more software vulnerabilities

Question 1

printf:

Answer 1

: prints a format string to the standard output (screen).
 Format string: a string with special format specifiers (escape sequences
prefixed with `%’)
 printf can take more than one argument. The first argument is the format
string; the rest consist of values to be substituted for the format specifiers

Question 2

Escape sequences are

Answer 2

Escape sequences are essentially instruction.

 Attack works by injecting escape sequences into format strings.

Question 3

how is information leaked from the stack

Answer 3

Correct function: printf(“x value: %d, y value: %d, z value: %d”, x, y, z);
 Four arguments are pushed into the stack as function parameter
Incorrect function: printf(“x value: %d, y value: %d, z value: %d”, x, y);
 The stack does not realize an argument is missing, and will retrieve the
unauthorized data from the stack as the argument to print out.
 Data are thus leaked to the attacker
A neat way to view the stack: printf(“%08x %08x %08x %08x %08x”);

Question 4

Attack 2: Crash the Program

Answer 4

Correct function: printf(“%s”, “Hello, World”);
 The pointer of the string is pushed into the stack as function parameter
Incorrect function: printf(“%s”);
 The stack does not realize an argument is missing, and will retrieve the data from
the stack to print out data at this address.
 This address can be invalidated and program will crash
 No physical address has been assigned to such address
 The address is protected (kernel memory)
Increase the crash probability: printf(“%s%s%s%s%s%s%s%s%s%s%s%s”);

Question 5

Attack 3: Modify the Memory

Answer 5

Correct function: printf(“13579%n”, &i);
 Store the number of characters written so far (5) into an integer (i)
Incorrect function: printf(“13579%n”);
 The stack does not realize an argument is missing, and will retrieve the data from
the stack and write 5 into this address.
 Attacker can achieve the following goal:
 Overwrite important program flags that control access privileges
 Overwrite return addresses on the stack, function pointers, etc.
Writing larger values (e.g., 105) to the stack: printf(“13579%100u%n”);

Question 6

Conversion from 2’s Complement

Answer 6

Flip all the bits and add 1:

Question 7

Integer Overflow

Answer 7

An integer is increased over its maximal value, or decreased below
its minimal value.
 Unsigned overflow: the binary representation cannot represent an integer
value.
 Signed overflow: a value is carried over to the sign bit
In mathematics: 𝑎 + 𝑏 > 𝑎 and 𝑎 − 𝑏 < 𝑎 for 𝑏 > 0
 Such obvious facts are no longer true for binary represented integers

Question 8

Example 1: Bypass Length Checking

Answer 8

OS kernel system-call handler checks string lengths to defend
against buffer overruns
The following condition will pass the checking
 len1 < sizeof(buf), len2 = 0xffffffff
 len2 + 1 = 0 so strncpy and strncat will still be executed.

Question 9

Example 2: Write to Wrong Mem Location

Answer 9

Consider an array starting at memory location 0xBBBB (on a 16-
bit machine)
Write to the element at the index of 0xC445
 0xBBBB + 0xC445 = 0x8000
The memory location at 0x8000 is overwritten!!
Must check lower bounds for array indices.

Question 10

Example 3: JPEG of Death

Answer 10

Jpeg processing in Windows XP and Windows Server 2003
 A Jpeg image is associated with a Comment section, with two fields:
 First two bytes: length field (the total length in byte of this comment, including
these two bytes)
 Rest part: the detailed comments.
 Copy the comments to memory:

Question 11

Integer overflow vulnerability:

Answer 11

Set len as 0
 size is 0xFFFE, size + 1 is 0xFFFF
 Overflow the heap

Question 12

malloc():

Answer 12

: allocate a piece of memory on the heap to a pointer

Question 13

free():

Answer 13

the allocated memory is freed, and the pointer becomes a

dangling pointer.

Question 14

Use-after-free:

Answer 14

: refer to a dangling pointer as it were still valid, after
its memory on the heap is freed.
 Can possibly affect another pointer to the freed memory

Question 15

Overwrite memory region

Answer 15

When buf1 is freed, allocated memory is available for reuse immediately.
 Then buf2 are possibly allocated in that region
 strncpy may overwrite buf2.

