NMCSP
2008 Batch-I
Module XVI
Buffer Overflows
  Scenario
It was a job that Tim wanted right from the start
of his career. Being the Project Manager of a well
known software firm was definitely a sign of
prestige. But now his credibility was at stake!!!
The last project that Tim handled failed as the
application failed to deliver what it was meant to.
The customer of Tim's company suffered a huge
financial loss.
At the back of his mind something was nagging
him.....
Had he asked his Test Engineers to do a thorough
testing of the delivered package this would not
have happened....
   Scenario (contd.)
Since the project was running behind schedule he
hurried up the testing part.
He went with his gut feeling. He had worked with
the same team for the last few projects and no
negative feedback was reported till now from any
of the previous clients about their projects
..nothing would possibly go wrong....
But this time lady luck was not smiling at him. The
web server of Tim's client had succumbed to a
buffer overflow attack. This was due to a flaw in
the coding part as bounds were not checked ...
Is Tim's decision justified?
What next?
Module Objectives
 Why are programs/applications vulnerable?
 What is a Buffer Overflow?
 Reasons for Buffer Overflow attacks.
 Skills required
 Types of Buffer Overflow
 Understanding Stacks
 Shell Code
 How to detect Buffer Overflows in a program?
 Technical details
 Defense against Buffer Overflows
   Flow Diagram for the module
 Reasons for failure        Introduction to     Reasons for Buffer
   of applications          Buffer Overflows     Overflow attacks
                             Types of
  Shellcode                                         Skills Required
                         Buffer Overflows
Understanding          Understanding             Detection of
   Stacks              Assembly code            Buffer Overflow
                                                Attacking a
Countermeasures          NOPS
                                               real program
                        Tools to defend
                        Buffer Overflows
Real World Scenario
On Oct 19 2000, hundreds of flights were grounded, or delayed, due
to a software problem in the Los Angeles air traffic control system.
The cause was attributed to a Mexican Controller typing 9 (instead
of 5) characters of flight-description data, resulting in a buffer
overflow.
    Why are Programs/Applications
    vulnerable?
Since there is lot of pressure on the deliverables;
programmers are bound to make mistakes which are
overlooked most of the time.
   Boundary check are not done.
 Programming languages, such as C, which
programmers still use to develop packages or
applications, have errors.
  The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(),
gets(), and scanf() calls in C can be exploited because
these functions don’t check to see if the buffer,
allocated on the stack, is large enough for the data
copied into the buffer.
   Good programming practices are not adhered to.
 Buffer Overflows
   A buffer overflow occurs when a program allocates a block of memory
    of a certain length and then tries to place more data into the memory
    space than allocated, with the extra data overflowing the space and
    overwriting possibly critical information crucial to the normal
    execution of the program. Consider the following source code:
    #include<stdio.h>
    int main ( int argc , char **argv)
           {
                        char target[5]=”TTTT”;
                        char attacker[11]=”AAAAAAAAAA”;
                        strcpy( attacker,” DDDDDDDDDDDDDD”);
                        printf(“% \n”,target);
                        return 0;
           }
  When this source is compiled into a program, and the program is run,
   it will assign a block of memory 32 bytes long to hold the name string.
This type of vulnerability is prevalent in UNIX and NT based systems
    Reasons for Buffer Overflow attacks
Buffer   overflow attacks depend on two things:
   • the lack of boundary testing, and
   • a machine that can execute code that resides in the data/stack segment.
The  lack of boundary testing is very common and the program
usually ends with a segmentation fault or bus error. In order to
exploit buffer overflows to gain access or escalate privileges, the
offender must create the data to be fed to the application.
Random   data will generate a segmentation fault or bus error,
never a remote shell or the execution of a command.
Knowledge required to Program Buffer
Overflow Exploits
1.   C functions and the stack.
2.   A little knowledge of assembly/machine language.
3.   How system calls are made (at the machine code level).
4.   exec() system calls.
5.   How to 'guess' some key parameters.
Types of Buffer Overflows
   Stack-Based Buffer Overflow
   Heap/BSS based Buffer Overflow
Stack based Buffer Overflow
   Buffer is expecting a maximum number of guests.
   Send the buffer more than x guests.
   If the system does not perform boundary checking, extra guests
    continue to be placed at positions beyond the legitimate locations
    within the buffer. (Java does not permit the code to run off the end
    of an array or string as C and C++ do).
   Malicious code can be pushed on the stack.
   The overflow can overwrite the return pointer so that the flow of
    control switches to the malicious code.
Understanding Assembly Language
Two most important operations in a stack:
   • 1. Push – put one item on the top of the stack
   • 2. Pop - remove one item from the top of the stack
   • Typically returns the contents pointed to by a pointer and
     changes the pointer (not the memory contents)
Understanding Stacks
   The stack is a (LIFO)
    mechanism that
    computers use to pass
    arguments to functions
    as well as to reference
    local variables.
   It acts like a buffer,
    holding all of the
    information that the
    function needs.
   The stack is created at
    the beginning of a
    function and released at
    the end of it.
A Normal Stack
Shellcode
   Shellcode is a method to exploit stack based
    overflows.
