MachineLevel Programming Advanced Topics n Buffer Overflow Internet

Machine-Level Programming Advanced Topics n Buffer Overflow

Internet Worm and IM War November, 1988 n Internet Worm attacks thousands of Internet hosts. n How did it happen? July, 1999 Microsoft launches MSN Messenger (instant messaging system). n MSN Messenger clients can access popular AOL Instant Messaging Service (AIM) servers n AIM client MSN server – 2– MSN client AIM server AIM client CMSC 313, F’ 09

Internet Worm and IM War (cont. ) August 1999 Mysteriously, Messenger clients can no longer access AIM servers. n Microsoft and AOL begin the IM war: n l AOL changes server to disallow Messenger clients l Microsoft makes changes to clients to defeat AOL changes. l At least 13 such skirmishes. n How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! l many Unix functions do not check argument sizes. l allows target buffers to overflow. – 3– CMSC 313, F’ 09

String Library Code n Implementation of Unix function gets() l No way to specify limit on number of characters to read /* gets() - Get a string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != 'n') { *p++ = c; c = getchar(); } *p = ''; /* NULL terminate */ return dest; } n Similar problems with other Unix functions l strcpy: Copies string of arbitrary length l scanf, fscanf, sscanf, when given %s conversion specification – 4– CMSC 313, F’ 09

Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; gets(buf); puts(buf); } /* Way too small! */ int main() { printf("Type a string: "); echo(); return 0; } – 5– CMSC 313, F’ 09

Buffer Overflow Executions unix>. /bufdemo Type a string: 12345678 Segmentation Fault unix>. /bufdemo Type a string: 123456789 ABC Segmentation Fault – 6– CMSC 313, F’ 09

Buffer Overflow Disassembly 080484 f 0 <echo>: 80484 f 0: 55 80484 f 1: 89 e 5 80484 f 3: 53 80484 f 4: 8 d 5 d f 8 80484 f 7: 83 ec 14 80484 fa: 89 1 c 24 80484 fd: e 8 ae ff ff ff 8048502: 89 1 c 24 8048505: e 8 8 a fe ff ff 804850 a: 83 c 4 14 804850 d: 5 b 804850 e: c 9 804850 f: c 3 80485 f 2: e 8 f 9 fe ff ff 80485 f 7: 8 b 5 d fc 80485 fa: c 9 80485 fb: 31 c 0 80485 fd: c 3 – 7– push %ebp mov %esp, %ebp push %ebx lea 0 xfffffff 8(%ebp), %ebx sub $0 x 14, %esp mov %ebx, (%esp) call 80484 b 0 <gets> mov %ebx, (%esp) call 8048394 <puts@plt> add $0 x 14, %esp pop %ebx leave ret call 80484 f 0 <echo> mov 0 xfffffffc(%ebp), %ebx leave xor %eax, %eax CMSC 313, F’ 09 ret

Buffer Overflow Stack Frame for main Return Address Saved %ebp Saved %ebx [3] [2] [1] [0] buf Stack Frame for echo – 8– /* Echo Line */ void echo() { char buf[4]; gets(buf); puts(buf); } echo: pushl movl pushl leal subl movl call. . . %ebp %esp, %ebp %ebx -8(%ebp), %ebx $20, %esp %ebx, (%esp) gets /* Way too small! */ # Save %ebp on stack # # # Save %ebx Compute buf as %ebp-8 Allocate stack space Push buf on stack Call gets CMSC 313, F’ 09

Buffer Overflow Stack Example Stack Frame for main Return Address Saved %ebp Saved %ebx [3] [2] [1] [0] buf Stack Frame for echo – 9– unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0 x 8048583 (gdb) run Breakpoint 1, 0 x 8048583 in echo () (gdb) print /x $ebp $1 = 0 xbfffc 638 (gdb) print /x *(unsigned *)$ebp $2 = 0 xbfffc 658 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0 x 80485 f 7 Stack Frame for main 0 xbfffc 658 Before call to gets 08 04 Address 85 f 7 Return bf Saved ff c 6 %ebp 58 0 xbfffc 638 Saved %ebx xx xx buf Stack Frame for echo 80485 f 2: call 80484 f 0 <echo> 80485 f 7: mov 0 xfffffffc(%ebp), %ebx # Return Point CMSC 313, F’ 09

Buffer Overflow Example #1 Input = “ 1234567” Before Call to gets Stack Frame for main 0 xbfffc 658 08 04 Address 85 f 7 Return bf Saved ff c 6 %ebp 58 0 xbfffc 638 Saved %ebx xx xx buf Stack Frame for echo Stack Frame for main 0 xbfffc 658 08 04 Address 85 f 7 Return bf Saved ff c 6 %ebp 58 0 xbfffc 638 00 37 36 35 34 33 32 31 buf Stack Frame for echo Overflow buf, but no problem – 10 – CMSC 313, F’ 09

