more software vulnerabilities Flashcards
printf:
: prints a format string to the standard output (screen).
Format string: a string with special format specifiers (escape sequences
prefixed with `%’)
printf can take more than one argument. The first argument is the format
string; the rest consist of values to be substituted for the format specifiers
Escape sequences are
Escape sequences are essentially instruction.
Attack works by injecting escape sequences into format strings.
how is information leaked from the stack
Correct function: printf(“x value: %d, y value: %d, z value: %d”, x, y, z);
Four arguments are pushed into the stack as function parameter
Incorrect function: printf(“x value: %d, y value: %d, z value: %d”, x, y);
The stack does not realize an argument is missing, and will retrieve the
unauthorized data from the stack as the argument to print out.
Data are thus leaked to the attacker
A neat way to view the stack: printf(“%08x %08x %08x %08x %08x”);
Attack 2: Crash the Program
Correct function: printf(“%s”, “Hello, World”);
The pointer of the string is pushed into the stack as function parameter
Incorrect function: printf(“%s”);
The stack does not realize an argument is missing, and will retrieve the data from
the stack to print out data at this address.
This address can be invalidated and program will crash
No physical address has been assigned to such address
The address is protected (kernel memory)
Increase the crash probability: printf(“%s%s%s%s%s%s%s%s%s%s%s%s”);
Attack 3: Modify the Memory
Correct function: printf(“13579%n”, &i);
Store the number of characters written so far (5) into an integer (i)
Incorrect function: printf(“13579%n”);
The stack does not realize an argument is missing, and will retrieve the data from
the stack and write 5 into this address.
Attacker can achieve the following goal:
Overwrite important program flags that control access privileges
Overwrite return addresses on the stack, function pointers, etc.
Writing larger values (e.g., 105) to the stack: printf(“13579%100u%n”);
Conversion from 2’s Complement
Flip all the bits and add 1:
Integer Overflow
An integer is increased over its maximal value, or decreased below
its minimal value.
Unsigned overflow: the binary representation cannot represent an integer
value.
Signed overflow: a value is carried over to the sign bit
In mathematics: 𝑎 + 𝑏 > 𝑎 and 𝑎 − 𝑏 < 𝑎 for 𝑏 > 0
Such obvious facts are no longer true for binary represented integers
Example 1: Bypass Length Checking
OS kernel system-call handler checks string lengths to defend
against buffer overruns
The following condition will pass the checking
len1 < sizeof(buf), len2 = 0xffffffff
len2 + 1 = 0 so strncpy and strncat will still be executed.
Example 2: Write to Wrong Mem Location
Consider an array starting at memory location 0xBBBB (on a 16-
bit machine)
Write to the element at the index of 0xC445
0xBBBB + 0xC445 = 0x8000
The memory location at 0x8000 is overwritten!!
Must check lower bounds for array indices.
Example 3: JPEG of Death
Jpeg processing in Windows XP and Windows Server 2003
A Jpeg image is associated with a Comment section, with two fields:
First two bytes: length field (the total length in byte of this comment, including
these two bytes)
Rest part: the detailed comments.
Copy the comments to memory:
Integer overflow vulnerability:
Set len as 0
size is 0xFFFE, size + 1 is 0xFFFF
Overflow the heap
malloc():
: allocate a piece of memory on the heap to a pointer
free():
the allocated memory is freed, and the pointer becomes a
dangling pointer.
Use-after-free:
: refer to a dangling pointer as it were still valid, after
its memory on the heap is freed.
Can possibly affect another pointer to the freed memory
Overwrite memory region
When buf1 is freed, allocated memory is available for reuse immediately.
Then buf2 are possibly allocated in that region
strncpy may overwrite buf2.
Overwrite different types of data
The function address and buffer address can be possibly overwritten by y.
Calling this function will give unexpected results.
malloc(): again
Maintains a doubly-linked list of free and allocated memory regions:
A chunk tag is used to store information about the region
Free bit: whether the chunk is allocated or free
Links to the previous and next chunk tag
Double-Free Vulnerability
free() is called more than once with the same memory address.
Chunk tag can be corrupted and allow a malicious user to write values in arbitrary memory
spaces.
After the 1st free():
The attacker might have a chance to write the freed regions and generate a fake chunk tag
with wrong links
For the 2nd free():
When merging the links, wrong data will be filled in the wrong location
Unexpected behaviors will happen
Scripting languages
Construct commands (scripts) from predefined code fragments and user
input at runtime
Script is then passed to another software component where it is executed.
It is viewed as a domain-specific language for a particular environment.
It is referred to as very high-level programming languages
Example:
Bash, PowerShell, Perl, PHP, Python, Tcl, Safe-Tcl, JavaScript
Vulnerabilities in Scripting languages
An attacker can hide additional commands in the user input.
The system will execute the malicious command without any awareness
Common Gateway Interface
Define a standard way in which information may be passed to and from the
browser and server.
Example: CGI Script
Consider a server running the following command
cat $file | mail $clientaddress
$file and $clientaddress are provided by the client.
Normal case:
A client sets $file=hello.txt, and $clientaddress=127.0.0.1
cat hello.txt | mail 127.0.0.1
Compromised Input
The attacker sets $file = hello.txt, and $clientaddress=127.0.0.1 | rm –rf /
The command becomes:
cat hello.txt | mail 127.0.0.1 | rm -rf /
After mailing the file, all files the script has permission to delete are deleted!
Structured Query Language
A domain-specific language for database
Particularly useful for handling structured data
SQL Injection Vulnerabilities
Consider a database system that runs the following SQL commands
SELECT * FROM client WHERE name= $name
Requires the user client to provide the input $name
Normal case:
A user sets $name=Bob:
SELECT * FROM client WHERE name= Bob
Compromised input
The attacker sets $name = Bob’ OR 1=1 –
SELECT * FROM client WHERE name= Bob’ OR 1=1 –
1=1 is always true. So the entire client database is selected, and – is a comment
erasing anything that would follow.
