more software vulnerabilities Flashcards Preview

comp sec > more software vulnerabilities > Flashcards

Flashcards in more software vulnerabilities Deck (28)
Loading flashcards...
1
Q

printf:

A

: prints a format string to the standard output (screen).
 Format string: a string with special format specifiers (escape sequences
prefixed with `%’)
 printf can take more than one argument. The first argument is the format
string; the rest consist of values to be substituted for the format specifiers

2
Q

Escape sequences are

A

Escape sequences are essentially instruction.

 Attack works by injecting escape sequences into format strings.

3
Q

how is information leaked from the stack

A

Correct function: printf(“x value: %d, y value: %d, z value: %d”, x, y, z);
 Four arguments are pushed into the stack as function parameter
Incorrect function: printf(“x value: %d, y value: %d, z value: %d”, x, y);
 The stack does not realize an argument is missing, and will retrieve the
unauthorized data from the stack as the argument to print out.
 Data are thus leaked to the attacker
A neat way to view the stack: printf(“%08x %08x %08x %08x %08x”);

4
Q

Attack 2: Crash the Program

A

Correct function: printf(“%s”, “Hello, World”);
 The pointer of the string is pushed into the stack as function parameter
Incorrect function: printf(“%s”);
 The stack does not realize an argument is missing, and will retrieve the data from
the stack to print out data at this address.
 This address can be invalidated and program will crash
 No physical address has been assigned to such address
 The address is protected (kernel memory)
Increase the crash probability: printf(“%s%s%s%s%s%s%s%s%s%s%s%s”);

5
Q

Attack 3: Modify the Memory

A

Correct function: printf(“13579%n”, &i);
 Store the number of characters written so far (5) into an integer (i)
Incorrect function: printf(“13579%n”);
 The stack does not realize an argument is missing, and will retrieve the data from
the stack and write 5 into this address.
 Attacker can achieve the following goal:
 Overwrite important program flags that control access privileges
 Overwrite return addresses on the stack, function pointers, etc.
Writing larger values (e.g., 105) to the stack: printf(“13579%100u%n”);

6
Q

Conversion from 2’s Complement

A

Flip all the bits and add 1:

7
Q

Integer Overflow

A

An integer is increased over its maximal value, or decreased below
its minimal value.
 Unsigned overflow: the binary representation cannot represent an integer
value.
 Signed overflow: a value is carried over to the sign bit
In mathematics: 𝑎 + 𝑏 > 𝑎 and 𝑎 − 𝑏 < 𝑎 for 𝑏 > 0
 Such obvious facts are no longer true for binary represented integers

8
Q

Example 1: Bypass Length Checking

A

OS kernel system-call handler checks string lengths to defend
against buffer overruns
The following condition will pass the checking
 len1 < sizeof(buf), len2 = 0xffffffff
 len2 + 1 = 0 so strncpy and strncat will still be executed.

9
Q

Example 2: Write to Wrong Mem Location

A

Consider an array starting at memory location 0xBBBB (on a 16-
bit machine)
Write to the element at the index of 0xC445
 0xBBBB + 0xC445 = 0x8000
The memory location at 0x8000 is overwritten!!
Must check lower bounds for array indices.

10
Q

Example 3: JPEG of Death

A

Jpeg processing in Windows XP and Windows Server 2003
 A Jpeg image is associated with a Comment section, with two fields:
 First two bytes: length field (the total length in byte of this comment, including
these two bytes)
 Rest part: the detailed comments.
 Copy the comments to memory:

11
Q

Integer overflow vulnerability:

A

Set len as 0
 size is 0xFFFE, size + 1 is 0xFFFF
 Overflow the heap

12
Q

malloc():

A

: allocate a piece of memory on the heap to a pointer

13
Q

free():

A

the allocated memory is freed, and the pointer becomes a

dangling pointer.

14
Q

Use-after-free:

A

: refer to a dangling pointer as it were still valid, after
its memory on the heap is freed.
 Can possibly affect another pointer to the freed memory

15
Q

Overwrite memory region

A

When buf1 is freed, allocated memory is available for reuse immediately.
 Then buf2 are possibly allocated in that region
 strncpy may overwrite buf2.

