and associated tools can be found on www.redspin.com and www.defcon.org
• Look for the incorporation of the tools in this talk in Metasploit in the near future
• Any follow-up questions can be addressed to phaas AT redspin DOT com
• Shouts to the Shellphish, G. Vigna "zanardi" and the Goats at Redspin {ap3r, jhaddix, fulg0re, D3, OwNpile, Yimmy & b3tty}