Libsafe for Windows

Shuo Chen

Mentor: Timothy K. Tsai

Avaya Labs

Aug. 16, 2001


Background: Libsafe for Linux

  • Released in April 2000, Libsafe has gained popularity in the Linux community.

  • Libsafe is very easy to install. Once installed, Libsafe does its job transparently.

  • Libsafe does not need access to the source code of the program to be protected.

  • Libsafe protection is system-wide: on Linux it is preloaded into every dynamically linked process (LD_PRELOAD or /etc/ld.so.preload), so it attaches to applications automatically.

  • Libsafe incurs only a slight overhead.


Motivation for porting Libsafe to Windows

  • Windows is also susceptible to buffer overflow attacks.

  • Unchecked string functions are still widely used in Windows system DLLs and applications.

From 1999 to 2001, 54 buffer overflow bugs in Microsoft products running on Windows were reported to SecurityFocus.com; eleven of them were reported between January and August 2001.

Our investigation reveals that:

1) 63% of executables and DLLs still use unchecked string functions.

2) 83% of services still use unchecked string functions.


Magic of Microsoft Detours

  • At run time Detours overwrites the first instructions of the target function with an unconditional jump to the detour function; the displaced instructions are preserved in a trampoline function, which the detour calls whenever it needs the original target. The source function (the caller) is untouched, so nothing has to be recompiled.


Sample exploit program

[Stack layout: buffer (80 bytes) | fp | ra. The input fills them with attack code | garbage | &buffer, so the saved return address ends up pointing back into the buffer.]

    void foo(char *input_string)
    {
        char buffer[80];
        strcpy(buffer, input_string);   /* unchecked: writes past buffer into fp and ra */
        return;
    }

    /* input_string = attack code + garbage + &buffer
       total length = 88 bytes */

A vulnerable program running without Libsafe


Sample exploit program(cont.)

[Stack layout: buffer (80 bytes) | fp | ra. Libsafe bounds the copy at the saved frame pointer, so max_size = 80.]

    void foo(char *input_string)
    {
        char buffer[80];
        strcpy(buffer, input_string);   /* intercepted and redirected to libsafeStrcpy */
        return;
    }
    /* len(input_string) = 88 bytes */

    char *libsafeStrcpy(char *dest, const char *src)
    {
        /* max_size = distance from dest to the saved frame pointer of the
           frame that owns dest; here max_size = 80 */
        if (strlen(src) >= max_size)     /* no room for src and its NUL below fp */
            report the event;            /* the copy is refused */
        else
            return strcpy(dest, src);
    }

A vulnerable program running with Libsafe
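As an added example (not code from the original slides), the check that Libsafe's strcpy detour performs, modelled in portable C so it can be run anywhere: the stack frame from the slide is an explicit byte array, and the address of the saved frame pointer is passed in rather than found by walking the frame-pointer chain, so neither the Windows-only Detours hook nor the frame walk is shown. The frame layout (32-bit slots, matching the 88-byte input), the constructed attack string, the fill byte 0xCC and the names attack_input, foo, libsafe_max_size and libsafe_strcpy are all assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the frame on the slide (32-bit layout, as in the 88-byte input):
 * buffer[80] | saved fp (4) | ra (4).  Eight extra bytes stand in for the
 * caller's frame so that the overflowing copy stays inside the array. */
#define BUF_SIZE   80
#define FP_OFF     (BUF_SIZE)        /* saved frame pointer slot     */
#define RA_OFF     (BUF_SIZE + 4)    /* return address slot          */
#define FRAME_SIZE (BUF_SIZE + 16)
#define UNTOUCHED  0xCC              /* fill byte: slot still intact */

/* Libsafe's bound: a copy into a stack buffer must not reach the saved frame
 * pointer of the frame that owns it.  frame_fp is the address of that slot
 * (real Libsafe finds it by walking the frame-pointer chain).  A NULL
 * frame_fp models "dest is not on the stack, or no frame pointer": Libsafe
 * then has no bound and falls through to the unchecked function. */
static size_t libsafe_max_size(const char *dest, const char *frame_fp)
{
    if (frame_fp == NULL || dest >= frame_fp)
        return SIZE_MAX;
    return (size_t)(frame_fp - dest);
}

/* Checked strcpy as the detour would perform it.  Returns false when the
 * copy was refused (Libsafe reports the event instead of copying). */
static bool libsafe_strcpy(char *dest, const char *src, const char *frame_fp)
{
    size_t max_size = libsafe_max_size(dest, frame_fp);
    size_t len = strlen(src);

    /* len >= max_size: no room for src and its NUL below the saved fp */
    if (len >= max_size) {
        fprintf(stderr, "libsafe: strcpy of %zu bytes into %zu-byte region refused\n",
                len + 1, max_size);
        return false;
    }
    memcpy(dest, src, len + 1);
    return true;
}

/* Constructed input matching the slide: 80 bytes standing in for the attack
 * code, 4 bytes of garbage over fp, 4 bytes standing in for &buffer over ra. */
static const char *attack_input(void)
{
    static char s[BUF_SIZE + 8 + 1];
    memset(s, 'A', BUF_SIZE);                          /* attack code        */
    memcpy(s + BUF_SIZE, "GGGG", 4);                   /* garbage over fp    */
    memcpy(s + BUF_SIZE + 4, "\xef\xbe\xad\xde", 4);   /* fake &buffer -> ra */
    s[BUF_SIZE + 8] = '\0';                            /* 88 bytes total     */
    return s;
}

enum foo_result { FOO_COPIED = 0, FOO_REFUSED = 1, FOO_RA_CLOBBERED = 2 };

/* The slide's foo() run against the model frame, with or without Libsafe. */
static enum foo_result foo(const char *input_string, bool with_libsafe)
{
    unsigned char frame[FRAME_SIZE];
    char *buffer = (char *)frame;                       /* char buffer[80]; */
    const char *fp_slot = (const char *)frame + FP_OFF;

    memset(frame, UNTOUCHED, sizeof frame);

    if (with_libsafe) {
        if (!libsafe_strcpy(buffer, input_string, fp_slot))
            return FOO_REFUSED;
    } else {
        strcpy(buffer, input_string);                   /* the unchecked original */
    }

    /* Did the copy reach the return address slot? */
    for (size_t i = RA_OFF; i < RA_OFF + 4; i++)
        if (frame[i] != UNTOUCHED)
            return FOO_RA_CLOBBERED;
    return FOO_COPIED;
}

int main(void)
{
    printf("without Libsafe: %d (2 = return address overwritten)\n",
           foo(attack_input(), false));
    printf("with Libsafe:    %d (1 = copy refused)\n", foo(attack_input(), true));
    printf("benign input:    %d (0 = copied, frame intact)\n", foo("Shuo Chen", true));

    /* Limitation from the slides: a buffer Libsafe cannot place in a stack
     * frame (heap, or no frame pointer) gets no bound; the copy goes through. */
    char *heap = malloc(128);
    if (heap) {
        printf("heap buffer:     %s\n",
               libsafe_strcpy(heap, attack_input(), NULL) ? "copied (bypassed)" : "refused");
        free(heap);
    }
    return 0;
}
```

The refusal hinges on the strict comparison: 88 bytes of source need 89 bytes including the terminator, and the bound is the 80 bytes below the saved frame pointer, so anything that would touch fp is rejected even before it reaches ra.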


Real exploit: vCard buffer overflow

  • When a .vcf file contains a long BDAY string, a buffer in Windows Address Book (wab.exe) will overflow.

    BEGIN:VCARD

    VERSION:2.1

    N:Chen;Shuo

    FN:Shuo Chen

    BDAY:19750317AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    EMAIL;PREF;INTERNET:[email protected]

    REV:20010619T141800Z

    END:VCARD


Real exploit: Netscape Smartdownload 1.3 buffer overflow

  • A component for URL parsing has an unchecked buffer.

    <HTML><BODY>

    This is a test.<P>

    <A HREF="http://www.yahoo.com/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zip" onMouseOver="window.status='I am friendly'; return true">Crash Me</A><P>

    End test.

    </BODY></HTML>


Real exploit: FrontPage Server Extension sub-component buffer overflow vulnerability

When we make the following request (the query string is 258 bytes of "A"):

    $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`

we get this response:

    <HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</b> at this time.</BODY>

But if the query string is longer than 258 bytes, a buffer overflow occurs:

    $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`


IIS running without Libsafe: Remote attack succeeds (Screen Shots)

Start attack from kira

Try to get a shell

Get full access


IIS running with Libsafe: Remote attack fails (Screen Shots)

Start attack from kira

Try to get a shell

Attack fails


Limitations of Libsafe

  • The overflow must be caused by one of the string functions that Libsafe intercepts.

  • The program to be protected must be compiled with frame pointers, since Libsafe locates the frame that owns the destination buffer by walking the frame-pointer chain.

  • The attack string must be trying to overwrite the return address, which implies that the buffer has to be on the stack. Heap and static buffers get no bound.

    (When Libsafe cannot determine a bound it passes the call through to the original function unchanged; it does no harm to the program.)


My work this summer

  • Investigated the effectiveness of Libsafe on Windows

  • Ported Libsafe to Windows

  • Tested Libsafe with sample/real-world exploit programs

  • Wrote a detailed TM

  • This work will be distributed internally and externally


Acknowledgment

  • My mentor: Tim Tsai

  • ARC Help people: Tarek Warraky, Lookman Fazal and Eniko Kovacs

  • My “first-week-mentors”: Navjot Singh and Hamilton Slye

