Hacking Module 16
2008 Batch-I
Module XVI
Buffer Overflows
Scenario
But this time lady luck was not smiling at him. The
web server of Tim's client had succumbed to a
buffer overflow attack. This was due to a flaw in
the code: bounds were not checked ...
Types of Buffer Overflows
Skills Required
Shellcode
NOPS
Attacking a real program
Countermeasures
Tools to defend Buffer Overflows
Real World Scenario
On Oct 19, 2000, hundreds of flights were grounded or delayed due
to a software problem in the Los Angeles air traffic control system.
The cause was attributed to a Mexican controller typing 9 (instead
of 5) characters of flight-description data, resulting in a buffer
overflow.
Why are Programs/Applications vulnerable?
Since there is a lot of pressure on deliverables,
programmers are bound to make mistakes, which are
overlooked most of the time.
Boundary checks are not done.
Programming languages such as C, which
programmers still use to develop packages and
applications, have inherent flaws.
The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(),
gets(), and scanf() calls in C can be exploited because
these functions don't check whether the buffer,
allocated on the stack, is large enough for the data
copied into it.
Good programming practices are not adhered to.
Buffer Overflows
A buffer overflow occurs when a program allocates a block of memory
of a certain length and then tries to place more data into the memory
space than allocated, with the extra data overflowing the space and
overwriting possibly critical information crucial to the normal
execution of the program. Consider the following source code:
#include <stdio.h>
#include <string.h>   /* strcpy() is declared here */

int main(int argc, char **argv)
{
    char target[5] = "TTTT";          /* 4 characters plus NUL fill the 5-byte buffer */
    char attacker[11] = "AAAAAAAAAA"; /* 10 characters plus NUL fill the 11-byte buffer */
    /* The source string is longer than attacker[]: strcpy() copies it
       anyway, and the excess bytes spill into the memory beyond attacker[],
       where target[] typically sits on the stack. This is the bug. */
    strcpy(attacker, " DDDDDDDDDDDDDD");
    printf("%s\n", target);   /* prints whatever the overflow left in target[] */
    return 0;
}
When this source is compiled into a program and the program is run,
it will assign a block of memory 32 bytes long to hold the name string.
This type of vulnerability is prevalent in UNIX and NT-based systems.
Reasons for Buffer Overflow attacks
3. How system calls are made (at the machine code level).
Manual auditing of code
Disabling Stack Execution
Safer C library support
Compiler Techniques
Tool to defend Buffer Overflow: Return Address Defender (RAD)
RAD is a simple patch for the compiler that
automatically creates a safe area to store a copy
of return addresses.
After that, RAD automatically adds protective
code into applications that it compiles to defend
programs against buffer overflow attacks.
RAD does not change the stack layout.
Tool to defend against Buffer Overflow: StackGuard
StackGuard: Protects Systems From Stack Smashing Attacks.
StackGuard is a compiler approach for defending
programs and systems against "stack smashing" attacks.
Programs that have been compiled with StackGuard are
largely immune to stack smashing attacks.
Protection requires no source code changes at all. When
a vulnerability is exploited, StackGuard detects the
attack in progress, raises an intrusion alert, and halts
the victim program.
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
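As an added example (not from the course material or the StackGuard project), the program below models the canary idea StackGuard applies to unchecked copies like the strcpy() shown earlier: a canary placed between the local buffer and the saved return address is checked after an unchecked copy, and a bounds-checked copy shows the "safer C library" alternative. The struct layout, the CANARY value and the placeholder return address are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define CANARY 0xDEADC0DEu  /* constructed; StackGuard uses random/terminator canaries */

/* Model of a StackGuard-protected frame: the canary sits between the
   local buffer and the saved return address, so an overflow that reaches
   the return address must first overwrite the canary. */
struct frame {
    char     buf[8];
    uint32_t canary;
    uint32_t saved_return;   /* stand-in for the real return address */
};

/* Unchecked copy, like strcpy(): writes the whole source starting at buf
   regardless of its size. Clamped to the struct so the model stays within
   defined behaviour; real code has no such clamp. */
static void unchecked_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);   /* buf is at offset 0 */
}

/* StackGuard-style check performed before the function would return. */
static bool copy_and_check(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.saved_return = 0x08048000u;   /* constructed placeholder address */
    unchecked_copy(&f, input);
    return f.canary == CANARY;      /* false means: halt, the frame is corrupt */
}

/* Bounds-checked alternative: refuses input that does not fit. */
static bool checked_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) return false;   /* no room for the bytes plus NUL */
    memcpy(dst, src, n + 1);
    return true;
}

/* Same check against a constructed 8-byte destination. */
static bool checked_copy_fits(const char *input)
{
    char dst[8];
    return checked_copy(dst, sizeof dst, input);
}

int main(void)
{
    const char *ok  = "TTTT";               /* fits in buf[8] */
    const char *bad = "AAAAAAAAAAAAAAAA";   /* 16 'A's: overruns buf and the canary */
    printf("short input: canary %s\n", copy_and_check(ok) ? "intact" : "CLOBBERED");
    printf("long input:  canary %s\n", copy_and_check(bad) ? "intact" : "CLOBBERED");
    printf("checked_copy(long): %s\n", checked_copy_fits(bad) ? "copied" : "rejected");
    return 0;
}
```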
Tool to defend Buffer Overflow: Immunix System
Immunix System 7 is an Immunix-enabled RedHat
Linux 7.0 distribution and suite of application-level
security tools.
Immunix secures a Linux OS and applications.
Immunix works by hardening existing software
components and platforms so that attempts to exploit
security vulnerabilities fail safe, i.e., the
compromised process halts instead of handing control to
the attacker, and is then restarted.
http://immunix.org
Vulnerability Search - ICAT
Summary