Control Hijacking Quiz

Questions and Answers

What is the consequence of not performing adequate length checks before buffer manipulations?

It ensures memory is used more efficiently.

It optimizes the execution speed of the program.

It can lead to buffer overflow vulnerabilities. (correct)

The program will always return a valid output.

What is the purpose of using a NOP slide in exploitation techniques?

To create a random buffer that increases security.

To facilitate the landing of the execution flow on the actual shellcode. (correct)

To slow down the execution of the shellcode.

To hide the memory layout from attackers.

In the provided function, what is the purpose of the memcpy operation?

To allocate additional space for the second buffer.

To check the integrity of the data in the buffers.

To clear the memory allocated for buffers.

To concatenate two buffers into a single temporary buffer. (correct)

How can an integer overflow affect the buffer length calculations?

It can result in the buffer length being inaccurately calculated as zero.

What problem is highlighted by the example given in the function concerning memory operations?

Unsafe functions like memcpy can cause security vulnerabilities.

What occurs when a buffer overflows adjacent to a longjmp buffer?

It can overwrite the value of pos.

Which component can a successful heap overflow specifically corrupt?

Method pointers in a vtable

What is a common goal of an attacker exploiting a browser heap?

To infect the browser visiting a malicious web server.

What technique can be used to help ensure a reliable exploit in a heap overflow situation?

Allocating shellcode in the heap using JavaScript

What is the primary function of a NOP slide in the context of a buffer overflow attack?

To ensure successful jumping to shellcode

Which unsafe function is often associated with vulnerabilities leading to buffer overflows?

gets

What is the main challenge for an attacker when using a buffer overflow to place shellcode?

Attacker must know the exact memory location of the shellcode.

In the context of heap exploitation, what does the term 'heap spraying' refer to?

Distributing multiple instances of shellcode in memory

What is the primary goal of using a NOP slide in stack exploitation?

To increase the chance of landing in the executable code

Which unsafe libc function can lead to buffer overflow vulnerabilities?

strcpy()

Why should the program P not contain the ' extbackslash 0' character?

To avoid crashing the program

What is one of the main concerns when performing a buffer overflow attack?

The overflow should not crash the program before func() exits

What is the purpose of overwriting the address of an exception handler in a stack frame?

To redirect program control during an exception

What is a significant drawback of using strncpy() and similar functions in the library?

They may leave the destination string unterminated

In a stack exploitation context, what must an attacker guess about the stack state?

The approximate stack state when func() is called

What is one of the vulnerabilities that lead to famous remote stack smashing overflows?

Buffer overflow in Windows animated cursors

Study Notes

Announcements

• Project 1 is out; part 1 due April 13
• Attend section on Friday at 11:30 AM

Control Hijacking

• Attacker's goal: Take over a target machine (e.g., web server) and execute arbitrary code by hijacking application control flow.
• Examples of attacks: Buffer overflow, integer overflow, format string vulnerabilities, use-after-free.

First Example: Buffer Overflows

• Buffer overflows are extremely common bugs in C/C++ programs.
• The 1988 Internet Worm and the Fingerd exploit are early examples.
• It's generally recommended to avoid C/C++ whenever possible but understanding attacks and defenses is crucial.
• White House support for memory safety emerged in February 2024

What is Needed

• Understanding C functions, the stack, the heap, system calls (like exec()).
• Attackers need to know the target machine's CPU and operating system (e.g., x86-64, Linux, or Windows).
• Specific details differ depending on the CPU (e.g., ARM) and OS (e.g., Windows).
• There are differences in stack frame structure (e.g., Unix vs. Windows, x86 vs. ARM) and endianness (e.g., little-endian vs. big-endian).

Linux Process Memory Layout (x86-64)

• The memory layout shows the user stack, shared libraries, run-time heap, executable text and data, and unused sections.

Stack Frame

• This shows the layout of data on the stack including arguments, the return address, the stack base pointer, exception handlers to deal with errors, local variables in the current function, and callee-saved registers.

What are Buffer Overflows?

• A scenario where a program receives more data than it expects to store in its allocated buffer, potentially overwriting adjacent memory locations.
• This is illustrated by an example function with a fixed-size buffer buf[128] and a potentially large input str that is copied using strcpy.
• If the length of str exceeds 128 characters, strcpy overwrites stack memory beyond the allocated buf, including the return address. The return address is crucial to program flow.
• This can lead to the execution of attacker-provided code.

Basic Stack Exploit

• The attacker's goal is to overwrite the return address on the stack with the beginning address of their malicious code so when the program returns to the caller, it will execute the attacker's code instead.

The NOP Slide

• Attackers must guess the return address to be able to execute their attack.
• A NOP slide is a series of NOP instructions that help the attacker find the right location for the return address.
• This makes it easier to determine the return address when the function returns.

Details and Examples

• Program P should not include the null character ( '\0').
• Overflow should not crash the program within the given function.

Many Unsafe libc Functions

• strcpy, strcat, gets, and scanf are common unsafe functions.
• "Safe" functions like strncpy and strncat are sometimes misleading, as they may not always terminate the copied string properly.
• Functions that support checking for bounds during data copying are safer.
• Modern C runtimes (CRT) often include bounds-checked versions of functions like strcpy (e.g., strcpy_s).

Buffer Overflow Opportunities

• Exception Handlers: Overwriting exception handler addresses can trigger unexpected behavior.
• Function Pointers: Overwriting function pointers can lead to the execution of malicious code.
• Longjmp Buffers: Overwriting buffers used in longjmp instructions can disrupt program flow.

Heap Exploits: Corrupting Virtual Tables

• Compiler-generated function pointers in C++ or C are stored in virtual tables.
• Overwriting memory in the heap can change these pointers, potentially leading to invoking attacker-provided code.

An Example: Exploiting the Browser Heap

• Attackers aim to infect browsers visiting a malicious website by sending Javascript to a victim browser that exploits their heap overflow.

A Reliable Exploit

• Attackers often don't know where the browser places the shellcode in the heap memory.

Heap Spraying

• A technique where an attacker uses JavaScript to fill the browser's heap memory with NOP slides and shellcode.
• Then points a function pointer in a virtual table to a location in the sprayed memory.

Javascript Heap Spraying (Techniques)

• Instructions for creating a NOP slide and a shellcode in JavaScript during heap spraying are outlined.

Ad-hoc Heap Overflow Mitigations

• Better browser architectures separate JavaScript strings from the browser heap.
• OpenBSD and Windows 8 heap overflow protection introduces guard pages to prevent cross-page overflows.
• Ideally, every object would be allocated on a separate page through techniques like eFence.

Finding Overflows by Fuzzing

• Fuzzing techniques involve testing web servers on a local machine with malformed requests, often ending with a specific pattern (e.g., "$").
• Automated tools (fuzzers) accelerate this process.
• If a crash occurs, the core dump files can be analyzed to identify the location of the overflow.

More Control Hijacking Attacks

• Integer Overflows: When integer values exceed their maximum possible value, the behavior can be unexpected.
• Double Free: Releasing the same memory space twice can lead to memory manager issues.
• Use-after-Free: Accessing memory after it's been released (freed) by the program.
• Format String Vulnerabilities: Vulnerabilities that arise when user input is directly used as part of a format string for printf-like functions.

Integer Overflows (Problem and Example)

• What happens when integer values exceed their maximum possible value?
• Example calculations showcasing integer wrapping (e.g., adding large values)

An Example

• Shows a hypothetical example where two buffer segments, buf1 and buf2 are to be copied into a larger temp buffer if the combined size doesn't exceed a predefined limit (256).
• The example showcases how combined lengths cause overflows if their sum surpasses the temp buffer.

An Example: A Better Length Check

• Includes a corrected length check for the memcpy operations to avoid buffer overflows.

Integer Overflow Exploit Stats

• Data presented on the statistics of exploit attempts involving integer overflows are presented.

Format String Bugs

• Explains how format string bugs can be used to exploit programs.

Format String Problem (Example)

• Provides an example demonstrating a format string vulnerability that can be exploited.

Vulnerable Functions (Format String Issues)

• Lists various functions prone to format string issues.

Exploit

• Explains how attackers can exploit format string vulnerabilities to control a program's behavior.

Use After Free Exploits

• Exploits using memory after it is freed.

High-Impact Security Vulnerabilities in Chrome (2015-2020)

• Data on the number of high-impact security vulnerabilities related to memory management bugs found in Chrome between 2015 and 2020 are presented.

IE11 Example: CVE-2014-0282 (Simplified)

• A simplified example demonstrating a use-after-free vulnerability in Internet Explorer 11.

What Just Happened (IE Vulnerability)

• Explains what occurs during the exploit related to the c1.doReset() and changer() functions in the IE11 example.

What Just Happened (Exploit Sequence)

• Details related to the sequence that occurred when the vulnerability was exploited.

The Exploit (Code Snippet)

• Provides the code snippet of the exploited part of the program.

Defenses

• Details about defenses are covered in the next lecture.

Description

Test your knowledge on control hijacking techniques, focusing on buffer overflows and related vulnerabilities. The quiz will cover the fundamentals necessary to understand how attackers exploit memory safety issues, particularly in C/C++ programs. Gain insights into historical examples and modern defenses.