
Why doesn’t “gets()” get it?





  1. Why doesn’t “gets()” get it?
     Or more formally: An investigation into the use of the buffer overflow vulnerability in the C function gets().
     CS591-F2005, UCCS, Frank Gearhart

  2. Scope of research
     Compare the gets() function with the strcpy() function, looking for the area(s) where differences in code may contribute to differences in exploit behavior.

  3. Research plan
     • Compare C code of strcpy() & gets()
     • Compare assembly code of strcpy() & gets()
     • Find suspicious areas that might explain the difference in exploit behavior between strcpy() & gets()
     • Determine how this difference might be used to exploit gets() in a new way

  4. Function definitions
     From “C: The Complete Reference”, 4th Ed., p. 372:
     “char *strcpy(char *str1, const char *str2);
     The strcpy() function copies the contents of str2 into str1. str2 must be a pointer to a null-terminated string. The strcpy() function returns a pointer to str1.”
     From “C: The Complete Reference”, 4th Ed., p. 331:
     “char *gets(char *str);
     The gets() function reads characters from stdin and places them into the character array pointed to by str. Characters are read until a newline or an EOF is received. The newline character is not made part of the string; instead, it is translated into a null to terminate the string. If successful, gets() returns str; a null pointer is returned upon failure.”

  5. Comparison of gets() & strcpy()
     gets()
     • Reads from stdin or a newline/EOF-terminated file
     • 110 lines of assembly
     • May call up to four other functions directly, with up to five sub-levels of calls to up to 18 additional functions
     strcpy()
     • Reads from a null-terminated buffer
     • 16 lines of assembly
     • No calls to other functions
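The two functions quoted on slide 4 and compared on slide 5 differ in where their bound comes from: strcpy() stops at the source's terminating null and gets() stops at a newline or EOF, and neither is told the size of the destination. The following is an added example, not code from the presentation or from the GNU C Library, showing a bounded reader that keeps the gets() semantics quoted on slide 4 (newline dropped and replaced by a null terminator, an EOF status where gets() would return a null pointer) and a bounded copy that checks the destination size before writing. The names bounded_gets, bounded_copy and stream_from, the status codes, and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Status values so a caller can distinguish "fit" from "input was cut". */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/*
 * bounded_gets (hypothetical name): reads one line from `in` into buf,
 * keeping the visible semantics of gets() quoted on slide 4 (characters
 * are read until newline or EOF, the newline is not stored, a null
 * terminates the string) but never writing past buf[size - 1].
 * A line longer than the buffer is cut to size - 1 bytes, the rest of
 * that line is drained so the next call starts on the next line, and
 * READ_TRUNCATED is reported.  READ_EOF corresponds to gets() returning
 * a null pointer: nothing was read before end of file.
 */
enum read_status bounded_gets(char *buf, size_t size, FILE *in)
{
    if (buf == NULL || size < 2)
        return READ_EOF;

    /* fgets() is the bounded primitive: at most size - 1 bytes plus a null. */
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* newline becomes the terminator, as in gets() */
        return READ_OK;
    }

    /* No newline stored: the line ended at EOF, fit exactly, or was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;             /* last line, or exact fit with its newline consumed */

    /* Too long: discard the remainder of this line instead of leaving it for the next call. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return READ_TRUNCATED;
}

/*
 * bounded_copy (hypothetical name): strcpy() with an explicit destination
 * size.  Returns 0 and copies src (including its null) when it fits;
 * returns -1 and leaves dst as an empty string when it does not, so a
 * partially copied, unterminated string is never produced.
 */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    size_t need = strlen(src) + 1;
    if (need > dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Helper for trying the reader offline: turn a constructed string into a FILE* via tmpfile(). */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    char line[16];
    enum read_status st;
    /* Read stdin line by line; a line longer than 15 bytes is reported, not overflowed. */
    while ((st = bounded_gets(line, sizeof line, stdin)) != READ_EOF)
        printf("%s: \"%s\"\n", st == READ_TRUNCATED ? "truncated" : "ok", line);
    return 0;
}
```

The draining step is the part that matters for the comparison on slide 5: gets() consumes the whole line no matter how long it is, so a bounded replacement that only reads size - 1 bytes and stops would leave the rest of an over-long line in the stream to be read as the "next" line, changing the program's behaviour in a different way. Reporting READ_TRUNCATED lets the caller decide whether a cut line is an error.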

  6. Difference in exploit behavior
     strcpy()
     • When using exploit3 on ‘vulnerable’ with an appropriate buffer size, the result is a new shell.
     gets()
     • When using exploits similar to exploit3 in an input file on a simple program that uses gets() (e.g. ‘bo.c’ in homework 2), the result is usually a segmentation fault.

  7. Areas of interest
     • gets() calls the “_IO_getline” function, which is the function that actually reads in the characters.
     • Why does putting shellcode in an environment variable have no effect, while putting shellcode in an input file results in segmentation faults?

  8. Current status
     • C code reviewed - no significant differences
     • Assembly code - significant differences, but no smoking gun yet
     • Using the gdb debugger while running exploit code under various conditions - in progress

  9. Intermediate conclusions
     • gets() is a more complicated function than strcpy()
       • 110 lines of assembly vs. 16 lines
       • Up to six sub-levels of up to 22 function calls vs. no function calls
     • Complexity makes analyzing the code more difficult
     • More work is needed
       • Continuing to run bo & various exploit codes under gdb

  10. References
     • Schildt, Herbert, C: The Complete Reference, 4th Ed., 2000, Osborne/McGraw-Hill, Berkeley, CA
     • GNU C Library, 1997, Free Software Foundation Inc., Boston, MA
     • Foster, James C., et al., Buffer Overflow Attacks, 2005, Syngress Publishing Inc., Rockland, MA