16
Q

Overwrite different types of data

A

The function address and buffer address can be possibly overwritten by y.
 Calling this function will give unexpected results.

17
Q

malloc(): again

A

 Maintains a doubly-linked list of free and allocated memory regions:
 A chunk tag is used to store information about the region
 Free bit: whether the chunk is allocated or free
 Links to the previous and next chunk tag

18
Q

Double-Free Vulnerability

A

free() is called more than once with the same memory address.
 Chunk tag can be corrupted and allow a malicious user to write values in arbitrary memory
spaces.
After the 1st free():
 The attacker might have a chance to write the freed regions and generate a fake chunk tag
with wrong links
For the 2nd free():
 When merging the links, wrong data will be filled in the wrong location
 Unexpected behaviors will happen

19
Q

Scripting languages

A

 Construct commands (scripts) from predefined code fragments and user
input at runtime
 Script is then passed to another software component where it is executed.
 It is viewed as a domain-specific language for a particular environment.
 It is referred to as very high-level programming languages
 Example:
 Bash, PowerShell, Perl, PHP, Python, Tcl, Safe-Tcl, JavaScript

20
Q

Vulnerabilities in Scripting languages

A

An attacker can hide additional commands in the user input.

 The system will execute the malicious command without any awareness

21
Q

Common Gateway Interface

A

Define a standard way in which information may be passed to and from the
browser and server.

22
Q

Example: CGI Script

A

Consider a server running the following command
cat $file | mail $clientaddress
 $file and $clientaddress are provided by the client.

Normal case:
 A client sets $file=hello.txt, and $clientaddress=127.0.0.1
cat hello.txt | mail 127.0.0.1
Compromised Input
 The attacker sets $file = hello.txt, and $clientaddress=127.0.0.1 | rm –rf /
 The command becomes:
cat hello.txt | mail 127.0.0.1 | rm -rf /
 After mailing the file, all files the script has permission to delete are deleted!

23
Q

Structured Query Language

A

A domain-specific language for database

 Particularly useful for handling structured data

24
Q

SQL Injection Vulnerabilities

A

Consider a database system that runs the following SQL commands
SELECT * FROM client WHERE name= $name
 Requires the user client to provide the input $name
Normal case:
 A user sets $name=Bob:
SELECT * FROM client WHERE name= Bob
Compromised input
 The attacker sets $name = Bob’ OR 1=1 –
SELECT * FROM client WHERE name= Bob’ OR 1=1 –
 1=1 is always true. So the entire client database is selected, and – is a comment
erasing anything that would follow.

25
Q

Real-World SQL Injection Attacks

A

CardSystems (2006)
 A major credit card processing company. Stealing 263,000 accounts and 43 million
credit cards.
7-Eleven (2007)
 Stealing 130 million credit card numbers
Turkish government (2013)
 Breach government website and erase debt to government agencies.
Tesla (2014)
 Breach the website, gain administrative privileges and steal user data.
Cisco (2018)
 Gain shell access.
Fortnite (2019)
 An online game with over 350 million users. Attack can access user data

26
Q

Cross-Site Scripting (XSS)

A

Targeting the web applications
 Some websites may require users to provide input, e.g., searching
Vulnerabilities
 A malicious user may encode executable content in the input, which can be
echoed back in a webpage
 A victim user later visits this web page and his web browser may execute
the malicious commands on his computer

27
Q

Stored XSS Attack (Persistent)

A

Attack steps
 The attacker discovers a XSS vulnerability in a website
 The attacker embeds malicious commands inside the input and sends it to
the website.
 Now the command has been injected to the website.
 A victim browses the website, and the malicious command will run on the
victim’s computers.

28
Q

Reflected XSS Attack (Non-persistent)

A

Attack steps
 The attacker discovers a XSS vulnerability in a website
 The attacker creates a link with malicious commands inside.
 The attacker distributes the link to victims, e.g., via emails
 A victim accidently clicks the link, which actives the malicious commands.