   Shellcodes exploit computer bugs with respect
    to how the stack is handled.
   Buffers are soft targets for attackers as they
    overflow very easily if the conditions match.
Heap-based Buffer Overflow
   Variables which are dynamically allocated with
    functions such as malloc() are created on the
    heap.
   Heap is a memory space that is dynamically
    allocated. It is different from the memory which
    is allocated for stack and code.
   In a heap-based buffer overflow attack an
    attacker overflows a buffer which is placed on
    the lower part of the heap, overwriting other
    dynamic variables, which can have unexpected
    and unwanted effects.
How to detect Buffer Overflows in a
program
There are two ways to detect buffer overflows.
   • The first way is by looking at the source code. In this
     case, the hacker can look for strings declared as local
     variables in functions or methods and verify the
     presence of boundary checks. It is also necessary to
     check for improper use of standard functions,
     especially those related to strings and input/output.
   • The second way is by feeding the application huge
     amounts of data and checking for abnormal
     behavior.
Attacking a Real Program
   Assuming that a string function is being exploited, the
    attacker can send a long string as the input.
   This string overflows the buffer and causes a
    segmentation error.
   The return pointer of the function is overwritten and
    the attacker succeeds in altering the flow of execution.
   If he wishes to insert his code in the input, he has to:
    • Know the exact address on the stack
    • Know the size of the stack
    • Make the return pointer point to his code for execution
NOPs
   Most CPUs have a No        An attacker pads the beginning of
    Operation (NOP)             the intended buffer overflow with a
    instruction - it only       long run of NOP instructions (a
    advances the                NOP slide or sled) so the CPU will
                                do nothing until it gets to the 'main
    instruction pointer.
                                event' (which precedes the 'return
   Usually, we can put         pointer').
    some of these ahead        Most intrusion detection systems
    of our program (in          (IDS) look for signatures of NOP
    the string).                sleds. ADMutate (by K2) accepts a
   As long as the new          buffer overflow exploit as an input
    return address points       and randomly creates a
                                functionally equivalent version
    to a NOP we are OK.
                                (polymorphism).
How to mutate a Buffer Overflow
Exploit
For the NOP portion
   Randomly replace NOPs with functionally equivalent segments of
   code (e.g.: x++; x-; ? NOP NOP).
For the "main event"
   Apply XOR to combine code with a random key unintelligible to
   IDS. The CPU code must also decode the gibberish in time in order
   to run the decoder. By itself the decoder is polymorphic and
   therefore hard to spot.
For the "return pointer"
   Randomly tweak LSB of pointer to land in the NOP-zone.
Once the stack is smashed
Once the vulnerable process is commandeered, the
  attacker has the same privileges as the process and can
  gain normal access. He can then exploit a local buffer
  overflow vulnerability to gain super-user access.
Create a backdoor
  Using (UNIX-specific) inetd
  Using Trivial FTP (TFTP) included with Windows 2000
  and some UNIX flavors
Use Netcat to make raw, interactive connection
   Shoot back an Xterminal connection
   UNIX-specific GUI
Defense against Buffer Overflows
   Manual auditing of
    code
   Disabling Stack
    Execution
   Safer C library
    support
   Compiler
    Techniques
Tool to defend Buffer Overflow:
Return Address Defender(RAD)
   RAD is a simple patch for the compiler that
    automatically creates a safe area to store a copy
    of return addresses.
   After that, RAD automatically adds protective
    code into applications that it compiles to defend
    programs against buffer overflow attacks.
   RAD does not change the stack layout.
Tool to defend against Buffer
Overflow: StackGuard
   StackGuard: Protects Systems From Stack Smashing
    Attacks.
   StackGuard is a compiler approach for defending
    programs and systems against "stack smashing" attacks.
   Programs that have been compiled with StackGuard are
    largely immune to stack smashing attacks.
   Protection requires no source code changes at all. When
    a vulnerability is exploited, StackGuard detects the
    attack in progress, raises an intrusion alert, and halts
    the victim program.
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Tool to defend Buffer Overflow:
Immunix System
   Immunix System 7 is an Immunix-enabled RedHat
    Linux 7.0 distribution and suite of application-level
    security tools.
   Immunix secures a Linux OS and applications.
   Immunix works by hardening existing software
    components and platforms so that attempts to exploit
    security vulnerabilities will fail safe. i.e. the
    compromised process halts instead of giving control to
    the attacker, and then is restarted.
http://immunix.org
Vulnerability Search - ICAT
Summary
   A buffer overflow occurs when a program or process
    tries to store more data in a buffer (temporary data
    storage area) than it was intended to hold.
   Buffer overflow attacks depend on two things: the lack
    of boundary testing and a machine that can execute
    code that resides in the data/stack segment.
   Buffer overflow vulnerabilities can be detected by
    skilled auditing of the code as well as through boundary
    testing.
   Once the stack is smashed, the attacker can deploy his
    payload and take control of the attacked system.
   Countermeasures include: checking the code, disabling
    stack execution, safer C library support, using safer
    compiler techniques.
   Tools like StackGuard, Immunix and vulnerability
    scanners help secure systems.