Exploitation possibilities of memory related vulnerabilities - PowerPoint PPT Presentation

Author: Laci

Transcript and Presenter's Notes

1
Exploitation possibilities of memory related
vulnerabilities
  • László ERDODI, PhD, CEH, SSCP
  • Óbuda University, John von Neumann Faculty of
    Informatics, Department of Software Technology

2
Memory corruption vulnerabilities since 2002
[Chart: number of memory corruption vulnerabilities
per year, 2002-2011 (y-axis 0-400); recent examples
labelled CVE 2013-4974, CVE 2013-4206, CVE 2013-3348]
3
Virtual address space
[Diagram: physical memory mapped to virtual memory,
with the regions of the process address space]
  • Local variables, method parameters, exception
    handling data, return addresses
  • Dynamically linked shared libraries (libc)
  • Dynamic variables
  • Global variables
  • Compiled code
4
Main causes and exploitation methods
  • Lack of input validation within methods (strcpy,
    gets, etc.): stack-based overflow (placing harmful
    code on the stack, ROP, JOP)
  • Dynamic memory allocation problems (use after
    free, double free vulnerabilities): heap overflow
    (function pointer overwrite, heap spray)
  • Exception handling errors (SEH overwrite)
  • Others

5
Classic example of buffer overflow
[Diagram: Method2() calls Method1(a); Method1 copies
its argument a into d, a fixed-size array on the
stack; the stack is shown beside the code segment]
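As an added example (not from the presentation): the Method1/Method2 pattern of this slide in C, with the unbounded strcpy copy beside a bounded version that refuses an argument that does not fit in d. D_SIZE, method1_bounded, method2 and the sample arguments are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define D_SIZE 16   /* size of the fixed-size array d in Method1 (assumed) */

/* Vulnerable Method1 from the slide: strcpy copies until the NUL byte of a,
 * so an argument of D_SIZE bytes or more runs past d and overwrites the saved
 * frame data above it (the return address). Kept only for comparison; it is
 * safe only for arguments shorter than D_SIZE. */
static size_t method1_unbounded(const char *a) {
    char d[D_SIZE];
    strcpy(d, a);
    return strlen(d);
}

/* Hardened Method1: the copy is bounded by the size of the destination and
 * the caller learns whether the input fit. Returns 0 on success and -1 when
 * a (including its terminating NUL) does not fit; d is untouched on -1. */
static int method1_bounded(char *d, size_t d_size, const char *a) {
    size_t n = 0;
    while (n < d_size && a[n] != '\0')   /* never read more than d_size bytes */
        n++;
    if (n == d_size)                     /* no room left for the NUL */
        return -1;
    memcpy(d, a, n);
    d[n] = '\0';
    return 0;
}

/* Method2 from the slide, calling the hardened Method1 and reporting whether
 * the copy was accepted. Returns 0 when copied, -1 when rejected. */
static int method2(const char *a) {
    char d[D_SIZE];
    if (method1_bounded(d, sizeof d, a) != 0) {
        printf("rejected: %zu-byte argument does not fit in %d bytes\n",
               strlen(a), D_SIZE);
        return -1;
    }
    printf("copied: \"%s\"\n", d);
    return 0;
}

int main(void) {
    method1_unbounded("try.txt");                           /* short: safe */
    method2("try.txt");                                     /* fits */
    method2("this argument is longer than sixteen bytes");  /* rejected */
    return 0;
}
```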
6
Avoiding memory execution protection (return to libc)

7
Avoiding DEP: return oriented programming (ROP)
(Shacham, 2007)
  • Executable code will not be placed on the stack,
    only a series of memory addresses and parameters
[Diagram: the stack holds Memory addr 1, Memory
addr 2, Parameter 1, Parameter 2, Memory addr 3,
Parameter 4; each address points at a gadget
(Instruction 1 ret, Instruction 2 ret,
Instruction 3 ret) ending in ret]
8
Jump oriented programming (JOP)
(Bletsch, Jiang, Freeh 2011)
  • Attack execution without using the stack (not
    sensitive to stack cookies and returnless kernels;
    it can be used in the case of register machines)
[Diagram: a dispatcher gadget increases the index
pointer and jumps to the current address; the
dispatcher table holds Memory addr 1, Memory addr 2,
Parameter 1, Parameter 2, Memory addr 3, Parameter 4;
each gadget (Instruction 1 jmp, Instruction 2 jmp,
Instruction 3 jmp) ends in jmp]
9
Protection against memory corruption
[Diagram: attack techniques set against the open
protection questions]
  • Stack overflow
  • Return to libc
  • ROP
  • JOP
  • Heap overflow (double free, use after free)
  • Unhandled exceptions, SEH chain rewrite
  Open questions: return address checking? control
  flow integrity? ?
10
Jump Oriented Programming dispatcher gadgets
in shared libraries (Erdodi, 2013)
11
Jump Oriented Programming WinExec example for
Win32 X86
12
Return and Jump Oriented Programming: requirements
of Turing-completeness (Kornau, ARM, 2009;
Buchanan, Roemer, RISC, 2008)
  • Arbitrary code execution
  • Loading variables from memory
  • Writing variables to memory
  • Branches
  • Cycles
  • Method calls

13
Example: How to carry out conditional statements
with return-oriented programming?
  • Method 1: Writing the addresses of the false
    branch and true branch into writeable memory,
    then setting esp according to indirect
    addressing: 31 gadgets
  • Method 2: Loading the distance between the
    address of the false branch and true branch in
    memory into a register, adding that value to esp
    if the condition is true: 17 gadgets
  • Method 3: Applying a gadget which carries out
    the condition evaluation and the jump at the
    same time: 5 gadgets
[Diagram: gadget chain of Instruction 1 ret,
Instruction 2 ret, Instruction 3 ret]
14
Description language for return- and jump-oriented
programming
write(address, value), e.g. placing "net user add
user passw" into the data segment
  write4(address, value) realized with gadgets
  (two alternative sequences):
    gadget1: pop reg1        gadget1: pop reg1
    gadget2: pop reg2        gadget2: pop reg2
    gadget3: mov reg1, reg2  gadget3: add reg1, reg2
                             gadget4: pop reg3
                             gadget5: pop reg4
                             gadget6: add reg3, reg4
                             gadget7: mov reg1, reg3
  write4 00400000 "net "
  write4 00400004 "user"
  write4 00400008 " add"
  write4 0040000c " use"
  write4 00400010 "r pa"
  write3 00400014 "ssw"
15
Description language for return- and jump-oriented
programming
  write(address, value)
  call(address, param1, param2, ... paramn)
    e.g. call(fopen_address, filename_string, filemod)
  if(condition, address_true, address_false)
16
Description language for return- and jump-oriented
programming: sample program
  1 write(dataseg_addr1, filename_string)
      write(00400000, "try.txt")
  2 call(fopen_address, dataseg_addr1, filemod)
      call(7c560122, 00400000, 0)
  3 if(address_of_gadget_cmp eax,0, 6, 4)
      if(77c7d230, 6, 4)
  4 write(dataseg_addr2, name of executable)
      write(00400010, "cmd.exe")
  5 call(winexec_addr, dataseg_addr2)
      call(7d77501c, 00400010)
  6 call(exitprocess_addr)
      call(7c210254)
17
Summary
  • Memory related vulnerabilities are extremely
    dangerous and developing quickly
  • The tendency is the legitimate code-reuse for
    attacking (ROP, JOP)
  • Several open questions still to solve