Control Hijacking Quiz

Questions and Answers

What is the consequence of not performing adequate length checks before buffer manipulations?

• It ensures memory is used more efficiently.
• It optimizes the execution speed of the program.
• It can lead to buffer overflow vulnerabilities. (correct)
• The program will always return a valid output.

What is the purpose of using a NOP slide in exploitation techniques?

• To create a random buffer that increases security.
• To facilitate the landing of the execution flow on the actual shellcode. (correct)
• To slow down the execution of the shellcode.
• To hide the memory layout from attackers.

In the provided function, what is the purpose of the memcpy operation?

• To allocate additional space for the second buffer.
• To check the integrity of the data in the buffers.
• To clear the memory allocated for buffers.
• To concatenate two buffers into a single temporary buffer. (correct)

How can an integer overflow affect the buffer length calculations?

It can result in the buffer length being inaccurately calculated as zero. (A)

What problem is highlighted by the example given in the function concerning memory operations?

Unsafe functions like memcpy can cause security vulnerabilities. (A)

What occurs when a buffer overflows adjacent to a longjmp buffer?

It can overwrite the value of pos. (C)

Which component can a successful heap overflow specifically corrupt?

Method pointers in a vtable (A)

What is a common goal of an attacker exploiting a browser heap?

To infect the browser visiting a malicious web server. (C)

What technique can be used to help ensure a reliable exploit in a heap overflow situation?

Allocating shellcode in the heap using JavaScript (B)

What is the primary function of a NOP slide in the context of a buffer overflow attack?

To ensure successful jumping to shellcode (A)

Which unsafe function is often associated with vulnerabilities leading to buffer overflows?

gets (D)

What is the main challenge for an attacker when using a buffer overflow to place shellcode?

Attacker must know the exact memory location of the shellcode. (D)

In the context of heap exploitation, what does the term 'heap spraying' refer to?

Distributing multiple instances of shellcode in memory (B)

What is the primary goal of using a NOP slide in stack exploitation?

To increase the chance of landing in the executable code (A)

Which unsafe libc function can lead to buffer overflow vulnerabilities?

strcpy() (C)

Why should the program P not contain the ' extbackslash 0' character?

To avoid crashing the program (A)

What is one of the main concerns when performing a buffer overflow attack?

The overflow should not crash the program before func() exits (C)

What is the purpose of overwriting the address of an exception handler in a stack frame?

To redirect program control during an exception (C)

What is a significant drawback of using strncpy() and similar functions in the library?

They may leave the destination string unterminated (C)

In a stack exploitation context, what must an attacker guess about the stack state?

The approximate stack state when func() is called (A)

What is one of the vulnerabilities that lead to famous remote stack smashing overflows?

Buffer overflow in Windows animated cursors (B)

Flashcards

Heap Overflow

A vulnerability where an attacker can write data beyond the allocated buffer in the heap, potentially overwriting important data structures like function pointers.

Function Pointer Override

A vulnerability where an attacker, by overflowing a buffer, can replace a function pointer with a malicious one. This allows execution of the attacker's code.

Virtual Tables

Data structures storing method pointers within objects. Exploiting them can allow attackers to call unexpected or malicious methods.

Heap Exploit

An attack that uses the heap to overwrite vital data for gaining control of a program.

Heap Spraying

A technique in which an attacker uses JavaScript to spread a malicious shellcode (code to execute by the victim) throughout the heap

Browser Heap Exploit

Exploits that target vulnerabilities in a web browser's heap memory management.

Shellcode

Malicious code designed to execute specific actions, often to gain control of a system.

NOP Slide

A sequence of "no operation" instructions that are used to fill space in a buffer in order to slide a shellcode to an address that will be readily executed.

Heap Spraying (Javascript)

A technique to exploit vulnerabilities in JavaScript engines, where a large number of NOP instructions are placed in the heap memory. This allows malicious code to be placed strategically, and executed.

Integer Overflow

An error that happens when the value of an integer variable exceeds the maximum or minimum value that can be stored. It often leads to unexpected behavior, particularly if the variable controls the length of a memory copy operation.

