When good code goes bad
WHEN GOOD CODE GOES BAD!
A SHOWCASE OF MODERN PROGRAMMING MISHAPS
(SensePost 2006)
Introduction
• Who we are.. (SensePost)
• Who we are.. (charl && haroon)
• What this talk is about..
– Answer some of those questions you never ask..
– Some real world examples (of shocking code)
– Some real world repercussions
– Mind the Gap
• Constraints…
Agenda
• What is this stack overflow stuff?
• Then what’s a format string vulnerability?
• Hmmm.. What’s all this about dangerous Integers?
• What happens if we fix all the code?
• Questions..
What’s this Stack Overflow stuff?
• This is really old news.. (Morris Worm 1988)
• Is it even still a problem?
• Super simple explanation:
• The Stack..
• Dangerous functions
Super Simple Explanation..

```c
#include <stdio.h>

void foo(int a, int b)
{
    char buf1[8];
    char buf2[8];
    gets(buf2);          /* no length limit on what is read into buf2 */
}

int main(void)
{
    foo(1, 2);
    printf("All done!");
}
```

Stack frame of foo() as drawn on the slide, from high to low addresses:
2 | 1 | Saved Return Address | Base Pointer | Buf1 | Buf2

gets(buf2) fills Buf2 from its start and keeps writing upwards, towards Buf1, the Base Pointer and the SAVED RETURN ADDRESS.
Typical Attack..

Same foo()/main() code as on the previous slide; the diagram now shows the frame after an over-long input to gets(buf2): Buf2 and Buf1 are filled, the Base Pointer is overwritten, and the SAVED RETURN ADDRESS has been replaced by a FAKE NEW ADDRESS, so when foo() returns it jumps there instead of back to main().
What’s this Stack Overflow stuff?
• This is really old news.. (Morris Worm 1988)
• Is it even still a problem?
• Super simple explanation:
• The Stack..
• Dangerous functions
• Who would make such a silly mistake?
• Everyone…
• How easy is this to take advantage of?
• Today? Point & Click ownage!
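An added example (not from the SensePost slides) that models the frame drawn above: a constructed struct with the slide's layout (32-bit, no padding or reordering assumed, which real compilers do not guarantee) shows which slot the last byte of a gets(buf2) input lands in, and a bounded copy is shown as the replacement for gets().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the slide's frame: buf2 lowest, then buf1, the saved
   base pointer and the saved return address. Assumes a 32-bit frame with no
   padding or reordering; a real compiler may lay the frame out differently. */
struct frame_model {
    char     buf2[8];
    char     buf1[8];
    uint32_t saved_base_pointer;
    uint32_t saved_return_address;
};

/* Which slot does the last byte written by gets(buf2) land in?
   gets() stores input_len characters plus a terminating NUL, so the highest
   byte offset it touches is input_len itself. */
const char *slot_reached_by_gets(size_t input_len) {
    size_t last = input_len;
    if (last < offsetof(struct frame_model, buf1))                 return "buf2";
    if (last < offsetof(struct frame_model, saved_base_pointer))   return "buf1";
    if (last < offsetof(struct frame_model, saved_return_address)) return "saved base pointer";
    if (last < sizeof(struct frame_model))                         return "saved return address";
    return "beyond the frame";
}

/* Hardened replacement for gets(buf2): copy at most cap-1 bytes, always
   NUL-terminate, and report 1 if the input had to be cut short, 0 if it fit,
   -1 if there is no room for even the NUL. */
int bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) return -1;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}
```

Seven characters plus the NUL are the most an 8-byte buf2 can hold; the eighth character already spills into buf1, and the 21st reaches the saved return address.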
Then what’s a format string bug?

• Spot the bug ?

```c
#include <stdio.h>

void syslog(char *buff)
{
    printf(buff);          /* buff itself is used as the format string */
}
```

• “Safe Version”
• See it yet?

```c
#include <stdio.h>

void syslog(char *buff)
{
    printf("%s", buff);    /* buff is now an argument; the format is a constant */
}
```
Then what’s a format string bug?

printf("%s", buff);    vs.    printf(buff);
Then what’s a format string bug?

printf("%s", buff);    vs.    buff = "%s"; printf(buff);

C:\> issa_format.exe
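An added example (not from the slides) that turns the printf(buff) / printf("%s", buff) comparison into something a reviewer can check: a counter for conversion directives in text that came from outside, the slide's safe version written to a buffer so its output can be inspected, and a '%'-escaping helper for code that cannot stop passing user text as a format; all three names are assumptions, not an existing API.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives ('%' not followed by another '%') in text
   that arrived from outside. A non-zero count on a string that is about to be
   passed as printf's FORMAT argument is exactly the bug in printf(buff). */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints a literal '%' */
        n++;
    }
    return n;
}

/* The slide's "safe version", writing to a caller buffer so the result can be
   checked: untrusted text travels as an argument, the format is a constant. */
int safe_syslog(char *out, size_t cap, const char *buff) {
    return snprintf(out, cap, "%s", buff);
}

/* For code that must keep passing user text as a format (a legacy log API,
   say), neutralise it first: every '%' becomes "%%". Returns 0, or -1 if the
   escaped text would not fit in out[cap] together with its NUL. */
int escape_percents(char *out, size_t cap, const char *in) {
    size_t o = 0;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= cap) return -1;       /* keep room for the NUL */
        out[o++] = *in;
        if (*in == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return 0;
}
```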
What’s a dangerous Integer?
• Same size as a pointer
• Fixed size (32 bits for our purposes)
• MAXINT + 1 == ?
• ISO C99 “Causes Undefined Behavior”
• 0xffffffff + 0x1 == 0 {Integer Wrap Around}
• Why is this dangerous ?
Ugly Pseudo-Code

1.) get data from user (buffer)
2.) add trailing \0 character
3.) add 1 to length of buffer (for our \0)
4.) If(length > 80)
5.) {
6.)     printf(“Sorry your buffer is too long!”);
7.)     exit -1
8.) }
9.) else
10.) { copy(other_buffer, buffer); }
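An added example (not from the slides) that carries the pseudo-code through in C with a 32-bit unsigned length, where the slide's 0xffffffff + 0x1 == 0 is well-defined wrap-around (with a signed int the same overflow is the undefined behaviour the previous slide mentions): step 3's addition is what lets a huge length slip past step 4, and the fixed version compares before it adds. MAX_LEN, the function names and the 80-byte destination are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define MAX_LEN 80u   /* the slide's limit */

/* The pseudo-code as written, with a 32-bit length: add 1 for the trailing
   NUL (step 3), then compare (step 4). Returns 1 if the copy would go ahead,
   0 if the input is rejected. */
int length_check_wrapping(uint32_t length) {
    uint32_t needed = length + 1;       /* 0xffffffff + 1 wraps to 0 */
    if (needed > MAX_LEN) return 0;     /* "Sorry your buffer is too long!" */
    return 1;                           /* copy(other_buffer, buffer) runs */
}

/* Fixed ordering: test the limit in a form that never needs the sum, so no
   value of length can make the check pass by wrapping. */
int length_check_fixed(uint32_t length) {
    if (length >= MAX_LEN) return 0;    /* same as length + 1 > MAX_LEN, without the add */
    return 1;
}

/* Step 10 done safely: bounded copy into an 80-byte other_buffer with the
   NUL appended. Returns the number of bytes stored, or -1 if rejected. */
int copy_checked(char *other_buffer, const char *buffer, uint32_t length) {
    if (!length_check_fixed(length)) return -1;
    memcpy(other_buffer, buffer, length);
    other_buffer[length] = '\0';
    return (int)length + 1;
}
```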
What happens if we fix all the code?
• The proliferation of “Managed Code”
• Better and better static code analysis..
• Is the end in sight for bug hunters?
– RealVNC Authentication Bypass
– ActiveX Control
RealVNC Authentication Bypass
• Discovered by Steve Wiseman of intelliadmin.com (by mistake)
RealVNC Authentication Bypass
“show us”
What does this mean?
1. Vendors:
• There are lots of defects that tools can not easily detect..
• (There are lots of defects they can!)
• No vendor is safe just because they have deeper pockets (or “more eyeballs”)
2. ISO’s:
• Defense in Depth..
• End-point-security..
• Patch Management ?
• If it can happen to Microsoft …
Questions ?
[email protected]