Buffer Overflow Attacks (PPTX)
Network Security: Buffer Overflow Attacks
Joe McCarthy
Today’s Agenda
- What is Network Security?
- Why should you care?
- What is a network security attack?
- What is a buffer overflow attack?
- Where can you learn more?
All in 30 minutes …
What is Network Security?
Computer Security: “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
FIPS PUB 199, February 2004, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Network Security Essentials, 4/E, William Stallings, Prentice Hall, 2011
Why study Network Security?
- Multi-disciplinary: computer science, mathematics, psychology, sociology, politics, ethics, economics, forensics, …
- New way of thinking, the security mindset: preventing undesirable behavior vs. enabling desirable behavior
- Personal relevance: keeping your personal data & devices safe
- Professional relevance
TCSS 431: Network Security
- Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, 2/E, Ed Skoudis & Tom Liston, Prentice Hall, 2006
- Network Security: Private Communication in a Public World, 2/E, Charlie Kaufman, Radia Perlman & Mike Speciner, Prentice Hall, 2002
Today’s Agenda (chapters of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, 2/E, Skoudis & Liston, Prentice Hall, 2006)
 1. Introduction
 2. Networking Overview
 3. Linux and UNIX Overview
 4. Windows NT/2000/XP/2003 Overview
 5. Phase 1: Reconnaissance
 6. Phase 2: Scanning
 7. Phase 3: Gaining Access Using Application & OS Attacks
    - Script Kiddie Exploit Trolling
    - Pragmatism for More Sophisticated Attackers
    - Buffer Overflow Exploits
    - Password Attacks
    - Web Application Attacks
    - Exploiting Browser Flaws
 8. Phase 4: Gaining Access Using Network Attacks
 9. Phase 4: Denial-of-Service Attacks
10. Phase 4: Maintaining Access: Trojans, Backdoors & Rootkits
11. Phase 5: Covering Tracks & Hiding
12. Putting It All Together: Anatomy of an Attack
13. The Future, References & Conclusions
Anatomy of an Attack
- Reconnaissance (“casing the joint”): discovery of physical & online sensitive information; names, contact info (phone, email), IP addresses; social engineering, dumpster diving, Google
- Scanning (“trying doorknobs & windows”): search for openings, network topology, OS type(s); wireless access points, TCP ports, routers, gateways; inventory of target system & possible vulnerabilities
- Gaining access (“breaking in”): application & OS attacks (Chapter 7); stack-based & heap-based buffer overflow attacks
Brief review of Main Memory
[Figure: the user view of memory (code, data, heap and stack segments) mapped onto the logical memory space. Each page is only a piece of memory and has no meaning on its own.]
A program is a collection of segments such as:
- main program,
- procedure,
- function,
- global variables,
- common block,
- stack,
- symbol table
Source: http://courses.washington.edu/css430/ppt/Memory.ppt
Stack-based Buffer Overflow Attacks
C library functions considered harmful
On the “considered harmful” phrase: Frank Rubin, Communications of the ACM 30 (3): 195–196, March 1987; replies by Donald Moore, Chuck Musciano, Michael J. Liebhaber, Steven F. Lott and Lee Starr, Communications of the ACM 30 (5): 351–355, May 1987; http://en.wikipedia.org/wiki/Considered_harmful
Finding stack-based buffer overflow vulnerabilities
- Examine source code (if available)
- Use a debugger on the executable to find the exploitable library call
- Apply brute force: inundate the application with input data, then examine stack traces after crashes
But what would you input … & what would you look for?
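As an added example (not code from the slides), here is the “examine source code” step reduced to a small C program in the spirit of the ITS4, RATS and Flawfinder scanners the deck names among its defenses: it walks a C source text held in memory and flags calls to library functions that write into a caller-supplied buffer with no length bound. The function list, the function names scan_source and scan_sample, and the embedded copy of the deck’s sample program are this example’s own choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Calls a reviewer flags in C source: each writes into a caller-supplied
   buffer with no length bound, so the input length alone decides whether
   the buffer overruns. (List chosen for this example.) */
static const char *const UNBOUNDED_CALLS[] = {
    "gets", "strcpy", "strcat", "sprintf", "vsprintf", NULL
};

/* True when src[pos..pos+len) is a whole identifier followed by '('.
   The look-behind rejects longer names such as fgets or snprintf. */
static int is_call_at(const char *src, size_t pos, size_t len) {
    if (pos > 0 && (isalnum((unsigned char)src[pos - 1]) || src[pos - 1] == '_'))
        return 0;
    const char *p = src + pos + len;
    while (*p == ' ' || *p == '\t')
        p++;
    return *p == '(';
}

/* Scan one C source text held in memory. Reports each finding with its
   line number on `out` (pass NULL to stay silent) and returns the count.
   Like the rough auditing tools it imitates, it does not skip comments or
   string literals, so expect some false positives that a review must triage. */
int scan_source(const char *src, FILE *out) {
    int findings = 0;
    int line = 1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '\n') {
            line++;
            continue;
        }
        for (int k = 0; UNBOUNDED_CALLS[k] != NULL; k++) {
            size_t len = strlen(UNBOUNDED_CALLS[k]);
            if (strncmp(src + i, UNBOUNDED_CALLS[k], len) == 0 && is_call_at(src, i, len)) {
                findings++;
                if (out)
                    fprintf(out, "line %d: unbounded call %s()\n", line, UNBOUNDED_CALLS[k]);
                i += len - 1;   /* skip past the matched name */
                break;
            }
        }
    }
    return findings;
}

/* Constructed input: the deck's sample program, embedded as a string. */
static const char SAMPLE_PROGRAM[] =
    "#include <stdio.h>\n"
    "void f() {\n"
    "  char s[9];\n"
    "  printf( \"Enter s: \" );\n"
    "  gets( s );\n"
    "  printf( \"You entered: %s\\n\", s );\n"
    "}\n"
    "int main(void) { f(); return 0; }\n";

/* Number of unbounded calls in the embedded sample: the gets() on line 5. */
int scan_sample(void) {
    return scan_source(SAMPLE_PROGRAM, NULL);
}

int main(void) {
    int n = scan_source(SAMPLE_PROGRAM, stdout);
    printf("%d unbounded call(s) found\n", n);
    return n > 0 ? 1 : 0;   /* non-zero exit so a build script can gate on it */
}
```

The whole-identifier check matters: a naive substring search would report fgets() as gets() and snprintf() as sprintf(), which are exactly the bounded replacements a reviewer wants to see. The scanner still reports a gets mentioned in a comment only if it is followed by an opening parenthesis, so a sentence such as “gets is unsafe” is not a finding.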
Sample program (deliberately vulnerable: gets() has no length bound)

    #include <stdio.h>

    void f() {
        char s[9];                                     /* room for 8 characters plus the NUL terminator */
        printf( "_________12345678901234567890\n" );   /* ruler: 9 underscores line up with "Enter s: ", so each typed character's position is visible */
        printf( "Enter s: " );
        gets( s );                                     /* input longer than 8 characters writes past the end of s */
        printf( "You entered: %s\n", s );
        return;
    }

    int main(void) {
        f();
        return 0;
    }
Running the program
[Screenshots of successive runs with progressively longer inputs; the hex bytes that appear in the crash output are the ASCII codes of the typed characters: 0x49 = “I”, 0x48 = “H”, 0x47 = “G”, 0x46 = “F”]
Strategy & Structure of a “Sploit”
- “Fuzzing”: repeated input patterns
  - AAAA… (“A” = 0x41)
  - ABCDEFG…
  - DEF1, DEF2, DEF3, …
- NOP (No Operation): 0x90 on x86; also: add 0, multiply by 1, jump to next instruction, …
- NOP sled
Heap-based Buffer Overflow Attacks
Script Kiddies & Exploit Collections
Attacks (exploits) are widely available; little or no knowledge required:
- French Security Response Team (FrSIRT), http://www.vupen.com/english/ (“Only available to trusted organizations”)
- Packet Storm Security, http://packetstormsecurity.org/
- Security Focus Bugtraq Archives, http://www.securityfocus.com/bid
- Metasploit Project, http://www.metasploit.com

Sample Payloads
- Bind shell to current port
- Bind shell to arbitrary port
- Reverse shell
- Windows VNC Server DLL
- Reverse VNC DLL Inject
- Inject DLL into running application
- Create local admin user
- The Meterpreter (Metasploit Interpreter)
Pros & Cons of Exploit Frameworks
Advantages for attackers:
- Reduced time
- Increased quality
Advantages for defenders:
- Increased accuracy of security assessments: vulnerability scans yield many false positives (30-50%); scan, then sploit to find “real” problems
- Verify IDS / IPS functionality: malfunctions, misconfiguration, pre-emptive attacks
- Improving management awareness: “Please don’t steal this file!”
Defenses against Buffer Overflow Attacks
- Safer programming
- StackGuard, Stack Shield
- Security reviews: ITS4 (“It’s the Software, Stupid - Security Scanner”), RATS (Rough Auditing Tool for Security), Flawfinder
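As an added example of the “safer programming” item (not code from the slides): the sample program’s f() read s with gets(), which has no length bound. The read_line_bounded function below is a bounded replacement built on fgets() that also handles the two awkward cases a naive replacement gets wrong: an over-long line (the remainder is drained so it is not misread as the next input, and truncation is reported) and a line exactly as long as the buffer allows. The status enum, the helper names, the tmpfile()-based test harness and the constructed inputs are this example’s own.

```c
#include <stdio.h>
#include <string.h>

#define S_LEN 9   /* the slide's buffer: room for 8 characters plus the NUL */

/* Outcome of a bounded read, so the caller can tell the cases apart. */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* Bounded replacement for gets(s): reads one line into buf[0..cap) and
   never writes past it.
   - At most cap-1 characters are stored and the result is always NUL-terminated.
   - A trailing newline is stripped when the whole line fit.
   - If the line was longer than the buffer, the rest of that line is drained
     so it cannot be mistaken for the next input, and truncation is reported. */
enum read_status read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0)
        return READ_EOF;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';          /* whole line fit: drop the newline */
        return READ_OK;
    }
    /* No newline in the buffer: either it filled up first, or this was the
       last line of input. Look at the next character to tell which. */
    int c = getc(in);
    if (c == EOF || c == '\n')
        return READ_OK;             /* line was exactly cap-1 chars: nothing lost */
    while (c != '\n' && c != EOF)   /* discard the overflowing remainder */
        c = getc(in);
    return READ_TRUNCATED;
}

/* Test helper: turn constructed text into a readable stream via tmpfile(). */
static FILE *input_from_string(const char *text) {
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Returns 1 when reading `text` into an S_LEN buffer yields status `want`
   and buffer contents `want_buf`. The buffer is pre-filled with 'X' so a
   missing terminator would show up as a mismatch. */
int check_input(const char *text, enum read_status want, const char *want_buf) {
    char buf[S_LEN];
    memset(buf, 'X', sizeof buf);
    FILE *f = input_from_string(text);
    if (f == NULL)
        return 0;
    enum read_status st = read_line_bounded(buf, S_LEN, f);
    fclose(f);
    return st == want && strcmp(buf, want_buf) == 0;
}

/* Returns 1 when an over-long first line is truncated to 8 characters and
   the second line still arrives intact, i.e. the drain worked. */
int check_drain(void) {
    char a[S_LEN], b[S_LEN];
    FILE *f = input_from_string("12345678901234567890\nnext\n");
    if (f == NULL)
        return 0;
    enum read_status s1 = read_line_bounded(a, S_LEN, f);
    enum read_status s2 = read_line_bounded(b, S_LEN, f);
    fclose(f);
    return s1 == READ_TRUNCATED && strcmp(a, "12345678") == 0
        && s2 == READ_OK && strcmp(b, "next") == 0;
}

/* Same interaction as the slide's program, with the bounded read in place of gets(). */
int main(void) {
    char s[S_LEN];
    printf("Enter s: ");
    enum read_status st = read_line_bounded(s, S_LEN, stdin);
    printf("You entered: %s%s\n", s,
           st == READ_TRUNCATED ? " (input truncated to 8 characters)" : "");
    return 0;
}
```

Feeding this program the 20-digit input from the “Running the program” slides stores “12345678” and reports truncation instead of overwriting the stack. Reporting the truncation is the part most replacements skip, and it is what lets a caller decide whether a cut-off value is acceptable or must be rejected.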
For more information
- “Smashing the Stack for Fun and Profit”, Aleph One, aleph1@underground.org, http://www.phrack.org/issues.html?id=14&issue=49
- Common Vulnerabilities & Exposures, http://cve.mitre.org/cve/ (Total CVEs: 45,149)
  - Stack-based overflow vulnerabilities, 1200+: IE, Safari, Firefox, Opera, RealPlayer, QuickTime, WMP, WinAmp, DB2, Excel, Access, Word, PowerPoint, OpenOffice, Eudora, Acrobat, Reader, JDK, JRE, Norton, McAfee, eTrust, RAZR
  - Heap-based overflow vulnerabilities, 900+: IE, Opera, Firefox, Thunderbird, Apache, VB, ColdFusion, Skype, PHP, Oracle, PostgreSQL, AIM, Windows Live Messenger, WordPerfect, Outlook Express, PageMaker, PowerPoint, Excel, Netscape, McAfee, DirectX, Shockwave, Subversion, QuickTime, Norton, Sophos, Kaspersky, RSA SecurID, PuTTY, iTunes, RealPlayer, WinAmp, OpenOffice, JRE, Facebook Photo Uploader ActiveX, Blackberry