Vulnerable Length Check (example)

Incorrect code preventing buffer overflow when adding two lengths (len1 + len2). Bad length checking allows writing past allocated memory.

Memory Copying Operations (memcpy)

A function used to copy a block of memory from one location to another.

Heap Memory

A region of computer memory used to store dynamically allocated data during program execution. It's a common target of attacks because of the way programs use it.

Buffer Overflow Vulnerability

A security flaw where an attacker can write data beyond the allocated buffer capacity, potentially corrupting or overwriting adjacent memory locations.

Stack Exploit

A technique where an attacker manipulates the stack memory to gain unauthorized access to a system.

Return Address Overwrite

A type of buffer overflow attack where the attacker modifies the return address on the stack, directing program execution to malicious code.

strcpy()

Libc function that copies a string from one location to another without checking for the size of the destination buffer, making it vulnerable to buffer overflows.

Unsafe Libc Functions

Functions in the C standard library that lack appropriate size checking, increasing the risk of buffer overflow.

Secure alternatives to strcpy()

Functions like strncpy() or strcpy_s() that check the destination buffer size to prevent buffer overflows.

Stack Frame

A block of memory used to store function-specific data like local variables and return addresses during function execution.

Study Notes

Announcements

• Project 1 is out; part 1 due April 13
• Attend section on Friday at 11:30 AM

Control Hijacking

• Attacker's goal: Take over a target machine (e.g., web server) and execute arbitrary code by hijacking application control flow.
• Examples of attacks: Buffer overflow, integer overflow, format string vulnerabilities, use-after-free.

First Example: Buffer Overflows

• Buffer overflows are extremely common bugs in C/C++ programs.
• The 1988 Internet Worm and the Fingerd exploit are early examples.
• It's generally recommended to avoid C/C++ whenever possible but understanding attacks and defenses is crucial.
• White House support for memory safety emerged in February 2024

What is Needed

• Understanding C functions, the stack, the heap, system calls (like exec()).
• Attackers need to know the target machine's CPU and operating system (e.g., x86-64, Linux, or Windows).
• Specific details differ depending on the CPU (e.g., ARM) and OS (e.g., Windows).
• There are differences in stack frame structure (e.g., Unix vs. Windows, x86 vs. ARM) and endianness (e.g., little-endian vs. big-endian).

Linux Process Memory Layout (x86-64)

• The memory layout shows the user stack, shared libraries, run-time heap, executable text and data, and unused sections.

Stack Frame

• This shows the layout of data on the stack including arguments, the return address, the stack base pointer, exception handlers to deal with errors, local variables in the current function, and callee-saved registers.

What are Buffer Overflows?

• A scenario where a program receives more data than it expects to store in its allocated buffer, potentially overwriting adjacent memory locations.
• This is illustrated by an example function with a fixed-size buffer buf[128] and a potentially large input str that is copied using strcpy.
• If the length of str exceeds 128 characters, strcpy overwrites stack memory beyond the allocated buf, including the return address. The return address is crucial to program flow.
• This can lead to the execution of attacker-provided code.

Basic Stack Exploit

• The attacker's goal is to overwrite the return address on the stack with the beginning address of their malicious code so when the program returns to the caller, it will execute the attacker's code instead.

The NOP Slide

• Attackers must guess the return address to be able to execute their attack.
• A NOP slide is a series of NOP instructions that help the attacker find the right location for the return address.
• This makes it easier to determine the return address when the function returns.

Details and Examples

• Program P should not include the null character ( '\0').
• Overflow should not crash the program within the given function.

Many Unsafe libc Functions

• strcpy, strcat, gets, and scanf are common unsafe functions.
• "Safe" functions like strncpy and strncat are sometimes misleading, as they may not always terminate the copied string properly.
• Functions that support checking for bounds during data copying are safer.
• Modern C runtimes (CRT) often include bounds-checked versions of functions like strcpy (e.g., strcpy_s).

