Non-Stack Buffer Overflow and Pointer Subterfuge

Size: px

Start display at page:

Download "Non-Stack Buffer Overflow and Pointer Subterfuge"

Millicent Mitchell
7 years ago
Views:

1 Non-Stack Buffer Overflow and Pointer Subterfuge Wei Wang 1

2 The Memory Layout of Process in Linux Kernel space kernel Objections Stack function related data Heap dynamically allocated memory Data segment global variables & constants Text segment code to execution High Addr Low Addr Kernel Space Environment Variables Program Arguments Stack Heap Data Segment Text (code) Segment 2

3 Like Any Other Data, Buffers do not Only Reside in Stack Buffers can reside in data section global buffers static local buffers of functions Buffers can reside in heap e.g., buffers allocated using malloc Similar to stack, buffer overflow can happen to the buffers in data section and heap as well 3

4 Heap Buffer Overflow: A Simple Example Considering the following code: int main(){ char *buff; char *FileName; buff=(void*)malloc(16); FileName=(void*)malloc(16); strcpy(filename, harmless.txt ); gets(buff); f = fopen(filename, r ); display(f); } return 0; 4

5 Heap Buffer Overflow: A Simple Example cont'd Two buffers buff and FileName are allocated dynamically with malloc. In memory, buff and FileName are next to each other buff some string FileName Harmless.txt gets(buff) has an buffer overflow vulnerability Overrun buff can write to FileName 5

6 Heap Buffer Overflow: A Simple Example cont'd The attacker can easily overrun buff and change the value of FileName Let's try it out 6

7 Heap Buffer Overflow: Arbitrary Memory Write In the above slide, there is gap between buff and FileName. What is in the gap? malloc breaks memory into chuncks The gap is the meta data of each chunk 7

8 Heap Buffer Overflow: Arbitrary Memory Write cont'd Meta data include: prev_size: size of previous chunk Size: size of this chunk PREV_INUSE: whether previous chunk in use fd, bk: forward and backward pointer; used by free chunks to link free chunks into linked-list size size prev_size fd bk Data (e.g., buff) prev_size fd bk PREV INUSE PREV INUSE Data (e.g., FileName) 8

9 Heap Buffer Overflow: Arbitrary Memory Write cont'd The fd and bk pointers links free chunks into a linked list for a fast allocation When free is called, malloc inserts freed chunk into the free linked list Malloc also tries to merge adjacent free chunks into one big free chunk This merge performs some memory writes based on fd and bk pointers. The merge function is call unlink 9

10 Heap Buffer Overflow: Arbitrary Memory Write cont'd The a heap buffer is overrun, the fd and bk pointers may be compromised. Attackers can change the fd and bk pointers to point to some memory they wants to write. The write will happen during free chunk merge, allowing arbitrary memory addressed to be written If interested, more details can be found at 10

11 Stack/Heap Buffer Overflow: In some extreme case, stack/heap buffer overflow can reach each other If interested, check this out: om/resources/misc- 2010/xorg-largememory-attacks.pdf Stack Heap 11

12 Data Section Buffer Overflow: A Simple Example Consider the following code int main(){ static char buff[16]; static char *FileName = harmless.txt ; gets(buff); f = fopen(filename, r ); display(f); } return 0; buff and FileName reside in data section. 12

13 Data Section Buffer Overflow: A Simple Example Similar to the heap buffer overflow example, buff and FileName are close to each other However, in this example, FileName is only a pointer (4-byte address value) buff FileName some string addr of a str Question: how to write the attack string? Assuming you know the address of buff and FileName Compare your attack string with my code example 13

14 Non-stack Buffer Overflow Summary Buffers can also reside in heap and data sections, in addition to stack Heap and data section buffer can be overrun and exploit as well Although heap and data section does not have return address, they are Sometime easier to attack Have other important data, e.g., malloc meta data 14

15 Pointer Subterfuge Consider the following code: int main(){ int *ptr = ; int val = ; char buf[16]; } gets(buf); *ptr = val; return 0; Overrun buf may change the values of both ptr and val, causing arbitrary memory write 15

16 Pointer Subterfuge cont'd Pointer subterfuge is an attack there deliberately modify the value of pointer Originally an attack to overcome stack protection techniques Pointer subterfuge is an powerful attack by itself 16

17 Pointer Subterfuge cont'd Some Pointers subterfuge attacks: Function pointer clobbering (function pointers) Data pointers modification (data pointers) May modify arbitrary memory, including return addres, PLT and GOT PLT: procedure linkage table (for dynamically linked functions) GOT: global offset table (for dynamically linked functions, external variables and position-independent-code) Attacker can change function addresses with in PLT and GOT VPTR smashing (C++ virtual pointers) Virtual pointer points to virtual method table (v-table) Can compromise v-table entries 17

Defense in Depth: Protecting Against Zero-Day Attacks

Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth