Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001
Background: Libsafe for Linux
• Released in April 2000, Libsafe has gained popularity in the Linux community.
• Libsafe is very easy to install. Once installed, Libsafe does its job transparently.
• Libsafe does not need access to the source code of the program to be protected.
• Libsafe protection is system-wide. Libsafe automatically attaches to applications.
• Libsafe incurs only a slight overhead.
Motivation for porting Libsafe to Windows
• Windows is also susceptible to buffer overflow attacks. From 1999 to 2001, there were 54 buffer overflow bugs reported to SecurityFocus.com for Microsoft products running on Windows. Eleven of them were reported between Jan. 2001 and August 2001.
• Unchecked string functions are still widely used in Windows system DLLs and applications. Our investigation reveals that:
  1) 63% of executables and DLLs are still using unchecked string functions.
  2) 83% of services are still using unchecked string functions.
Magic of Microsoft Detours
• Runtime insertion of the detour function and trampoline function between the source function and the target function.
Sample exploit program
(Figure: stack layout of foo's frame: Buffer (80 bytes), fp, ra. The attack string overwrites them with: attack code, garbage, &buffer.)

    #include <string.h>

    void foo(char *input_string)
    {
        char buffer[80];
        strcpy(buffer, input_string);   /* unchecked copy */
        return;
    }
    /* input_string = attack code + garbage + &buffer; total length = 88 bytes */

A vulnerable program running without Libsafe
Sample exploit program (cont.)
(Figure: stack layout of foo's frame: Buffer (80 bytes), fp, ra.)

    #include <stdio.h>
    #include <string.h>

    void foo(char *input_string)
    {
        char buffer[80];
        strcpy(buffer, input_string);   /* intercepted by Libsafe */
        return;
    }
    /* len(input_string) = 88 bytes */

    char *libsafeStrcpy(char *dest, const char *src)
    {
        size_t max_size = 80;   /* distance from dest to the saved frame pointer of foo */
        if (strlen(src) + 1 > max_size) {
            fprintf(stderr, "Libsafe: strcpy overflow detected\n");   /* report the event */
            return NULL;
        }
        return strcpy(dest, src);
    }

max_size = 80
A vulnerable program running with Libsafe
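The check sketched on the two slides above, written out as an added example (this is not code from the talk or from the Libsafe project). Libsafe derives max_size from the frame-pointer chain it finds at run time; in this example the base of the frame that owns dest is passed in explicitly as frame_base, and the frame itself is a constructed struct laid out like the slide's diagram (80-byte buffer, then saved fp and return address). The Detours installation of the function as the strcpy detour is not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (x86 with frame pointers): the local buffer sits at lower
 * addresses than the saved frame pointer and the return address, so a copy
 * into the buffer may grow at most up to the saved frame pointer. */

/* Largest string (NUL included) that fits between dest and the frame base.
 * Returns 0 when dest is not below the frame base, i.e. when the bound cannot
 * be computed; the caller then falls back to the unchecked copy, as Libsafe
 * does when it cannot handle a situation. */
size_t libsafe_max_size(const char *dest, const void *frame_base)
{
    uintptr_t d = (uintptr_t)dest, f = (uintptr_t)frame_base;
    if (d >= f)
        return 0;
    return (size_t)(f - d);
}

/* Checked strcpy replacement: returns 1 if the copy was performed,
 * 0 if it would have reached the saved frame pointer and was refused. */
int libsafe_strcpy(char *dest, const char *src, const void *frame_base)
{
    size_t max_size = libsafe_max_size(dest, frame_base);
    size_t need = strlen(src) + 1;               /* bytes strcpy would write */
    if (max_size != 0 && need > max_size) {
        fprintf(stderr, "libsafe: strcpy of %zu bytes into %zu-byte region refused\n",
                need, max_size);
        return 0;
    }
    strcpy(dest, src);
    return 1;
}

/* Constructed stand-in for foo's stack frame on the slide. */
struct fake_frame {
    char  buffer[80];
    void *saved_fp;
    void *return_addr;
};

/* Copies input_len bytes of 'A' into the fake frame's buffer through the
 * checked strcpy. Returns 1 if the copy was allowed and the saved frame
 * pointer is still intact, 0 if the copy was refused. */
int try_copy(size_t input_len)
{
    struct fake_frame fr;
    char input[256];

    if (input_len >= sizeof input)
        return 0;
    memset(input, 'A', input_len);
    input[input_len] = '\0';

    memset(&fr, 0, sizeof fr);
    fr.saved_fp = (void *)0x1111;                /* sentinel values, constructed */
    fr.return_addr = (void *)0x2222;

    int ok = libsafe_strcpy(fr.buffer, input, &fr.saved_fp);
    return ok && fr.saved_fp == (void *)0x1111;
}

int main(void)
{
    printf("79-byte input allowed: %d\n", try_copy(79));   /* fits: 80 bytes incl. NUL */
    printf("88-byte input allowed: %d\n", try_copy(88));   /* refused: would clobber fp/ra */
    return 0;
}
```

With an 80-byte buffer the bound is 80, so a 79-character string (80 bytes with its terminator) passes and the slide's 88-byte attack string is refused before anything is written.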
Real exploit: vCard buffer overflow
• When a .vcf file contains a long BDAY string, a buffer in Windows Address Book (wab.exe) will overflow.

    BEGIN:VCARD
    VERSION:2.1
    N:Chen;Shuo
    FN:Shuo Chen
    BDAY:19750317AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    EMAIL;PREF;INTERNET:shuochen@avaya.com
    REV:20010619T141800Z
    END:VCARD
Real exploit: Netscape Smartdownload 1.3 buffer overflow
• A component for URL parsing has an unchecked buffer.

    <HTML><BODY>
    This is a test.<P>
    <A HREF="http://www.yahoo.com/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zip" onMouseOver="window.status='I am friendly'; return true">Crash Me</A><P>
    End test.
    </BODY></HTML>
Real exploit: FrontPage Server Extension sub-component buffer overflow vulnerability
When we make the following request:

    $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`

we get this response:

    <HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</b> at this time.</BODY>

But if the argument is longer than 258 bytes, a buffer overflow will occur:

    $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`
IIS running without Libsafe: Remote attack succeeds
(Screen shots: start attack from kira; try to get a shell; get full access.)
IIS running with Libsafe: Remote attack fails
(Screen shots: start attack from kira; try to get a shell; attack fails.)
Limitations of Libsafe
• The buffer overflow should be caused by the string functions intercepted by Libsafe.
• The program to be protected should use frame pointers.
• The attack string should try to overwrite the return address. This implies that the buffer has to be on the stack.
(Libsafe is bypassed when it cannot handle the situation. It does no harm to the program.)
My work in this summer
• Investigated the effectiveness of Libsafe on Windows
• Ported Libsafe to Windows
• Tested Libsafe with sample/real-world exploit programs
• Wrote a detailed TM
• This work will be distributed internally and externally
Acknowledgment
• My mentor: Tim Tsai
• ARC Help people: Tarek Warraky, Lookman Fazal and Eniko Kovacs
• My “first-week mentors”: Navjot Singh and Hamilton Slye