Buffer Overflow Opportunities

• Exception Handlers: Overwriting exception handler addresses can trigger unexpected behavior.
• Function Pointers: Overwriting function pointers can lead to the execution of malicious code.
• Longjmp Buffers: Overwriting buffers used in longjmp instructions can disrupt program flow.

Heap Exploits: Corrupting Virtual Tables

• Compiler-generated function pointers in C++ or C are stored in virtual tables.
• Overwriting memory in the heap can change these pointers, potentially leading to invoking attacker-provided code.

An Example: Exploiting the Browser Heap

• Attackers aim to infect browsers visiting a malicious website by sending Javascript to a victim browser that exploits their heap overflow.

A Reliable Exploit

• Attackers often don't know where the browser places the shellcode in the heap memory.

Heap Spraying

• A technique where an attacker uses JavaScript to fill the browser's heap memory with NOP slides and shellcode.
• Then points a function pointer in a virtual table to a location in the sprayed memory.

Javascript Heap Spraying (Techniques)

• Instructions for creating a NOP slide and a shellcode in JavaScript during heap spraying are outlined.

Ad-hoc Heap Overflow Mitigations

• Better browser architectures separate JavaScript strings from the browser heap.
• OpenBSD and Windows 8 heap overflow protection introduces guard pages to prevent cross-page overflows.
• Ideally, every object would be allocated on a separate page through techniques like eFence.

Finding Overflows by Fuzzing

• Fuzzing techniques involve testing web servers on a local machine with malformed requests, often ending with a specific pattern (e.g., "$").
• Automated tools (fuzzers) accelerate this process.
• If a crash occurs, the core dump files can be analyzed to identify the location of the overflow.

More Control Hijacking Attacks

• Integer Overflows: When integer values exceed their maximum possible value, the behavior can be unexpected.
• Double Free: Releasing the same memory space twice can lead to memory manager issues.
• Use-after-Free: Accessing memory after it's been released (freed) by the program.
• Format String Vulnerabilities: Vulnerabilities that arise when user input is directly used as part of a format string for printf-like functions.

Integer Overflows (Problem and Example)

• What happens when integer values exceed their maximum possible value?
• Example calculations showcasing integer wrapping (e.g., adding large values)

An Example

• Shows a hypothetical example where two buffer segments, buf1 and buf2 are to be copied into a larger temp buffer if the combined size doesn't exceed a predefined limit (256).
• The example showcases how combined lengths cause overflows if their sum surpasses the temp buffer.

An Example: A Better Length Check

• Includes a corrected length check for the memcpy operations to avoid buffer overflows.

Integer Overflow Exploit Stats

• Data presented on the statistics of exploit attempts involving integer overflows are presented.

Format String Bugs

• Explains how format string bugs can be used to exploit programs.

Format String Problem (Example)

• Provides an example demonstrating a format string vulnerability that can be exploited.

Vulnerable Functions (Format String Issues)

• Lists various functions prone to format string issues.

Exploit

• Explains how attackers can exploit format string vulnerabilities to control a program's behavior.

Use After Free Exploits

• Exploits using memory after it is freed.

High-Impact Security Vulnerabilities in Chrome (2015-2020)

• Data on the number of high-impact security vulnerabilities related to memory management bugs found in Chrome between 2015 and 2020 are presented.

IE11 Example: CVE-2014-0282 (Simplified)

• A simplified example demonstrating a use-after-free vulnerability in Internet Explorer 11.

What Just Happened (IE Vulnerability)

• Explains what occurs during the exploit related to the c1.doReset() and changer() functions in the IE11 example.

What Just Happened (Exploit Sequence)

• Details related to the sequence that occurred when the vulnerability was exploited.

The Exploit (Code Snippet)

• Provides the code snippet of the exploited part of the program.

Defenses

• Details about defenses are covered in the next lecture.

Description

Test your knowledge on control hijacking techniques, focusing on buffer overflows and related vulnerabilities. The quiz will cover the fundamentals necessary to understand how attackers exploit memory safety issues, particularly in C/C++ programs. Gain insights into historical examples and modern defenses.