SSD 951: SECURE SOFTWARE DEVELOPMENT
SECURE PROGRAMMING: BUFFER OVERFLOW
Dr. Shahriar Bijani, Shahed University, Fall 2016
SLIDES' REFERENCES
Avinash Kak, Buffer Overflow Attack, Computer & Network Security, Purdue University, April 2016.
David A. Wheeler, Secure Software Design & Programming: Low-level Attacks (Buffer Overflow and Friends), SWE 681/ISA 681, George Mason University, Aug 2014.
Hossein Saiedian, Computer Security: Principles and Practice, Chapter 10: Buffer Overflow, University of Kansas, Fall 2014.
UO Security Club, Stack Buffer Overflow, Fall 2014.
DEFINITION OF BUFFER OVERFLOW
Buffer overflows = buffer overruns
A buffer overflow is an event that occurs when we have:
  a fixed-length data buffer (e.g., a string), and
  at least one value intended for the buffer is written outside that buffer's boundaries (usually past its end).
Some definitions also include reading outside the buffer.
NIST's definition: "A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system."
BUFFER OVERFLOW: A WELL-KNOWN PROBLEM
Noted in "Computer Security Technology Planning Study" (1972)
If exploitable:
  the attacker can often completely control the program
  the attacker can typically cause denial of service
  many defenses simply downgrade the outcome from "control the program" to DoS
Still of major concern due to:
  the legacy of widely deployed buggy code
  careless programming techniques
Two types:
  Stack overrun: the buffer is on the stack; the attack is called "stack smashing"
  Heap overrun: the buffer is on the heap; the attack is called "heap smashing"
BUFFER OVERFLOW EXAMPLES
1988: Morris worm took down the Internet via gets() in the fingerd command
1998: University of Washington IMAP (mail) server
1999: RSA crypto reference implementation; subverted PGP, OpenSSH, Apache's mod_ssl, etc.
2001: Code Red worm; buffer overflow in Microsoft's Internet Information Services (IIS) 5.0
2003: SQL Slammer worm compromised machines running Microsoft SQL Server 2000
~2008: Twilight hack unlocks Nintendo Wii consoles; creates a strange, long horse name for "The Legend of Zelda: Twilight Princess" that includes a program
IMPORTANCE OF BUFFER OVERFLOW
"Practically every worm that has been unleashed in the Internet has exploited a buffer overflow vulnerability in some networking software."*
A REAL BUFFER OVERFLOW EXAMPLE: TELNET SERVICE
The Telnet protocol (telnet command) allows a user to establish a terminal session on a remote machine for the purpose of executing commands there.
telnet is not a secure service, so remote terminal sessions are now created with the SSH command.
But it is still used:
  by human users to gain terminal access to other hosts
  for some computer-to-computer exchanges within networks
HOW TELNET WORKS
The Telnet server monitors port 23 for incoming connection requests from Telnet clients.
A client runs the telnet program to establish a connection with a remote server.
The client sends its socket number to the server (socket number = IP address + port number).
The server receives the client's socket number and sends back its own socket number.
ATTACK ON TELNET (10 Feb 2007)
US-CERT (United States Computer Emergency Readiness Team) issued the following Vulnerability Note:
Vulnerability Note VU#881872
Overview: A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.
Description: The Sun Solaris telnet daemon may accept authentication information via the USER environment variable. However, the daemon does not properly sanitize this information before passing it on to the login program, and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms... This vulnerability is being exploited by a worm...
ATTACK ON TELNET (31 Dec 2004)
Cisco issued the following security advisory:
Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability, Document ID: 61671, Revision 2.4
Summary: A specifically crafted TCP connection to a telnet or a reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, remote shell (RSH), secure shell (SSH), and in some cases HTTP access to the Cisco device. Data Link Switching (DLSw) and protocol translation connections may also be affected. Telnet, reverse telnet, RSH, SSH, DLSw and protocol translation sessions established prior to exploitation are not affected... This vulnerability affects all Cisco devices that permit access via telnet or reverse telnet... Telnet, RSH, and SSH are used for remote management of Cisco IOS devices...
ATTACK ON TELNET (7 Feb 2002)
Microsoft released the following security bulletin:
Microsoft Security Bulletin MS02
Problem: A vulnerability exists in some Microsoft Telnet Server products that may cause a denial of service or allow an attacker to execute code on the system.
Platform: Telnet Service in Microsoft Windows 2000
Damage: A successful attack could cause the Telnet Server to fail, or in some cases, may allow an attacker to execute code of choice on the system...
Vulnerability Assessment: The risk is HIGH. Exploiting this vulnerability may allow an attacker complete control of the system.
Summary: Unchecked buffer in telnet server could lead to arbitrary code execution... The server implementation... contains unchecked buffers in code that handles the processing of telnet protocol options.
BUFFER OVERFLOW BASICS
Caused by a programming error that allows more data to be stored than the capacity available in a fixed-size buffer.
The buffer can be on the stack, on the heap, or in global data.
Overwriting adjacent memory locations leads to:
  corruption of program data
  unexpected transfer of control
  memory access violations
  execution of code chosen by the attacker
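As an added example that is not from the slides, the fixed-size stack buffer pattern described above in C: an unbounded strcpy() into a 16-byte array, beside a bounded copy that refuses any input that would not fit. The function names, the NAME_LEN size and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-length buffer on the stack (constructed size) */

/* VULNERABLE: strcpy() copies until the NUL of src, so any src longer than
 * NAME_LEN-1 bytes writes past the end of 'name' and into whatever the
 * compiler placed next to it on the stack ("stack smashing"). Kept only
 * for contrast; it must never see untrusted input. Returns bytes stored. */
int greet_unsafe(const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);                 /* no bounds check at all */
    return (int)strlen(name);
}

/* HARDENED: copy at most dst_len-1 bytes and always NUL-terminate.
 * Oversized input is rejected instead of silently truncated, so the
 * caller can log or drop it. Returns 0 on success, -1 if refused. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    /* Look for the terminator only inside the first dst_len bytes of src;
     * if it is not there, src needs more room than dst has. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - src);    /* n <= dst_len - 1 here */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same buffer as greet_unsafe, but filled through the bounded copy.
 * Returns the stored length, or -1 when the input was refused. */
int greet_safe(const char *src) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, src) != 0)
        return -1;
    return (int)strlen(name);
}

int main(void) {
    /* constructed inputs: one that fits, one 16-char name that does not */
    printf("safe(\"alice\") = %d\n", greet_safe("alice"));
    printf("safe(16 chars) = %d\n", greet_safe("sixteen-chars-xx"));
    return 0;
}
```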
PROGRAMMING LANGUAGES & BUFFER OVERFLOW
Some languages allow buffer overflow: C, C++, Objective-C, Vala, Forth, assembly language
Most languages counter buffer overflow:
  Ada strings, Pascal: detect/prevent overflow
  Java, Python, Perl, Ada unbounded_string: auto-resize
Using other languages doesn't give immunity:
  most language implementations are written in C/C++
  many libraries/components/OSs include C/C++
  some languages/compilers allow disabling the protection, including C# and Ada
Choosing another language helps, but not completely.