Xeny
Registered: 02/15/08
Posts: 387
Last seen: 4 years, 5 months
Format String Attack (you gotta be experienced with coding)
#8030438 - 02/16/08 08:34 AM (16 years, 3 months ago)
Maybe this is not suited for this forum, but hell, you guys would read anything.
Format string attacks are a class of software vulnerability discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.
A typical exploit uses a combination of these techniques to force a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious Shellcode. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute.
Format bugs arise because C's argument passing conventions are not type-safe. In particular, the varargs mechanism allows functions to accept any number of arguments (e.g. printf) by "popping" as many arguments off the call stack as they wish, trusting the early arguments to indicate how many additional arguments are to be popped, and of what types.
Format string bugs can occur in other programming languages besides C, although they appear with less frequency and usually cannot be exploited to execute code of the attacker's choice.
I got this completely from Wikipedia, http://en.wikipedia.org/wiki/Format_string_attacks
If there's still someone reading, you gotta be interested. Here I will describe how to do this on Alpha Linux systems. Have a go, and let me know how you did.
<case of buffer overflow exploit>
"/* align */"
"/* nops */"
"/* shellcode */"
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"\xc0\xfe\xff\x1f\x01\x00\x00\x00" /* return addresses */
If the above string is our arbitrary string, then it is recognized as this:
"/* align */"
"/* nops */"
"/* shellcode */"
"\xc0\xfe\xff\x1f\x01" <- the \x00 that follows would be recognized as the end of the string.
This shows why an Alpha Linux buffer overflow exploit can only get one return address, and that is a fatal problem for a format string bug exploit. As a matter of fact, an arbitrary format string is constructed with two or more addresses like this:
<case of format string exploit>
"\xc0\xfe\xff\x1f\x01\x00\x00\x00"
"\xc2\xfe\xff\x1f\x01\x00\x00\x00"
"\xc3\xfe\xff\x1f\x01\x00\x00\x00"
"\xc4\xfe\xff\x1f\x01\x00\x00\x00"
"blah%blah .u%hn"
"blah%blah .u%hn"
"blah%blah .u%hn"
"blah%blah .u%hn"
It seems to be impossible to set those strings into our program's environment variables or arguments properly. I explained the reason already. Environment variables are read as a string before the program is started, and they are read as a common string (a string is a sequence of bytes terminated by a null, 0x00). Arguments are also read as a string; it works like the environment variable case. So we couldn't construct our arbitrary format string in the environment variables or arguments with the expected branch address and control directives.
But how about applying this to programs that use fgets() or read() to get the user input string? How about applications that use functions which get the user input string through a file descriptor? This is the point of this document.
For instance, fgets() reads the string from the file descriptor until EOF (-1) is encountered. It means null (0x00) is no longer a problem for us, so we could put something like 64-bit addresses and arbitrary format control directives into its stack. Exactly: 0x00 could be passed to that application. We could use it as our arbitrary format string. As a result, it gives us more chances.
"aaaaaaa\x00\x00\x00\x01\x1f\xff\xff\xff%p"
If the application uses fgets() for the user input string, binary characters could be passed and set in its stack. So our hell string would be stored in the application stack. You can confirm what it looks like if you do this right.
-- snip1 --
0x11ffff7b0 1a 00 00 00 00 00 00 00 61 61 61 61 61 61 61 00 ........aaaaaaa.
0x11ffff7c0 00 00 01 1f ff ff ff 25 70 00 df 03 00 00 00 00 .......%p.......
-- snip2 --
But there is another problem: printf()-style functions recognize it as a string, which is cut off at the null, so they would parse only the above string as the "aaaaaaa" character set.
It prints only "aaaaaaa" and does nothing after that. Parsing is over. However, we need not worry about that; it can be solved simply. We know that we can use '%digit$' directives to pull something out of the stack, and if we place the command string at the front of the string, then we can keep our work going successfully.
"%<digit>$p%<digit+1>$p\x00\x00\x00\x01\xff\xff\xff\xff\x00\x00\x00\x01\xfc\xff\xff\xff"
The rest of our work is doing the exploit.
If anyone reads this and tries it for themselves, let me know the results.
--------------------
I love you. While you're still sleeping the saints are still weepin', 'cause things you call dead haven't yet had the chance to be born. -Scatman John
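The behaviour the post above leans on, as an added example that is not Xeny's code and is not tied to Alpha Linux: fgets() stores every byte of a line, embedded NULs included, while any function that treats the buffer as a C string (a "%s" argument, or a format parser) stops at the first NUL. The program below reads two constructed sample lines through a real fgets() call and reports both views, and adds a small scanner a defender can run over untrusted text to count printf conversion specifiers (including positional "%7$p" forms) and flag any "%n" variant before the text gets anywhere near a formatting function. The sample byte strings are constructed here, modelled on the ones in the post; struct view, read_line_raw, count_conversions, has_n_specifier and inspect_line are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample lines (modelled on the thread's strings; not real
 * payloads).  They contain NULs, so we carry an explicit length. */
static const char SAMPLE_NUL_FIRST[]  = "aaaaaaa\0\0\0\x01\x1f\xff\xff\xff%p";
static const char SAMPLE_CONV_FIRST[] = "%7$p%8$p\0\0\0\x01\xff\xff\xff\xff";
#define RAW_LEN(s) (sizeof(s) - 1)

struct view {
    size_t stored;    /* bytes fgets() copied into the buffer */
    size_t visible;   /* strlen(): what "%s" or a format parser sees */
    int conversions;  /* conversions a parser finds before the first NUL */
    int has_n;        /* whether one of them is a %n variant */
};

/* Feed INPUT through fgets() exactly as a program reading a file would.
 * The buffer is pre-filled with a sentinel (0x7f, absent from the samples)
 * so the bytes fgets() stored can be counted even past embedded NULs.
 * Returns that count, excluding the terminating NUL fgets() appends. */
size_t read_line_raw(const char *input, size_t len, char *buf, size_t bufsz) {
    memset(buf, 0x7f, bufsz);
    buf[0] = '\0';
    FILE *fp = tmpfile();                      /* portable in-memory stand-in */
    if (fp == NULL) return 0;
    if (fwrite(input, 1, len, fp) != len) { fclose(fp); return 0; }
    rewind(fp);
    char *got = fgets(buf, (int)bufsz, fp);
    fclose(fp);
    if (got == NULL) { buf[0] = '\0'; return 0; }
    size_t n = bufsz;
    while (n > 0 && (unsigned char)buf[n - 1] == 0x7f) n--;
    return n > 0 ? n - 1 : 0;
}

/* Scan S as a printf() format and count conversions that consume an
 * argument (a '*' width or precision counts as one of its own).  "%%" is
 * a literal percent.  *HAS_N is set if any %n variant appears, the one
 * specifier that turns a read of the stack into a write. */
int count_conversions(const char *s, int *has_n) {
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        /* flags, width, precision and the "$" of a positional index */
        while (*p != '\0' && (isdigit((unsigned char)*p) || strchr("-+ #.$*", *p) != NULL)) {
            if (*p == '*') count++;
            p++;
        }
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL) p++;   /* length modifiers */
        if (*p == '\0') break;                 /* spec cut off by end of string */
        if (*p == 'n' && has_n) *has_n = 1;
        count++;
    }
    return count;
}

int has_n_specifier(const char *s) {
    int n;
    count_conversions(s, &n);
    return n;
}

/* Both views of one line: what fgets() stored versus what a C-string
 * consumer (and therefore a format parser) would ever get to see. */
struct view inspect_line(const char *input, size_t len) {
    char buf[64];
    struct view v;
    v.stored = read_line_raw(input, len, buf, sizeof buf);
    v.visible = strlen(buf);
    v.conversions = count_conversions(buf, &v.has_n);
    return v;
}

int main(void) {
    struct view a = inspect_line(SAMPLE_NUL_FIRST, RAW_LEN(SAMPLE_NUL_FIRST));
    struct view b = inspect_line(SAMPLE_CONV_FIRST, RAW_LEN(SAMPLE_CONV_FIRST));
    printf("NUL first : stored=%zu visible=%zu conversions=%d\n", a.stored, a.visible, a.conversions);
    printf("conv first: stored=%zu visible=%zu conversions=%d\n", b.stored, b.visible, b.conversions);
    printf("%%n in \"AAAA%%08x%%hn\": %d\n", has_n_specifier("AAAA%08x%hn"));
    return 0;
}
```

Run it and the first sample shows 17 bytes stored but only 7 visible with no conversions, which is the "parsing is over" situation the post describes; the second shows 16 stored, 8 visible and two conversions, because the directives were placed in front of the NUL. The scanner is the defensive takeaway: text that is supposed to be plain data should contain zero conversions, and a "%n" in anything user-supplied is worth an alert on its own.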
Thin White Duke
Stranger
Registered: 10/20/04
Posts: 51,530
Re: Format String Attack (you gotta be experienced with coding) [Re: Xeny]
#8030453 - 02/16/08 08:41 AM (16 years, 3 months ago)
I'm not reading that.
Prisoner#1
Even Dumber Than Advertized!
Registered: 01/22/03
Posts: 193,665
Loc: Pvt. Pubfag NutSuck
Re: Format String Attack (you gotta be experienced with coding) [Re: Thin White Duke]
#8030520 - 02/16/08 09:09 AM (16 years, 3 months ago)
Quote:
Phumfeinz said: I'm not reading that.
Xeny
Registered: 02/15/08
Posts: 387
Last seen: 4 years, 5 months
Re: Format String Attack (you gotta be experienced with coding) [Re: Thin White Duke]
#8030760 - 02/16/08 10:45 AM (16 years, 3 months ago)
Quote:
Phumfeinz said: I'm not reading that.
that's sad
Colonel Kurtz Ph.D
What What?
Registered: 07/22/04
Posts: 11,113
Loc: Shadow Moses
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Xeny]
#8030886 - 02/16/08 11:26 AM (16 years, 3 months ago)
This thread was moved from Off-Topic Discussion.
Reason: Maybe it will make sense in S&T?
tak
geo's henchman
Registered: 11/20/00
Posts: 3,776
Loc: nowhereland
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Colonel Kurtz Ph.D]
#8032931 - 02/16/08 10:01 PM (16 years, 3 months ago)
It's sad that this is even a problem in today's world. It makes me think of Diploid's repeated rantings about proprietary encryption algorithms... "Security through obscurity."
At least there are people keeping them on their toes.
-------------------- The DJ's took pills to stay awake and play for seven days.
Xeny
Registered: 02/15/08
Posts: 387
Last seen: 4 years, 5 months
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: tak]
#8033796 - 02/17/08 06:30 AM (16 years, 3 months ago)
you're right, all we do is improve security by fucking it up
Diploid
Cuban
Registered: 01/09/03
Posts: 19,274
Loc: Rabbit Hole
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: tak]
#8034882 - 02/17/08 02:17 PM (16 years, 3 months ago)
Grrr! Don't get me started on one of my rants!
-------------------- Republican Values: 1) You can't get married to your spouse who is the same sex as you. 2) You can't have an abortion no matter how much you don't want a child. 3) You can't have a certain plant in your possession or you'll get locked up with a rapist and a murderer. 4) We need a smaller, less-intrusive government.
Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 3 months, 8 days
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Diploid]
#8036571 - 02/18/08 02:58 AM (16 years, 3 months ago)
I'm having a difficult time following the exploit. A normal buffer overflow exploit takes advantage of the buffer overflow to overwrite the function's return address to point to executable code left in the buffer. When the function returns, the code in the buffer is executed to do something nasty.
With varargs and string formats, even if the incoming data is obfuscated to confuse the formatting string, nothing is written into the stack. The return address is never munged, so the executable code pushed into the buffer is never executed. Sure, the output may be garbage, but I don't see an exploit. You may be able to print "garbage" off the stack, but the stack isn't corrupted and the return address is still valid.
Just because we can corrupt a buffer on the stack does not mean that we can execute the corrupt buffer. Unless he finds a way to corrupt the return address or some other method of executing the corrupt buffer, then there is no exploit.
Does anybody see what I am missing?
-------------------- Just another spore in the wind.
Diploid
Cuban
Registered: 01/09/03
Posts: 19,274
Loc: Rabbit Hole
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Seuss]
#8036686 - 02/18/08 05:19 AM (16 years, 3 months ago)
Yeah, something doesn't make sense.
The printf format string is parsed at compile-time. By run-time, it's not relevant any more, though I guess you could be dynamically creating it. In that case you can make printf crap at run-time by passing it a format string in an array where you forgot the terminating NULL, but I don't think that's what's being described here, and it seems like a bad design from the start too.
Forgetting the NULL is a pretty elementary error. A seasoned C coder shouldn't make that mistake (or should catch it during code review at worst), not to mention this type of error is one reason CString was invented.
Colonel Kurtz Ph.D
What What?
Registered: 07/22/04
Posts: 11,113
Loc: Shadow Moses
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Seuss]
#8037145 - 02/18/08 09:17 AM (16 years, 3 months ago)
Are you guys talking about heavy metal bands?
--------------------
There's no better way to rock out than with your cock out!!
Diploid
Cuban
Registered: 01/09/03
Posts: 19,274
Loc: Rabbit Hole
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Colonel Kurtz Ph.D]
#8037147 - 02/18/08 09:18 AM (16 years, 3 months ago)
Of course. What else would we be talking about?
Colonel Kurtz Ph.D
What What?
Registered: 07/22/04
Posts: 11,113
Loc: Shadow Moses
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Diploid]
#8037367 - 02/18/08 10:49 AM (16 years, 3 months ago)
Ah!
Double damn!
Cstring sounds sexy
Xeny
Registered: 02/15/08
Posts: 387
Last seen: 4 years, 5 months
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Colonel Kurtz Ph.D]
#8109613 - 03/06/08 02:51 AM (16 years, 2 months ago)
There's a problem involved in the 'exploit'. It explains that you cannot execute this line perfectly, but you can enhance it into a better exploit. You probably already found the bug, so have you succeeded in actually executing harmful code? Don't we all love C strings?
Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 3 months, 8 days
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Diploid]
#8109717 - 03/06/08 04:07 AM (16 years, 2 months ago)
I've taken a look at the implementation of printf in libc and there is only one exploit that I can find...
A call such as printf(userInput); can be exploited. Instead, printf("%s", userInput); should be used. Never allow user input to set the format string and there is no exploit.
Modern implementations of libc disallow the %n specifier in format strings, or only allow it to function in read-only memory, because it was a security issue allowing the stack to be written. Again, never allow user input to set the format string and there is no exploit.
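The two call shapes Seuss contrasts, as an added example that is code from nobody in this thread: the dangerous shape is kept only as a comment, and the rest shows the fix a C codebase would actually adopt, a logging wrapper whose format string always comes from the program (with the compiler attribute that lets -Wformat -Wformat-security catch a caller who passes user text as the format), and a bounded snprintf() that treats user text as data. It assumes GCC or Clang for the attribute (other compilers get an empty macro); PRINTF_LIKE, log_msg, render_user_text and the two self-check functions are names chosen for this example.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* The shape Seuss warns about, kept here only as a comment:
 *     printf(user_input);            // user text becomes the format string
 * Every '%' the user sends is parsed as a conversion, and with %n it writes.
 * The correct shape passes the same text as an argument to a fixed format:
 *     printf("%s", user_input);
 */

/* A logging wrapper whose format comes from the program, never the user.
 * PRINTF_LIKE makes GCC/Clang type-check the arguments and, under
 * -Wformat -Wformat-security, warn if a caller ever writes log_msg(user). */
PRINTF_LIKE(1, 2)
int log_msg(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vfprintf(stderr, fmt, ap);
    va_end(ap);
    return n;
}

/* Render untrusted text into OUT as data.  snprintf() bounds the copy and
 * the "%s" means the user's bytes are never interpreted.  Returns the length
 * the full message needs, as snprintf() does, so a caller can detect
 * truncation when the result is >= outsz. */
int render_user_text(char *out, size_t outsz, const char *user) {
    return snprintf(out, outsz, "user said: %s", user);
}

/* Self-check: a user string full of %n must come back character for
 * character, because it was argument data rather than format text. */
int user_percent_is_literal(void) {
    char out[64];
    render_user_text(out, sizeof out, "%n%n%n");
    return strcmp(out, "user said: %n%n%n") == 0;
}

/* Self-check for the bound: 40 bytes of user text into a 16-byte buffer
 * must be cut, NUL-terminated, and the untruncated length reported. */
int truncation_is_reported(void) {
    char out[16];
    char user[41];
    memset(user, 'A', 40);
    user[40] = '\0';
    int need = render_user_text(out, sizeof out, user);
    return need == 11 + 40 && strlen(out) == 15;
}

int main(void) {
    log_msg("literal check: %d, truncation check: %d\n",
            user_percent_is_literal(), truncation_is_reported());
    return 0;
}
```

Two practical notes on the runtime side Seuss mentions: with glibc, building with _FORTIFY_SOURCE routes printf-family calls through checked variants that abort when a "%n" appears in a format string held in writable memory, which is the behaviour he describes, and -Wformat-security is the compile-time check that flags a non-literal format string passed with no further arguments. Neither replaces the fix above; they catch the cases that slipped through review.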
Colonel Kurtz Ph.D
What What?
Registered: 07/22/04
Posts: 11,113
Loc: Shadow Moses
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Seuss]
#8109791 - 03/06/08 05:09 AM (16 years, 2 months ago)
Diploid
Cuban
Registered: 01/09/03
Posts: 19,274
Loc: Rabbit Hole
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Seuss]
#8110065 - 03/06/08 07:56 AM (16 years, 2 months ago)
> never allow user input to set the format string and there is no exploit.
Or process it before it gets used, but the whole idea of end users providing coding constructs has 'bad design' written all over it.
Xeny
Registered: 02/15/08
Posts: 387
Last seen: 4 years, 5 months
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Diploid]
#8110488 - 03/06/08 11:02 AM (16 years, 2 months ago)
Quote:
Diploid said:
[...] has 'bad design' written all over it.
You call it 'bad design', i call it sheer genious. I'm not saying the coding is perfect, but i aint no god, are you?
Seuss
Error: divide byzero
Registered: 04/27/01
Posts: 23,480
Loc: Caribbean
Last seen: 3 months, 8 days
Re: Format String Attack (you gotta be experienced with coding) (moved) [Re: Xeny]
#8110728 - 03/06/08 12:05 PM (16 years, 2 months ago)
> i aint no god, are you?
In my book, Diploid is as close to a god as many of us will ever get.
> You call it 'bad design', i call it sheer genious (sic).
Poor programming is not genius; more the antithesis of genius. There is absolutely no reason at all that a program should need the user to input a format string. Worst case would be generating a format string based upon user input. The C language was designed to be very close to assembly. If somebody is incapable of writing secure code at that level, then they should stick to something like Ruby or Python where they are protected from their own stupidity (or genious, as you put it).
The person that realized that "printf(userInput);" can result in a buffer overflow is on the Diploid level of godliness, but not the programmers that make the mistake of writing bad code.
Annapurna1
liberal pussy
Registered: 05/21/02
Posts: 5,646
Loc: innsmouth..MA
Re: Format String Attack (you gotta be experienced with coding) [Re: Xeny]
#8110765 - 03/06/08 12:14 PM (16 years, 2 months ago)
you can avoid that problem by using snprintf(), which checks for buffer overflow...
--------------------
"anchor blocks counteract the process of pontiprobation..while omalean globes regulize the pressure"...