Attacking Native Compiled Applications

  • Compiled programs running in native execution environment commonly has vulnerabilities.
    • C and C++ may often have buffer overflow or format string bugs

Buffer Overflow Vulnerabilities

  • Caused by using user-controllable data in a memory buffer not large enough for it.
  • Buffer overflows, causing adjacent memory to be overwritten.
    • Can be used for arbitrary code execution.

Stack Overflows

  • Typically come from unbounded copy operations
    • Like strcpy in C
    • Inserting variable-sized data in a fixed-sized buffer
  • In a stack overflow, attackers attempt to overwrite a return address or adjacent command on the stack
    • Can jump to a given address and execute arbitrary code.

Heap Overflows

  • Instead of overwriting the stack, overwrite the heap.
  • Heap memory adjacent to the buffer is overwritten by user-controllable data.
    • Doubly linked list:
      • Size of the block, pointer to previous block on heap, pointer to next block on heap.
  • Less straightforward
    • May overwrite a major pointer used later on
    • May also overwrite given data or write pointers such that arbitrary code execution can occur.
  • Prevent via:
    • NX-Bit
      • Segregate areas of memory as non-executable.
    • ASLR (Address Space Layout Randomization)
      • Remove predictability of address space

"Off-by-One" Vulnerabilities

  • Programming error allows for writing a single (or few) byte(s) beyond a buffer
  • Book example:
    • Using all 32 bytes of a 32 byte buffer causes a null byte to be written past the buffer, causing corruption of adjacent memory.
  • If the adjacent memory if a frame pointer , changing the lower-end byte to zero can cause it to point to the buffer, allowing one to control the execution flow.
  • Even when using strncpy , copying an entire character array that takes up the entire buffer will leave no possible room for a null terminator.
    • Can cause weird behavior or vulnerabilities

Detecting Buffer Overflow Vulnerabilities

  • Process:
    • Submit a range of long strings slightly longer than common buffer sizes
    • Target one item of data at a time
    • Monitor app responses to find anomalies
      • HTTP 500 status codes
      • Other error messages
      • Partial or malformed responses
      • Closed TCP connection
      • Web application becomes unresponsive
    • Expect crashing and odd behavior with heap-based overflows
    • Expect weird behavior with off-by-one vulnerabilities

Integer Vulnerabilities

Integer Overflows

  • Integers may overflow too, for instance a 16-bit int may be anywhere from 0 to 65535
    • If a program increments an int by one, and a person enters 65535, then it will overflow to a value of 0
    • If this int is then used for allocating memory for a buffer, a 0 sized buffer results and all of the user-input will overflow!

Signedness Errors

  • Integers may also be signed. Some code may check to make sure a string length is small enough to fit in a buffer.
    • Despite this, an overflow can still result.
    • e.g. The code makes sure a string is only smaller than 32 bytes, but if its length is larger than the max value of the int, it will overflow and be negative allowing it all to be copied.

Detecting Integer Vulnerabilities

  • Two typical causes:
    • Passing integer values as parameters
      • Query string, cookies, or message body
    • Pass integer values embedded in larger stream of binary data
  • Process:
    • Test boundaries by sending various values:
      • 0x7f and 0x80 (127 and 128)
      • 0xff and 0x100 (255 and 256)
      • 0x7ffff and 0x8000 (32767 and 32768)
      • 0xffff and 0x10000 (65535 and 65536)
      • 0x7fffffff and 0x80000000 (2147483647 and 2147483648)
      • 0xffffffff and 0x0 (4294967295 and 0)
    • Send little-ending and big-endian versions of test cases
    • Monitor responses

Format String Vulnerabilities

  • Results from user-controllable input being passed in a format string parameter to a function.
  • %n , in the printf function in C, causes the number of bytes written to be saved to the address of a pointer passed.
    • Book example:
      • printf("The value of count is %d%n.\n", count, &written.); printf("%d bytes were printed.\n", written);
  • If an attacker can change all or part of a format string, like printf, they can overwrite process memory.
  • Can result in arbitrary code execution.

Detecting Format String Vulnerabilities

  • Process:
    • Submit strings with containing many %n and %s
      • %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
      • %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
    • If its Windows FormatMessage, try using its given specifiers:
      • %1!n!%2!n!%3!n!%4!n!%5!n!%6!n!%7!n!%8!n!%9!n!%10!n!
      • %1!s!%2!s!%3!s!%4!s!%5!s!%6!s!%7!s!%8!s!%9!s!%10!s!
    • URL-encode % as %25
    • Monitor application responses

results matching ""

    No results matching ""