Question 16

Overwrite different types of data

Answer 16

The function address and buffer address can be possibly overwritten by y.
 Calling this function will give unexpected results.

Question 17

malloc(): again

Answer 17

 Maintains a doubly-linked list of free and allocated memory regions:
 A chunk tag is used to store information about the region
 Free bit: whether the chunk is allocated or free
 Links to the previous and next chunk tag

Question 18

Double-Free Vulnerability

Answer 18

free() is called more than once with the same memory address.
 Chunk tag can be corrupted and allow a malicious user to write values in arbitrary memory
spaces.
After the 1st free():
 The attacker might have a chance to write the freed regions and generate a fake chunk tag
with wrong links
For the 2nd free():
 When merging the links, wrong data will be filled in the wrong location
 Unexpected behaviors will happen

Question 19

Scripting languages

Answer 19

 Construct commands (scripts) from predefined code fragments and user
input at runtime
 Script is then passed to another software component where it is executed.
 It is viewed as a domain-specific language for a particular environment.
 It is referred to as very high-level programming languages
 Example:
 Bash, PowerShell, Perl, PHP, Python, Tcl, Safe-Tcl, JavaScript

Question 20

Vulnerabilities in Scripting languages

Answer 20

An attacker can hide additional commands in the user input.

 The system will execute the malicious command without any awareness

Question 21

Common Gateway Interface

Answer 21

Define a standard way in which information may be passed to and from the
browser and server.

Question 22

Example: CGI Script

Answer 22

Consider a server running the following command
cat $file | mail $clientaddress
 $file and $clientaddress are provided by the client.

Normal case:
 A client sets $file=hello.txt, and $clientaddress=127.0.0.1
cat hello.txt | mail 127.0.0.1
Compromised Input
 The attacker sets $file = hello.txt, and $clientaddress=127.0.0.1 | rm –rf /
 The command becomes:
cat hello.txt | mail 127.0.0.1 | rm -rf /
 After mailing the file, all files the script has permission to delete are deleted!

Question 23

Structured Query Language

Answer 23

A domain-specific language for database

 Particularly useful for handling structured data

Question 24

SQL Injection Vulnerabilities

Answer 24

Consider a database system that runs the following SQL commands
SELECT * FROM client WHERE name= $name
 Requires the user client to provide the input $name
Normal case:
 A user sets $name=Bob:
SELECT * FROM client WHERE name= Bob
Compromised input
 The attacker sets $name = Bob’ OR 1=1 –
SELECT * FROM client WHERE name= Bob’ OR 1=1 –
 1=1 is always true. So the entire client database is selected, and – is a comment
erasing anything that would follow.

Question 25

Real-World SQL Injection Attacks

Answer 25

CardSystems (2006)
 A major credit card processing company. Stealing 263,000 accounts and 43 million
credit cards.
7-Eleven (2007)
 Stealing 130 million credit card numbers
Turkish government (2013)
 Breach government website and erase debt to government agencies.
Tesla (2014)
 Breach the website, gain administrative privileges and steal user data.
Cisco (2018)
 Gain shell access.
Fortnite (2019)
 An online game with over 350 million users. Attack can access user data

Question 26

Cross-Site Scripting (XSS)

Answer 26

Targeting the web applications
 Some websites may require users to provide input, e.g., searching
Vulnerabilities
 A malicious user may encode executable content in the input, which can be
echoed back in a webpage
 A victim user later visits this web page and his web browser may execute
the malicious commands on his computer

Question 27

Stored XSS Attack (Persistent)

Answer 27

Attack steps
 The attacker discovers a XSS vulnerability in a website
 The attacker embeds malicious commands inside the input and sends it to
the website.
 Now the command has been injected to the website.
 A victim browses the website, and the malicious command will run on the
victim’s computers.

Question 28

Reflected XSS Attack (Non-persistent)

Answer 28

Attack steps
 The attacker discovers a XSS vulnerability in a website
 The attacker creates a link with malicious commands inside.
 The attacker distributes the link to victims, e.g., via emails
 A victim accidently clicks the link, which actives the malicious commands.