
Format String Vulnerabilities






Presentation Transcript


  1. Format String Vulnerabilities. Paper by: Scut/team teso, September 1, 2001.

  2. Overview. An exploit of the ANSI C format functions. Occurs when an attacker can provide the format string, in part or as a whole.

     Proper use:

         void print_msg( char *msg ) { printf( "%s\n", msg ); }

     Vulnerable use:

         void print_msg( char *msg ) { printf( msg ); }

  3. Attacks Crash the program. View stack contents. View any memory location in process. Change any memory location in process. Take control of process. Execute system commands.

  4. Why cover it? It is no longer common, and compilers will flag vulnerable use. But it is an ideal teaching vehicle: exploitation requires understanding of the stack, function calls, pointers, decimal/hexadecimal, assembly code, binary analysis, and the PLT/GOT. It also serves as an example of how arbitrary memory corruption can lead to code execution by an adversary.

  5. Format Functions. Many format functions: fprintf, printf, sprintf, snprintf, vfprintf, vprintf, vsprintf, vsnprintf. Others with format strings: setproctitle, syslog, err*, verr*, warn*, vwarn*.

  6. Variable Arguments In C, a variable number of arguments can be passed to functions. The called function must determine the number and type of arguments. The format string tells the format function what arguments to expect.

  7. Stack. In the printf() call below there is a single argument and no variable arguments, so the call should never result in access to the print_msg() frame. (Figure: stack layout showing the print_msg() and printf() frames, the VARARG pointer, and the direction of stack growth.)

         void print_msg( char *msg )
         {
             char buffer[512];
             strncpy( buffer, msg, 511 );
             buffer[511] = '\0';
             printf( buffer );
         }

  8. But... what if the buffer contains a string like "%s %s %s %s %s"? This causes values on the stack in the print_msg() frame to be interpreted as pointers to strings (most likely crashing the program)! The code is the same print_msg() as on slide 7. (Figure: the VARARG pointer walking up through the print_msg() frame, one word per %s.)

  9. Reading Stack Memory. An attacker can read stack memory with a string like "%08x %08x %08x %08x %08x". Each stack word above the printf() stack frame will be printed in hexadecimal. Given a large enough buffer, potentially all of stack memory can be retrieved. The code is the same print_msg() as on slide 7. (Figure: the VARARG pointer walking up through the print_msg() frame, one word per %08x.)

  10. Reading Arbitrary Memory. Notice that in this case the buffer is on the stack. If the buffer contains something like "AAAA_%08x_%08x…|%s", then we can move the vararg pointer until it points to the address represented by "AAAA" (which is 0x41414141); the %s will then display memory at that address. (Figure: VARARG pointer position.)

  11. Writing Arbitrary Memory. Using a similar approach we can modify memory with the %n flag. If the buffer contains something like "AAAA_%08x_%08x…%n", then we can move the vararg pointer until it points to the address represented by "AAAA" (which is 0x41414141); the %n will then write the current count of bytes written to that address. (Figure: VARARG pointer position.)

  12. Writing Arbitrary Memory. The count can be incremented with format specifiers like %<num>u, where <num> is an integer. Types of exploits:
      - Update the return pointer on the stack to point at code stored in the buffer.
      - Update a GOT (Global Offset Table) pointer to point at code stored in the buffer, or to redirect calls to powerful functions such as system().
      - Write code on the heap and use the above methods to run it.
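As an added example (not from the slides or the teso paper), the C below puts the hardened print_msg() from slide 2 beside two helpers of my own: a scanner that counts the directives an untrusted string would introduce if it ever reached a format function and flags %n, and a call that shows the legitimate semantics behind slides 11 and 12, where %n stores the byte count and a width on %u pads it. Function names are assumptions, not the paper's.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of slide 2's print_msg(): the untrusted message is an
   argument to a fixed format, never the format itself. */
void print_msg_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Scan s as printf() would: count conversion directives and note whether
   any of them is %n. "%%" is a literal percent sign, not a directive. */
static int scan_directives(const char *s, int *has_n)
{
    int n = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
        const char *q = p + 1;
        /* skip flags, width, precision, length modifiers and '$' */
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q)) q++;
        if (*q == 'n') *has_n = 1;
        if (*q == '\0') break;
        p = q;
    }
    return n;
}

/* Number of directives untrusted input would add if used as a format. */
int count_directives(const char *s) { int h; return scan_directives(s, &h); }

/* 1 if the input contains a %n directive (a write, not just a read). */
int contains_percent_n(const char *s) { int h; scan_directives(s, &h); return h; }

/* Legitimate %n: with a real int pointer it stores the bytes produced so
   far. A width on %u pads the output, which is how slide 12's "%<num>u"
   raises that count. Returns the value stored for "AAAA%<width>u%n". */
int bytes_before_n(unsigned value, int width)
{
    char buf[64];
    int count = -1;
    snprintf(buf, sizeof buf, "AAAA%*u%n", width, value, &count);
    return count;
}
```

The scanner is a detection aid for reviewing input that must never become a format string; the real fix remains the fixed format in print_msg_safe().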

  13. Homework. Scaffolded levels for leveraging format string vulnerabilities.
