02 CTRL Hijacking
Control Hijacking
[Figure: vulnerability counts. Source: NVD/CVE]
Dan Boneh
What is needed

Understanding C functions, the stack, and the heap.
Know how system calls are made.
The exec() system call.

Attacker needs to know which CPU and OS are used on the target machine:
  Our examples are for x86 running Linux or Windows.
  Details vary slightly between CPUs and OSs:
    Little endian vs. big endian (x86 vs. Motorola)
    Stack frame structure (Unix vs. Windows)
[Figure: Linux process memory layout, from high to low addresses: shared libraries (0x40000000), brk, run-time heap, unused, program loaded from exec (0x08048000), address 0]
Stack Frame

[Figure: stack frame layout, high addresses at the top: arguments, return address, stack frame pointer, exception handlers, local variables, callee saved registers; SP at the bottom; stack growth toward low addresses]
[Figure: stack overflow in Program P: *str overruns char buf[128] and overwrites the return address; NOP slide variant]

Longjmp buffers: longjmp(pos) (e.g. Perl 5.003). Overflowing buf next to pos overrides the value of pos.

[Figure: heap overflow of object T: vtable, NOP slide, data, shell code]
Control Hijacking
An example

    int func(char *buf1, char *buf2, unsigned int len1, unsigned int len2)
    {
        char temp[256];
        if (len1 + len2 > 256) { return -1; }   // length check
        memcpy(temp, buf1, len1);               // cat buffers
        memcpy(temp + len1, buf2, len2);
        do_something(temp);                     // do stuff
        return 0;
    }

What if len1 = 0x80, len2 = 0x80 ? len1+len2 = 0
Second memcpy() will overflow heap !!
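The wrap-around in the length check, as an added example that is not from the slides: the slide's test `len1 + len2 > cap` beside a hardened test that compares against the remaining space, plus a concatenation routine that only copies after the hardened check. Function names, the 32-bit `uint32_t` lengths and the constructed pair 0x80 / 0xffffff80 (whose 32-bit sum wraps to 0) are this example's assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's check with 32-bit unsigned lengths: len1 + len2 wraps
   around, so a huge len2 can slip past "> cap". */
int check_vulnerable(uint32_t len1, uint32_t len2, uint32_t cap)
{
    return (len1 + len2 > cap) ? -1 : 0;      /* 0 = accepted, -1 = rejected */
}

/* Hardened check: compare each length against the space that remains
   instead of adding them, so no intermediate value can wrap. */
int check_safe(uint32_t len1, uint32_t len2, uint32_t cap)
{
    if (len1 > cap || len2 > cap - len1)
        return -1;
    return 0;
}

/* Concatenate into temp only after the hardened check passes.
   Returns bytes written, or -1 if the inputs were rejected. */
int concat_safe(char *temp, size_t tempsz,
                const char *buf1, uint32_t len1,
                const char *buf2, uint32_t len2)
{
    if (tempsz > INT_MAX || check_safe(len1, len2, (uint32_t)tempsz) != 0)
        return -1;
    memcpy(temp, buf1, len1);
    memcpy(temp + len1, buf2, len2);
    return (int)(len1 + len2);
}

int main(void)
{
    /* Constructed lengths: 0x80 + 0xffffff80 == 0 in 32-bit arithmetic. */
    uint32_t len1 = 0x80, len2 = 0xffffff80u;
    printf("vulnerable check accepts: %d\n", check_vulnerable(len1, len2, 256) == 0);
    printf("hardened check accepts:   %d\n", check_safe(len1, len2, 256) == 0);
    return 0;
}
```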
[Figure. Source: NVD/CVE]
Problem: what if *user = "%s%s%s%s%s%s%s" ??
  Most likely program will crash: DoS.
  If not, program will print memory contents. Privacy?
  Full exploit using user = "%n"

Correct form: fprintf(stdout, "%s", user);
History

First exploit discovered in June 2000.
Examples:
Vulnerable functions

Any function using a format string.
  Printing: printf, fprintf, sprintf, vprintf, vfprintf, vsprintf, ...
  Logging: syslog, err, warn
Exploit

Dumping arbitrary memory:
  Walk up stack until desired pointer is found.
  printf("%08x.%08x.%08x.%08x|%s|")

Writing to arbitrary memory:
  printf("hello %n", &temp) -- writes 6 into temp.
  printf("%08x.%08x.%08x.%08x.%n")
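The correct form from the slide next to an audit helper, as an added example that is not from the slides: `print_user_safe` passes the user string as data, and `count_directives` (a constructed helper) counts printf conversion directives in an untrusted string and flags `%n`, which is what a code review or input-validation check would look for before a string reaches a format argument.

```c
#include <stdio.h>
#include <string.h>

/* Correct form from the slide: the user string is passed as data, never
   as the format. Returns the character count snprintf reports. */
int print_user_safe(char *out, size_t outsz, const char *user)
{
    /* The vulnerable form would be fprintf(stdout, user). */
    return snprintf(out, outsz, "%s", user);
}

/* Audit helper, constructed for this example: count printf conversion
   directives in an untrusted string and flag %n. A non-zero count on a
   string that reaches a format argument is the bug the slide describes;
   %n in particular turns a memory read into a memory write. */
int count_directives(const char *s, int *has_n)
{
    int n = 0;
    *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;        /* skip flags, width, precision, length */
        while (*q != '\0' && strchr("-+ #0123456789.*hlLqjzt", *q) != NULL)
            q++;
        if (*q == '\0')               /* truncated directive at end of string */
            break;
        if (*q == 'n')
            *has_n = 1;
        n++;
        p = q;
    }
    return n;
}

int main(void)
{
    int has_n;
    char out[64];
    const char *user = "%08x.%08x.%08x.%08x.%n";   /* constructed, from the slide */
    print_user_safe(out, sizeof out, user);
    printf("printed literally: %s\n", out);
    printf("directives: %d, contains %%n: %d\n", count_directives(user, &has_n), has_n);
    return 0;
}
```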
Control Hijacking
Platform Defenses
Audit software

Automated tools: Coverity, Prefast/Prefix.
NX bit in every Page Table Entry (PTE)
Deployment:
  Linux (via PaX project); OpenBSD
  Windows: since XP SP2 (DEP)
  Visual Studio: /NXCompat[:NO]

Limitations:
  Some apps need executable heap (e.g. JITs).
  Does not defend against Return Oriented Programming exploits
Response: randomization

ASLR: (Address Space Layout Randomization)
  Map shared libraries to rand location in process memory
    Attacker cannot jump directly to exec function
  Deployment: (/DynamicBase)
    Windows Vista: 8 bits of randomness for DLLs
      aligned to 64K page in a 16MB region ⇒ 256 choices
    Windows 8: 24 bits of randomness on 64-bit processors

Other randomization methods:
  Sys-call randomization: randomize sys-call ids
  Instruction Set Randomization (ISR)
ASLR Example

Booting twice loads libraries into different locations:
[Figure: library load addresses after two boots]

Note: everything in process memory must be randomized
  stack, heap, shared libs, image

Win 8 Force ASLR: ensures all loaded modules use ASLR
Control Hijacking
Run-time Defenses
Canary Types

Random canary:
  Random string chosen at program startup.
  Insert canary string into every stack frame.
  Verify canary before returning from function.
    Exit program if canary changed. Turns potential exploit into DoS.
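The random-canary mechanism as an added model in C, not code from the slides or from StackGuard: a `struct frame` stands in for a stack frame with the canary slot above the local buffer, `frame_enter` plays the prologue, `frame_copy` an unbounded copy, and `frame_leave` the epilogue check. The struct layout, function names and the constructed canary value are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a StackGuard frame, constructed for this example: the canary
   slot sits between the local buffer and the saved frame pointer /
   return address it shields. */
struct frame {
    char     buf[16];
    uint32_t canary;
};

static uint32_t g_canary;      /* random per-process value chosen at startup */
void canary_set(uint32_t value) { g_canary = value; }

/* Prologue: plant the canary in the frame. */
void frame_enter(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = g_canary;
}

/* An unbounded copy into buf, modelled as a write over the frame's bytes so
   that overlong input runs into the canary slot (capped at the frame size
   so the model itself stays memory safe). */
void frame_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, src, len);
}

/* Epilogue: 1 if the canary is intact, 0 if the frame was smashed (where
   StackGuard aborts instead of returning). */
int frame_leave(const struct frame *f)
{
    return f->canary == g_canary;
}

int main(void)
{
    struct frame f;
    canary_set(0xCE2EE0C2u);   /* constructed; real use draws this from OS randomness */
    frame_enter(&f);
    frame_copy(&f, "short", 5);
    printf("5-byte write, canary intact:  %d\n", frame_leave(&f));
    frame_enter(&f);
    frame_copy(&f, "AAAAAAAAAAAAAAAAAAAAAAAA", 24);   /* 24 > 16: spills into the canary */
    printf("24-byte write, canary intact: %d\n", frame_leave(&f));
    return 0;
}
```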
StackGuard (Cont.)

StackGuard implemented as a GCC patch.
  Minimal performance effects: 8% for Apache.

Note: Canaries don't provide full proof protection.
  Some stack smashing attacks leave canaries unchanged

Heap protection: PointGuard.
  Protects function pointers and setjmp buffers by encrypting them: e.g. XOR with random cookie
  Less effective, more noticeable performance effects
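The XOR-with-random-cookie idea behind PointGuard, as an added model that is not code from the slides or from PointGuard: a function pointer is stored encoded and decoded only when called, so a slot overwritten with a raw address decodes to somewhere else. The `handler_t` type, function names and the constructed cookie are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* PointGuard-style pointer encryption, constructed for this example: a
   function pointer is stored XORed with a per-process random cookie and
   decoded only at the moment it is called. */
typedef void (*handler_t)(void);

static uintptr_t g_cookie;     /* random per-process value chosen at startup */
void pointguard_set_cookie(uintptr_t cookie) { g_cookie = cookie; }

/* Encode on store. */
uintptr_t pg_encode(handler_t fn) { return (uintptr_t)fn ^ g_cookie; }

/* Decode on use. */
handler_t pg_decode(uintptr_t stored) { return (handler_t)(stored ^ g_cookie); }

void legit_handler(void) { puts("legit handler"); }

/* 1 if a stored slot still decodes to the expected target. An overwrite
   with a raw address, made without knowing the cookie, decodes to a
   different address that the attacker cannot predict. */
int pg_points_to(uintptr_t stored, handler_t expected)
{
    return pg_decode(stored) == expected;
}

int main(void)
{
    pointguard_set_cookie(0x5bd1e995u);   /* constructed; real use draws from OS randomness */
    uintptr_t slot = pg_encode(legit_handler);
    printf("untampered slot:           %d\n", pg_points_to(slot, legit_handler));
    if (pg_points_to(slot, legit_handler))
        pg_decode(slot)();                /* normal call path */
    slot = (uintptr_t)legit_handler;      /* model an overwrite with the raw address */
    printf("slot overwritten with raw: %d\n", pg_points_to(slot, legit_handler));
    return 0;
}
```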
Canary check emitted by the compiler (MSVC /GS) in the function epilogue:

    mov   ecx, DWORD PTR [esp+8]
    xor   ecx, esp
    call  @__security_check_cookie@4
    add   esp, 8
[Figure: two panels showing Libsafe strcpy and its caller main]
More methods

StackShield
  At function prologue, copy return address RET and SFP to safe location (beginning of data segment)
  Upon return, check that RET and SFP are equal to copy.
  Implemented as assembler file processor (GCC)

Control Flow Integrity (CFI)
  A combination of static and dynamic checking
    Statically determine program control flow
    Dynamically enforce control flow integrity
Control Hijacking
A reliable exploit?

    <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343%...");
    overflow-string = unescape("%u2332%u4276%...");
    cause-overflow( overflow-string );   // overflow buf[ ]
    </SCRIPT>

Problem: attacker does not know where browser places shellcode on the heap ???

[Figure: heap layout with buf[256], vtable, shellcode, and the heap spray area]
Allocate vuln. buffer in Javascript and cause overflow
Successfully used against a Safari PCRE overflow [DHM08]

Improvements: Heap Feng Shui [S07]
  Reliable heap exploits on IE without spraying
  Gives attacker full control of IE heap from Javascript
(partial) Defenses

Protect heap function pointers (e.g. PointGuard)
Better browser architecture:
  Store JavaScript strings in a separate heap from browser heap

End of Segment