Buffer Overflow Stack Example #2 0 xbfffc 658 Stack Frame for main %ebp Input = “ 12345678” 08 04 Address 85 83 Return Saved %ebp bf ff c 6 00 0 xffffc 638 38 37 36 35 34 33 32 31 buf Saved value of %ebp set to 0 xbfffc 600 echo code restores %ebp with corrupted value Stack Frame for echo 0 xbfffc 600 end of echo code: . . . 804850 a: 804850 d: 804850 e: 804850 f: – 11 – 83 c 4 14 5 b c 9 c 3 add pop leave ret $0 x 14, %esp %ebx # # deallocate space restore %ebx movl %ebp, %esp; popl %ebp Return CMSC 313, F’ 09

Example #2 Failure Stack Frame for main 0 xbfffc 658 Input = “ 12345678” %esp echo code restores %ebp with corrupted value Subsequent references based on %ebp invalid 0 xbfffc 600 xx xx %ebp Return from echo: 80485 f 2: e 8 f 9 fe ff ff 80485 f 7: 80485 fa: 80485 fb: 80485 fd: – 12 – 8 b 5 d fc c 9 31 c 0 c 3 call 80484 f 0 <echo> mov leave xor ret 0 xfffffffc(%ebp), %ebx # bad ref? # movl %ebp, %esp; popl %ebp %eax, %eax # bad ref CMSC 313, F’ 09

Buffer Overflow Stack Example #3 Before Call to gets Stack Frame for main Input = “ 123456789 ABC” 0 xbfffc 658 Stack Frame for main Return address 08 04 Address 85 83 Return bf Saved ff c 6 %ebp 58 0 xbfffc 638 Saved %ebx xx xx buf Stack Frame for echo 0 xbfffc 658 08 04 Address 85 00 Return 43 Saved 42 41 %ebp 39 0 xbfffc 638 38 37 36 35 34 33 32 31 buf Stack Frame for echo Invalid address No longer pointing to desired return point 80485 f 2: call 80484 f 0 <echo> 80485 f 7: mov 0 xfffffffc(%ebp), %ebx # Return Point – 13 – CMSC 313, F’ 09

Example #3 Failure Input = “ 123456789 ABC” Stack Frame for main 0 xbfffc 658 08 04 Address 85 00 Return 43 Saved 42 41 %ebp 39 0 xbfffc 638 38 37 36 35 34 33 32 31 buf Return address Stack Frame for echo 0 x 43424139 xx xx end of echo code: . . . 804850 a: 804850 d: 804850 e: 804850 f: – 14 – 83 c 4 14 5 b c 9 c 3 add pop leave ret $0 x 14, %esp %ebx # # deallocate space restore %ebx movl %ebp, %esp; popl %ebp Return (Invalid) CMSC 313, F’ 09

Malicious Use of Buffer Overflow Stack after call to gets() return address A void foo(){ bar(); . . . } int bar() { char buf[64]; gets(buf); . . . return. . . ; } foo stack frame data written by gets() B B Return address pad exploit code bar stack frame Input string contains byte representation of executable code n Overwrite return address with address of buffer n When bar() executes ret, will jump to exploit code at B n – 15 – CMSC 313, F’ 09

Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. Internet worm n Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: l finger frey@cs. umbc. edu n Worm attacked fingerd server by sending phony argument: l finger “exploit-code padding new-return-address” l exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker. – 16 – CMSC 313, F’ 09

Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines. IM War AOL exploited existing buffer overflow bug in AIM clients n exploit code: returned 4 -byte signature (the bytes at some location in the AIM client) to server. n When Microsoft changed code to match signature, AOL changed signature location. n – 17 – CMSC 313, F’ 09

Date: Wed, 11 Aug 1999 11: 30: 57 -0700 (PDT) From: Phil Bucking <philbucking@yahoo. com> Subject: AOL exploiting buffer overrun bug in their own software! To: rms@pharlap. com Mr. Smith, I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response. I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year. . It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now *exploiting their own buffer overrun bug* to help in its efforts to block MS Instant Messenger. . . Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security. Sincerely, Phil Bucking Founder, Bucking Consulting philbucking@yahoo. com – 18 – It was later determined that this email originated from within Microsoft! CMSC 313, F’ 09

Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } Use Library Routines that Limit String Lengths n fgets instead of gets n strncpy instead of strcpy n Don’t use scanf with %s conversion specification l Use fgets to read the string l Or use %ns where n is a suitable integer – 22 – CMSC 313, F’ 09

System-Level Protections Randomized stack offsets At start of program, allocate random amount of space on stack n Makes it difficult for hacker to predict beginning of inserted code n Random “signatures” q Place known values at specified stack locations. Check after function calls. unix> gdb bufdemo (gdb) break echo (gdb) run (gdb) print /x $ebp $1 = 0 xffffc 638 (gdb) run (gdb) print /x $ebp $2 = 0 xffffbb 08 (gdb) run (gdb) print /x $ebp $3 = 0 xffffc 6 a 8 Nonexecutable code segments n In traditional x 86, can mark region of memory as either “read-only” or “writeable” l Can execute anything readable n – 23 – Add explicit “execute” permission CMSC 313, F’ 09

Suggested Reading l“Smashing the Stack for Fun And Profit” n By Elias Levy (aka Aleph One) n Phrack Magazine, issue #49, 1996 – 24 – CMSC 313, F’ 09

Final Observations Working with Strange Code n Important to analyze nonstandard cases l E. g. , what happens when stack corrupted due to buffer overflow n – 25 – Helps to step through with GDB CMSC 313, F’ 09