Monday, January 2, 2017

Format String Vulnerability–Overwriting Memory

Continuing with the format string vulnerability, we previously looked at information leakage, this time let’s take a look at overwriting memory. With this vulnerability one can potentially replace permissions or may even cause a program to perform some other action on its behalf.

Let’s look at the code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
/*
 * fmtstr_overwrite.c
 * This code is from the original paper written by Tim Newsham
 * I'm just reusing it here for demonstrating purposes
 * original document can be found at: http://forum.ouah.org/FormatString.PDF
 *
 * check out my blog at http://securitynik.blogspot.com to learn more
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
  {
    char buf[512];
    int x;
    
    if (argc != 2)
      exit(1);

    x = 1;
    snprintf(buf, sizeof buf, argv[1] );
    buf[sizeof buf -1] = 0;
    printf("buffer (%d) : %s\n",    strlen(buf), buf);
    printf(" x is %d/%#x (@ %p)\n", x, x, &x);
    return 0;

  }


Let’s go ahead and compile this program.




Once compiled, let’s run our program to see what we get. In running it, let’s provide the input of “Hey SecurityNik”


Figure 1: Program run and x is 1.

Above shows we ran the program and it showed us the size of our buffer is 15, which is basically the string “Hey SecurityNik”. We also know that “x” is 1 in decimal (1/0x1) and 0x1 in hex and can be found at memory address “0xffffd1b0”.

What we would like to change here is the value of “x” based on its memory location. To do that let’s leverage “perl” along with the “%d” and “%n” format specifiers. The “%d” specifies a decimal integer while the "%n" format returns the number of characters that should have been output.

What we will do now is use the following:
perl -e 'system "./fmtstr_overwrite.exe", "\xb0\xd1\xff\xff%d%n"'

This will overwrite the memory location with the value 5. Why 5? Look at it this way, we are giving the 8 hex characters “\xb0\xd1\xff\xff” which would equate to 4 ASCII characters (whether printable or not is not our concern at this time). Then the “%d” would be another input. So at this point we have 5. You may be wonder why not add one for “%n”. Well as stated above, “%n” prints the number of characters that should have been outputted. As a result, what “%n” will do is print the 5 characters that preceded it. Let’s look at this now in practice.


Figure 2: X is now 5.

As can be seen in figure 2, we have now overwritten the value of “x” to make it 5. If we wanted we could have made that number something else. Let’s say 504.

Figure 3: X is now 504.

As show in figure 3, we were able to change X’s value at memory address “0xffffd1b0” to 504.

While these examples may seem trivial, consider the case where a program requires a user with a certain numeric value to be the one who does administrative tasks. If someone is able to overwrite this variable with that specific value, she may be able to perform administrative actions. You may also be able to overwrite an executed program or even the return pointer.

OK! That’s it!!

References:
Tim Newsham - Guardent, Inc. - Format String Attacks
Syracuse University Lecture Notes – Format String Vulnerability
Stanford - scut / team teso – Exploiting Format String Vulnerabilities
Saif El-Sherei - Format String Exploitation - Tutorial
Format String Vulnerability I & II
Paul Haas - Advanced Format String Attacks
Stonybrook – Format String Attacks
Wei Wang - Format String Vulnerability
Format String Vulnerabilities
Blind Format String Attacks
SP&E – Buffer Overflow and Format String Overflow Vulnerabilities
USENIX: FormatGuard: Automatic Protection From printf  Format String Vulnerabilities
Yan Huang - Heap Overflows and Double-Free
Lok Kwong Yan - CS392/681 – Polytechnic University - An Introduction to Buffer Overflows and Format String Vulnerabilities
Format string exploitation on windows Using Immunity Debugger / Python
Andreas Thuemmel - Analysis of Format String Bugs

No comments:

Post a Comment